What is the best way to protect user's information in a cloud software?


I'm developing cloud software and I have some doubts about the best way to protect the login. I'm looking for a scheme that could defend the database information in case of an attack via users. The software is being developed with CodeIgniter.


While it's good that you're concerned about security, you really don't want to learn security WHILE you're developing software. There are a lot of things that will affect HOW you design the software before you start coding.

You really should take the time to really design the security model prior to coding anything. Go through different tutorials. I'd say the key things to know are:

1. Determine how you will decide to trust an end user. Are you okay with just them having a session and not worrying about session hijacking? Do you want to require a client certificate? Things like that.

2. Understand how sessions are stored - what is stored on the server vs. what is stored on the end user's computer, and ask yourself if that data could be accessible in a way that you don't want. For example, if the sessions are stored on a server and you're on a shared hosting server, that might be a problem for you.

3. Learn about common code vulnerabilities - SQL injection, XSS, and so on, and then make sure YOU know how to execute the attacks (try them out) so you can know how to prevent them.

4. Learn about techniques using hashing/checksums/signatures on data to prevent tampering (e.g. if your software allows someone to go to fetch_sensitive_record.php?id=123, then make sure they can't just change 123 to 124 and get someone else's data).

5. Learn what HTTPS does and does not do.

6. Learn about at-rest encryption if you're working with data that has high compliance standards (social security numbers, credit cards, government data, etc...) and ensure your hosting platform has it.

7. Learn about PCI compliance and how to achieve it.

8. If you're going to encrypt data, learn which algorithms to use and how to protect the keys.

There are probably other topics to learn, but any good programmer should know a LOT about security - as much as they know about coding.
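An added example in plain PHP (not code from this thread or from CodeIgniter) that shows points 3 and 4 of the list above together: a record reference whose id is bound to the logged-in user with an HMAC, so changing `123` to `124` in `fetch_sensitive_record.php?id=...` fails the signature check, plus a prepared statement that also filters by owner, so even a correctly signed id only returns the caller's own row. It assumes PHP 7.1+ with the pdo_sqlite extension, a hypothetical `records` table, and a placeholder key that in a real deployment would come from server-side configuration.

```php
<?php
// Added example, not from the original thread: tamper-evident record
// references (point 4) and a parameterized ownership query (point 3).
declare(strict_types=1);

// Assumption: the HMAC key lives in server configuration, never in the
// client. This placeholder only lets the file run stand-alone.
const RECORD_LINK_KEY = 'REPLACE-WITH-A-32-BYTE-RANDOM-KEY-FROM-CONFIG';

/**
 * Build the reference an authenticated user may use to fetch one record.
 * The MAC covers both the user id and the record id, so an edited id or a
 * link copied from another account no longer verifies.
 */
function signRecordRef(int $recordId, int $userId, string $key = RECORD_LINK_KEY): string
{
    $mac = hash_hmac('sha256', $userId . ':' . $recordId, $key);
    return $recordId . '.' . $mac;
}

/**
 * Verify a reference taken from the query string. Returns the record id on
 * success or null on any failure. hash_equals() is a constant-time compare.
 */
function verifyRecordRef(string $ref, int $userId, string $key = RECORD_LINK_KEY): ?int
{
    if (!preg_match('/^(\d{1,18})\.([0-9a-f]{64})$/', $ref, $m)) {
        return null;
    }
    $recordId = (int) $m[1];
    $expected = hash_hmac('sha256', $userId . ':' . $recordId, $key);
    return hash_equals($expected, $m[2]) ? $recordId : null;
}

/**
 * The signature stops casual tampering, but the authoritative control is the
 * ownership clause inside the query: a valid id is returned only when the row
 * belongs to the session's user. The prepared statement keeps user input out
 * of the SQL text.
 */
function fetchSensitiveRecord(PDO $db, int $userId, string $ref): ?array
{
    $recordId = verifyRecordRef($ref, $userId);
    if ($recordId === null) {
        return null; // worth logging: either a broken link or a tampering attempt
    }
    $stmt = $db->prepare(
        'SELECT id, owner_id, body FROM records WHERE id = :id AND owner_id = :owner'
    );
    $stmt->execute([':id' => $recordId, ':owner' => $userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Stand-alone demonstration on an in-memory SQLite database (constructed data).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE records (id INTEGER PRIMARY KEY, owner_id INTEGER, body TEXT)');
$db->exec("INSERT INTO records VALUES (123, 7, 'alice record'), (124, 9, 'bob record')");

$alice = 7;
$goodRef  = signRecordRef(123, $alice);                    // the link the app would emit
$tampered = preg_replace('/^123\./', '124.', $goodRef);    // id edited, MAC left unchanged
$otherRow = signRecordRef(124, $alice);                    // well-formed, but not her row

var_dump(fetchSensitiveRecord($db, $alice, $goodRef));   // her own record
var_dump(fetchSensitiveRecord($db, $alice, $tampered));  // rejected by the MAC
var_dump(fetchSensitiveRecord($db, $alice, $otherRow));  // rejected by the owner clause
```

The two checks are deliberately layered: the MAC makes a tampered URL fail before any database work, and the `owner_id` clause means a bug in link generation still cannot leak another user's row. Rotating `RECORD_LINK_KEY` invalidates every outstanding link, which is the intended behaviour after a key exposure.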

Ray Paseur commented:
Only one addition to @gr8gonzo's excellent summary. Dump CodeIgniter right now and never look back. It's 2014 and nobody starts a project with CodeIgniter any more. Invest some of your time and energy to learn Laravel instead.

Here's why:
I wouldn't necessarily dump CodeIgniter as an option. It may not be as new and thriving as other frameworks, but it's still one of the fastest pure-PHP frameworks. It's the underlying engine for several enterprise products, including knowledge bases for companies / organizations like American Express, Sony, Black & Decker, Walmart, USDA, Overstock, Ticketmaster, and so on. I work with and on CI-powered sites every day and it handles large quantities of requests per second.

Laravel is more fully-featured, but doesn't always perform as well as CI. A large part of that is how you use it, of course.

If you want something that just flies and you're willing to take extra steps to ensure that performance is a priority, then Phalcon is your best option, but it's not pure PHP.

It also has a built-in CSRF module, which is good for security.

Just my $0.02.

Schuyler Dorsey commented:
Here is more of a high level approach to get you going in the right direction.

1. Technical controls. Follow what gr8gonzo posted. Ensure you have the right technical controls in place to protect the code and software. Put good NGFW/WAFs in place. Consider DLP if the information stored is going to be sensitive.

2. Look at non-technical controls. This is where most cloud vendors get slammed in reviews/audits. So look at operational controls. Here are some questions to get you started.

Who in the IaaS program is going to have access to your systems?
Who in the SaaS program is going to have access to client data?
 a. Take a strong look at your own employees and who will have access to your clients' data. Ensure you are following least privilege and role-based access control. SaaS vendors often get blackballed because they allow all of their internal employees access to client production data.
Where are your servers? What datacenters? How many datacenters?
What is the physical security of those data centers?
What is the long term business outlook for those datacenters or your IaaS?
Does the datacenter have any certifications? (SSAE-16, ISO27001)
Consider getting your SaaS/cloud program certified. A good option is FedRAMP.

Purchase a SIGv8 (will be SIGv9 next year) document and complete it. This document will list many technical and operational controls needed. Many of your clients may also require seeing this document before doing business with you.

Get a SOC 2 Type 2 doc. Again, many of your clients may require seeing this document before doing business with you.

Schuyler Dorsey commented:
You could also look at the Cloud Security Alliance CCM, but it's hit and miss how much weight your clients may put into it. Some consider it to be a very self-serving framework.

But regardless, even if you don't strive to certify against CSA, it's a good framework and starting point.
I wasn't trying to overwhelm him with acronyms off the bat, but you also have to consider the data you're protecting. A lot of what Schuyler just listed is great when you need to be in compliance with different standards, but there's a cost/benefit ratio to everything. For example, a web service that generates memes probably doesn't need to worry about a lot of these things.

In most cases, unless you're setting up your own hardware and infrastructure, you just need to examine what the hosting provider offers in terms of security. "Who has access to what" is a huge overlapping question in different compliance standards.

Just bear in mind that the more sensitive the data, the more strict the security needs to be.

Ray Paseur commented:
But give yourself some time to "get into it." IT Security is a full-time, four-year college major today. And if you find that way to defend the database against attacks, I'm sure you can sell it to Sony!
