website encryption to protect information

Posted on 2011-10-19
Last Modified: 2012-08-13
I am building an external website whose requirements are to have a way of encryption, 128-bit, https, or some way of encrypting students' information.

I have never done this in the past, and I am wondering what is required to do this. What do I have to consider in my code and pages? What do I need to configure on the server? How do I set the pages to be an https site?

My server is xampp and my web application is joomla.

Please advise!
Question by:TonyReba

    Accepted Solution

    Since you are using Joomla, I'm assuming you are working with PHP.  

    There are three main considerations for safeguarding sensitive data:

    1) Transmission.  This is normally handled with SSL certificates, and configuring your site to use SSL encryption.  This is pretty simple these days.  The first step is to generate a private key.  This is done on the server that will eventually receive the certificate.  You use the private key to create a certificate request.  The certificate request goes to a certificate authority, or CA, for signing.  There are many CAs to choose from, such as VeriSign, Geotrust, etc.  You receive the public key (the certificate) from the CA, and configure your site to use it.  For a more detailed explanation of how to do this, see these links for Windows/IIS and Apache.

    2) Data storage.  Once you receive sensitive information, you need to keep it safe from prying eyes.  This means encryption in the storage medium, and should include physical security concerns as well.  There are multiple choices available for encrypted storage.  The main "branches" are disk-level, which includes technology such as Bitlocker or EFS, and application-level, which could be in the database itself (encrypted MSSQL databases) or in the application manipulating a database (such as PHP's OpenSSL extension).  Your approach should be guided by your security concerns, though there are some industry standards, such as PCI Compliance (Payment Processing).  If you're working with an educational institution, they may have a security standards policy in place already.

    3) Access control.  Some of this area overlaps with the physical security concerns in (2), but electronic access is usually the larger concern.  Is your application secure?  Is the database secure?  Have you been exploit tested?  Do you employ a scanning company, such as McAfee Secure?  How do you authenticate a user?  How do you control that user's access?  Generally, this area is the source of the majority of "gotcha" moments in security.  It is a rare thing to hear about a physical breach, but sometimes it seems as though every other news story is about the next company that just got hacked.  

    The third item is, by far, the most complicated of your worries.  As a developer, it is often difficult to see the forest for the trees.  You know how your application should work, and your testing of it is biased in that regard.  Also, there is a fair bit of unknown involved.  As a prophet named Murphy once related: "You can't make anything foolproof because fools are so damn ingenious."

    Remember, as applications grow in complexity, it becomes harder and harder to ensure they are safeguarding their data properly.  Make sure you have only one entrance/exit in your application...simpler is better.  Also, developers tend to implement "convenience" code - backdoors and such - to make their job easier.  Be sure these items are removed before moving to production.  You should probably review this thread - all of the responses are relevant here as well - and search EE for similar past questions.  

    One thing I cannot stress enough: TRUST NOTHING.  When your application receives a piece of information, VERIFY IT IS WHAT YOU THINK IT SHOULD BE.  That means white-listing, not black-listing, and hard failure if verification does not succeed.  "But I just got this information from this trusted source."  Then verifying it should not present a problem.  "But I don't want to spend the time verifying every silly little thing."  Explain that to your clients when they ask you why they now have 30 different loan accounts spread across Africa and the Pacific Rim.  

    Good luck!
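
The key, certificate request and signing steps from the accepted solution, sketched with the openssl command-line tool as an added example that is not part of the original thread. The hostname and file names are constructed, and a throwaway local CA stands in for the commercial CA so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the thread): key -> CSR -> signed cert -> pairing check.
set -eu

HOST="students.example.test"          # constructed hostname

# Steps 1-2, run on the web server: private key, then the request built from it.
make_key_and_csr() {                  # $1 = directory for the files
  ( umask 077                         # key file readable by its owner only
    openssl genrsa -out "$1/server.key" 2048 2>/dev/null )
  openssl req -new -key "$1/server.key" -subj "/CN=$HOST" -out "$1/server.csr"
}

# Step 3 stand-in: a throwaway local CA signs the request so this runs offline.
# With a commercial CA you upload server.csr and download server.crt instead.
standin_ca_sign() {                   # $1 = directory holding server.csr
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Constructed Test CA" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
  openssl x509 -req -in "$1/server.csr" -days 1 \
    -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
    -out "$1/server.crt" 2>/dev/null
}

# Step 4 check: the certificate must carry the public half of server.key.
cert_matches_key() {                  # $1 = certificate, $2 = private key
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

work=$(mktemp -d)
make_key_and_csr "$work"
standin_ca_sign "$work"
if cert_matches_key "$work/server.crt" "$work/server.key"; then
  # These two files are what Apache's SSLCertificateFile and
  # SSLCertificateKeyFile directives point at.
  echo "server.crt pairs with server.key"
else
  echo "certificate does not match the private key" >&2
  exit 1
fi
```

The private key never leaves the server; only `server.csr` is sent for signing, and a mismatch reported by `cert_matches_key` means the certificate was issued for a different key and will not load.
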

    Assisted Solution

    I have enclosed a document; this should help you in setting up a secured IIS website.

    Assisted Solution

    by:Rich Rumble
    XAMPP is Apache, not IIS :) Purchase an SSL certificate, then -> Creating an encrypted database isn't needed unless you're bound by law/regulation to do so. If you are, I'd hire a professional or find a product that is suited for your needs. This is not something someone with little to no experience should be doing, period. Talk to other colleges or educational institutions with pages or setups like you're needing, and find out who they hired for the job. If you're housing PII data (social security numbers, credit card numbers, driver's license) you need a professional. If it's just class data, teachers'/students' names, nothing special is needed.

    Author Closing Comment

    Thank you all for the advice.
