[Last Call] Learn how to a build a cloud-first strategyRegister Now

x
?
Solved

follow-up to secure data encryption / identity theft question

Posted on 2006-06-02
3
Medium Priority
?
348 Views
Last Modified: 2010-04-11
If my e-commerce site is hosted on Crystal Tech, or another service, in a shared environment, where or how can data be stolen and make us liable if we are using SSL from our website to the host to transmit personal information.  How can this e-commerce site be liable if SSL is used?  Some of this personal data will be transmitted from CT to our server via email.

I am only asking so I can give the client answers--I've already gotten the approval to use Authorize.net--still trying to figure out the 'pros' and 'cons' of using Authorize.net, if our website is not even on an in-house server?

Thanks.
twostep
0
Comment
Question by:texastwostep
3 Comments
 
LVL 9

Expert Comment

by:bigjimbo813
ID: 16820621
well email sent un-ecrypted is your weak point. Use PGP or another form of email encryption for the transfer of that sensitive data.
0
 
LVL 32

Expert Comment

by:jhance
ID: 16822862
Remember that SSL only protects the sensitive information while it's being communicated between the client web browser and the web server.  As soon as the data reaches the web server it is decrypted and vulnerable.  To be useful, you must store or re-transmit this data again.  That's usually the weak link in security.  If you store it, the store can be hacked and the data disclosed.  If you transmit it, the transmission can be sniffed or intercepted and again the data is disclosed.

In my opinion the best scenario is to immediately re-encrypt the data upon recept by the web server before you store or re-transmit it.  Many encryption schemes are possible but I prefer to use a public/private key scheme so that the de-cryption key is NOT anywhere to be found on the web server.  The data can then only be decrypted when it reaches the point of processing the data.  These days there are two main public key encryption schemes, Diffie-Helman and RSA.  Both are now publicly available since the patents have long since expired.  Both, assuming you use a long enough encryption key an avoid the use of a "weak" or easily-guessable key are cryptographically strong in today's world.  The biggest disadvantage to either of these schemes is the compute intensive encryption/decryption process.  This can make the processing of information slow and is one reason why PGP was developed.

The scheme used in PGP is a combination of RSA to encrypt the key and a symmetric algorithm (like DES or another) to encrypt the data itself.  This give the best of both worlds since as long as the key is safe, a symmetric algorithm (of which there are several to choose from) is strong.

For e-commerce you typically only have a small amount of data to encrypt (account numbers, name, address, etc.) and so the processing burden of RSA is not usually a big deal and so it's simpler to use it alone without having to to the whole PGP thing.

RSA and Diffie-Helman are both available on Windows platforms through the CryptoAPI.  PGP is not so you need to use a 3rd party library.  You can license it from PGP Corp. but it's quite expensive.  There are open-source implementations of PGP or PGP-like schemes out there.  The one I'm most familiar with is the GNU GPG.  See:

http://www.gnupg.org/
0
 
LVL 5

Accepted Solution

by:
kevinf40 earned 2000 total points
ID: 16841939
Hi twostep

As aluded to by jhance, the communication between the client browser and the webserver is only one piece of the puzzle....

Things to consider - where is data stored  -
- temp files
- log files (you'd be surprised how often data ands up here)
- database
- mail server
- file server etc

where is data transferred -
- web server - mail server
- web server to DB
- web server to application servers
- application servers to DB etc etc

anywhere sensitive information is stored or transported the security of that data must be considered.

If you are in a shared environment this means that there is potential for other unrelated busnesses to have access to your files or data on the network - you should be especially careful to ensure your data security covers the end to end process, not just the browser to web server communication.

cheers

Kevin
0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

With the evolution of technology, we have finally reached a point where it is possible to have home automation features like having your thermostat turn up and door lock itself when you leave, as well as a complete home security system. This is a st…
Ransomware - Defeated! Client opened the wrong email and was attacked by Ransomware. I was able to use file recovery utilities to find shadow copies of the encrypted files and make a complete recovery.
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
When cloud platforms entered the scene, users and companies jumped on board to take advantage of the many benefits, like the ability to work and connect with company information from various locations. What many didn't foresee was the increased risk…
Suggested Courses

834 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question