• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 324
  • Last Modified:

website encryption to protect information

I am building an external website which requirements are to have a way of encryption  128-bit, https, or someway of encrypting students information.

I never have done this in the past, and I wondering what is required to do this, what do I have to consider on my code and pages? What do I need to configure in the server? how do I set the pages be an https site?

My server is xampp  and my web appplication is joomla.

Please advise!
0
TonyReba
Asked:
TonyReba
4 Solutions
 
Steve BinkCommented:
Since you are using Joomla, I'm assuming you are working with PHP.  

There are three main considerations for safeguarding sensitive data:

1) Transmission.  This is normally handled with SSL certificates, and configuring your site to use SSL encryption.  This is pretty simple these days.  The first step is to generate a private key.  This is done on the server that will eventually receive the certificate.  You use the private key to create a certificate request.  The certificate request goes to a certificate authority, or CA, for signing.  There are many CAs to chose from, such as VeriSign, Geotrust, etc.  You receive the public key (the certificate) from the CA, and configure your site to use it.  For a more detailed explanation of how to do this, see these links for Windows/IIS and Apache.

2) Data storage.  Once you receive sensitive information, you need to keep it safe from prying eyes.  This means encryption in the storage medium, and should include physical security concerns as well.  There are multiple choices available for encrypted storage.  The main "branches" are disk-level, which includes technology such as Bitlocker or EFS, and application-level, which could be in the database itself (encrypted MSSQL databases) or in the application manipulating a database (such as PHP's OpenSSL extension).  Your approach should be guided by your security concerns, though there are some industry standards, such as PCI Compliance (Payment Processing).  If you're working with an educational institution, they may have a security standards policy in place already.

3) Access control.  Some of this area overlaps with the physical security concerns in (2), but electronic access is usually the larger concern.  Is your application secure?  Is the database secure?  Have you been exploit tested?  Do you employ a scanning company, such as McAfee Secure?  How do you authenticate a user?  How do you control that user's access?  Generally, this area is the source of the majority of "gotcha" moments in security.  It is a rare thing to hear about a physical breach, but sometimes it seems as though every other news story is about the next company that just got hacked.  

The third item is, by far, the most complicated of your worries.  As a developer, it is often difficult to see the forest for the trees.  You know how your application should work, and your testing of it is biased in that regard.  Also, there is fair bit of unknown involved.  As a prophet named Murphy once related: "You can't make anything foolproof because fools are so damn ingenious."

Remember, as applications grow in complexity, it becomes harder and harder to ensure they are safeguarding their data properly.  Make sure you have only one entrance/exit in your application...simpler is better.  Also, developers tend to implement "convenience" code - backdoors and such - to make their job easier.  Be sure these items are removed before moving to production.  You should probably review this thread - all of the responses are relevant here as well - and search EE for similar past questions.  

One thing I cannot stress enough: TRUST NOTHING.  When your application receives a piece of information, VERIFY IT IS WHAT YOU THINK IT SHOULD BE.  That means white-listing, not black-listing, and hard failure if verification does not succeed.  "But I just got this information from this trusted source."  Then verifying it should not present a problem.  "But I don't want to spend the time verifying every silly little thing."  Explain that to your clients when they ask you why they now have 30 different loan accounts spread across Africa and the Pacific Rim.  

Good luck!
0
 
vinsvinCommented:
I have enclosed a document, this should help you in setting up a secured IIS website
Installing-and-Securing-IIS-Serv.doc
0
 
Rich RumbleSecurity SamuraiCommented:
XAMPP is Apache, not IIS :) Purchase a SSL certificate, then -> http://www.digicert.com/ssl-certificate-installation-apache.htm Creating a encrypted database isn't needed unless your bound by law/regulation to do so. If you are, I'd hire a professional or find a product that is suited for your needs. This is not something someone with little to no experience should be doing, period. Talk to other colleges or education institution's with pages or setups like your needing, and find out who they hired for the job. If your housing PII data (social security numbers, credit card numbers, drivers license) you need a professional. If it's just class data, teachers/students names, nothing special is needed.
-rich
0
 
btanExec ConsultantCommented:
0
 
TonyRebaAuthor Commented:
Thank you all for the advice.
0

Featured Post

Automating Your MSP Business

The road to profitability.
Delivering superior services is key to ensuring customer satisfaction and the consequent long-term relationships that enable MSPs to lock in predictable, recurring revenue. What's the best way to deliver superior service? One word: automation.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now