Internet Replication Security

This document addresses security issues related to using Microsoft Access Internet replication. Outcomes PLUS+ is developed on the Microsoft Access platform and uses the Internet replication features. Microsoft Jet is a reference to the database management system that Microsoft Access uses.

 

Excerpts and information contained in this document are from the Microsoft technical white papers:

“Database Replication in Microsoft Jet 4.0”, Debra Dove Microsoft Corporation January 1999.

“Internet Synchronization with the Microsoft Jet Database Engine: A Technical Overview” Michael Wachal Microsoft Corporation Revision Date: January 1999.

“Health Insurance Portability and Accountability Act (HIPAA): A White Paper: Health Information Security” Microsoft Corporation Revision Date: March 2001.

 

Microsoft Jet uses incremental replication. Therefore, during a single synchronization between two replicas, the only updates made are those resulting from changes made since the last synchronization. This provides significant benefits over methods of data distribution that transmits the whole database whenever new data or objects require distribution. Each record in a replicable database has a generation counter; Microsoft Jet uses this field to control incremental exchanges.

The Internet connection uses the HTTP protocol, which sends all data via TCP/IP. Just like any data sent via the Internet, it is broken up into packets and sent to the receiving computer. The receiving computer, TIG’s Internet replication server, requires an authorized user to make the connection and start the replication process.

Microsoft Access implements its own user-level security. This security works by assigning permissions to users and groups of users. These permissions determine the users access to the objects within the database. The database also uses an encryption method that can only be decrypted by the original creator, in this case TIG.

 

 

With that understood, we can address a few common concerns:

 

Can someone intercept my data during synchronization?

There are software tools that will allow Internet traffic to be intercepted. Because of incremental replication, the data being sent during synchronization cannot be assembled into any meaningful format without the rest of the database.

 

Can someone get an unauthorized copy of the data from the Internet server?

No. The server is secured and only allows authorized users to obtain complete copies of the database. Downloading a copy of the database can only be done when support personnel would allow it and provide instructions to the user.

 

Can someone who has Access installed, open the database?

No. Assuming an unauthorized user has a retail version of Access installed and attempts to open the database to view it’s contents, the user-level security implemented on the database would prevent it from opening.

 

 

The combination of user-level authentication, data encryption, and incremental replication, make Internet Replication a secure solution. TIG will continue to implement new security features as technologies are available and it is reasonable to do so.

 

 

“There are currently over 500 Healthcare Line of Business applications built on the Microsoft Windows operating system platform.  Each of these applications leverage the functionality of the platform that its builders felt was appropriate for their product.  This includes everything from the functionality of the operating system to the development tools they use to build the application.  Clearly, the Microsoft platform is made up of products that support the design and development of both applications and technical infrastructure to run any business.  These products are built on standards that are applicable across all vertical industries and with a determined eye towards privacy and security.  The HIPAA regulations are still currently in draft form and specific to the Healthcare industry; thus they were not used directly as requirements for our products.  However, to the extent they leverage current computing standards to secure and protect Healthcare information, there is every reason to believe the Microsoft platform will be directly applicable.  Furthermore, Microsoft is committed to creating a platform that will addresses Healthcare industry issues.  To that end, we will continue to track the regulations as they become more clearly defined and assist the industry with understanding how the Microsoft platform can be utilized to construct applications and infrastructure that address HIPAA regulations.”

 

HIPAA White Paper: Health Information Security: Summary – Microsoft