Cloudscape and Security

Notes on the Cloudscape Security Features

Because Cloudscape does not support traditional grant and revoke features, the security model has some basic limitations. For both embedded and client/server systems, it assumes that users are trusted. You must trust your full-access users not to perform undesirable actions.

In addition, in the Cloudscape system, it is not necessary to have a specific connection (or permission to access a particular database) to shut down the system. Any authenticated user can shut down the system.

However, a sophisticated user who holds the database encryption key might be able to change those properties directly in the database files, bypassing the checks the system normally applies.

Other security holes to think about are:

  • JDK subversion: running the application under a home-grown (modified) JDK
  • trolling for objects: searching the running system for objects that expose sensitive data
  • class substitution: locating a class that has access to sensitive data and replacing it with one that passes that information on

For notes on the security limitations in a distributed, synchronized Cloudscape system, see the Cloudscape Synchronization Guide.