SECURITY FEATURES IN PROGRESS® DATADIRECT® DRIVERS

Only Progress DataDirect Connect database drivers for ODBC, JDBC, and ADO.NET include industry-standard security features such as TLS / SSL data encryption and Kerberos authentication. Using DataDirect Connect products for database access is one of the best proactive security measures you can take to reduce security-related losses (as verified by The Internet Security Advisors Group in their independent review of DataDirect products). With DataDirect you can:

  • Reduce risk
  • Design highly secure applications
  • Reduce the cost of maintaining a secure architecture

Reduce Risk

Unlike other alternatives, DataDirect Connect includes comprehensive security mechanisms as standard features, making it easy to provide robust application security. These security features ensure secure data exchange, address potential security vulnerabilities inherent in database access and networks, and in many cases could have prevented well-known highly publicized security breaches.

Design Highly Secure Applications without Compromising Usability

DataDirect Connect helps you reduce risk and secure your company's information assets by enforcing authorization control and by protecting data that is transmitted across the network.

  • OS Authentication - DataDirect Connect includes de facto industry-standard OS authentication via the Kerberos and NTLM protocols, which integrate seamlessly into a Single Sign-On environment. This eliminates the need for multiple logins, user IDs, and system IDs, and the need for users to log in separately for each application.
  • Network Data Encryption - With DataDirect Connect, data exchanged between the application and the database is encrypted automatically using the TLS / SSL encryption standard or native database encryption. This significantly reduces the risks associated with the most common data thefts.
  • Secure Architecture - The design of DataDirect middleware reinforces application security because it eliminates the need for database client libraries, which removes a point of vulnerability.

Reduce the Cost of Maintaining a Secure Architecture

Choosing DataDirect Connect when designing your distributed applications simplifies development because data encryption and authentication are included automatically. This built-in security functionality eliminates the need to purchase additional products and makes it easy and cost-effective to develop secure applications. In addition, DataDirect's consistent, standards-based implementation ensures compatibility with existing IT architectures while minimizing development complexity.

To successfully implement integrated authentication and a Single Sign-On (SSO) environment, all components must participate, including the data access middleware. DataDirect Connect integrates seamlessly into Kerberos-based or NTLM authentication mechanisms, enabling you to include database access in a Single Sign-On (SSO) environment. See the ISAG Security Review of DataDirect Connect for more on the benefits of integrated authentication and SSO.

OS Authentication Features in DataDirect Connect

Feature / Benefit

Delegation of Credentials - Delegate the user credential through the programs involved in the application stack.
  Benefit: Allows the application to authenticate the real user instead of an administrative ID, which is less secure and obscures database activity.

Reauthentication - Re-associate a pooled connection with a different authenticated user.
  Benefit: Applications that use connection pooling can re-use connections more efficiently while minimizing the number of connections required in the pool.

Type 5 JDBC support - The only (patent-pending) suite of JDBC drivers on the market that supports Kerberos-based OS authentication while using a pure, 100% Java architecture.
  Benefit: Offers a pure Java authentication option that does not depend on extraneous DLLs or shared libraries that must be installed and maintained on each platform where the driver is deployed.

Note: The features listed above are available only with Kerberos-based OS authentication.

Network data encryption is made possible either through the use of TLS (Transport Layer Security, also known as SSL, or Secure Sockets Layer) or through one of the native encryption algorithms supported by the database. TLS encryption is an industry-standard mechanism that protects the confidentiality and integrity of your data by encrypting information and providing client/server authentication.

Unlike other middleware alternatives, DataDirect Connect includes encryption support as part of its core functionality. With DataDirect Connect, you can choose to have your application automatically encrypt any data exchanged between it and the database server. This approach:

  • Reduces risk of data theft
  • Simplifies implementation
  • Minimizes development complexity

Network Data Encryption Benefits

Risk / Benefit

Non-Standard Encryption Mechanisms - Complicate development and impede later changes.
  Benefit: Simplifies Development - As an industry standard, TLS encryption relies on established development libraries available on all commonly used IT architectures. It simplifies your implementation process, minimizes development complexity, and reduces the long-term risk of non-adaptability.

Router Vulnerabilities - Data packets travel between drivers and databases via one or more routers, which may be configured to "read" data packets passing through them, allowing a user to log and exploit the information.
Packet Sniffing - Readily available tools can log data packets passing over a network, putting transmitted data at risk of being captured and logged.
SQL Injection - Where data packets have been captured by an attacker, the SQL statements they contain can be modified to return more information than intended from a data source, for instance to return information about all employees from an HR database instead of just one.
  Benefit (all three risks): Reduces Risk of Data Theft - Enabling network data encryption ensures that any data exchanged between a driver and database is encrypted. Even if intercepted, captured data is unreadable and cannot be modified in any intelligible manner.

Credential Vulnerability - Packet sniffing commonly targets database access credentials, i.e., the usernames and passwords used to access a database. Credentials transmitted in clear text or with weak encryption are vulnerable to being captured and used maliciously.
  Benefit: Protects Credentials - Using TLS encryption ensures that any database credentials sent by a driver to a database are encrypted and thus useless to unauthorized users. Better yet, Kerberos can be used in conjunction with network data encryption to eliminate the transmission of credentials entirely.
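The two settings the table above depends on are that TLS is actually mandatory (not merely requested) and that the server certificate is validated; encryption with validation switched off protects against passive sniffing but not against an interposed host, and only Kerberos keeps the credential itself off the wire. The following is an added example, not code from Progress DataDirect: a small policy check over DataDirect-style JDBC connection URLs. The keyword names (EncryptionMethod, ValidateServerCertificate, TrustStore, AuthenticationMethod, User, Password) and the EncryptionMethod values (noEncryption, SSL, requestSSL, loginSSL) are assumed from the DataDirect Connect JDBC driver documentation; the sample URLs are constructed and point at a placeholder host.

```python
"""Policy check for DataDirect-style JDBC connection URLs.

Added example, not code from Progress DataDirect. It assumes the connection
keywords documented for the DataDirect Connect JDBC drivers (EncryptionMethod,
ValidateServerCertificate, TrustStore, AuthenticationMethod, User, Password);
the URLs at the bottom are constructed samples and do not point at a real host.
"""
from __future__ import annotations

# Assumed EncryptionMethod values: noEncryption, SSL, requestSSL, loginSSL.
# Only SSL makes TLS mandatory for the whole session.
WEAK_ENCRYPTION = {
    "noencryption": "ERROR: EncryptionMethod=noEncryption; queries, results and "
                    "credentials cross the network in clear text",
    "requestssl": "WARN: EncryptionMethod=requestSSL falls back to clear text "
                  "if the server declines TLS; use SSL to make TLS mandatory",
    "loginssl": "WARN: EncryptionMethod=loginSSL encrypts only the login "
                "exchange; query data still travels in clear text",
}


def parse_url(url: str) -> dict[str, str]:
    """Split 'jdbc:datadirect:<db>://host:port;Key=Value;...' into a
    case-insensitive property map; the server prefix is kept under '_server'."""
    head, _, tail = url.partition(";")
    props: dict[str, str] = {"_server": head.strip()}
    for item in tail.split(";"):
        if not item.strip():
            continue
        key, sep, value = item.partition("=")
        if not sep:
            raise ValueError(f"malformed property: {item!r}")
        props[key.strip().lower()] = value.strip()
    return props


def check_policy(url: str) -> list[str]:
    """Return ERROR/WARN findings; an empty list means the URL requests
    mandatory TLS with server-certificate validation and Kerberos login."""
    p = parse_url(url)
    findings: list[str] = []

    # Encryption: the benefits in the table only hold if TLS is negotiated.
    enc = p.get("encryptionmethod", "noencryption").lower()
    if enc in WEAK_ENCRYPTION:
        findings.append(WEAK_ENCRYPTION[enc])

    # Server authentication: encryption without certificate validation leaves
    # the "client/server authentication" half of TLS switched off.
    if enc != "noencryption":
        validate = p.get("validateservercertificate", "").lower()
        if validate in ("false", "0"):
            findings.append("ERROR: ValidateServerCertificate=false; the channel is "
                            "encrypted but the server is never authenticated")
        elif validate == "":
            findings.append("WARN: ValidateServerCertificate not set explicitly; set "
                            "it to true rather than relying on the driver default")
        elif "truststore" not in p:
            findings.append("WARN: TrustStore not set; validation depends on the "
                            "JVM's trust configuration rather than a pinned CA")

    # Credentials: Kerberos is the only option here that keeps them off the wire.
    auth = p.get("authenticationmethod", "userIdPassword").lower()
    if auth == "kerberos":
        if "password" in p:
            findings.append("WARN: Password present although AuthenticationMethod="
                            "kerberos; it is not needed and should not be stored")
    else:
        findings.append(f"WARN: AuthenticationMethod={auth}; credential material is "
                        "sent to the server at login, Kerberos keeps it off the wire")
    return findings


# Constructed sample URLs (placeholder host and password, not a real system).
WEAK_URL = ("jdbc:datadirect:sqlserver://db.example.internal:1433;"
            "User=appsvc;Password=example;EncryptionMethod=noEncryption")
UNVALIDATED_URL = ("jdbc:datadirect:sqlserver://db.example.internal:1433;"
                   "EncryptionMethod=SSL;ValidateServerCertificate=false;"
                   "AuthenticationMethod=kerberos")
HARDENED_URL = ("jdbc:datadirect:sqlserver://db.example.internal:1433;"
                "EncryptionMethod=SSL;ValidateServerCertificate=true;"
                "TrustStore=/etc/pki/db-ca.jks;AuthenticationMethod=kerberos")

if __name__ == "__main__":
    for name, url in (("weak", WEAK_URL), ("unvalidated", UNVALIDATED_URL),
                      ("hardened", HARDENED_URL)):
        print(f"{name}: {check_policy(url) or ['OK']}")
```

Run it as a script to see the three verdicts, or call `check_policy` from a deployment check that rejects any URL producing an ERROR finding. The same keyword=value parsing applies to the ODBC connection strings, but the ODBC keyword values differ, so the value tables would need to be adapted.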


DataDirect Connect database drivers are designed to reinforce application security. This is accomplished mainly by eliminating the need for database client libraries and through extensive testing and third-party review. The main architectural factors that impact application security are outlined below.

Security Risk / DataDirect Feature

Network Vulnerabilities - Packet sniffing and router logging.
  Feature: Wire Protocol Architecture - Eliminates database client libraries and thus the additional data exchanges between the driver and the client.

Unmanaged Code in .NET Applications - Traditional data providers call unmanaged code in database client libraries, bypassing .NET CLR security, which protects code from being misused or damaged by other code. It also opens the door to potential compromise via code that has direct access to memory or machine registers, or that uses pointers.
  Feature: 100% Managed Code - DataDirect's strict use of managed code means its data providers run entirely within the .NET CLR, taking advantage of its security controls and permissions. 100% managed code also has no direct access to memory, machine registers, or pointers.

Denial of Service Attacks - Attackers may leverage the memory leaks that are often rife in database client libraries to impede access for legitimate users.
  Feature: Type 5 JDBC Architecture - A 100% pure Java architecture, regardless of platform or functionality, ensures zero dependencies on database client libraries that can be attacked.
  Feature: Wire Protocol Architecture - Eliminates database client libraries, thus avoiding the memory leaks that client libraries engender.
  Feature: 100% Managed Code - Common denial-of-service attacks that involve making API methods operate out of specification, causing buffer overruns, are rendered impossible because DataDirect ADO.NET data providers run entirely within the .NET Framework's CLR.

Inferior Middleware Design and Implementation - Data connectivity middleware not subjected to thorough and rigorous QA testing in multiple scenarios leaves itself open to unforeseen security compromises.
  Feature: Comprehensive Test Suite - DataDirect thoroughly tests and certifies its products in a wide variety of scenarios as part of the standard release cycle.
  Feature: Validation by 3rd Party Security Specialists - The Internet Security Advisors Group (ISAG) applied its specialized expertise in IT security to ensuring that DataDirect's software is free of known security vulnerabilities.