MS Access, software app or a System?

  • Thread starter Thread starter Jody Jenkins
  • Start date Start date
J

Jody Jenkins

There is a debate among our security people. Some say that MS Access is a
software app, others considered a system and needs to be CNA`d. I say its a
software app. Any thoughts.
 
Now here's a debate!

I'd say it is an App which is used to build systems... One way or another,
if you use it to house sensitive information then you need to take steps to
secure it's access. But on a closed LAN with proper security in place,
problems should be minimal.

It will be very interesting to see what others say on this matter.
--
Hope this helps,

Daniel Pineault
http://www.cardaconsultants.com/
For Access Tips and Examples: http://www.devhut.net
Please rate this post using the vote buttons if it was helpful.
 
There is a debate among our security people. Some say that MS Access is a
software app, others considered a system and needs to be CNA`d. I say its a
software app. Any thoughts.
Click to expand...

I'm a bit unclear on what constitutes a "system", so I really can't
address that directly. However, I tend to look at Access as three things
in one package:

1) A database engine
2) An IDE
3) An application

1) Consider SQL Server. It's a database engine, and you certainly can't
hand it off to a user and expect them to find their way around the
tables and rows.

2) Consider Visual Studio. It's an IDE and you can write code to build
an application with it. It doesn't come with a database engine... at
least not without you taking step to actually include or refer to it. It
also can't run an application as an application. You would use it to run
it in debug mode to test/step through the code but not to actually use it.

Access does all of that in the same package - but of course this assumes
that the user is the developer which is not always the case here - more
often than not, the user is here to use it as an application that's
developed by someone else (even if not officially a developer - could be
just a power user or the "most tech savvy guy in the office").

Back to the question - if I were to want them to treat Access as an
application, I'd think about distributing MDE/ACCDE files instead so it
will in fact act more like an application and less than an IDE. That
won't save the developer's machine from needing to be auditing because
we still need the full version of Access (and thus the IDE capability)
to develop the applications. (That's assuming they would treat an IDE as
a "system"... how do they handle Visual Studio and software supporting
SQL Server (e.g. SSMS & BIDS?)

My $0.02 FWIW.
 
In the works of the security officer that thinks that Access is a software
app, a System has funding, O&M, hardware/software and specialized personnel
hired to maintain it, etc,etc.
 
In the works of the security officer that thinks that Access is a software
app, a System has funding, O&M, hardware/software and specialized personnel
hired to maintain it, etc,etc.
Click to expand...

Well, as I alluded to earlier, how do they currently treat Visual Studio
and SQL Server (or whatever software they use for development
work/database) may be a good indication of how they should treat Access
because as I've explained, Access has the features of an IDE, a database
engine and an application all in one package so it's more closer to a
System than a software app, IMHO.

The hard part is that in some ways, Access is more or less intended to
be more accessible to people who are not necessarily the developer, the
DBA or involved in the trade - it's supposed to (in theory) democratize
the database development/creation by allowing office monkeys to build
their ad hoc database which eventually may transform into mission
critical applications. Not all make that steps but some do. If you've
not already, I strongly recommend you & the other security officers read
the paper from FMS Inc. on the database evolution.

http://www.fmsinc.com/tpapers/genaccess/dbod.asp
 
Jody Jenkins said:
There is a debate among our security people. Some say that MS Access is a
software app, others considered a system and needs to be CNA`d. I say its
a
software app. Any thoughts.
Click to expand...


What is a "system" in the eyes of the people who matter? I think of Access
itself as an application, and of database apps developed with Access as
applications as well. However, it doesn't matter what I think; it matters
what your definition of a "system" is.
 
Based on your own definition "a System has funding, ... specialized personnel
hired to maintain it" I would define Access in this case as a System for the
simple reason that in a well organised organization an important db will be
assigned funding and personnel to develop/maintain it.

If on the other hand it is a small project which is left "Off the books" and
left to some random employee, then I guess it would be considered an App.

I would urge you, based on your def. to treat it as a system.
--
Hope this helps,

Daniel Pineault
http://www.cardaconsultants.com/
For Access Tips and Examples: http://www.devhut.net
Please rate this post using the vote buttons if it was helpful.
 
There is a debate among our security people. Some say that MS
Access is a software app, others considered a system and needs to
be CNA`d. I say its a software app. Any thoughts.
Click to expand...

Without the definitions they have historically used to make this
determination, comment on the subject is not going to be very
illuminating, seems to me.

Access is pretty much one of a kind. The only app I can think of
that's really like it is FileMaker. This means it's not likely to
fit well into categories that have been created to catalog "normal"
applications.
 
In the works of the security officer that thinks that Access is a
software app, a System has funding, O&M, hardware/software and
specialized personnel hired to maintain it, etc,etc.
Click to expand...

