Security is about reducing risk. All devices connected to the Internet have to deal with reducing the risk of data being compromised while in transit or in storage. Part I of How to Secure Your Website introduced the basics of securing website data while in transit. This post will cover storage.
Computer storage is often organized into a hierarchy based on accessibility to and volatility of data. The focus of this article is on secondary storage, a hard drive or flash memory.
Just about all devices these days incorporate some form of authorization and access control. Access control is simply the process of restricting access. Authentication is the use of some sort of credential, such as a username and password. Authorization is the act of authentication for access.
Due to poor risk assessment or implementation, access control processes are routinely compromised. Worst, most data stored on these compromised devices are rarely encrypted properly, if at all.
Advocate data breach highlights lack of encryption, a widespread issue
As mentioned in Part I, there are cryptographic methods that not just encode data, but provide additional methods of authorization and access control to data. So, why isn’t all data encrypted in storage?
Similar to that of data in transit, encrypting data in storage has not always been considered a high priority. Speed is usually the focus for storage because the access time impacts the overall speed of an application. The act of encrypting data on write and decrypting the data on read requires more time and can cause a perception that the application or website is slow. Hence encryption is rarely enabled for all data in storage.
By default, Orbit’s content management system does not store credit card or other financial information
If a business case requires the storage of personally identifiable information, Orbit’s policy is to enhance the CMS to encrypt the data for storage, decrypt and viewable through a secured process and destroy the data after 30 days.
User passwords are hashed. Similar to a cipher, a hash is a method for encoding data. However, unlike a cipher, a hash is one way. A strong password, properly hashed, is difficult to guess or reverse
Does your website’s data need to be secured? That’s a risk assessment you need to make with your web developer and hosting provider. But consider, what information is collected and stored on your website:
Name, Phone Number, Email, Street Addresses
Some people are very cautious about sharing even this basic level of information with others. However, those people will opt-out of forms that ask for this information on principle
Most people share this level of information openly and, taken by itself, is optional to secure
Date of Birth, City of Birth, Mother’s Maiden Name, Alma mater, Year of Graduation, Past Residences, Gender, Ethnicity, Account/Username
On their own, this information might be considered benign. When combined with other information they form the basis of an identity
Need to secure
Social Security Number, Driver’s License ID, Bank Account Number, Credit Card Number, Account Password
This is information that is used for authentication of an identity
Of course, this list is incomplete. Perhaps you can think of something to add to it? Post it in the comments section below.
What are your thoughts?