What is the best way to protect user's information in a cloud software?

Posted on 2014-12-17
Last Modified: 2015-01-12

I'm developing a cloud sofware and I have some doubts about what's the best way for protecting the login. I'm looking for some scheme that could defend the database information in case of an attack via users. The software is being developed with Codeigniter.

Question by:dimensionav
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
LVL 35

Assisted Solution

gr8gonzo earned 250 total points
ID: 40505949
While it's good that you're concerned about security, you really don't want to learn security WHILE you're developing software. There are a lot of things that will affect HOW you design the software before you start coding.

You really should take the time to really design the security model prior to coding anything. Go through different tutorials. I'd say the key things to know are:

1. Determine how you will decide to trust an end user. Are you okay with just them having a session and not worrying about session hijacking? Do you want to require a client certificate? Things like that.

2. Understand how sessions are stored - what is stored on the server vs. what is stored on the end user's computer, and ask yourself if that data could be accessible in a way that you don't want. For example, if the sessions are stored on a server and you're on a shared hosting server, that might be a problem for you.

3. Learn about common code vulnerabilities - SQL injection, XSS, and so on, and then make sure YOU know how to execute the attacks (try them out) so you can know how to prevent them.

4. Learn about techniques using hashing/checksums/signatures on data to prevent tampering (e.g. if your software allows someone to go to fetch_sensitive_record.php?id=123, then make sure they can't just change 123 to 124 and get someone else's data).

5. Learn what HTTPS does and does not do.

6. Learn about at-rest encryption if you're working with data that has high compliance standards (social security numbers, credit cards, government data, etc...) and ensure your hosting platform has it.

7. Learn about PCI compliance and how to achieve it.

8. If you're going to encrypt data, learn which algorithms to use and how to protect the keys.

There are probably other topics to learn, but any good programmer should know a LOT about security - as much as they know about coding.
LVL 110

Expert Comment

by:Ray Paseur
ID: 40506063
Only one addition to @gr8gonzo's excellent summary.  Dump CodeIgniter right now and never look back.  It's 2014 and nobody starts a project with CodeIgniter any more.  Invest some of your time and energy to learn Laravel instead.  

Here's why:
LVL 35

Assisted Solution

gr8gonzo earned 250 total points
ID: 40507219
I wouldn't necessarily dump CodeIgniter as an option. It may not be as new and thriving as other frameworks, but it's still one of the fastest pure-PHP frameworks. It's the underlying engine for several enterprise products, including knowledge bases for companies / organizations like American Express, Sony, Black & Decker, Walmart, USDA, Overstock, Ticketmaster, and so on. I work with and on CI-powered sites every day and it handles large quantities of requests per second.

Laravel is more fully-featured, but doesn't always perform as well as CI. A large part of that is how you use it, of course.

If you want something that just flies and you're willing to take extra steps to ensure that performance is a priority, then Phalcon is your best option, but it's not pure PHP.

It also has a built-in CSRF module, which is good for security.

Just my $0.02.
Salesforce Has Never Been Easier

Improve and reinforce salesforce training & adoption using WalkMe's digital adoption platform. Start saving on costly employee training by creating fast intuitive Walk-Thrus for Salesforce. Claim your Free Account Now

LVL 10

Assisted Solution

by:Schuyler Dorsey
Schuyler Dorsey earned 125 total points
ID: 40507239
Here is more of a high level approach to get you going in the right direction.

1. Technical controls. Follow what gr8gonzo posted. Ensure you have the right technical controls in place to protect the code and software. Put good NGFW/WAFs in place. Consider DLP is the information stored is going to be sensitive.

2. Look at non-technical controls. There is where most cloud vendors get slammed in reviews/audits. So look at operational controls. Here are some questions to get you started.

Who in the IaaS program is going to have access to your systems?
Who in the SaaS program is going to have access to client data?
 a. Take a strong look at your own employees and who will have access to your client's data. Ensure you are following least privilege and role based access control. SaaS vendors often get black balled because they allow all of their internal employees access to client production data.
Where are your servers? What datacenters? How many datacenters?
What is the physical security of those data centers?
What is the long term business outlook for those datacenters or your IaaS?
Does the datacenter have any certifications? (SSAE-16, ISO27001)
Consider getting your SaaS/cloud program certified. A good option is FedRAMP.

Purchase a SIGv8 (will be SIGv9 next year) document and complete it. This document will list many technical and operational controls needed. Many of your clients may also require seeing this document before doing business with you.

Get a SOC 2 Type 2 doc. Again, many of your clients may require seeing this document before doing business with you.
LVL 10

Expert Comment

by:Schuyler Dorsey
ID: 40507254
You could also look at Cloud Security Alliance CCM.. but it's hit and miss how much weight your clients may put into it. Some consider it to be a very self-serving framework.

But regardless, even if you don't strive to certify against CSA, it's a good framework and starting point.
LVL 35

Expert Comment

ID: 40507567
I wasn't trying to overwhelm him with acronyms off the bat, but you also have to consider the data you're protecting. A lot of what Schuyler just listed is great when you need to be in compliance with different standards, but there's a cost/benefit ratio to everything. For example, a web service that generates memes probably doesn't need to worry about a lot of these things.

In most cases, unless you're setting up your own hardware and infrastructure, you just need to examine what the hosting provider offers in terms of security. "Who has access to what" is a huge overlapping question in different compliance standards.

Just bear in mind that the more sensitive the data, the more strict the security needs to be.
LVL 110

Accepted Solution

Ray Paseur earned 125 total points
ID: 40508431

But give yourself some time to "get into it."  IT Security is a full-time, four year college major today.  And if you find that way to defend the database against attacks, I'm sure you can sell it to Sony!

Featured Post

PeopleSoft Has Never Been Easier

PeopleSoft Adoption Made Smooth & Simple!

On-The-Job Training Is made Intuitive & Easy With WalkMe's On-Screen Guidance Tool.  Claim Your Free WalkMe Account Now

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Powerful tools can do wonders, but only in the right hands.  Nowhere is this more obvious than with the cloud.
You deserve ‘straight talk’ from your cloud provider about your risk, your costs, security, uptime and the processes that are in place to protect your mission-critical applications.
The viewer will learn how to count occurrences of each item in an array.
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …

622 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question