Solved

What is the best way to protect users' information in cloud software?

Posted on 2014-12-17
204 Views
Last Modified: 2015-01-12
Hi,

I'm developing cloud software and I have some doubts about the best way of protecting the login. I'm looking for some scheme that could defend the database information in case of an attack via users. The software is being developed with CodeIgniter.

Regards!
Question by:dimensionav
7 Comments
 
LVL 34

Assisted Solution

by:gr8gonzo
gr8gonzo earned 250 total points
ID: 40505949
While it's good that you're concerned about security, you really don't want to learn security WHILE you're developing software. There are a lot of things that will affect HOW you design the software before you start coding.

You really should take the time to really design the security model prior to coding anything. Go through different tutorials. I'd say the key things to know are:

1. Determine how you will decide to trust an end user. Are you okay with just them having a session and not worrying about session hijacking? Do you want to require a client certificate? Things like that.

2. Understand how sessions are stored - what is stored on the server vs. what is stored on the end user's computer, and ask yourself if that data could be accessible in a way that you don't want. For example, if the sessions are stored on a server and you're on a shared hosting server, that might be a problem for you.

3. Learn about common code vulnerabilities - SQL injection, XSS, and so on, and then make sure YOU know how to execute the attacks (try them out) so you can know how to prevent them.

4. Learn about techniques using hashing/checksums/signatures on data to prevent tampering (e.g. if your software allows someone to go to fetch_sensitive_record.php?id=123, then make sure they can't just change 123 to 124 and get someone else's data).

5. Learn what HTTPS does and does not do.

6. Learn about at-rest encryption if you're working with data that has high compliance standards (social security numbers, credit cards, government data, etc.) and ensure your hosting platform has it.

7. Learn about PCI compliance and how to achieve it.

8. If you're going to encrypt data, learn which algorithms to use and how to protect the keys.

There are probably other topics to learn, but any good programmer should know a LOT about security - as much as they know about coding.
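Added example for items 3 and 4 of the list above (this is editor-supplied code, not gr8gonzo's or the thread's): the record id in a link such as fetch_sensitive_record.php?id=123 is replaced by an opaque "id.mac" reference signed with an HMAC, so changing 123 to 124 invalidates the reference, and the lookup is still bound to the logged-in user through a prepared statement, because a valid MAC only proves the server issued the reference, not that this user may read the record. The secret, the table layout and the sample rows are assumptions made up for the example; it runs stand-alone on PHP 7.1+ with pdo_sqlite.

```php
<?php
// Added example (not from the original thread): tamper-evident record
// references plus a server-side ownership check. REF_SECRET, the table
// layout and the sample rows are assumptions for this example only.
declare(strict_types=1);

// In a real deployment load this from configuration outside the web root,
// never from source control. Constructed placeholder value.
const REF_SECRET = 'replace-with-a-random-32-byte-secret';

// Build an opaque reference "id.mac" so a client cannot turn 123 into 124
// without also producing a valid MAC for the new id.
function makeRecordRef(int $id, string $secret = REF_SECRET): string
{
    $mac = hash_hmac('sha256', (string) $id, $secret);
    return $id . '.' . $mac;
}

// Return the record id if the reference is intact, or null if it is
// malformed or was tampered with. hash_equals() compares in constant time.
function parseRecordRef(string $ref, string $secret = REF_SECRET): ?int
{
    if (!preg_match('/^(\d{1,18})\.([0-9a-f]{64})$/', $ref, $m)) {
        return null;
    }
    $expected = hash_hmac('sha256', $m[1], $secret);
    if (!hash_equals($expected, $m[2])) {
        return null;
    }
    return (int) $m[1];
}

// The MAC only proves the server issued the reference; it does not prove
// that the current user may read the record. So bind the query to the
// logged-in user (ownership check) and use a prepared statement so the id
// can never be interpreted as SQL.
function fetchSensitiveRecord(PDO $db, string $ref, int $currentUserId): ?array
{
    $id = parseRecordRef($ref);
    if ($id === null) {
        return null; // rejected before any SQL runs
    }
    $stmt = $db->prepare(
        'SELECT id, owner_id, body FROM records WHERE id = :id AND owner_id = :owner'
    );
    $stmt->execute([':id' => $id, ':owner' => $currentUserId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Self-contained demo on an in-memory SQLite database with constructed rows:
// record 123 belongs to user 1, record 124 belongs to user 2.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE records (id INTEGER PRIMARY KEY, owner_id INTEGER NOT NULL, body TEXT NOT NULL)');
$db->exec("INSERT INTO records VALUES (123, 1, 'alice secret'), (124, 2, 'bob secret')");

$ref = makeRecordRef(123); // the reference user 1 receives in a link

// Case 1: user 1 opens their own record with the reference they were given.
var_dump(fetchSensitiveRecord($db, $ref, 1));
// Case 2: the id is edited to 124 but the MAC still belongs to 123.
var_dump(fetchSensitiveRecord($db, '124.' . substr($ref, 4), 1));
// Case 3: a correctly signed reference for 124, but user 1 is not its owner.
var_dump(fetchSensitiveRecord($db, makeRecordRef(124), 1));
// Case 4: a reference that is not in the expected format at all.
var_dump(fetchSensitiveRecord($db, '1 OR 1=1', 1));
```

Only case 1 returns a row; the other three return null for three different reasons (bad MAC, wrong owner, malformed input), which is the point of layering the signed reference, the ownership check and the prepared statement rather than relying on any one of them.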
LVL 108

Expert Comment

by:Ray Paseur
ID: 40506063
Only one addition to @gr8gonzo's excellent summary. Dump CodeIgniter right now and never look back. It's 2014 and nobody starts a project with CodeIgniter any more. Invest some of your time and energy to learn Laravel instead.

Here's why:
http://www.sitepoint.com/best-php-frameworks-2014/
LVL 34

Assisted Solution

by:gr8gonzo
gr8gonzo earned 250 total points
ID: 40507219
I wouldn't necessarily dump CodeIgniter as an option. It may not be as new and thriving as other frameworks, but it's still one of the fastest pure-PHP frameworks. It's the underlying engine for several enterprise products, including knowledge bases for companies / organizations like American Express, Sony, Black & Decker, Walmart, USDA, Overstock, Ticketmaster, and so on. I work with and on CI-powered sites every day and it handles large quantities of requests per second.

Laravel is more fully-featured, but doesn't always perform as well as CI. A large part of that is how you use it, of course.

If you want something that just flies and you're willing to take extra steps to ensure that performance is a priority, then Phalcon is your best option, but it's not pure PHP.

http://phalconphp.com/en/

It also has a built-in CSRF module, which is good for security.

Just my $0.02.
LVL 10

Assisted Solution

by:Schuyler Dorsey
Schuyler Dorsey earned 125 total points
ID: 40507239
Here is more of a high level approach to get you going in the right direction.

1. Technical controls. Follow what gr8gonzo posted. Ensure you have the right technical controls in place to protect the code and software. Put good NGFW/WAFs in place. Consider DLP if the information stored is going to be sensitive.

2. Look at non-technical controls. This is where most cloud vendors get slammed in reviews/audits. So look at operational controls. Here are some questions to get you started.

Who in the IaaS program is going to have access to your systems?
Who in the SaaS program is going to have access to client data?
 a. Take a strong look at your own employees and who will have access to your clients' data. Ensure you are following least privilege and role-based access control. SaaS vendors often get blackballed because they allow all of their internal employees access to client production data.
Where are your servers? What datacenters? How many datacenters?
What is the physical security of those data centers?
What is the long term business outlook for those datacenters or your IaaS?
Does the datacenter have any certifications? (SSAE-16, ISO27001)
Consider getting your SaaS/cloud program certified. A good option is FedRAMP.

Purchase a SIGv8 (will be SIGv9 next year) document and complete it. This document will list many technical and operational controls needed. Many of your clients may also require seeing this document before doing business with you.

Get a SOC 2 Type 2 doc. Again, many of your clients may require seeing this document before doing business with you.
LVL 10

Expert Comment

by:Schuyler Dorsey
ID: 40507254
You could also look at the Cloud Security Alliance CCM, but it's hit and miss how much weight your clients may put into it. Some consider it to be a very self-serving framework.

But regardless, even if you don't strive to certify against CSA, it's a good framework and starting point.
LVL 34

Expert Comment

by:gr8gonzo
ID: 40507567
I wasn't trying to overwhelm him with acronyms off the bat, but you also have to consider the data you're protecting. A lot of what Schuyler just listed is great when you need to be in compliance with different standards, but there's a cost/benefit ratio to everything. For example, a web service that generates memes probably doesn't need to worry about a lot of these things.

In most cases, unless you're setting up your own hardware and infrastructure, you just need to examine what the hosting provider offers in terms of security. "Who has access to what" is a huge overlapping question in different compliance standards.

Just bear in mind that the more sensitive the data, the more strict the security needs to be.
LVL 108

Accepted Solution

by:Ray Paseur
Ray Paseur earned 125 total points
ID: 40508431
OWASP

But give yourself some time to "get into it." IT Security is a full-time, four year college major today. And if you find that way to defend the database against attacks, I'm sure you can sell it to Sony!