Gain the best from existing resources to improve data security

on 04.02.2007 08:00:55 by Andy Lotus

The following is a response to requests to introduce password
protection into the address book program Open Contacts, which is
distributed as freeware. The description should also apply to other
private data, and to using private data on portable devices. It is
assumed that you already know about Open Contacts and TrueCrypt. The
following article is basically a general discussion about data
security, using Open Contacts and TrueCrypt as examples.

****************************************************
Security

Some users have sent requests for password protection of the address
book, comparing it with other address book programs which provide
such protection.

They are concerned about the security of address book data. While
security is essential to the privacy of you and your contacts, it is
more practical for you to understand what security level you need and
what resources are available for security, as there are many security
solutions around.

While putting a lock on an address book program or its database looks
secure, as some address book programs on the market do, we don't
believe that an address book is a good gate on which to install a
lock, considering the balance between the security of your private
data and the convenience of using such data. For example, for the
security of your home you would install locks on the front door, but
would you install locks on every bedroom, bathroom and toilet? Yes, it
would apparently be more secure if you did so; however, you would lose
some of the convenience of living there.

Windows already provides some front door locks for you. You need to
log on to access your computer. When you leave for a moment, you can
lock the computer (by default pressing Ctrl+Alt+Del). Otherwise,
anyone can access your other private data even if you have your
address book data locked. You are not going to put locks on every
piece of your private data while keeping the front door open.

If you use Open Contacts in desktop mode, you had better run your
account in Least-Privileged User Account (LUA) mode, and put the
database files into a folder accessed exclusively by your account.
When you install Open Contacts, you are offered 5 options; you may
choose to install for the current user only. The data files will then
be copied to your personal folders, which only you can access by
default, unless all users of your computer are Administrators.

If you use Open Contacts in a LAN environment, you may put the
database file on a secured server. Workstations should not be able to
access the database file directly, but only through the Firebird
database server. Please work with your system administrator to improve
data security. If the contact data contain linked files, the
directories of these files should allow access by workstations
authenticated by the Windows networking system.

You may argue that if the computer gets stolen, or an external drive
such as a USB memory drive gets lost, the address book data will be at
risk of exposure to unauthorized use. Yes, we are going to talk about
how to further protect your address book data, as well as your other
private data.

An SQL database can be secured when the authentication mechanism is
sound and the database files are kept in a safe place. If the files
get stolen, the authentication mechanism has no effect. While it is
not rare to encrypt data in a database, this brings a performance
penalty and makes queries more difficult.

Data security is a big topic that cannot be discussed here in detail.
Though Open Contacts does not provide built-in security, it is easy to
use existing resources to introduce a certain level of security to
Open Contacts without costing you a penny.

Just encrypt the folders using Windows' built-in encryption (this
applies to NT, Windows 2000, Windows Server 2003 and XP with NTFS file
system volumes). When you do this, please ensure that you understand
how it works so that you don't do something that destroys access to
the data forever. All of this is fully documented in the Windows Help
under both "file permissions" and "encryption". For further questions
and answers about encrypted folders, please contact Microsoft support
or check the relevant newsgroups.

If you use Open Contacts on an external drive with which NTFS hardly
works, you may consider using an open source freeware program called
TrueCrypt, located at www.truecrypt.org. TrueCrypt also supports green
installation on an external drive. You may then put Open Contacts and
related files into the encrypted container managed by TrueCrypt.
Please study the TrueCrypt website and the user manual for more
details.

Please note that we do not provide technical support for general
questions about Windows, LUA, encryption, TrueCrypt etc. Please write
to the respective parties for further assistance.

Summary of Acquiring Data Security
1. Use the log-on protection of Windows, and screen-lock protection.
2. Run with a Least-Privileged User Account.
3. Encrypt personal folders on your hard disks using Windows' (NTFS
systems) built-in encryption and permissions.
4. In a LAN environment, secure the server and the network
authentication.
5. To use private data on external drives such as a USB memory drive
or portable hard disk, use TrueCrypt.

The advice above applies to protecting the Open Contacts address book
database, as well as to your general practice of protecting your
private data.
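
Summary steps 2 and 3 as a PowerShell script, including the key backup that prevents the "destroy the data access forever" outcome mentioned above. This is an added example, not part of the original post or of Open Contacts; both paths are placeholders, and it assumes a Windows version that ships `icacls` and `cipher`, run from the LUA account with Open Contacts closed.

```powershell
param(
    # Placeholder path (assumption): point this at your own data folder.
    [string]$DataDir   = 'C:\path\to\OpenContacts-data',
    # Placeholder (assumption): a file on removable media stored apart from the PC.
    [string]$KeyBackup = 'E:\efs-key-backup'
)
$ErrorActionPreference = 'Stop'

$item = Get-Item -LiteralPath $DataDir
if (-not $item.PSIsContainer) { throw "$DataDir is not a folder." }

# Per-user permissions and EFS are only available on NTFS volumes.
$drive = New-Object System.IO.DriveInfo $item.PSDrive.Root
if ($drive.DriveFormat -ne 'NTFS') {
    throw "$DataDir is on $($drive.DriveFormat); Windows encryption needs NTFS."
}

# 1. Permissions: drop inherited entries and grant full control to the
#    current account. Explicit entries for other accounts are not touched,
#    so the resulting ACL is printed for review.
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
icacls $DataDir /inheritance:r /grant:r "${me}:(OI)(CI)F"
if ($LASTEXITCODE -ne 0) { throw 'icacls failed; permissions were not changed.' }
icacls $DataDir

# 2. Encryption: mark the folder and everything already inside it as encrypted.
cipher /e "/s:$DataDir"

# 3. Verification: list anything that is still stored in plain form,
#    for example a database file that was open while cipher ran.
$plain = @(@($item) + @(Get-ChildItem -LiteralPath $DataDir -Recurse -Force) |
    Where-Object { -not ($_.Attributes -band [IO.FileAttributes]::Encrypted) })
if ($plain.Count -gt 0) {
    $plain | ForEach-Object { Write-Warning "Not encrypted: $($_.FullName)" }
    throw 'Some items are not encrypted; close Open Contacts and run again.'
}

# 4. Key backup: export the EFS certificate and private key to a
#    password-protected .PFX file (cipher prompts for the password).
#    Without this file, a reinstalled Windows or a lost user profile
#    leaves the encrypted data unreadable.
cipher /x $KeyBackup
Write-Output "Encrypted $DataDir for $me; key backup written next to $KeyBackup"
```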