Hojoformo asked:
Safest Method for Communicating Data to WebServer?

What is the most secure and safest method for communicating data to a web server?  We are considering using a 3rd-party web hosting vendor and application that will require a daily transmission of sensitive data from our internal network server.  Can you provide me with some suggestions on how we can secure this data?  The volume of data is very small.  What is the best protocol to use?  SOAP?  XML? SSL? Web Service?  Any suggestions would be appreciated.
jhance

Install an SSL server certificate and use HTTPS to upload your data to the web server.  While you could certainly use other schemes, since this is a web server to start with, HTTPS using SSL is its native tongue for encryption.

You mean, you want to transmit the data FROM your internal server TO the hosted web server.

If you can use SSH, then SSH-based protocols such as SCP or SFTP can be used.

If you want to transmit with a web form on the web server, SSL is a good choice, provided your hosting supports HTTPS.

Whatever way the transmission is done, the most secure and safest way is to keep the data in encrypted form. Then, even if you transmit it in plain form, it is still OK. If data is transmitted in safe form but stored on the web server in plain form, it is still not secure.

You can make use of the mcrypt functions to encrypt and decrypt your data. If you are using PHP on the web, mcrypt is one of the supported scripting modules.

SSL is the choice for secure web browser to server communications. You can get certified by Verisign or any other third-party CA. Your web clients can therefore be assured that they are communicating with your web server. Also, all traffic using SSL will be encrypted.

Another way is to generate your own certificate using openssl. But this will not be as trustworthy as using Verisign or any other third-party CA.
> .. require a daily transmission of sensitive data from our internal network server.
I'd vote for ssh too, 'cause you only need to push the data.
If you do it by SSL, you have to configure your web server to allow it too (CGI, WebDAV, etc.).
>>But this will not be as trustworthy as using Verisign

That sounds like Verisign marketing baloney.  If this is just _you_ doing the uploading, then "trust" is not the issue and a self-made CA is perfectly secure.  Trust and security are two different things.

The "trust" associated with an SSL cert has to do with 3rd parties trusting YOU.  Having a cert from a reputable CA means, in theory at least, that THEY vouch for who you are.  So if you trust the CA you trust anyone they issue a cert to implicitly.

But for "in-house" use, you (obviously) trust yourself and so a self-made cert is perfectly safe, since CA-generated certs and self-made certs use the same level of encryption.
Hojoformo, please provide the gentlemen here some information about your computing platform (including web server and database engine) so that we can make more precise and more suitable suggestions.

Otherwise, my gut feeling is that you've gone the M$ way and might feel awkward implementing cygwin and sshd on your hosted server.
Hojoformo (asker):
Thanks everyone for the quick response.  Here is a little more information about this request.  The 3rd-party company we are looking at informed us the data is to be accessible from the data source via an XML web service which receives a single variable ("sessionKey") which uniquely identifies the customer and recorder. This customer-side (our side) web service should accept GET, POST or SOAP-formatted requests from the 3rd-party application server and return the XML in the format specified herein.

This is a two-way communication.  First they call our server for authentication using the sessionKey; then, if authenticated, we will transmit data back to them (very small volume of data, but sensitive data).  Our platform is Windows NT server 2000.

So it sounds like we are limited to using either GET, POST or SOAP.  SOAP I understand is the better choice.  Any suggestions, or should we be concerned?
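A defensive sketch of the customer-side endpoint the asker describes (accept sessionKey via GET, form POST or SOAP, answer with XML). This is an added example, not code from the thread; it uses only the Python standard library, and the hash table, customer/recorder identifiers and SOAP body shape are constructed for illustration. It shows the three checks a practitioner would want here: refuse plaintext HTTP, compare the key in constant time against a stored hash rather than the key itself, and build the XML reply with an escaping serializer.

```python
import hashlib
import hmac
import urllib.parse
import xml.etree.ElementTree as ET

# Constructed example table: the 3rd party's sessionKey is stored only as a
# SHA-256 hash, mapped to the customer/recorder it identifies.
VALID_KEY_HASHES = {
    hashlib.sha256(b"example-session-key-123").hexdigest(): ("customer-42", "recorder-7"),
}

def extract_session_key(method, query, body, content_type):
    """Pull sessionKey from a GET query string, a form POST, or a SOAP envelope."""
    if method == "GET":
        return urllib.parse.parse_qs(query).get("sessionKey", [None])[0]
    if method == "POST" and content_type.startswith("application/x-www-form-urlencoded"):
        return urllib.parse.parse_qs(body).get("sessionKey", [None])[0]
    if method == "POST" and "xml" in content_type:
        try:
            root = ET.fromstring(body)
        except ET.ParseError:
            return None
        elem = root.find(".//{*}sessionKey")  # {*} matches any XML namespace
        return elem.text.strip() if elem is not None and elem.text else None
    return None

def lookup_session(session_key):
    """Match the presented key against every stored hash with compare_digest and no early exit."""
    if not session_key:
        return None
    presented = hashlib.sha256(session_key.encode("utf-8")).hexdigest()
    found = None
    for stored, ident in VALID_KEY_HASHES.items():
        if hmac.compare_digest(presented, stored):
            found = ident
    return found

def handle_request(scheme, method, query, body, content_type, record):
    """Return (status, xml_bytes); plaintext HTTP is refused before any lookup."""
    if scheme != "https":
        return 403, b"<error>TLS required</error>"
    ident = lookup_session(extract_session_key(method, query, body, content_type))
    if ident is None:
        return 401, b"<error>unknown sessionKey</error>"
    resp = ET.Element("response")
    ET.SubElement(resp, "customer").text = ident[0]
    ET.SubElement(resp, "recorder").text = ident[1]
    ET.SubElement(resp, "data").text = record  # ElementTree escapes <, > and &
    return 200, ET.tostring(resp, encoding="utf-8")
```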
ASKER CERTIFIED SOLUTION
jhance
Rich Rumble
Right, XML by default is plain text, but can be encrypted via HTTPS, SFTP, SCP/SSL. SOAP is also plain text, typically over HTTP, but can be used over HTTPS.
http://en.wikipedia.org/wiki/SOAP  Also, GET and POST are simply HTTP commands/actions/requests (also FTP).
Sounds like you're already going with this 3rd party.

Personally I prefer off-site storage services that house our backup data: we give them a backup tape each day, week, month, whatever the schedule, and they store it off site in fireproof vaults etc. These same companies allow you to SCP smaller amounts of data to them, and they back up the data you send and store it on a tape for you. Iron Mountain is one such vendor; there are dozens of others. You never know what you're really getting, so it may be prudent to encrypt the data before sending it; you can use 7zip, winzip, winrar, TrueCrypt and many others to do this.

Depending on the industry you're in, healthcare, or simply a publicly traded company, you may need to take some extra steps in securing and retaining that data. HIPAA rules may apply to you, as well as SOX.
http://en.wikipedia.org/wiki/HIPPA#The_Security_Rule
http://en.wikipedia.org/wiki/Sarbanes-Oxley_Act#Internal_controls  http://www2.cio.com/ask/expert/2004/questions/question1921.html
-rich