  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 220

What is the best way to protect user's information in a cloud software?

Hi,

I'm developing a cloud software and I have some doubts about what's the best way for protecting the login. I'm looking for some scheme that could defend the database information in case of an attack via users. The software is being developed with Codeigniter.

Regards!
Asked by: dimensionav
4 Solutions
 
gr8gonzo (Consultant) commented:
While it's good that you're concerned about security, you really don't want to learn security WHILE you're developing software. There are a lot of things that will affect HOW you design the software before you start coding.

You really should take the time to really design the security model prior to coding anything. Go through different tutorials. I'd say the key things to know are:

1. Determine how you will decide to trust an end user. Are you okay with just them having a session and not worrying about session hijacking? Do you want to require a client certificate? Things like that.

2. Understand how sessions are stored - what is stored on the server vs. what is stored on the end user's computer, and ask yourself if that data could be accessible in a way that you don't want. For example, if the sessions are stored on a server and you're on a shared hosting server, that might be a problem for you.

3. Learn about common code vulnerabilities - SQL injection, XSS, and so on, and then make sure YOU know how to execute the attacks (try them out) so you can know how to prevent them.

4. Learn about techniques using hashing/checksums/signatures on data to prevent tampering (e.g. if your software allows someone to go to fetch_sensitive_record.php?id=123, then make sure they can't just change 123 to 124 and get someone else's data).

5. Learn what HTTPS does and does not do.

6. Learn about at-rest encryption if you're working with data that has high compliance standards (social security numbers, credit cards, government data, etc...) and ensure your hosting platform has it.

7. Learn about PCI compliance and how to achieve it.

8. If you're going to encrypt data, learn which algorithms to use and how to protect the keys.

There are probably other topics to learn, but any good programmer should know a LOT about security - as much as they know about coding.
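Points 3, 4 and 8 above, worked as an added example (this is not code from the thread or from CodeIgniter; it is plain PHP so it runs outside the framework). A record reference handed to the browser carries an HMAC tag bound to the logged-in user's id, so editing 123 to 124 invalidates it; the lookup uses PDO placeholders and re-checks ownership in the WHERE clause; and the login table stores password_hash() output rather than passwords. SECRET_KEY, the table names, the sample rows and the helper names are placeholders invented for the demonstration.

```php
<?php
// Added example, not from the original thread: tamper-evident record
// references, parameterized lookups and password hashing in plain PHP.
// SECRET_KEY is a placeholder; in production load it from the environment
// or a secrets store, never from a file under the web root.
declare(strict_types=1);

const SECRET_KEY = 'replace-me-with-output-of-random_bytes(32)';

// Point 4: instead of exposing a raw id (fetch_sensitive_record.php?id=123),
// hand out "id.tag" where tag = HMAC-SHA256("id:user_id", key). Binding the
// user id into the MAC means a reference minted for one account is useless
// to another account even if it is copied.
function sign_record_ref(int $recordId, int $userId, string $key): string
{
    $tag = hash_hmac('sha256', $recordId . ':' . $userId, $key);
    return $recordId . '.' . $tag;
}

// Returns the record id if the reference is authentic for this user, else null.
function verify_record_ref(string $ref, int $userId, string $key): ?int
{
    if (!preg_match('/^(\d+)\.([0-9a-f]{64})$/', $ref, $m)) {
        return null; // wrong shape: not an integer followed by a 64-hex-char tag
    }
    $recordId = (int) $m[1];
    $expected = hash_hmac('sha256', $recordId . ':' . $userId, $key);
    // hash_equals compares in constant time, so response timing does not
    // leak how many leading bytes of a guessed tag were right.
    return hash_equals($expected, $m[2]) ? $recordId : null;
}

// Point 3: the query is built with placeholders, so user input is never
// parsed as SQL. The owner_id condition is the real server-side
// authorization check; the signed reference is only the first gate.
function fetch_record(PDO $db, string $ref, int $userId, string $key): ?array
{
    $recordId = verify_record_ref($ref, $userId, $key);
    if ($recordId === null) {
        return null;
    }
    $stmt = $db->prepare(
        'SELECT id, owner_id, body FROM records WHERE id = :id AND owner_id = :owner'
    );
    $stmt->execute([':id' => $recordId, ':owner' => $userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Point 8, applied to the login: store only password_hash() output (a salted,
// slow hash); password_verify() handles the comparison.
function store_user(PDO $db, string $username, string $password): void
{
    $stmt = $db->prepare('INSERT INTO users (username, pw_hash) VALUES (:u, :h)');
    $stmt->execute([
        ':u' => $username,
        ':h' => password_hash($password, PASSWORD_DEFAULT),
    ]);
}

function check_login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT pw_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $hash = $stmt->fetchColumn();
    return $hash !== false && password_verify($password, $hash);
}

// Demonstration on constructed data in an in-memory SQLite database
// (requires the pdo_sqlite extension, bundled with most PHP builds).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE records (id INTEGER PRIMARY KEY, owner_id INTEGER, body TEXT)');
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)');
$db->exec("INSERT INTO records VALUES (123, 7, 'alice secret'), (124, 9, 'bob secret')");
store_user($db, 'alice', 'correct horse battery staple');

$ref = sign_record_ref(123, 7, SECRET_KEY);
$tampered = '124.' . substr($ref, strpos($ref, '.') + 1); // keep the tag, change the id
$cases = [
    'own record, valid tag' => $ref,
    'id changed to 124'     => $tampered,
    'injection attempt'     => "123' OR 1=1 --",
];
foreach ($cases as $label => $candidate) {
    echo $label, ': ', json_encode(fetch_record($db, $candidate, 7, SECRET_KEY)), PHP_EOL;
}
echo 'login, right password: ', var_export(check_login($db, 'alice', 'correct horse battery staple'), true), PHP_EOL;
echo 'login, wrong password: ', var_export(check_login($db, 'alice', 'nope'), true), PHP_EOL;
```

Run it with `php example.php`. Two caveats a practitioner will hit: rotating SECRET_KEY invalidates every reference already handed out (acceptable for short-lived links, not for bookmarked ones), and the signed reference does not replace the ownership check in the query, which is what still protects you if the key ever leaks.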
 
Ray Paseur commented:
Only one addition to @gr8gonzo's excellent summary.  Dump CodeIgniter right now and never look back.  It's 2014 and nobody starts a project with CodeIgniter any more.  Invest some of your time and energy to learn Laravel instead.  

Here's why:
http://www.sitepoint.com/best-php-frameworks-2014/
 
gr8gonzo (Consultant) commented:
I wouldn't necessarily dump CodeIgniter as an option. It may not be as new and thriving as other frameworks, but it's still one of the fastest pure-PHP frameworks. It's the underlying engine for several enterprise products, including knowledge bases for companies / organizations like American Express, Sony, Black & Decker, Walmart, USDA, Overstock, Ticketmaster, and so on. I work with and on CI-powered sites every day and it handles large quantities of requests per second.

Laravel is more fully-featured, but doesn't always perform as well as CI. A large part of that is how you use it, of course.

If you want something that just flies and you're willing to take extra steps to ensure that performance is a priority, then Phalcon is your best option, but it's not pure PHP.

http://phalconphp.com/en/

It also has a built-in CSRF module, which is good for security.

Just my $0.02.
 
Schuyler Dorsey commented:
Here is more of a high level approach to get you going in the right direction.

1. Technical controls. Follow what gr8gonzo posted. Ensure you have the right technical controls in place to protect the code and software. Put good NGFW/WAFs in place. Consider DLP if the information stored is going to be sensitive.

2. Look at non-technical controls. There is where most cloud vendors get slammed in reviews/audits. So look at operational controls. Here are some questions to get you started.

Who in the IaaS program is going to have access to your systems?
Who in the SaaS program is going to have access to client data?
 a. Take a strong look at your own employees and who will have access to your clients' data. Ensure you are following least privilege and role-based access control. SaaS vendors often get blackballed because they allow all of their internal employees access to client production data.
Where are your servers? What datacenters? How many datacenters?
What is the physical security of those data centers?
What is the long term business outlook for those datacenters or your IaaS?
Does the datacenter have any certifications? (SSAE-16, ISO27001)
Consider getting your SaaS/cloud program certified. A good option is FedRAMP.

Purchase a SIGv8 (will be SIGv9 next year) document and complete it. This document will list many technical and operational controls needed. Many of your clients may also require seeing this document before doing business with you.

Get a SOC 2 Type 2 doc. Again, many of your clients may require seeing this document before doing business with you.
 
Schuyler Dorsey commented:
You could also look at Cloud Security Alliance CCM.. but it's hit and miss how much weight your clients may put into it. Some consider it to be a very self-serving framework.

But regardless, even if you don't strive to certify against CSA, it's a good framework and starting point.
 
gr8gonzo (Consultant) commented:
I wasn't trying to overwhelm him with acronyms off the bat, but you also have to consider the data you're protecting. A lot of what Schuyler just listed is great when you need to be in compliance with different standards, but there's a cost/benefit ratio to everything. For example, a web service that generates memes probably doesn't need to worry about a lot of these things.

In most cases, unless you're setting up your own hardware and infrastructure, you just need to examine what the hosting provider offers in terms of security. "Who has access to what" is a huge overlapping question in different compliance standards.

Just bear in mind that the more sensitive the data, the more strict the security needs to be.
 
Ray Paseur commented:
OWASP

But give yourself some time to "get into it."  IT Security is a full-time, four-year college major today.  And if you find that way to defend the database against attacks, I'm sure you can sell it to Sony!