Abstract: this seems an easy question, but I have not found a proper answer yet feel free to give your answer and a little justification.
The complete question is:
What should I secure? the access to the resources, or the content of the resources?
Securing the access means controlling who sees the resources, in terms of who can read files, databases, etc.
Securing the content means encrypting the file content or the data inside databases, so everybody can read but only a few can understand.
Meanwhile you think a response,
– There is an application, let’s say, and ASP.NET application.
– Then there is IIS authentication, let’s say, Windows Integrated Authentication.
– Then there is .NET Framework Code Access Security settings, let’s say, system administrators configuring execution permissions to the assembly.
– Then there is more Code Access Security (developer’s), so the .NET assembly asks declaratively for a read permission to a resource file.
– Then there is the resource file, encrypted, of course, to store a Connection String.
– Then there is a connection to a database engine, with user/password challenge for authentication.
– Then there is database authorization, give access to a concrete database object.
– Then there is a query, that returns an encrypted column (lovely Yukon).
– Then there is a database-level encryption user key, using a password or passphrase provided by the user, so the executing assembly can read the column data.
– So the column data goes in clear to the assembly, which returns the information to the IIS to be returned to the human-being at the other side of the network. Of course IIS uses a HTTPS connection, beware of hackers
back to que question… Encrypt files or protect them from being read? or both? most important: why?