Rasterman

[web] Your company financial data on a 3rd party webserver


I have hosted my own server for 10 years and want to move to shared hosting or a VPS. My main concern is having all of my order history on a server that admins of the host will have access to. Is there a way to protect my company financial and customer data? Should I be worried about this?

If you store it on a third party server and need to view it from that server, e.g. from a web app, remember that you would need to decrypt it there, so all necessary info to decrypt it will be there anyway and this will only be a minor fly in the ointment to any intruder. Consider encrypting the info using a user's SSL fingerprint hash as a salt or such, so that even if a hacker gains access to the database the info within is useless without also having a specific SSL certificate file, which you can distribute to a subset of trusted employees (e.g. accountants and director) - would this be of use?

Um, SSL certs are installed on the server end so they're "available" to everyone, technically. However, you should definitely implement some sort of user authentication/authorization scheme. If you can't afford to utilize physical RSA tokens you could set up a random code that gets generated every day and then made available to the appropriate managers, who can then dole them out as needed via paper or somesuch, so a user would need their own personal login credential as well as this code to log in. That should make it relatively secure. But yes, force ALL interactions with this server to be done over SSL. I just didn't go into this kind of explanation in my first post because you mentioned already having had a server but are wondering about hosting it on a 3rd party server, so you *should* already have something like this in place.

Well, you wouldn't give the certs to people via the internet. The best way to do this would be to meet in person, giving them a CD or USB stick or such with the certificate file on it.

Failing that, you can have them generate their own certs, have them tell you just the fingerprint ID of their generated cert (over Skype or such), then use a combination of all the fingerprints as the encryption key of your data.

Of course this means that if an employee leaves you have to revoke their cert and then re-encrypt all the company data either without their key, or with a new key of the new starter.

Maybe that's going a bit overboard though... :rolleyes: after all, they must install that certificate into their web browser, and if their PC is infected with a trojan the certificate files may be taken, and *maybe* the password could be brute-forced from the certificate, so in the end it would all count for squat.

[quote name='braindigitalis' timestamp='1306952929' post='4818386']
Well, you wouldn't give the certs to people via the internet. The best way to do this would be to meet in person, giving them a CD or USB stick or such with the certificate file on it.

Failing that, you can have them generate their own certs, have them tell you just the fingerprint ID of their generated cert (over Skype or such), then use a combination of all the fingerprints as the encryption key of your data.

Of course this means that if an employee leaves you have to revoke their cert and then re-encrypt all the company data either without their key, or with a new key of the new starter.

Maybe that's going a bit overboard though... :rolleyes: after all, they must install that certificate into their web browser, and if their PC is infected with a trojan the certificate files may be taken, and *maybe* the password could be brute-forced from the certificate, so in the end it would all count for squat.
[/quote]
My SSL comment was more about a man-in-the-middle attack where someone is sniffing packet data. They could easily intercept the cert verification info and be able to "be you."

Surely they cannot intercept the certificate validation. To do so would be a flaw in the SSL protocol so vast that it would make all SSL authentication by client certificate completely useless.
I am referring to proper Diffie-Hellman style key exchange that is at the lowest level of the SSL protocol; client and server certificates are exchanged in the same way and validated in the same way. Therefore if they were able to man-in-the-middle your client cert they could do the same to the server cert, making it completely pointless :-)

Here is a page documenting what I mean and why it is as secure as you'll get, and avoids all issues of writing risky encryption and authentication yourself: http://it.toolbox.com/blogs/securitymonkey/howto-securing-a-website-with-client-ssl-certificates-11500

Thanks for the discussion guys, I need to explain some more: my customer data on my server is name, email, address, order amount, products bought, etc. What I don't want is anyone other than myself having access to this data; I am mainly concerned with financial data (the total sales history of my products). The issue I have is that customers can request their registration code or change their email in my system, so I can't remove the data that is old, or encrypt it, because it would need to be encrypted/decrypted with each database query, wouldn't it, if that is even possible? Even so, the encryption keys would need to be on the server, and if they have access to the server they have access to the keys.

One idea I had is to simply remove all of the dates and price information from my database on the server, and keep a database with the dates locally, then do a sync every month or so removing the older dates on the server. This wouldn't remove all of my historical sales data but would remove two important factors, timing and pricing.

I'm not really _that_ worried about it, but would like to protect it if possible.

[quote name='Rasterman' timestamp='1307333267' post='4819972']
Thanks for the discussion guys, I need to explain some more: my customer data on my server is name, email, address, order amount, products bought, etc. What I don't want is anyone other than myself having access to this data; I am mainly concerned with financial data (the total sales history of my products). The issue I have is that customers can request their registration code or change their email in my system, so I can't remove the data that is old, or encrypt it, because it would need to be encrypted/decrypted with each database query, wouldn't it, if that is even possible? Even so, the encryption keys would need to be on the server, and if they have access to the server they have access to the keys.

One idea I had is to simply remove all of the dates and price information from my database on the server, and keep a database with the dates locally, then do a sync every month or so removing the older dates on the server. This wouldn't remove all of my historical sales data but would remove two important factors, timing and pricing.

I'm not really _that_ worried about it, but would like to protect it if possible.
[/quote]
If you want to control the access of data to just yourself then what braindigitalis proposed would work well for just restricting access to the data. I wonder why you think you can't encrypt the data. Just because the email address field changes its value doesn't necessarily mean the encryption keys change. So, is this server a repository or something that customers access by placing an order on your system?
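As an added example (not code from anyone in this thread) of the split braindigitalis and this reply are describing: the hosted row keeps the lookup fields (email, product) in the clear so customers can still change them, while the price and date columns are sealed under a data key that the host only ever sees wrapped, one copy per trusted certificate holder. It goes a step past the thread by wrapping the key per holder rather than combining every fingerprint into one key, and assumes constructed certificate fingerprints and a stdlib HMAC-based cipher standing in for a real AEAD.

```python
import hashlib
import hmac
import json
import secrets

# Demo cipher: HMAC-SHA256 counter keystream plus HMAC tag (encrypt-then-MAC), stdlib only.
# In production use a vetted AEAD such as AES-GCM (e.g. the `cryptography` package) instead.
def _sub(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    blocks = (len(data) + 31) // 32
    stream = b"".join(_sub(key, nonce + i.to_bytes(4, "big")) for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(_sub(key, b"enc"), nonce, plaintext)
    return nonce + ct + _sub(_sub(key, b"mac"), nonce + ct)

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(_sub(_sub(key, b"mac"), nonce + ct), tag):
        raise ValueError("wrong key or tampered ciphertext")
    return _xor_stream(_sub(key, b"enc"), nonce, ct)

def holder_kek(cert_fingerprint_hex: str, salt: bytes) -> bytes:
    """KEK for one trusted employee, from the fingerprint of the client cert they hold (constructed)."""
    digest = bytes.fromhex(cert_fingerprint_hex.replace(":", ""))
    return hashlib.pbkdf2_hmac("sha256", digest, salt, 100_000)

def wrap_dek(dek: bytes, holders: dict) -> dict:
    """One wrapped copy of the data key per holder; the host stores these, never the bare DEK."""
    return {name: seal(kek, dek).hex() for name, kek in holders.items()}

def unwrap_dek(wrapped: dict, name: str, kek: bytes) -> bytes:
    return unseal(kek, bytes.fromhex(wrapped[name]))

SECRET_FIELDS = ("price", "date")  # the columns Rasterman wants kept off the host
def to_hosted_row(order: dict, dek: bytes) -> dict:
    """Row as stored on the third-party DB: lookup fields stay clear, finance fields are sealed."""
    row = {k: v for k, v in order.items() if k not in SECRET_FIELDS}
    row["sealed"] = seal(dek, json.dumps({k: order[k] for k in SECRET_FIELDS}).encode()).hex()
    return row

def from_hosted_row(row: dict, dek: bytes) -> dict:
    """Run only on a holder's own machine: the DEK never has to live on the host."""
    order = {k: v for k, v in row.items() if k != "sealed"}
    order.update(json.loads(unseal(dek, bytes.fromhex(row["sealed"]))))
    return order
```

Revoking a holder still means rotating the DEK and re-sealing, as braindigitalis notes, because the leaver had the unwrapped key. And as Rasterman points out, any server-side code that must read the sealed columns per request would need the DEK on the host, which defeats the purpose, so only the holders' own clients decrypt.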

If you don't trust the admins don't use their services. There is no technological way to protect your database from the root user.

[quote name='krez' timestamp='1307371420' post='4820092']
If you don't trust the admins don't use their services. There is no technological way to protect your database from the root user.
[/quote]

Seconded!

I think you are worrying too much. Bear in mind that most hosting companies will have hundreds, if not thousands, of servers, with multiple clients on each one. I'm sure the admins have better things to do than look through everyone's database looking at their financial details.

You may as well keep all cash you receive under your mattress to stop the bankers looking through your accounts and seeing how much you make...

[quote name='gavco98' timestamp='1307437181' post='4820437']
[quote name='krez' timestamp='1307371420' post='4820092']
If you don't trust the admins don't use their services. There is no technological way to protect your database from the root user.
[/quote]

Seconded!

I think you are worrying too much. Bear in mind that most hosting companies will have hundreds, if not thousands, of servers, with multiple clients on each one. I'm sure the admins have better things to do than look through everyone's database looking at their financial details.

You may as well keep all cash you receive under your mattress to stop the bankers looking through your accounts and seeing how much you make...
[/quote]
That's a fairly naive outlook, honestly. Why do they care? There are several reasons why they might meddle in his data. They could sell it to his competitors, hold it hostage, use it against him in a competing business of their own, etc. Corporate espionage is a serious matter. The recent RSA hacks give a clear indication of what lengths people will go to in order to get access to data, including hacking military systems. What makes his company special? None of us know, but it shouldn't just be discounted. I'm just putting this out there as a general warning to not take it lightly. Data security is one of my personal soapboxes because I have the belief that if a company asks for and stores certain data they should be accountable to take reasonable measures to protect that data, and if they don't have the means to protect said data then they shouldn't ask for it or store it in any form. I was the principal developer for a company's e-commerce platforms, and management liked to generally play fast and loose with data security, and it was my job to make sure proper protections were in place. As far as I know we were never hacked in over a decade, and their sites did millions per year in transactions and there were attempts, so it's not like hacking groups didn't notice us. Fact is, when it comes to financial data, doing everything short of locking the data in a vault, then encasing that vault in concrete, followed by placing that in a bomb-proof steel enclosure, is a "reasonable" measure.

I would be more worried about all of the hackers out there now and not the administrators. Worry about protecting people from the outside, not the inside. For instance, take a look at what LulzSec has been up to.

I am not sure what you do or what kind of customer data you have, but I assure you they would go after big dogs before they touched you. What would the incentive be? The saying I always heard was "anything can be cracked, but is your data worth their time?" I'm not saying you shouldn't be worried or you shouldn't protect your IP, but I am saying not to stress over it too much.

Think of it this way too. They have administrators who do nothing but take care of your hardware, software, etc. They will keep it patched and well protected on their end. That is their company at stake and they don't want to be all over the news as the company who leaked 1,000,000 records. You take care of what you need to and they will take care of what they need to.

Don't stress over it.

Over half of the data breaches in the past few years have involved insiders (sometimes in collaboration with outside hackers and other criminals).

But security is a trade-off. The cost of better security (in money and work / time) gives diminishing returns, and at some point it isn't worth it anymore. So don't leave everything out in the open, but you have to figure out how much time and money is reasonable to protect your data sufficiently. You will never be 100% secure, but hopefully you can do a good enough job that nobody finds it worth the time and money to beat you. So don't store unencrypted credit card info or SSNs, and don't taunt Anonymous :)

Perhaps you should inquire about the security protections in place at whatever hosts you are considering, and bring up your concerns with them.

[quote name='Rasterman' timestamp='1306770239' post='4817549']
I have hosted my own server for 10 years and want to move to shared hosting or a VPS. My main concern is having all of my order history on a server that admins of the host will have access to. Is there a way to protect my company financial and customer data? Should I be worried about this?
[/quote]
As an illustrative example, Netflix is hosted on Amazon Web Services. If you are not working on top secret things and choose a reputable host, you will be fine.

Being a web developer (hi), whenever we do anything that requires customer data we do the following.

1. Have a static server that is meant just for that data. You can use a VPS, a Dedi or a shared; really it does not matter.
2. Have a separate server that connects to that data only. The best way is VPS to VPS or dedi to VPS, etc. If you are working with a shared information server you run the risk of not being able to connect to it.

We usually work with people using Windows, so it's easy to set it up so that without being logged into that server you cannot connect to the other server. If that didn't make sense, then imagine a remote SQL server where the only host that can connect to it is the host you define. We do it this way so that you have to know what you're doing with our products on one server to get to the other server, and also so that if someone injects into or XSSes the main host it won't pull up the information, since the validation won't be there from the main server.

-Mayple
