When previous devs inside my company needed to store sensitive user data (for instance, medical records), they did the next. I doubt its merits.

  1. There's data considered "insensitive" (user login, profile info), and "sensitive" (user medical records).
  2. You will find three databases. Insensitive data in A, medical records in B, and also the mapping between A and B in C.
  3. A hacker must hack the 3 databases to tie customers (A) to medical records (B).

Our very own after sales code calls C to tie A and B data together for user display. I believe the ubiquity of the code invalidates the advantage of splitting databases: when the hacker accesses our bodies, he is able to call our logic.

What benefits of the aforementioned system shall we be held missing (or exist possible ways to secure such data)?

I'd state that when your system continues to be jeopardized and also the assailant is beyond the threshold with access, then your databases are only a matter of time. What it really is doing reaches least possibly stalling to burglar within their intent - however the cost (when it comes to maintenance, performance, project clearness and so forth) might over-shadow the advantages.

I am sure you will see sufficient information for any determined person to determine that X, Y and Z databases are linked - unless of course you obfuscate database names, table names along with other structural indications.

Ideally you ought to be searching to create the body impenetrable, other things beyond which are mitigations, the dealing with of signs and symptoms with neglect for that problem (that you have been used), which the trade-off should be considered distinctively towards the situation.

In my opinion and opinion, splitting the database like this can be a oddly contrived method of security which i find to become ingeniously silly.

In reaction towards the general question "is splitting databases the best security measure", isolation is actually a well-known, helpful tool for applying security. Be it benefits over-shadow its disadvantages (generally, additional complexity) is greatly situation-specific and I'm not sure the solution inside your system's situation.

Suppose for instance that somebody desired to build an statistics application on the top of the data. It might be very helpful to achieve the mapping data completely from the picture. When the statistics application is breached, the mapping details are not in danger.

Reacting with a comments below, even just in your system's specific situation, it isn't a formality that "breaking the machineInch comes down to breaking all databases at the same time. Guess that an assailant exploits a SQL injection vulnerability inside your application. When the mapping information is separate and hardened (extra controls on code that accesses mappings, say), then isolation could possibly be the distinction between subjecting unassociated data and connected data.

Not quarrelling that it's a good design for the system. Just attempting to explain different types of rationale that may get into this.

I am utilizing the same isolation strategy inside a similar situation. The "databases" during my situation are configuration databases. All the preprod configuration gets into one repo and also the production config gets into another repo. All designers have the preprod repo, only release engineers have the push repo. The explanation is the fact that I would like defense thorough: as i could certainly implement access controls around the individual repo folders, I'd rather result in the production config simply network-unreachable to any or all unauthorized staff.