Author Topic: website security  (Read 4942 times)

kalos

  • Member
  • Joined in 2006
  • Posts: 1,823
website security
« on: February 15, 2012, 03:00 PM »
hello!

I am thinking of building a part of a website where clients will log in to view some info about their accounts, etc., although I have no web building experience at all.

I am willing to learn, but what bothers me is that website security looks hard to achieve, since I see all those major websites being hacked, etc.

So, is there no simple and totally secure way to achieve this?

thanks!

KynloStephen66515

  • Animated Giffer in Chief
  • Honorary Member
  • Joined in 2010
  • Posts: 3,741
Re: website security
« Reply #1 on: February 15, 2012, 03:05 PM »
Nothing is ever 100% secure :)

The basic rule of thumb is... if it's online... people can access it.

Best not to think too much about it... but also best to write some pretty long privacy policies and disclaimers to avoid any possible legal action from break-ins :)


kalos

  • Member
  • Joined in 2006
  • Posts: 1,823
Re: website security
« Reply #2 on: February 15, 2012, 03:11 PM »
Any other method to make info for each client available to him on request?

For example, automated email replies containing the requested info, when I receive their email messages?

Any other idea?

40hz

  • Supporting Member
  • Joined in 2007
  • Posts: 11,858
Re: website security
« Reply #3 on: February 15, 2012, 03:17 PM »
Quote from: kalos
hello!

I am thinking of building a part of a website where clients will log in to view some info about their accounts, etc., although I have no web building experience at all.

I am willing to learn, but what bothers me is that website security looks hard to achieve, since I see all those major websites being hacked, etc.

So, is there no simple and totally secure way to achieve this?

thanks!

In a nutshell? No. There isn't.

With all due respect, web and network security is not something you can just casually get into as an amateur (or student) and expect to be able to thwart professional hackers and other cyber-criminals. With some education and experience you could probably stop most script-kiddies and other amateur hackers. But you don't stand a chance against the real baddies - most of whom have extensive technical education and experience to fall back on.

Security is such a rapidly changing and challenging field that even network professionals frequently farm out some or all of their network security requirements to specialists.

Wish it were otherwise, but that's the basic reality of the connected world we live in. :)

mouser

  • First Author
  • Administrator
  • Joined in 2005
  • Posts: 40,900
Re: website security
« Reply #4 on: February 15, 2012, 03:21 PM »
Stephen and 40hz are right -- there is no 100% guaranteed security. And 40hz's advice is on the money -- if this is really sensitive information, it's just not something that you or even a normal web host/admin is qualified to deal with.

I think the first question you have to answer is how sensitive is this information -- how much fallout would there be if someone did get access to the info?  How desirable is the information to an attacker?

40hz

  • Supporting Member
  • Joined in 2007
  • Posts: 11,858
Re: website security
« Reply #5 on: February 15, 2012, 03:23 PM »
Quote from: kalos
Any other method to make info for each client available to him on request?

For example, automated email replies containing the requested info, when I receive their email messages?

Any other idea?

You could do that. But it would probably be a good idea to encrypt those emails, since they can also be intercepted or gotten off your clients' machines.

Then there's the issue of how to be very sure the request is only coming from the person the information belongs to. End-users are notoriously lax when it comes to picking good passwords for their accounts so passwords don't provide enough security by themselves.


40hz

  • Supporting Member
  • Joined in 2007
  • Posts: 11,858
Re: website security
« Reply #6 on: February 15, 2012, 03:41 PM »
Just an addendum: depending on where you plan on doing this, and what business you're in, there may be legal requirements governing data transmissions like yours. I work with clients in the home mortgage industry. Both the federal and state government regulatory agencies have extensive guidelines and requirements for the type of data mortgage lenders are allowed to transmit and how it is to be transmitted. Failure to comply with these regulations can result in fines and imprisonment.

So (in keeping with what mouser said earlier about sensitivity and fallout) something you absolutely need to find out is whether there are things you're legally obligated to do if you're going to be sending out what you're planning. Just from working with my clients I was amazed at the number of things they're required to do if they need to send an email containing somebody's personal information. (Hint: authorization from the client, message encryption, allowed transmission methodologies, message retention, secure message archiving, security breach reporting, rules governing client advisement in the event of a breach or other loss of data... it just goes on and on.)
 :tellme:

kalos

  • Member
  • Joined in 2006
  • Posts: 1,823
Re: website security
« Reply #7 on: February 15, 2012, 03:58 PM »
Well, it's neither that crucial nor desirable; it's biochemical data for patients.

