I do not think the question as posed has an answer and most people who have a naive understanding of data security will answer no: it is not a good idea to store data with different levels of classification in the same place.
I disagree. Who is in charge on enforcing access control? The app is. Nobody else can be in charge of this. So the real question is: is the app good enough to satisfy the access control requirements for the highest level of classification? If so, I do not see a problem in applying the same high standard to lower classification by storing all documents in the same place. Keeping the data separate makes logging and monitoring of access easier. But that is all. Massimo On Thursday, 28 July 2016 15:48:30 UTC-5, Alex Glaros wrote: > > I'm writing an app that government organizations use for project > management and other functionality, and, using the same app, open areas for > citizen engagement, for example, crowdsourcing citizen ideas for government > projects. > > Citizens and government share the same data. > > Everything is locked down meticulously using decorators, db.auth_group, > SSL, but are there design improvements I can make to improve security, for > example, only allowing citizen access via API so that they are not directly > querying the shared tables? > > Are there specific risks when government classified information is stored > in same Postgres database that citizens use to engage with government? > > thanks, > > Alex Glaros > > > -- Resources: - http://web2py.com - http://web2py.com/book (Documentation) - http://github.com/web2py/web2py (Source code) - https://code.google.com/p/web2py/issues/list (Report Issues) --- You received this message because you are subscribed to the Google Groups "web2py-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to web2py+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
