
Trying to secure an internal web app that will go public - certificates?

Posted on 2012-08-22
Medium Priority
Last Modified: 2012-08-27
We are looking to inherit a web application that will be hosted internally within our network. It will have to be made public so external users can use it, but management wants to avoid VPN. The application will host a lot of private information, so I need to be sure that the web server is completely secure to the best of my ability. I need some helpful tips from experts to give me a good scope of what might need to be done. Here are my ideas:

- Install an SSL certificate to encrypt external to internal
- Look into Secure ID type method where we could manipulate certificates?
     - So we can issue certs to those that need to connect
     - Revoke certs that are no longer needed
     - Only those with certs will be able to view the URL link (such as https://webapp.com), if no cert the link would be blocked...?

Does anyone know of any best practices that would help me set up this scenario?
Question by:Techneut
1 Comment
LVL 10

Accepted Solution

tdlewis earned 500 total points
ID: 38322698
SSL will protect the data as it is transmitted over the Internet from the server to the client. Using SSL is a best practice for all web pages that contain confidential information.

However, you also need to protect the private information in storage. First, you should separate the data from the web server by storing all the private information on an internal server that is not directly accessible from the Internet. Your web server will connect to that internal server to access the private information.

Second, you must ensure that the web server has a hardened configuration. If you do not have the internal expertise to ensure that there are no problems with the web server configuration, you should hire a security professional to help you get that right.

Third, you must apply all relevant security patches and have a mechanism in place to evaluate and apply new security patches as they are released.
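
The client-certificate idea raised in the question (issue certificates to approved users, revoke them later, refuse everyone else) can be expressed as a mutual-TLS front end. The configuration below is an added example and not part of the original thread; it assumes nginx as the Internet-facing server, and the hostname, file paths and internal address are placeholders.

```nginx
# Added example. Assumptions: nginx terminates TLS in front of the application;
# webapp.example, the /etc/nginx/tls/ paths and 10.0.0.10 are placeholders.
server {
    listen 443 ssl;
    server_name webapp.example;

    # Server certificate: encrypts traffic between external users and this host.
    ssl_certificate     /etc/nginx/tls/webapp.crt;
    ssl_certificate_key /etc/nginx/tls/webapp.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Client certificates: only certificates issued by the private CA are accepted.
    # A request without a valid client certificate is answered with HTTP 400.
    ssl_client_certificate /etc/nginx/tls/client-ca.crt;
    ssl_verify_client      on;
    ssl_verify_depth       1;

    # Revocation: client certificates listed in this CRL are rejected.
    ssl_crl /etc/nginx/tls/client-ca.crl;

    location / {
        # Pass the verified identity to the application. proxy_set_header
        # overwrites any header of the same name sent by the client.
        proxy_set_header X-Client-DN     $ssl_client_s_dn;
        proxy_set_header X-Client-Verify $ssl_client_verify;

        # The application stays on an internal address that is not
        # reachable from the Internet.
        proxy_pass http://10.0.0.10:8080;
    }
}
```

nginx reads the CRL file when its configuration is loaded, so a revocation takes effect only after the CRL is regenerated and nginx is reloaded.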

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

It’s time for spooky stories and consuming way too much sugar, including the many treats we’ve whipped for you in the world of tech. Check it out!
When you put your credit card number into a website for an online transaction, surely you know to look for signs of a secure website such as the padlock icon in the web browser or the green address bar.  This is one way to protect yourself from oth…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
Is your data getting by on basic protection measures? In today’s climate of debilitating malware and ransomware—like WannaCry—that may not be enough. You need to establish more than basics, like a recovery plan that protects both data and endpoints.…
Suggested Courses

872 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question