Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17


What is the best way to protect user's information in a cloud software?

Posted on 2014-12-17
Medium Priority
Last Modified: 2015-01-12

I'm developing a cloud sofware and I have some doubts about what's the best way for protecting the login. I'm looking for some scheme that could defend the database information in case of an attack via users. The software is being developed with Codeigniter.

Question by:dimensionav
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
LVL 35

Assisted Solution

gr8gonzo earned 1000 total points
ID: 40505949
While it's good that you're concerned about security, you really don't want to learn security WHILE you're developing software. There are a lot of things that will affect HOW you design the software before you start coding.

You really should take the time to really design the security model prior to coding anything. Go through different tutorials. I'd say the key things to know are:

1. Determine how you will decide to trust an end user. Are you okay with just them having a session and not worrying about session hijacking? Do you want to require a client certificate? Things like that.

2. Understand how sessions are stored - what is stored on the server vs. what is stored on the end user's computer, and ask yourself if that data could be accessible in a way that you don't want. For example, if the sessions are stored on a server and you're on a shared hosting server, that might be a problem for you.

3. Learn about common code vulnerabilities - SQL injection, XSS, and so on, and then make sure YOU know how to execute the attacks (try them out) so you can know how to prevent them.

4. Learn about techniques using hashing/checksums/signatures on data to prevent tampering (e.g. if your software allows someone to go to fetch_sensitive_record.php?id=123, then make sure they can't just change 123 to 124 and get someone else's data).

5. Learn what HTTPS does and does not do.

6. Learn about at-rest encryption if you're working with data that has high compliance standards (social security numbers, credit cards, government data, etc...) and ensure your hosting platform has it.

7. Learn about PCI compliance and how to achieve it.

8. If you're going to encrypt data, learn which algorithms to use and how to protect the keys.

There are probably other topics to learn, but any good programmer should know a LOT about security - as much as they know about coding.
LVL 111

Expert Comment

by:Ray Paseur
ID: 40506063
Only one addition to @gr8gonzo's excellent summary.  Dump CodeIgniter right now and never look back.  It's 2014 and nobody starts a project with CodeIgniter any more.  Invest some of your time and energy to learn Laravel instead.  

Here's why:
LVL 35

Assisted Solution

gr8gonzo earned 1000 total points
ID: 40507219
I wouldn't necessarily dump CodeIgniter as an option. It may not be as new and thriving as other frameworks, but it's still one of the fastest pure-PHP frameworks. It's the underlying engine for several enterprise products, including knowledge bases for companies / organizations like American Express, Sony, Black & Decker, Walmart, USDA, Overstock, Ticketmaster, and so on. I work with and on CI-powered sites every day and it handles large quantities of requests per second.

Laravel is more fully-featured, but doesn't always perform as well as CI. A large part of that is how you use it, of course.

If you want something that just flies and you're willing to take extra steps to ensure that performance is a priority, then Phalcon is your best option, but it's not pure PHP.

It also has a built-in CSRF module, which is good for security.

Just my $0.02.
Put Machine Learning to Work--Protect Your Clients

Machine learning means Smarter Cybersecurity™ Solutions.
As technology continues to advance, managing and analyzing massive data sets just can’t be accomplished by humans alone. It requires huge amounts of memory and storage, as well as high-speed processing of the cloud.

LVL 10

Assisted Solution

by:Schuyler Dorsey
Schuyler Dorsey earned 500 total points
ID: 40507239
Here is more of a high level approach to get you going in the right direction.

1. Technical controls. Follow what gr8gonzo posted. Ensure you have the right technical controls in place to protect the code and software. Put good NGFW/WAFs in place. Consider DLP is the information stored is going to be sensitive.

2. Look at non-technical controls. There is where most cloud vendors get slammed in reviews/audits. So look at operational controls. Here are some questions to get you started.

Who in the IaaS program is going to have access to your systems?
Who in the SaaS program is going to have access to client data?
 a. Take a strong look at your own employees and who will have access to your client's data. Ensure you are following least privilege and role based access control. SaaS vendors often get black balled because they allow all of their internal employees access to client production data.
Where are your servers? What datacenters? How many datacenters?
What is the physical security of those data centers?
What is the long term business outlook for those datacenters or your IaaS?
Does the datacenter have any certifications? (SSAE-16, ISO27001)
Consider getting your SaaS/cloud program certified. A good option is FedRAMP.

Purchase a SIGv8 (will be SIGv9 next year) document and complete it. This document will list many technical and operational controls needed. Many of your clients may also require seeing this document before doing business with you.

Get a SOC 2 Type 2 doc. Again, many of your clients may require seeing this document before doing business with you.
LVL 10

Expert Comment

by:Schuyler Dorsey
ID: 40507254
You could also look at Cloud Security Alliance CCM.. but it's hit and miss how much weight your clients may put into it. Some consider it to be a very self-serving framework.

But regardless, even if you don't strive to certify against CSA, it's a good framework and starting point.
LVL 35

Expert Comment

ID: 40507567
I wasn't trying to overwhelm him with acronyms off the bat, but you also have to consider the data you're protecting. A lot of what Schuyler just listed is great when you need to be in compliance with different standards, but there's a cost/benefit ratio to everything. For example, a web service that generates memes probably doesn't need to worry about a lot of these things.

In most cases, unless you're setting up your own hardware and infrastructure, you just need to examine what the hosting provider offers in terms of security. "Who has access to what" is a huge overlapping question in different compliance standards.

Just bear in mind that the more sensitive the data, the more strict the security needs to be.
LVL 111

Accepted Solution

Ray Paseur earned 500 total points
ID: 40508431

But give yourself some time to "get into it."  IT Security is a full-time, four year college major today.  And if you find that way to defend the database against attacks, I'm sure you can sell it to Sony!

Featured Post

The top UI technologies you need to be aware of

An important part of the job as a front-end developer is to stay up to date and in contact with new tools, trends and workflows. That’s why you cannot miss this upcoming webinar to explore the latest trends in UI technologies!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The recent Petya-like ransomware attack served a big blow to hundreds of banks, corporations and government offices The Acronis blog takes a closer look at this damaging worm to see what’s behind it – and offers up tips on how you can safeguard your…
A look at how technology has changed storm coverage and how it can help in the aftermath.
This is an introductory video for CloudBerry Managed Backup. You will learn how to sign up with the service and get started in a few minutes.
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question