On 2019-03-29 17:05:41 +0100, Moreno Andreo wrote:
> Il 28/03/2019 23:50, Peter J. Holzer ha scritto:
> > On 2019-03-28 15:29:50 +0100, Moreno Andreo wrote:
> > > here I'm trying to find a way so nobody can, without the use of the
> > > application, match a patient with their clinical records (i.e. someone
> > > breaking into the server -- data breach)
> > I think it is very optimistic to assume that an intruder would get
> > access to the database but not the application.
> Well, application resides on another instance (server), but if the attacker
> has been able to take control of one server, he surely could try to break
> another one, but it takes time.....
I can't claim to be a security expert any more (I've drifted away from
that topic over the last decade or so), but most data breaches that were
publicised over the last few years started at some employees desktop.
As such your assumption "server A may be hacked, server B safer, and the
application is completely safe" seems unrealistic to me. I think that
the application will fall first (and whatever privileges it provides to
the user will therefore be in the hands of the attacker), and the
server(s) will come aftet that. So I would design such an application
with the assumption that the user's PC has been compromised and secure
the server(s) against that case.
hp
--
_ | Peter J. Holzer | we build much bigger, better disasters now
|_|_) | | because we have much more sophisticated
| | | hjp@hjp.at | management tools.
__/ | http://www.hjp.at/ | -- Ross Anderson <https://www.edge.org/>