I'm reading behind the lines that there's a failure to distinguish
between:

1. Access the application, installed on a PC.

2. an Access application, which is an MDB/ACCDB that is a program
itself that incidentally requires Access to be installed to run it.

In the former case, Access is an application, not a system.

In the latter, it's a system.

I would guess that the parties with vested interests are not going
to want to distinguish between Access and the advertising
department's Assets Management application, that just so happens to
use Access. But if they had any sense, they would make just that
distinction.
 
There is a debate among our security people. Some say that MS Access is a
software app, others considered a system and needs to be CNA`d. I say itsa
software app. Any thoughts.
Click to expand...

Neither - or both... its a tool. You can use it to build a system
that requires "funding, O&M, hardware/software and specialized
personnel hired to maintain it" or you can just as easily use it to
create a simple little way to beat some data into submission or
anything in between.
 
David W. Fenton said:
I'm reading behind the lines that there's a failure to distinguish
between:

1. Access the application, installed on a PC.

2. an Access application, which is an MDB/ACCDB that is a program
itself that incidentally requires Access to be installed to run it.

In the former case, Access is an application, not a system.

In the latter, it's a system.

I would guess that the parties with vested interests are not going
to want to distinguish between Access and the advertising
department's Assets Management application, that just so happens to
use Access. But if they had any sense, they would make just that
distinction.
Click to expand...
So, just out of pure curiosity, how would you classify my Fleet Maintenance
program that is a small db since we only have 38 trucks and 46 trailers. It
has 4 years of maintenance records, about 6000 records, to include all
pertinent data on the equipment and the vendors. It assigns and prints
Purchase Orders and has about 6 forms and 12 reports. I have split it and
put the be on the server. I'm the sole developer and maintainer and it's
really only used by myself and one other. It's not "on anyones books" since
the cost was minimal; MS Office 2007 Pro, several $50 books and my time at
home and work. (I don't think we can count the alcohol consumed out of
frustration...LOL)

On the other hand, the records produced from this "app/system" proved a tire
ring theft and per the DA saved our company $16,000.

So....do I have an app or a system??

Cindy
 
So, just out of pure curiosity, how would you classify my Fleet
Maintenance program that is a small db since we only have 38
trucks and 46 trailers. It has 4 years of maintenance records,
about 6000 records, to include all pertinent data on the equipment
and the vendors. It assigns and prints Purchase Orders and has
about 6 forms and 12 reports. I have split it and put the be on
the server. I'm the sole developer and maintainer and it's really
only used by myself and one other. It's not "on anyones books"
since the cost was minimal; MS Office 2007 Pro, several $50 books
and my time at home and work. (I don't think we can count the
alcohol consumed out of frustration...LOL)
Click to expand...

I'd call it a system.
On the other hand, the records produced from this "app/system"
proved a tire ring theft and per the DA saved our company $16,000.


So....do I have an app or a system??
Click to expand...

The key distinction to me seems to me whether they recognize that
the application in this case is your fleet management app, not
Access. And then the determination of whether it's a system or app
should be made based on the characteristics of your fleet management
app, rather than on the characteristics of Access.

Classifying your app based on evaluating Access would be like
classifying a VB app based on evaluating the runtime files needed
for it (in old VB -- obviously from VB6 on, you could compile to EXE
without need of the runtime files).
 
Security? CNA? What's the acronym, and what's the context?

If you mean, is Access a system that needs to be secured, yes, it's a
system. People use the system to handle data and to automate tasks, and the
system needs to have security audits and training.

If you mean, is Access a system that needs to be administred, no, it's an
app, part of MS office. Systems built using Access may need separate admin
support, but MSACCESS.EXE should be supported as a small part of your
standard desktop.

(david)
 
All of the databases that I have created so far (21 of them) are used solely
by a small group of individuals, between 2-10 users per database. Our IT dept
is responsible for MS Office O&M and I am only the DBA. All of the databases
are secured. With that being said, I believe that MS Access is a application,
not a system.
 
Jody Jenkins said:
There is a debate among our security people. Some say that MS Access is a
software app, others considered a system and needs to be CNA`d. I say its a
software app. Any thoughts.
Click to expand...

Somewhere in the middle.

Anyone could write a malicious MDB/ACCDB/MDE/ACCDE/etc file which
deletes all files on the hard drive or network server. Or worse it
encrypts those files with a hidden password. Then the owner of the
app can demand a ransom.

Or worse it could randomly make changes to every 10,000th byte in a
random number of the files on the server.

Mind you an Excel spreadsheet, Word document or DOS exe could do the
same thing.

Tony
--
Tony Toews, Microsoft Access MVP
Tony's Main MS Access pages - http://www.granite.ab.ca/accsmstr.htm
Tony's Microsoft Access Blog - http://msmvps.com/blogs/access/
For a convenient utility to keep your users FEs and other files
updated see http://www.autofeupdater.com/
Granite Fleet Manager http://www.granitefleet.com/
 
Back
Top