Where to place the SSL Encryption: IIS or Application (SAS) level?

If you had to pick a place for your SSL encryption to go, what would be the best place to place it and why? At the IIS level... or at the application level?

We use IIS in conjunction with SAS to serve web pages to our external customers in our current environment. We currently are using SSL encryption via IIS, but are wondering if this is the best configuration or if moving forward it would be better to encrypt the web traffic at the SAS Level.

Let me know if you need any additional info. Thank you!
Asked by: nflynn85

btan (Exec Consultant) commented:
SSL is to secure the point-to-point channel; it should be at the service or system level, in other words, IIS. The application should handle end to end, which is to encrypt data (preshared or application-specific keypair) and then send it through the secure SSL (certificate) channel. This provides end-to-end data confidentiality.

Therefore, in your case you can explore whether the backend server code can do the data encryption while you maintain the existing IIS SSL channel. SAS has file encryption for securing data at rest, and SSL will be for securing data in transit.
SAS passwords and metadata-bound data sets restrict access to SAS data sets within SAS. But neither can prevent SAS data sets from being viewed at the operating environment system level or from being read by an external program. Encryption provides security of your SAS data outside of SAS by writing to disk the encrypted data that represents the SAS data. The data is decrypted by the SAS system as it is read from the disk, but is not decrypted when read at the operating system level or by external programs.
http://support.sas.com/documentation/cdl/en/lrcon/68089/HTML/default/viewer.htm#n1s7u3pd71rgunn1xuexedikq90f.htm
nflynn85 (Author) commented:
That's basically what we are doing now... EFS for at-rest encryption and then IIS for SSL.
btan (Exec Consultant) commented:
If that is the case, that will already suffice, with the secure SSL channel done.
