Security and Data Protection

Security is an important and fundamental topic for a database or business solution system. This article offers an overview of how 4D protects your data. In fact, security is about data protection, and data protection is a huge area. Data needs to be protected against unwanted access, but also against loss. This is an important fact, as most users think only about protection against unauthorized users, not about protection against events such as power failure, a damaged hard disk, accidental data modifications and so on.

Security and data protection is a very wide area: it starts with user authentication, goes on to external access (such as web or SQL) and unwanted code execution (SQL injection, script inspection attacks), then security updates, backup and more.

4D Server

4D Server is an integrated Client/Server development system, optimized to build robust business applications with an embedded database system. While 4D can send out data (with standards such as HTTP, SOAP, ODBC or OCI) or can be accessed from the outside (with HTTP, SOAP, ODBC/SQL), the main usage is based on the internal development language “4D”, using an internal, proprietary network protocol to communicate between the business client and the server.

The network communication supports TLS 1.2 encryption, using either a predefined key (no SSL certificate required) or a customer-provided key file.

The tight binding between development language and network communication allows a high-level, built-in protection concept that avoids typical attack scenarios such as SQL injection or buffer overflow.

The 4D language is a powerful and mature language, perfectly designed to build business application systems. It consists of more than 1500 commands, covering database operations (order by, query, creating, transactions and so on), printing, communicating with other devices or computers, document management, window or user interface commands and much more. Take a look at the 4D language manual for more details.

The language itself is tokenized: even in interpreted (development or prototyping) mode, it is never executed by evaluating text. In production mode the language is compiled, with automatic range checking to protect against buffer overflow attacks.

4D Web Server

4D features its own built-in HTTP Server, a powerful, multi-threaded server for both static and dynamic content. The tight integration considerably increases security.

Besides better code security (see below), this concept removes the typical forgotten-update problem. As everything is integrated, there is only one piece of software to update (see “Software Update Section” for additional details). Typical solutions require a large number of software packages to be updated: PHP, OpenSSL, Apache, NodeJS and so on. All of them need regular updates, and it is common for some parts to stay unpatched for a long time, especially when the solution is used by a department without a specialized IT team.

Web requests trigger 4D code, which responds to the request at the business application level, not just at the database level. The tight integration makes it possible to control every request, using built-in authorization or customized implementations, TLS encrypted of course.

The built-in HTTP Server also allows fine-grained control, for example for a REST Server.

SOAP/Web Service Server

Like the HTTP Server, a SOAP Server is built in, allowing detailed access control based on business objects (not just at the database level).

4D SQL Server

While data access for 4D Remote goes through a proprietary protocol by default, SQL access (natively or via ODBC) is supported as well. In addition, there are open source PDO (PHP Data Objects) drivers available. SQL access at the database level can be controlled with the password system and SQL schemas, and fine-tuned using SQL views.

4D’s built-in password system

4D’s built-in user authorization system can be replaced by 3rd party systems. 4D supports the direct usage of Microsoft Active Directory and LDAP, as well as fully customized systems.

Software Update mechanism

Modern software might be a complex combination of software products: database server, middleware, application server, web server and more. It’s easy to forget to keep all the pieces up to date, like an OpenSSL DLL for instance. 4D reduces this problem in many ways, not just helping the admin in daily work but reducing the risk by design.

As 4D is an integrated all-in-one solution, there is only one folder to replace. Everything is installed in a single folder, which can even be replaced by drag and drop. Making it simple avoids the “I’ll do it later” syndrome. With a single replacement, all parts of the business application are updated in one step; nothing can be missed.

The server can be updated fully automatically. The update process is neither controlled nor forced by 4D itself; it is fully in the hands of the developer of the solution.

Backup and journaling system

4D provides a transaction-based journaling system out of the box. Every single data modification operation is logged and can be rolled back. In case of an emergency, the work of the day can be restored; nothing is lost. In case of an interruption, the database is automatically checked on restart and missing operations (kept in memory, not yet stored to disk) are restored, so that the database comes back with all information. Even in case of total data corruption (bad disk, etc.), the data file is automatically restored from the last full backup and the journal, including the daily work, is integrated.

The transaction journal can also be useful in case of accidental deletion (or sabotage through record manipulation), both for forensics and for data recovery.
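A simplified model of the recovery and forensic use described above, added here as an illustration; it is not 4D code and does not reflect 4D's journal format. The record contents, user names and the entry layout (sequence, user, operation, record id, data) are constructed assumptions.

```python
from copy import deepcopy

# Constructed sample data: record state captured by the last full backup.
BACKUP = {1: {"name": "Alice", "balance": 100},
          2: {"name": "Bob", "balance": 50}}

# Constructed journal written after that backup.
# Hypothetical entry layout: (sequence, user, operation, record_id, data)
JOURNAL = [
    (1, "clerk", "update", 1, {"balance": 120}),
    (2, "clerk", "create", 3, {"name": "Carol", "balance": 10}),
    (3, "temp01", "delete", 2, None),
    (4, "clerk", "update", 3, {"balance": 30}),
]

def apply_entry(state, entry):
    """Apply one journaled operation to the in-memory record set."""
    _seq, _user, op, rid, data = entry
    if op == "create":
        state[rid] = dict(data)
    elif op == "update":
        state[rid].update(data)
    elif op == "delete":
        state.pop(rid, None)
    else:
        raise ValueError(f"unknown journal operation: {op!r}")

def restore(backup, journal, skip=frozenset()):
    """Rebuild the data: start from the backup, replay the journal in
    sequence order, leaving out entries whose sequence is in `skip`."""
    state = deepcopy(backup)
    for entry in sorted(journal, key=lambda e: e[0]):
        if entry[0] not in skip:
            apply_entry(state, entry)
    return state

def deletions(journal):
    """Forensic view: which user deleted which record, at which sequence."""
    return [(seq, user, rid) for seq, user, op, rid, _ in journal
            if op == "delete"]

if __name__ == "__main__":
    print("after crash recovery:", restore(BACKUP, JOURNAL))
    print("deletions found:", deletions(JOURNAL))
    undo = {seq for seq, _, _ in deletions(JOURNAL)}
    print("with deletions undone:", restore(BACKUP, JOURNAL, skip=undo))
```

Replaying the full journal reproduces the day's work after a disk failure; replaying it without the identified deletion brings the removed record back while keeping every later legitimate change.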

Standard backup is part of the 4D product. No additional licensing is required; only an additional hard disk is needed (to protect against disk failures).

In 24/7 environments, 4D supports the usage of cascaded and/or star mirror systems. A production system, a mirror and a secondary mirror build a cluster of systems to provide services around the clock. An additional mirror system could be run in another city or in the cloud to protect the data even in extreme disasters.

In parallel to transaction-based journaling, 4D supports snapshots of virtual machines as well (VSS Writer).

Additional protection

All standard protection concepts, such as server room protection or using encrypted hard disks (hardware solutions like encrypted SSDs or software solutions like BitLocker), are of course recommended as well.

Thomas Maul
VP of Strategy, 4D Product Line

When 4D's German subsidiary was created in 1988, Thomas joined the company as a Technical Director, helping to build the 4D developer community in both Germany and Austria. After many years supporting customers with technical problems and being increasingly involved in sales and management issues, he was promoted to Managing Director for 4D Germany in 1999. As a member of the executive board since 2005, he became part of worldwide strategy of the company, leading to his current position as Vice President of Strategy, 4D Product Line, responsible for defining and executing the overall strategy for the 4D product line in relation to the Program, R&D, Sales and Marketing teams.