40hz

  • Supporting Member
  • Joined in 2007
  • Posts: 11,858
Re: website security
« Reply #8 on: February 15, 2012, 04:58 PM »
Quote from: kalos
Well, it's neither that crucial nor desirable; it's biochemical data for patients.

In the USA that information probably falls under HIPAA privacy and security rules if the information relates to specific individuals and the information was obtained through some sort of medical examination or testing procedure.
 :o

Here's part of HIPAA. Be sure you're sitting down!
Administrative Requirements

HHS recognizes that covered entities range from the smallest provider to the largest, multi-state health plan. Therefore the flexibility and scalability of the Rule are intended to allow covered entities to analyze their own needs and implement solutions appropriate for their own environment. What is appropriate for a particular covered entity will depend on the nature of the covered entity’s business, as well as the covered entity’s size and resources.

Privacy Policies and Procedures. A covered entity must develop and implement written privacy policies and procedures that are consistent with the Privacy Rule.

Privacy Personnel. A covered entity must designate a privacy official responsible for developing and implementing its privacy policies and procedures, and a contact person or contact office responsible for receiving complaints and providing individuals with information on the covered entity’s privacy practices.

Workforce Training and Management. Workforce members include employees, volunteers, trainees, and may also include other persons whose conduct is under the direct control of the entity (whether or not they are paid by the entity). A covered entity must train all workforce members on its privacy policies and procedures, as necessary and appropriate for them to carry out their functions. A covered entity must have and apply appropriate sanctions against workforce members who violate its privacy policies and procedures or the Privacy Rule.

Mitigation. A covered entity must mitigate, to the extent practicable, any harmful effect it learns was caused by use or disclosure of protected health information by its workforce or its business associates in violation of its privacy policies and procedures or the Privacy Rule.

Data Safeguards. A covered entity must maintain reasonable and appropriate administrative, technical, and physical safeguards to prevent intentional or unintentional use or disclosure of protected health information in violation of the Privacy Rule and to limit its incidental use and disclosure pursuant to otherwise permitted or required use or disclosure. For example, such safeguards might include shredding documents containing protected health information before discarding them, securing medical records with lock and key or pass code, and limiting access to keys or pass codes. See additional guidance on Incidental Uses and Disclosures.

Complaints. A covered entity must have procedures for individuals to complain about its compliance with its privacy policies and procedures and the Privacy Rule. The covered entity must explain those procedures in its privacy practices notice.

Among other things, the covered entity must identify to whom individuals can submit complaints at the covered entity and advise that complaints also can be submitted to the Secretary of HHS.

Retaliation and Waiver. A covered entity may not retaliate against a person for exercising rights provided by the Privacy Rule, for assisting in an investigation by HHS or another appropriate authority, or for opposing an act or practice that the person believes in good faith violates the Privacy Rule. A covered entity may not require an individual to waive any right under the Privacy Rule as a condition for obtaining treatment, payment, and enrollment or benefits eligibility.

Documentation and Record Retention. A covered entity must maintain, until six years after the later of the date of their creation or last effective date, its privacy policies and procedures, its privacy practices notices, disposition of complaints, and other actions, activities, and designations that the Privacy Rule requires to be documented.

Fully-Insured Group Health Plan Exception. The only administrative obligations with which a fully-insured group health plan that has no more than enrollment data and summary health information is required to comply are the (1) ban on retaliatory acts and waiver of individual rights, and (2) documentation requirements with respect to plan documents if such documents are amended to provide for the disclosure of protected health information to the plan sponsor by a health insurance issuer or HMO that services the group health plan.


KynloStephen66515

  • Animated Giffer in Chief
  • Honorary Member
  • Joined in 2010
  • Posts: 3,741
Re: website security
« Reply #9 on: February 15, 2012, 05:12 PM »
I'm pretty sure it would be covered under similar terms in most Western countries also... seems like something that should be as private as possible, especially if the data can be linked to specific people.

40hz

  • Supporting Member
  • Joined in 2007
  • Posts: 11,858
Re: website security
« Reply #10 on: February 15, 2012, 05:13 PM »
^Hey look! Stephen's got a new AVATAR!!! :Thmbsup: