
Security holes in Act - remote databases

Copper Contributor
Posts: 39
Country: USA

Security holes in Act - remote databases

I have a question.  I need a remote user to have access to view and add content to our database of 10000 contacts.  I know that I can turn off the ability to synchronize if he leaves the company, but he will still be able to walk away with my database of 10000 contacts.  Is there a way to remotely disable the database or, better yet, make it so that his access is denied if there was no synchronization within x number of days?

Also, it seems that even if his access is turned off, he will still be able to have access to the Attachments folder which has many crucial and proprietary documents.

It seems that these are major faults in the security management of the program and limit my confidence in deploying remote databases.

Platinum Elite Contributor
Posts: 14,384
Country: Australia

Re: Security holes in Act - remote databases

There is an option to expire sync after X days... but the user can still access the database.

I'm not sure what would happen if you marked a user as Inactive in the Publisher database and then they sync'd - but even that wouldn't protect the attachments

If the security is that crucial, you might try switching to ACT! Premium for Web - then they don't have a local copy

Copper Contributor
Posts: 39
Country: USA

Re: Security holes in Act - remote databases

As I suspected, glaring security holes with no real solutions.  (Act for Web is not an option for my business right now.) Unfortunate.  Hopefully they will fix that in the next version.
New Member
Posts: 8
Country: USA

Re: Security holes in Act - remote databases

I have the same exact issue.  The best work-around I can see, for performance reasons too, is to create a sync set of only the contacts that relate to the user.  This seems to address both security and performance issues to a certain degree.  i.e. Each sales rep syncs their contacts to the server, but doesn't sync each other's contacts.  The tough question is what to do with common contacts, and I'm stuck with that too.  Any suggestions?

I completely agree and have thought the same thing about adding the feature to automatically disable access to the database after X days of not synchronizing.  SAGE - PLEASE ADD THIS FOR 2009!!!

Nickel Elite Contributor
Posts: 595
Country: USA

Re: Security holes in Act - remote databases


ngilliam wrote:

The best work-around I can see, for performance reasons too, is to create a sync set of only the contacts that relate to the user.  This seems to address both security and performance issues to a certain degree.  i.e. Each sales rep syncs their contacts to the server, but doesn't sync each other's contacts.  The tough question is what to do with common contacts, and I'm stuck with that too.  Any suggestions?


The sync set is not for security because any remote user can add additional contacts from the master database to their sync set. Some security is possible using contact limited access on the master database (this requires the premium version).

The simple fact is there is no possible total security so long as the remote user has database files on the remote computer. Because the files are managed by Windows, the ACT! program has no way of imposing total security over the database files. As Mike suggested, the closest to the level of security you both want is to switch to ACT! for the WEB because that way they don't have any database files on the remote computers.

Roy Laudenslager
ACT! Certified Consultant
Techbenders
royel@techbenders.com
New Member
Posts: 8
Country: USA

Re: Security holes in Act - remote databases

Roy, thanks for your feedback.  On the premium version, can't you use limited access as you mention below, specify the sync set criteria to only sync contacts where the user is the contact manager and/or they have limited access to, and then disable the ability for users to edit the sync set?

As we speak, I'm trying to design the best synch strategy, with considerations for both security and performance.  Each rep does not need to see the other rep's contacts, but of course, the server needs to see all.  For common contacts, once limited access rights have been granted, then there doesn't seem to be a way (as Jeremy mentioned) to disable access to them.  Any options?

Thanks in advance....

Nathan

Nickel Elite Contributor
Posts: 595
Country: USA

Re: Security holes in Act - remote databases

If you set up limited access on the master so that each remote only has access to their contacts, it's then a good idea to make their sync set be limited to only their contacts. The main thing with limited access, if they tried to add contacts from the master database to their sync set, they would not see the other contacts in the master database so they can't add them to their sync.

Because the database files exist on their computer, it would always be possible to gain access to the information in those files no matter how the ACT! program tried to restrict it. It might be possible to encrypt the stored data but that would need to be done by the MSSQL server and I don't know if that is possible.

Roy Laudenslager
ACT! Certified Consultant
Techbenders
royel@techbenders.com
New Member
Posts: 8
Country: USA

Re: Security holes in Act - remote databases

I think I see what you mean, which is OK.  I have a small team of about 6 (maybe grow to 10-15) that all work remotely from home offices (but here in town) and will sync over the internet.  I'm the only one that will have access to the server, so they wouldn't be able to open the main db up anyway.  If I need to change the sync set, can I log in with my admin ID on the server and change the sync set?  I suppose I would need to re-package another remote db for them, but it would address the security issue, wouldn't it?  i.e. In this scenario, how would they have access to contacts they shouldn't?

The other thought I had if the sync set needs to be changed is... can I log into their remote db with my admin ID and change the sync set for them?

Can you think of a better sync strategy for this scenario?

Again, thanks in advance...

Nathan

Copper Contributor
Posts: 39
Country: USA

Re: Security holes in Act - remote databases

I can think of one option.  Have it so the remote database locks if they don't synchronize within x number of days.  It seems simple enough to add that feature.
Nickel Elite Contributor
Posts: 595
Country: USA

Re: Security holes in Act - remote databases


Jeremy wrote:
I can think of one option.  Have it so the remote database locks if they don't synchronize within x number of days.  It seems simple enough to add that feature.

I hate to tell you I could easily get around that kind of a block.
Roy Laudenslager
ACT! Certified Consultant
Techbenders
royel@techbenders.com