Access & Navigating IT departments - career advice needed

  • Question


  • Greetings all.  I'm seeking advice on how to navigate IT departments who are dismissive of, unfairly demonize and disallow use of Access.  One specific question I have is whether there exists any sort of way I can get some sort of "Microsoft approved secure" designation for applications built using Access.

    Here is my bigger story.  I am a software engineer and department manager with a Masters Degree in Computer Science (from 1990), 25 years running a software business with applications built in Access, and extensive experience building applications that have automated a university department.  In my current job, I am in the process of automating another department.  The work I have done has transformed the ways these departments do work, and I have won awards attesting to this fact.

    Many years ago at the start of my career I wanted to start my own business writing software to automate jewelry stores.  I started building an application using dBase.  But then I read that Microsoft was coming out with a Windows-based relational database system.  I stopped the dBase development and bought MS Access the day it came out, and have literally been using it ever since.  I have created and implemented serious software development methodologies within the Access platform (VBA, version control, split dashboards/data with ODBC connection to MySQL and SQL Server backends, etc).  I design my applications very conscious of security -- I use compiled accde versions of the program, I password-protect and encrypt, and am always aware of what I am doing and the security ramification and code accordingly.  

    Since leaving my own business and starting to work in a large, university setting, I have hit the unfortunate experience of IT departments, when learning what I am doing at department levels, saying from the very top "there shall be no use of MS Access, it is insecure" .. and then they do not take the time and have the curiosity to speak with me and see all the measures I have taken to keep things secure and the value my applications bring to the table.   They just say 'not allowed'.

    I have learned that IT departments' bias against MS Access has much to do with the way Microsoft markets the product: using MS Access regular office staff can create their own databases.  Then human resource departments give office staff a 1/2 - 1 day training course in Access.  They go back to their offices and try to build something... it might work for a little while, but inevitably they hit something where they get stuck.  Because -- let's face it -- building relational databases can get very conceptually difficult and it is not the sort of undertaking that a typical office staff member is equipped to do.   When they get stuck, they call IT departments, and IT gets very upset with Access since they do not feel this should be their job -- and then they say things like Access is not allowed.  Plus, they make blanket statements declaring Access "insecure" without looking at the specifics of how I have things architected, making the chance of any security problems infinitesimally small.

    As you can imagine, this has really roadblocked my career.  I have been using Access since the day it came out in the early 90s and I'm probably one of the best in the world at knowing how to use it.  But I am repeatedly trying to navigate the resistance of IT.

    I would love to hear the experiences of others and what was done to counter this sort of resistance.

    Thank you,

    Alyssa Siegel

     


    Monday, December 16, 2019 2:04 AM

All replies

  • Welcome to every Access developer's nightmare.  I'm sure you know several ways to secure an Access application. Create a sample, secure it and tell the IT department to hack it without cheating (i.e. using an IT admin account that has more permissions than God). If they can't, you've proven your point. If they can, you've got some more learning to do.

    My basic method for securing an app is to use SQL Server back end and trap the user's Active Directory username in the front end. If I haven't added that username (encrypted, of course) to the user table, that user is kicked out. Even if the user can get around my front end security they can't get to the data because they can't get past the SQL Windows Authentication.


    Bill Mosca
    https://wrmosca.wordpress.com/
    https://groups.io/g/MSAccessProfessionals

    Monday, December 16, 2019 5:12 PM
  • If you do need more ideas for making a database as secure as possible, you may find this article and the associated links useful: "Improve Security in Access Databases"
    Monday, December 16, 2019 5:31 PM
  • I can’t offer much, but what I often do suggest and say is that we are not using Access for the database, but SQL server run by the IT department. So daily backups, security is managed by the IT department, and we are not using Access to save or store data.

    So I point out that we are not using Access as a database anymore. It’s only a developer tool, and like a web site or any other desktop program, the database is SQL server, and thus the security of say an accounting package, or Access is the same.

    So, I tend to stress that one is not using Access the database anymore. This tends to “help” your case a lot.

    So, anytime you encounter some IT department saying that Access is not secure, simply state that you have not been using Access as “the” database system for years and years. So what would be the problem then?

    This then turns the conversation around. You are simply installing some program, but no one is suggesting to use Access as a database. You can state you have not done that for years.

    So you are just using some program like the accounting package, or CRM system or whatever.

    So, I can’t help too much, but simply frame in all conversations and when using the term database, ensure that you always state the only database you are using is SQL server.

    So if they say Access is a bad idea, simply state that you have not used Access as a database for years and years.

    State that the ONLY database you are using is SQL server which is managed by the IT department, and it’s safe and secure, and backed up nightly.

    I mean, if the IT department does not know the difference between an application and a database, then how can they offer advice on the matter?

    Flat out state that you don’t use Access as a database. In fact the instant you use SQL server etc., then you are NOT using Access as the database here at all.

    Pulling data in to an Accounting package, Excel or Access is thus no different.

    So, turn the tables here, and argue that you’re not using Access as a database, and security is an issue of SQL server, not Access.

    Regards,

    Albert D. Kallal (Access MVP 2003-2017)

    Edmonton, Alberta Canada

    Monday, December 16, 2019 7:57 PM
  • Bill,

    Thanks so much.  I will absolutely consider your advice and let you know how it goes.  In my last gig I worked in a math department with some of the most prestigious brains in the world, and I tried the "here ya go try to hack this" approach -- but the mathematician I was working with specifically started in with "that wouldn't prove anything because theoretically it could still happen..." and he wouldn't even give it a shot.  As if the secretaries are sitting there formulating SQL injection queries that wouldn't get past the access front-end anyway... It was kind of insane.  It's more like they don't want to go near what they don't understand and need to make this sort of sweeping generalization.  I'm very glad to see I am not alone.  Will keep you posted.  Thank you again for your advice.

    Alyssa

    Wednesday, December 18, 2019 12:48 PM
  • Thank you very much -- I will be sure to check it out.

    Alyssa

    Wednesday, December 18, 2019 12:49 PM
  • Albert,

    Great advice, thank you.  I have tried things similar to what you suggest, but find that even getting the high-level IT execs to be open minded enough to have the conversation with me is problematic...  it is very political.

    The good news for me is that now I am working closely with some who understand my cause and may help break through this.   I'll keep you all posted.  Again thank you for your great advice.

    Alyssa

    Wednesday, December 18, 2019 12:57 PM
  • Unfortunately the applications that most IT professionals see are the ones that are designed, like you say, by someone who's taken a half day course and has created some monolithic atrocity that they want to put on a file server for everyone in the department to use.  It's a network hog because all the data and program logic are in a single file and it can be corrupted or even deleted altogether by anyone that has access to use it. I've also been doing Access since v 2.0 and have not only seen many apps like these, I even developed a couple such horrors myself early on.

    What IT pros often don't see are the applications that are professionally designed and use SQL Server or Oracle or Cache or whatever enterprise scale database engine that has an ODBC connector as a back end.  These applications are as secure and scalable as applications designed using *any* other tool because if you've done it right, the security and scalability is all handled in whatever back end database engine you choose to use.  As a bonus, with Access you have a tool where the end user can do their own ad hoc queries or produce their own nice printed and formatted reports if they want. 

    In our institution everyone has the Office suite and everyone has Access.  Distributing an application that has all of these features is as simple as giving them proper permissions to a database on a SQL server and handing them an .mdb or .accdb file.  I am not aware of another application development solution that is as robust, simple, and secure.

    -Bruce

    Wednesday, December 18, 2019 4:52 PM
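The back-end arrangement that Bill Mosca's and Bruce's replies describe (Windows Authentication, an allow-list of usernames, and permissions granted on the SQL Server side), written out in T-SQL as an added example that is not code from any poster. The domain `EXAMPLE`, the group, schema, role, table and view names are all hypothetical, and the allow-list stores the login name in plain text.

```sql
-- Added example; every object name below is a hypothetical placeholder.
-- Run by a DBA in the application's database (SQL Server 2012 or later).

-- 1. Windows Authentication only: the login is an AD group, so no SQL
--    password is stored in the Access front end or its linked tables.
CREATE LOGIN [EXAMPLE\DeptAppUsers] FROM WINDOWS;
CREATE USER  [EXAMPLE\DeptAppUsers] FOR LOGIN [EXAMPLE\DeptAppUsers];
GO

-- 2. Base data and the per-user allow-list live in dbo; the front end
--    is never granted anything on this schema.
CREATE TABLE dbo.Record (
    RecordId int IDENTITY PRIMARY KEY,
    Detail   nvarchar(200) NOT NULL
);
CREATE TABLE dbo.AppUser (
    LoginName sysname NOT NULL PRIMARY KEY,   -- e.g. EXAMPLE\asmith
    IsActive  bit     NOT NULL DEFAULT 1
);
INSERT INTO dbo.AppUser (LoginName) VALUES (N'EXAMPLE\asmith'); -- constructed
GO

-- 3. A separate schema, owned by dbo so ownership chaining applies,
--    holds the only objects the front end may touch.
CREATE SCHEMA app AUTHORIZATION dbo;
GO

-- 4. The view returns rows only when the connecting Windows account is
--    on the allow-list. ORIGINAL_LOGIN() is the individual account even
--    when access comes through group membership. The check runs on the
--    server, so it still holds if the front end is bypassed and the
--    tables are linked from a blank .accdb or from Excel.
CREATE VIEW app.RecordForUser
AS
SELECT r.RecordId, r.Detail
FROM dbo.Record AS r
WHERE EXISTS (SELECT 1
              FROM dbo.AppUser AS u
              WHERE u.LoginName = ORIGINAL_LOGIN()
                AND u.IsActive = 1);
GO

-- 5. Least privilege: one role, SELECT on the app schema, nothing else.
CREATE ROLE app_frontend;
ALTER ROLE app_frontend ADD MEMBER [EXAMPLE\DeptAppUsers];
GRANT SELECT ON SCHEMA::app TO app_frontend;
GO
```

The Access front end then links `app.RecordForUser` over ODBC with a trusted connection; an account that is in the AD group but not active in `dbo.AppUser` connects successfully and gets zero rows.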
  • Bill,

    Thanks so much.  I will absolutely consider your advice and let you know how it goes.  In my last gig I worked in a math department with some of the most prestigious brains in the world, and I tried the "here ya go try to hack this" approach -- but the mathematician I was working with specifically started in with "that wouldn't prove anything because theoretically it could still happen..." and he wouldn't even give it a shot.  As if the secretaries are sitting there formulating SQL injection queries that wouldn't get past the access front-end anyway... It was kind of insane.  It's more like they don't want to go near what they don't understand and need to make this sort of sweeping generalization.  I'm very glad to see I am not alone.  Will keep you posted.  Thank you again for your advice.

    Alyssa

    Thursday, December 19, 2019 3:42 PM
  • Yes Bruce, absolutely!  One day I will write my memoirs about what I just accomplished in the last 4 years in a university math department... totally to your point and more twists and turns trying to navigate IT and math faculty (who were in denial that what I had built *should* be possible without being insecure etc..).  Good to know I am not alone.

    Also nice to meet another 2.0 person!  One of the things in my career I'm most proud of was building a program that was able to convert Access 2.0 applications to Access 2013...  it was necessary because I had many users still on 2.0 and I hadn't kept up with all of the incremental Access upgrades.   

    Best

    Alyssa

    Thursday, December 19, 2019 3:52 PM
  • As a consultant, I see both very helpful IT departments and IT departments that are opposed to anything Access related.  What I learnt long ago was there is nothing to be gained trying to argue with them.  Don't waste your time.   Instead focus your energies on building a case to present management.  Be sure to demonstrate the $$$$ your solution saves (that also means time savings).  It's always good to include comparables (Access costs 5000$ vs some other solution 50000$ type of thing).  With that in hand, management will take care of getting IT onboard and you haven't burnt your bridges by arguing with the IT personnel. Decisions like what tools to use have to come from management, concentrate your efforts there.

    You can also provide management with details of the steps you would like to implement to secure the Access database.

    But don't try to explain things to IT, you're wasting your time, unless they ask you and are trying to work with you (such IT departments do exist and are a pleasure to collaborate with!!)

    Good luck.


    Daniel Pineault, 2010-2019 Microsoft MVP
    Professional Support: http://www.cardaconsultants.com
    MS Access Tips and Code Samples: http://www.devhut.net

    Thursday, December 19, 2019 3:57 PM
  • Daniel,

    This is excellent advice.  Thank you.  (And my apps don't really even require access for the users since they can download MS's free runtime engine.  So can even make the case for no cost other than database + my own development environment)

    Thanks so much

    Alyssa

    Thursday, December 19, 2019 4:06 PM