# Securing a CS:Govern Database ![](/files/bV66cgZUHAhsDBXbIqYV) ## How to Secure A CS:Govern Database **This article is about securing your CopyStorm data at the field level using CS:Govern, as well as recommendations on securing the target CopyStorm database. Fundamentally, the basic essential steps are the following:** 1. **Manage access to the Database. This is an action taken by the Database Administrator.** 2. **Manage access to specific fields within a table through users and roles. These are actions taken by the CopyStorm/CS:Govern user.** 3. **Remove all access to the Encryption Keys. This is an action taken by the Database Administrator.** **It is suggested that the customer use their own Security Standards and Knowledge to append and/or replace the basic Security Architectural Design offered in this article.** Securing a CS:Govern database is the process of ensuring that only database users granted rights by CS:Govern can access decrypted values of fields. For any user to be able to access decrypted data (where they have CS:Govern rights), execute access to a single function (per table with encrypted data) is required. * To access decrypted data in table “Contact” a user will need execute rights on the function *guardContact\_GET*(). * By default, CS:Govern grants public execute rights to all generated \_GET functions and hides others. * Each \_GET function enforces access policies set up by CS:Govern . * If a user accesses an encrypted field WITHOUT using the corresponding \_GET function, they will always get the masked value for the field. As an example of how to use the \_GET function (sometimes referred to as the *getter*) here is how one would include the Contact.Email field in a typical SQL SELECT statement (in this example we are using SQL Server): SELECT id, guardContact\_GET(id, ‘Email’, Email) FROM Contact; --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://learn.capstorm.com/cs-govern/best-practices/securing-a-csguardian-database.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.