photoman11 asked:

Any ideas on how to maintain security while having subcontractors performing maintenance for my website

I have a commercial website that uses a number of tools on an ongoing basis. Just from my personal workload standpoint, I now need to have subcontractors help maintain a few of my more sensitive data categories, and I'm hoping to get some advice from Expert Exchange as to how to do so with minimal risk.

I have used a number of "providers" from oDesk in the past and have managed to have them work on different projects in a way which avoided them having access to sensitive information. However, I now need assistance in these areas and cannot figure out how to implement it without potentially leaving myself very vulnerable.

There are 3 specific areas that I would like subcontractors to help in:

1. The product is DL Guard (http://www.dlguard.com/dlginfo/index.php). I sell a number of digital products on my site and use PayPal to process the payment. I'm transitioning from E-junkie to DL Guard, as my software to securely have the Digital Products stored and processed, in addition to having the resulting sales data maintained.

DL Guard does not provide any way to restrict access to their software (which is loaded on Bluehost, the server I use for PHP and other things). I would need to provide my login information which would basically give subcontractors access to all of my digital products, the code used for directing customers to PayPal, and setting product pricing, among other things.

2. Virtual Smart Agent (http://www.virtualsmartagent.com/sq1.php) is software that provides the means for me to offer a "last chance" offer to prospects who have decided to leave my sales pages without purchasing.

Like DL Guard, Virtual Smart Agent also does not provide any type of restricted access. Once in Virtual Smart Agent, the subcontractor could direct my prospects anywhere they wanted, as well as set prices for my "2nd chance" offers.

3.  I have a domain on Bluehost, which is the server I have loaded DL Guard and Virtual Smart Agent on. Bluehost DOES have the means to restrict access to only certain parts of my domain, which is good. The most "exposure" I have regarding subcontractors accessing Bluehost is their access to all my digital products.

I don't know if this would be pertinent, but from a process standpoint as well as a system standpoint, there is a relationship between DL Guard and Bluehost, and between Virtual Smart Agent and Bluehost. There is no such relationship between DL Guard and Virtual Smart Agent.

Does anyone have any advice for how I can have subcontractors help me in these areas and still limit my exposure?

Thank you one and all.

ASKER CERTIFIED SOLUTION
Knightsman

photoman11 (ASKER)

You may not be in the outfield, but you're definitely on the warning track.

You are accurate in your assumption however. I am selling digital products that the customer buys as a result of visiting my primary website (for sake of discussion, consider that to be on the SBI server).

The processing of the payment is done through PayPal. However, the digital products reside on a different server: the Bluehost server. I use DL Guard to maintain security such as not allowing 100 people to download my product after one person pays for it and gets the link to the product. They do other things, but that is not germane to this conversation.

Virtual Smart Agent is another tool that I host on Bluehost.

I want to have subcontractors help me by doing some relatively easy clerical functions; however, the catch is that I can't figure out any way to have them help me without giving them access to DL Guard and Virtual Smart Agent. Using a very exaggerated analogy, it's like having a cleaning crew come into your bank vault where there is cash lying around, to do dusting and polish the furniture, without me being present or having a security camera to monitor them.

I hope that explains it better.

Michel Plungjan

That sounds like a recipe for disaster. If they are to do development work, have them do development work on a dummy setup with a sandbox PayPal account. Once they are done, you implement their stuff on a parallel system with access to production data and test that it works before switching over.
They will never have the passwords or access to actual production data.

photoman11 (ASKER)

Thanks to everybody for your response.

Let me first ask you something to make sure we're on the same track: when you say "development work," I get the impression that, that means testing out changes in software and functionality. If this is accurate (a big if), then that is NOT what I mean.

On the other hand, if you're using it to signify ANY KIND OF WORK that is performed in the environments where the work will need to take place, then we are on the same track because all I'm really talking about is data entry and clerical/detail work.

I am not even in the same universe as you guys when it comes to talking about setting up dummy setups and sandbox accounts. The only thing I recall which may be what you are talking about (please confirm) is this:

Several weeks ago, I contacted the tech department of DL Guard, asking them basically the same question that I asked you. As memory serves, they suggested that I create something like a duplicate or separate SQL database, have the contractor then put information into that database, and upon completion of their work, transfer the information over to my live system.

All I recall is that after my head stopped spinning, I raised my arms in surrender and ran from the room screaming like a little girl. The point is, I have no idea how to do any of that and it struck me that in the long run, it might be easier for me to do all the clerical work myself (definitely not my desire) than it would be to try to figure out, with others helping me, how to set up everything so subcontractors can help me.

Before we go much further into this technical maze, is there a way that you can provide some insight as to whether that assumption is even slightly accurate? If it is, then I have my answer, although not the one I want; namely, it would be better off in the long run if I do the work myself.

Thanks for your help and patience with somebody way out of your technical league.

photoman11 (ASKER)

Lo-Tan,

Typical tasks would be:

IN DL GUARD –

–Updating and setting up new products, which entails:
Having access to all the original files of my products
Loading them on my Bluehost server domain
Inputting my PayPal e-mail address, number of download attempts and hours to download type of data
Product cost

By doing all of the above, they also have access to the content and parameters of how I use the download instructions and e-mails to my customers, all products set up on my shopping cart, discounts, customer information and sales statistics.



In Virtual Smart Agent –

Tasks would be things like updating the discount offers that I am providing, and everything that goes with it.

Changing messages that the system uses to interact with prospects

By doing so, they would have access to all of my statistics and information regarding one-time offers, by product, and the ability to change offers or prices.

That's about it.

Knightsman

Do you not have a database on your main computer that you upload to your server to update this stuff?

Sounds like that might be the issue. See if your online database is compatible with comma-delimited or .csv files.

If that's all they are doing, have them update your local database and you upload it to the server.
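
The suggestion above (contractors edit a CSV, the owner uploads it) only limits exposure if the owner checks what changed before uploading. An added sketch of that check, not part of the original thread and not DL Guard code: the column names and sample rows are constructed assumptions, since the thread does not show DL Guard's export format.

```python
import csv
import io

# Hypothetical column names; DL Guard's real export layout is not shown in the thread.
KEY = "product_id"
SENSITIVE = {"price", "paypal_email", "download_attempts", "expiry_hours"}

def load(text):
    """Parse CSV text into {product_id: row}, rejecting duplicate ids."""
    rows = {}
    for row in csv.DictReader(io.StringIO(text)):
        pid = row[KEY]
        if pid in rows:
            raise ValueError(f"duplicate {KEY}: {pid}")
        rows[pid] = row
    return rows

def review(baseline_text, submitted_text):
    """Diff the contractor's file against the owner's copy.

    Returns (flagged, routine): flagged changes touch money, payment
    routing or download limits and need the owner's sign-off."""
    base, sub = load(baseline_text), load(submitted_text)
    flagged, routine = [], []
    for pid in sorted(base.keys() - sub.keys()):
        flagged.append(f"{pid}: product removed")
    for pid in sorted(sub.keys() - base.keys()):
        flagged.append(f"{pid}: new product, price={sub[pid].get('price')}")
    for pid in sorted(base.keys() & sub.keys()):
        for col, new in sub[pid].items():
            old = base[pid].get(col)
            if old != new:
                msg = f"{pid}: {col} {old!r} -> {new!r}"
                (flagged if col in SENSITIVE else routine).append(msg)
    return flagged, routine

# Constructed sample data: the owner's current export and a contractor's edit of it.
BASELINE = """product_id,title,price,paypal_email,download_attempts,expiry_hours
P1,Photo Guide,19.95,owner@example.com,3,48
P2,Preset Pack,9.95,owner@example.com,3,48
"""
SUBMITTED = """product_id,title,price,paypal_email,download_attempts,expiry_hours
P1,Photo Guide (2nd ed.),19.95,owner@example.com,3,48
P2,Preset Pack,0.95,other@example.net,3,48
P3,New Ebook,14.95,owner@example.com,3,48
"""

if __name__ == "__main__":
    flagged, routine = review(BASELINE, SUBMITTED)
    for line in flagged:
        print("REVIEW", line)
    for line in routine:
        print("ok    ", line)
```

The owner keeps the only production login; the contractor sees just the CSV, and anything in the flagged list is checked by hand before the upload.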

photoman11 (ASKER)

Thanks for everyone's help. I think it's probably going to be easier if I just do it myself.