how to secure data and update data in an application deployed to another entity?

Question

I have developed a VB.Net application with SQL Server carrying the data.

This application will be deployed to another business. The application allows the user to generate base and adjusted fees, output in a PDF document. The application interacts with Microsoft Office.

I want the base fees to be protected. The user can adjust their fees through the application interface, but the base fees are to always be specified by me with occasional updates.

-Is there a way to secure SQL Server at their location so even their DBA cannot change data?

-What is the cleanest way to send new data to their installation?

My idea on this was to send a small password protected, time-stamped Access database with the current values. The application would then load the Access fields to the SQL Server database on application startup.

Is this a bad idea?

Answer 1

Is there a way to secure SQL Server at their location so even their DBA cannot change data?

No. If a user has physical access to the data, they can modify the data. Even if you were able to store the database using some kind of full disk encryption scheme or something like that, your application has to read it somehow.

What is the cleanest way to send new data to their installation?

I have to concur with @RB. above. Either store the data in machines that you control and have some kind of client/server model, or have your application check for the new values once every few hours or once a day or something like that.

Of course, it is possible to intercept and modify data going over the wire too, so if the data is stored on the customer's machine your updates could be just as toast.