Safest Method for Communicating Data to Web Server?

What is the most secure and safest method for communicating data to a web server? We are considering using a 3rd party web hosting vendor and application that will require a daily transmission of sensitive data from our internal network server. Can you provide me with some suggestions on how we can secure this data? The volume of data is very small. What is the best protocol to use? SOAP? XML? SSL? Web Service? Any suggestions would be appreciated.
Hojoformo asked:

jhance commented:
Install an SSL server certificate and use HTTPS to upload your data to the web server. While you could certainly use other schemes, since this is a web server to start with, HTTPS using SSL is its native tongue for encryption.
ppfoong commented:

You mean, you want to transmit the data FROM your internal server TO the hosted web server.

If you can use SSH, then SSH-based protocols such as SCP and SFTP can be used.

If you want to transmit with a web form on the web server, SSL is a good choice, provided your hosting supports HTTPS.

Whichever way it is transmitted, the most secure and safest way is to keep the data in encrypted form. Then even transmitting it in plain form is still OK. If the data is transmitted in a safe form but stored on the web server in plain form, it is still not secure.

You can make use of the mcrypt functions to encrypt and decrypt your data. If you are using PHP on the web server, mcrypt is one of the supported modules.

gtkfreak commented:
SSL is the choice for secure web browser to server communications. You can get certified by Verisign or any other third-party CA. Your web clients can therefore be assured that they are communicating with your web server. Also, all traffic using SSL will be encrypted.

Another way is to generate your own certificate using openssl. But this will not be as trustworthy as using Verisign or any other third-party CA.

ahoffmann commented:
> .. require a daily transmission of sensitive data from our internal network server.
I'd vote for ssh too, 'cause you only need to push the data.
If you do it by SSL, you have to configure your web server to allow it too (CGI, WebDAV, etc.).
jhance commented:
>>But this will not be as trustworthy as using Verisign

That sounds like Verisign marketing baloney. If this is just _you_ doing the uploading, then "trust" is not the issue and a self-made CA is perfectly secure. Trust and security are two different things.

The "trust" associated with an SSL cert has to do with 3rd parties trusting YOU. Having a cert from a reputable CA means, in theory at least, that THEY vouch for who you are. So if you trust the CA, you trust anyone they issue a cert to implicitly.

But for "in-house" use, you (obviously) trust yourself, and so a self-made cert is perfectly safe, since CA-generated certs and self-made certs use the same level of encryption.
jakosysadmin commented:
Hojoformo, please give the gentlemen here some information about your computing platform (including web server and database engine) so that we can make more precise and more suitable suggestions.

Otherwise my gut feeling is that you've gone the M$ way and might feel awkward implementing cygwin and sshd on your hosted server.
Hojoformo (author) commented:
Thanks everyone for the quick response. Here is a little more information about this request. The 3rd party company we are looking at informed us the data is to be accessible from the data source via an XML web service which receives a single variable ("sessionKey") which uniquely identifies the customer and recorder. This customer-side (our side) web service should accept GET, POST or SOAP-formatted requests from the 3rd party application server and return the XML in the format specified herein.

This is a two-way communication. First they call our server for authentication using the sessionKey, then if authenticated, we will transmit data back to them (very small volume of data but sensitive data). Our platform is Windows NT server 2000.

So it sounds like we are limited to using either GET, POST or SOAP. SOAP I understand is the better choice. Any suggestions or should we be concerned?
jhance commented:
Regardless of GET, POST, or SOAP, the data itself can still be encrypted/protected using the HTTPS vs. HTTP protocol. As mentioned, you will need a SERVER CERTIFICATE. If this is strictly PRIVATE (i.e. only you and a select few others) access then a self-made certificate will be adequate. If access is public, however, you may want to use a certificate from a well-known CA like Verisign, GeoTrust, Thawte, etc.
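jhance's point in the two posts above, that a self-made certificate encrypts the connection exactly as well as a purchased one and that "trust" is only about who else will accept it, can be shown end to end. The following Go program is an added example written for this page; it is not code from the thread or from any poster, and it uses Go's standard library rather than anything on the Windows 2000 platform the asker describes. It assumes a loopback HTTPS endpoint at a hypothetical /upload path, a placeholder certificate name, and a constructed sample record. The server generates its own certificate in code (the equivalent of making one with openssl); a client that has been handed that certificate uploads the XML successfully, while a client whose trust store lacks it is refused during the handshake even though the wire encryption is identical in both cases.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"strings"
	"time"
)

// selfSignedCert creates the server key and certificate locally, the in-code
// equivalent of generating one with openssl rather than buying one from a CA.
func selfSignedCert() (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "upload.example.internal"}, // placeholder name
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},              // the demo listens on loopback
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, _ := x509.ParseCertificate(der) // cannot fail: this DER was just produced above
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf, nil
}

// startUploadServer is the hosted side: an HTTPS endpoint on loopback that accepts the
// daily POST and replies with how many bytes it stored. It returns the URL, the
// certificate an in-house client should trust, and a function that stops the server.
func startUploadServer() (string, *x509.Certificate, func(), error) {
	tlsCert, leaf, err := selfSignedCert()
	if err != nil {
		return "", nil, nil, err
	}
	mux := http.NewServeMux()
	mux.HandleFunc("/upload", func(w http.ResponseWriter, r *http.Request) {
		body, err := io.ReadAll(io.LimitReader(r.Body, 1<<20)) // the volume is small; cap it anyway
		if r.Method != http.MethodPost || err != nil || !strings.HasPrefix(string(body), "<") {
			http.Error(w, "expected a POSTed XML body", http.StatusBadRequest)
			return
		}
		fmt.Fprintf(w, "stored %d bytes", len(body))
	})
	cfg := &tls.Config{Certificates: []tls.Certificate{tlsCert}, MinVersion: tls.VersionTLS12}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	if err != nil {
		return "", nil, nil, err
	}
	srv := &http.Server{Handler: mux}
	go srv.Serve(ln)
	return "https://" + ln.Addr().String() + "/upload", leaf, func() { srv.Close() }, nil
}

// upload POSTs the XML over HTTPS and returns the server's reply. The client's trust
// store holds only the certificate passed in; with nil it trusts nothing, so the
// handshake fails even though the server encrypts exactly the same way in both cases.
func upload(url, xmlBody string, trusted *x509.Certificate) (string, error) {
	pool := x509.NewCertPool()
	if trusted != nil {
		pool.AddCert(trusted)
	}
	tr := &http.Transport{TLSClientConfig: &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}}
	client := &http.Client{Timeout: 5 * time.Second, Transport: tr}
	resp, err := client.Post(url, "text/xml", strings.NewReader(xmlBody))
	if err != nil {
		return "", err // untrusted cert: "x509: certificate signed by unknown authority"
	}
	defer resp.Body.Close()
	reply, err := io.ReadAll(resp.Body)
	if err != nil || resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("%s: %s", resp.Status, strings.TrimSpace(string(reply)))
	}
	return string(reply), nil
}

func main() {
	url, cert, stop, err := startUploadServer()
	if err != nil {
		panic(err)
	}
	defer stop()
	body := "<record><sessionKey>EXAMPLE-KEY</sessionKey></record>" // constructed sample record
	fmt.Println(upload(url, body, cert)) // stored 53 bytes <nil>
	fmt.Println(upload(url, body, nil))  // empty reply plus the verification error
}
```

The design choice worth noticing is the client's trust store: it contains exactly one certificate, the one the server made for itself, rather than the system's list of commercial CAs. That is what "you trust yourself" means in practice, and it is also why the second call fails: the public CA list is not consulted at all, so a certificate it does not contain is rejected before any data is sent. A real deployment would distribute that certificate to the in-house client once and pin it the same way; the rejection shown by the server for a non-POST or non-XML body is the minimal input check the "accept GET, POST or SOAP" requirement in the thread would need to extend.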

Rich Rumble (Security Samurai) commented:
Right, XML by default is plain text, but can be encrypted via HTTPS, SFTP, SCP/SSL. SOAP is also plain text, typically over HTTP, but can be used over HTTPS:
http://en.wikipedia.org/wiki/SOAP
Also, GET and POST are simply HTTP commands/actions/requests (also FTP).
Sounds like you're already going with this 3rd party.

Personally I prefer off-site storage services that house our backup data: we give them a backup tape each day, week, month, whatever the schedule, and they store it off site in fireproof vaults etc. These same companies allow you to SCP smaller amounts of data to them, and they back up the data you send and store it on a tape for you. Iron Mountain is one such vendor; there are dozens of others. You never know what you're really getting, so it may be prudent to encrypt the data before sending it; you can use 7zip, WinZip, WinRAR, TrueCrypt and many others to do this.

Depending on the industry you're in, healthcare, or simply a publicly traded company, you may need to take some extra steps in securing and retaining that data. HIPAA rules may apply to you, as well as SOX:
http://en.wikipedia.org/wiki/HIPPA#The_Security_Rule
http://en.wikipedia.org/wiki/Sarbanes-Oxley_Act#Internal_controls
http://www2.cio.com/ask/expert/2004/questions/question1921.html
-rich
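Both ppfoong (encrypt the data itself so it stays encrypted once it sits on the hosted server) and Rich (encrypt before sending because you never know what the vendor's side really looks like) make the same recommendation, and it is independent of whether the transport is HTTPS, SCP or SFTP. The program below is an added example for this page, not code from the thread or from any poster. It uses Go's standard library AES-256-GCM instead of the PHP mcrypt functions ppfoong mentions, which were removed from PHP in 7.2. The key, label and record are constructed sample values; the 32-byte key is assumed to be generated once, shared out of band with whoever must decrypt, and kept off the hosted machine. The label is bound into the authentication tag so that a ciphertext filed under one customer or date cannot be quietly presented as another's.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// newAEAD wraps a 32-byte pre-shared key in AES-256-GCM, an authenticated cipher:
// it hides the record and also detects any change to it.
func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealRecord encrypts one record before it leaves the internal server. label is
// bound as associated data (for example customer id plus date), so a ciphertext
// filed under one label cannot be passed off as belonging to another. The result
// is base64(nonce || ciphertext || tag), which the host can store as-is.
func sealRecord(key []byte, label, record string) (string, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	// Fresh random nonce per record. Reusing a nonce under the same key breaks GCM.
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	out := aead.Seal(nonce, nonce, []byte(record), []byte(label))
	return base64.StdEncoding.EncodeToString(out), nil
}

// openRecord reverses sealRecord. Any change to nonce, ciphertext, tag or label
// makes GCM's authentication check fail, so a tampered record is never returned.
func openRecord(key []byte, label, sealed string) (string, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	raw, err := base64.StdEncoding.DecodeString(sealed)
	if err != nil {
		return "", err
	}
	ns := aead.NonceSize()
	if len(raw) < ns+aead.Overhead() {
		return "", errors.New("sealed record too short")
	}
	plain, err := aead.Open(nil, raw[:ns], raw[ns:], []byte(label))
	if err != nil {
		return "", err // "cipher: message authentication failed"
	}
	return string(plain), nil
}

func main() {
	// Constructed demo key. In practice the key is generated once, shared out of
	// band with whoever must decrypt, and never placed on the hosted web server.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	label := "customer-42/2024-01-01" // constructed sample label
	record := "<record><sessionKey>EXAMPLE-KEY</sessionKey></record>"
	sealed, _ := sealRecord(key, label, record)
	fmt.Println("sealed:", sealed)
	fmt.Println(openRecord(key, label, sealed))           // the record, <nil>
	fmt.Println(openRecord(key, "customer-43/x", sealed)) // "", authentication error
}
```

The sealed string is what would be uploaded or stored; whoever holds only that string and not the key learns nothing about the record, and whoever tries to modify it, or to re-file it under another label, gets an authentication failure instead of altered plaintext. An archive password as suggested by Rich achieves the first property but not necessarily the second, which is why an AEAD mode is the usual choice for this kind of "encrypt, then hand to a third party" step.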