• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 497
  • Last Modified:

Sensitive information in non secured environment.

Hello friends,

Can you please let me know how critical it is to collect the Social Security number in non secured environment. I mean collecting the SSN in a webpage that has a web address starting with http.

Is this OK to to have this approoach or there is any standard to be followed to protect the sensitive information.

1 Solution
It is not recommended to accept such information over an unsecure connection.
It is recommended to use an https connection (which will encrypt the data
from the user to the server) and use a secure inaccessible database to store
the data - usually in encrypted form.

You can receive a free SSL certificate at www.cacert.org
you should try to avoid non secure way to collect sensitive information
also when using SSL ,try to use best encryption method to make the data secured and if possible protect user information off-line too
It would not be recommended.

You should read through the privacy act.
WEBINAR: GDPR Implemented - Tips & Lessons Learned

Join the WatchGuard team on Thursday, March 29th as we recount some valuable lessons learned in weighing the needs of a business against the new regulatory environment, look ahead at the two months left before implementation, and help you understand the steps you can take today!

Hi run2004

Encrypting all sensitive data both in transit (e.g. from client to web server, from web server to app server etc) and anywhere it is stored (e.g. Database) is the sensible option.

Precedent’s have been set in this regard with the FTC having charged companies with negligence where data has been lost that wasn't encrypted.

It's all about taking reasonable precautions to ensure that any customer data you hold is not easily available to malicious individuals.

You don't mention what other data you are requesting / storing - this also has bearing as the more uniquely identifiable information you collect the more critical the requirement for encryption becomes.  If no other customer data were ever collected and for some reason a system just used a social security number as a unique way of identifying it's users then this would actually hold little value as it would be difficult for a malicious person to link the SS number to anything else such as name and address - this is I suspect a somewhat unlikely scenario...

As a final note bear in mind that encryption is not a 'silver bullet' - the implementation around it is just as important as the actual algorithm used - follow best practices for the whole infrastructure - e.g. harden server O/S's, secure your web servers, ensure that simple gotchas are covered off (e.g. a new CTI solution planned to be implemented at my place of work would log customer data into text log files by default - now amount of transit and DB encryption would have blocked this gaping hole...)



Dear run2004,

Is any further assistance needed ?
If not please close the topic and assign
me the points.

Thank you

kaerez - a somewhat cheeky comment...
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now