Question : What is the best approach for 'indirect' access to secure data.

I have a secure SQL DB that contains user data that is needed for login authentication by a web app.  The web app is being developed by a third party, and we do not want to allow their app to authenticate login data with our secure DB directly.

What is the best approach to provide the authentication (verify the user is in our DB) without allowing a direct connection to our server and DB?  The only thing I can think of is to develop a Windows 'service' that would run all the time and look for inbound login request packets.  Then the 'service' would query the DB and return a 'pass/fail' packet for subsequent pickup by the web app.

I am sure there are a number of approaches, but I can think of only the one.

Answer : What is the best approach for 'indirect' access to secure data.

mdreed,

Alternatively, you could house the SPs on a separate server that has a connection to the target DB, and the SPs would, in effect, be using a separate connection string to get to the actual data.  However, at some point, the target database's data has to be accessed to some extent; otherwise, what's the point of the exercise?

If you take the Dev/Prod approach, the 3rd party developer doesn't know anything about the connections to the Prod database, even though they might know something about the Dev database connections.

For the specific example you cited, you can either house the basic merchandise information or the SPs to access that data (from the secured database) on a less secure database and still do the authentication (using the SP trick) from the main, secured database.
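The "SP trick" in the answer, worked through as an added example (not code from the original question or answer). It assumes SQL Server (T-SQL); the table `dbo.AppUsers`, the procedure `dbo.usp_VerifyLogin`, the login `webapp_login` and the user `webapp_user` are hypothetical names. The third party's login is granted EXECUTE on one procedure that returns a single pass/fail bit and nothing else; it is denied SELECT on the user table, so their app can verify a login without ever being able to read the user data.

```sql
-- Added example, not from the original post. Assumes SQL Server (T-SQL).
-- All object, login and user names below are hypothetical.

-- The secured table stores a per-user salt and a salted hash, never the plaintext password.
CREATE TABLE dbo.AppUsers (
    UserName     NVARCHAR(128)  NOT NULL PRIMARY KEY,
    Salt         VARBINARY(16)  NOT NULL,
    PasswordHash VARBINARY(64)  NOT NULL,   -- SHA2_512(Salt + UTF-16 bytes of password)
    IsActive     BIT            NOT NULL DEFAULT 1
);
GO

-- Constructed sample user for the demo (a real system would create users via its own tooling).
DECLARE @salt VARBINARY(16) = CRYPT_GEN_RANDOM(16);
INSERT INTO dbo.AppUsers (UserName, Salt, PasswordHash)
VALUES (N'alice', @salt,
        HASHBYTES('SHA2_512', @salt + CAST(N'correct horse' AS VARBINARY(512))));
GO

-- The only object the third-party app can touch. It returns pass/fail in an
-- OUTPUT parameter and never returns rows from dbo.AppUsers.
-- Because the procedure and the table share an owner (dbo), ownership chaining
-- lets the procedure read the table even though the caller has no rights on it.
CREATE PROCEDURE dbo.usp_VerifyLogin
    @UserName NVARCHAR(128),
    @Password NVARCHAR(256),
    @Result   BIT OUTPUT
AS
BEGIN
    SET NOCOUNT ON;
    SET @Result = 0;

    DECLARE @Salt VARBINARY(16), @Stored VARBINARY(64), @Active BIT;

    SELECT @Salt = Salt, @Stored = PasswordHash, @Active = IsActive
    FROM dbo.AppUsers
    WHERE UserName = @UserName;

    -- Unknown user, disabled user and wrong password all yield the same answer: 0.
    IF @Salt IS NOT NULL AND @Active = 1
       AND HASHBYTES('SHA2_512', @Salt + CAST(@Password AS VARBINARY(512))) = @Stored
        SET @Result = 1;
END;
GO

-- Weak setting (do NOT do this): the third party's login could read every user row.
-- GRANT SELECT ON dbo.AppUsers TO webapp_user;

-- Corrected setting: a dedicated, minimally privileged principal for the web app.
CREATE LOGIN webapp_login WITH PASSWORD = '<strong password here>';  -- placeholder
CREATE USER  webapp_user  FOR LOGIN webapp_login;
GRANT EXECUTE ON dbo.usp_VerifyLogin TO webapp_user;
DENY  SELECT  ON dbo.AppUsers        TO webapp_user;   -- explicit, belt-and-braces
GO

-- What the web app's connection (as webapp_login) can run: a pass/fail answer only.
DECLARE @ok BIT;
EXEC dbo.usp_VerifyLogin @UserName = N'alice', @Password = N'correct horse', @Result = @ok OUTPUT;
SELECT @ok AS LoginOk;   -- 1 = pass, 0 = fail
```

Two caveats a practitioner should keep in mind. First, SHA-512 with a salt is a fast hash; T-SQL has no built-in slow password KDF (bcrypt, PBKDF2, Argon2), so if the hashing must be stronger than this, it belongs in the tier that owns the secured database (the answer's intermediate SP/service server), with the procedure comparing the stored digest. Second, the DENY is not what protects the table here; it is the absence of any GRANT plus the fact that the caller only ever reaches the data through the procedure, so keep the procedure's contract minimal (one bit out) and resist adding "convenience" result sets to it later.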
