Solved

Where to place the SSL Encryption: IIS or Application (SAS) level?

Posted on 2016-08-22
Last Modified: 2016-11-12
If you had to pick a place for your SSL encryption to go, what would be the best place to place it and why? At the IIS level... or at the application level?

We use IIS in conjunction with SAS to serve web pages to our external customers in our current environment. We currently are using SSL encryption via IIS, but are wondering if this is the best configuration or if moving forward it would be better to encrypt the web traffic at the SAS Level.

Let me know if you need any additional info. Thank you!
Question by:nflynn85
3 Comments
 
LVL 64

Assisted Solution

by:btan
btan earned 500 total points
ID: 41765430
SSL is to secure the point-to-point channel; it should be at the service or system level, in other words, IIS. The application should handle end to end, which is to encrypt the data (preshared or application-specific keypair) and then send it through the secure SSL (certificate) channel. This provides end-to-end data confidentiality.

Therefore, in your case you can explore whether the backend server code can do the data encryption while you maintain the existing IIS SSL channel. SAS has file encryption for securing data at rest, and SSL will be for securing data in transit.
SAS passwords and metadata-bound data sets restrict access to SAS data sets within SAS. But neither can prevent SAS data sets from being viewed at the operating environment system level or from being read by an external program. Encryption provides security of your SAS data outside of SAS by writing to disk the encrypted data that represents the SAS data. The data is decrypted by the SAS system as it is read from the disk, but is not decrypted when read at the operating system level or by external programs.
http://support.sas.com/documentation/cdl/en/lrcon/68089/HTML/default/viewer.htm#n1s7u3pd71rgunn1xuexedikq90f.htm
 

Author Comment

by:nflynn85
ID: 41767189
That's basically what we are doing now... EFS for at-rest encryption and then IIS for SSL.
 
LVL 64

Accepted Solution

by:
btan earned 500 total points
ID: 41767205
If that is the case, that will already suffice with the secure SSL channel done.