MartyConnelly
martyconnelly at shaw.ca
Sat Apr 7 12:16:39 CDT 2007
Two-tier authentication with a USB fob is supposed to verify that the guy with the password and the USB token are the same. In other words, the password hasn't been loaned out. The token alone won't get you in. There are $5 USB tokens on the market now, but they may require some server hardware, possibly in the $2K to $5K range. Until this year the price was around $60. Here are some cheap Canadian examples.

http://www.itbusiness.ca/it/client/en/home/News.asp?id=41998

I have been looking for a case study where someone has hooked this into SharePoint sites. The vendors might be able to provide it. Some continental European banks have been doing client web apps with USB tokens (even at a 60 Euro cost) for a couple of years. Charlotte may have done some HIPAA work. Aside from this there has to be a lot of data encryption.

Jim Dettman wrote:

>Marty,
>
> Yes, one of my big concerns with this app is security. That's also why
>I'm approaching their requirement of possible web access with some
>hesitation. If there will not be a web interface, then the allure of doing
>a 3-tier design becomes a lot less.
>
> The main app is going to be using SQL Server for the BE, so it will be
>tight and access to the system will be through Terminal Services. It's the
>web thing that worries me, although that's not in the scope as yet.
>
> In the States, we need to deal with the HIPAA (Health Insurance
>Portability and Accountability Act), which I need to get some info on, as
>I'm not sure how far I need to go with security. I'm assuming the worst at
>this point<g>.
>
>Jim.
>
>-----Original Message-----
>From: accessd-bounces at databaseadvisors.com
>[mailto:accessd-bounces at databaseadvisors.com] On Behalf Of MartyConnelly
>Sent: Friday, April 06, 2007 8:43 PM
>To: Access Developers discussion and problem solving
>Subject: Re: [AccessD] New database design for MS SQL
>
>In Canada, with web-based apps on health and legal sites, you will
>soon have to consider using two-tier authentication for security to
>conform with the Personal Information Protection and Electronic Documents
>Act, also known by the awkward acronym PIPEDA, which came into full effect
>in Jan. 2004.
>There have been several sites in Ontario that have been compromised when
>password-only.
>Nurses were leaving userids etc. on Post-it notes and patients were
>looking through STD reporting sites that were supposed to be doctor-only
>access.
>So it is biometrics or dongles or USB keys (some with cyclical keys are
>into the $20 range).
>Forget fingerprint devices; the Discovery Channel showed a method to defeat
>these 6 months ago.
>By the way, this will probably start to apply to HIPAA and European Data
>Privacy Acts.
>This isn't being enforced yet but will be soon.
>
>
>Jim Dettman wrote:
>
>
>
>>Charlotte,
>>
>><< It offers so much more flexibility than our beloved Access can right
>>now.>>
>>
>> That's what I've been thinking. I am worried that they are going to want
>>a web interface for their nurses that are remote and possibly at some point
>>give Doctors and Attorneys access to the system.
>>
>>Jim.
>>
>>-----Original Message-----
>>From: accessd-bounces at databaseadvisors.com
>>[mailto:accessd-bounces at databaseadvisors.com] On Behalf Of Charlotte Foust
>>Sent: Friday, April 06, 2007 1:11 PM
>>To: Access Developers discussion and problem solving
>>Subject: Re: [AccessD] New database design for MS SQL
>>
>>I don't know VFP, but I'd say go with the full 3-tier approach. It
>>offers so much more flexibility than our beloved Access can right now.
>>Since Access itself is moving toward being a front end, the next
>>versions may see it gain a lot of those capabilities, but for now they
>>aren't there. The .Net framework hasn't yet found its way into Access.
>>
>>Charlotte Foust
>>
>>

-- 
Marty Connelly
Victoria, B.C.
Canada
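The two-factor check Marty describes (the password alone is useless, the token alone won't get you in, and a "cyclical" token code cannot be replayed) can be shown end to end in a few dozen lines. The following is an added example written for this archive page; it is not code from the post or from any of the vendors or products it mentions. It assumes an event-based one-time-code token per RFC 4226 (HOTP: HMAC-SHA1 over a counter, dynamically truncated to six digits) rather than any particular USB fob, a server-side PBKDF2 password hash, and a small counter look-ahead window to tolerate button presses that never reached the server. The names `User`, `verify_login` and `make_demo_user` are hypothetical, and the shared secret is the RFC 4226 test-vector secret, used here only so the codes are checkable.

```python
"""Two-factor login: salted password hash plus a one-time code from a token.

Added example for this page, not code from the post or any vendor it names.
Assumes an RFC 4226 HOTP token (shared secret + event counter). All names
below are hypothetical.
"""
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass

# Constructed demo secret: the RFC 4226 test-vector secret, so that
# counter 0 -> "755224", counter 1 -> "287082", counter 2 -> "359152".
DEMO_TOKEN_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1(secret, 8-byte big-endian counter), dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def hash_password(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """Server never stores the password itself, only a salted PBKDF2 hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


@dataclass
class User:
    salt: bytes
    pw_hash: bytes
    token_secret: bytes
    token_counter: int        # next counter value the server expects
    look_ahead: int = 10      # tolerate a few token presses that were never submitted


def verify_login(user: User, password: str, otp: str) -> bool:
    """Both factors must pass.

    The token counter only advances on a fully successful login, so someone
    holding the token but not the password cannot consume codes, and a code
    that has been accepted once is never accepted again (replay protection).
    """
    pw_ok = hmac.compare_digest(hash_password(password, user.salt), user.pw_hash)

    # Look for the submitted code in the acceptance window. Compare every
    # candidate in constant time instead of parsing the code as an integer.
    match = None
    for c in range(user.token_counter, user.token_counter + user.look_ahead):
        if hmac.compare_digest(hotp(user.token_secret, c).encode(), otp.encode()):
            match = c
            break

    if not (pw_ok and match is not None):
        return False
    user.token_counter = match + 1   # burn this code and any skipped ones
    return True


def make_demo_user() -> User:
    """Constructed user record: password 'correct horse', token at counter 0."""
    salt = os.urandom(16)
    return User(salt, hash_password("correct horse", salt), DEMO_TOKEN_SECRET, 0)


if __name__ == "__main__":
    u = make_demo_user()
    print("token only:   ", verify_login(u, "wrong password", hotp(DEMO_TOKEN_SECRET, 0)))
    print("password only:", verify_login(u, "correct horse", "000000"))
    print("both factors: ", verify_login(u, "correct horse", hotp(DEMO_TOKEN_SECRET, 0)))
    print("replayed code:", verify_login(u, "correct horse", hotp(DEMO_TOKEN_SECRET, 0)))
```

Two design points matter in practice: the counter is advanced only after both factors pass, so a lost token cannot be used to desynchronise the account, and the look-ahead window is bounded, so a brute-force of six-digit codes still has to contend with account lockout rather than an ever-growing set of valid codes.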