Web Security – Your Responsibilities as a Service Provider
Everybody is aware that as a consumer, you must be careful with supplying your identity details on an online form, pay by your credit card online via secured connections only and selecting random cryptic passwords for all your logins (tongue in cheek). Having said that, online service providers do indeed have a duty of care to follow good security practices (and some rigid industry standards in a few cases) to ensure that the details of their clients are not compromised. After all, it is the service providers that set the standard in secure online communications that our customers end up with. This article will explain some of steps providers can and need to take to ensure good security practices.
Do you have any of these features?
If you do have any of these features on your website, you would qualify as an online service provider and would definitely need to consider the security needs of your clients.
• An online shopping cart;
• A login to a restricted section of your website;
• Collection of credit card details;
• A form that collects personal identity information;
• An interaction facility for your clients.
If your website serves as anything beyond an online brochure for your company, you probably need to consider this further.
Some practices are outlined below.
Most online service providers have some sort of a login form for clients. In the section of the online facility that requires users to choose their preferred password, it is a good practice to enforce a cryptic password. Some checks could include minimum length, minimum count of number characters, a mix of letters in both lower and upper cases etc. Of course, this may be a inconvenient for users who would prefer to use the word “password” as their password.
Although it is highly unlikely that somebody will launch a sophisticated dictionary attack on a typical e-commerce provider to brute force the login of one specific customer, it is nevertheless a good practice.
SSL and Public Key Cryptography
A website that is geared to use a secure connection via Secure Sockets Layer (SSL) is not quite mandatory unless the service provider collects credit card details. However, a lot of online service providers have recently elected to make entire websites accessible via secure connections only. It is a good future-proof practice that ensures all communications of the online service provider with their clients remain secure.
A connection via SSL will ensure that all data that is transferred between two end points (service provider and client) is encrypted and serves no purpose to the intruder if it is somehow intercepted. It is a very effective protocol and all that is needed to implement it on your online facility is the purchase and configuration of an SSL certificate from a Certificate Authority (CA).
For more information on this topic research SSL and Public Key Cryptography.
Storage and Collection of Personal Identity Details
In respect to the collection of data, the aforementioned SSL protocol is an excellent way to protect personal information that your clients may enter in a form on your online facility – e.g. a registration form.
With storage of client data, it is highly likely that it would be stored in some sort of a database in Plaintext (i.e. stored in a decrypted format). While storage of this information in an encrypted format on the online service provider servers would definitely be preferred, it would rarely be the case in practice. In this scenario, it is crucial that the applicable server software is kept up to date and that proper company security protocols are in place such that access to these sensitive customer details are limited to specific authorised staff.
Storage of Credit Card Details
Storage of credit card details is a serious matter. We do not recommend online service providers to store credit card details unless the online facility in question is well designed and has undergone rigorous testing.
Credit card storage is enforced by a strict industry standard called Payment Card Industry Data Security Standard (PCI DSS). There are a lot of rules to adhere to should an online server provider elect to store credit cards on their servers.
Collection of Credit Card Details
Just like storage of credit card details, collection of the same online is also guarded by the aforementioned PCI DSS. I always recommend to all of my clients to use a third-party gateway that is already compliant as a first option. If there is indeed a solid case for a custom standalone processing facility, there is a long design and development process to go through in order to develop a custom transaction system. A secure connection (SSL) to collect credit card details from customer will be mandatory, followed by another secure connection to a bank or other processing endpoint via some sort of a custom application programming interface (API).
Open Source Content Management Systems
If an online facility uses an Open Source CMS as a base system, one needs to be extremely proactive with security patches and look out for security holes. Online facilities that use Open Source CMS are subject to exploits – a process where automated pieces of software that reside and run in various parts of the world scan various websites and attempt to exploit websites that may use an out of date Open Source CMS.
The reason for this is that exploits in these types of systems are quickly made public and taken advantage of.
While your web hosting provider will generally be on top of security updates for software that forms the core of the web hosting services (e.g. web server applications, email server applications, database management systems), there may be no automatic process in place that will keep the software that runs your online facility up to date. If a proper security patch is not applied promptly, the security of the online facility may be at risk.
by Daniel Moisyeyev