|
While it is right to consider carefully the security implications of storing your organization's data online, we believe the benefits of using Endis far outweight the potential risks.
The Weakest Link?
A system as a whole is only as secure as its most vulnerable point, and it is often weaknesses in human processes rather than in the technology that provide the greatest vulnerabilities. For example it is far easier to guess someone's password (try first names, or the name of their pet) than it is to set up technical mechanisms to try and intercept those passwords. In a similar way, the transmission of credit card numbers over a secure connection on an online store is much more secure than the transmission of a credit card by a waiter to a till in the back of a restaurant, out of sight of the card's owner.
For a system to be used it has to be accessed, and our most serious security "flaw" is that we want people to use the site, and so we have to trust users with the ability to manage permissions effectively and apply good password policy.
Relative Risks
It is important to keep any risks in perspective. For example, the move to an online address book is often met with apprehension, but to see if it is right for you it should be compared to the alternative. By having an address book online you can control access to that information to consenting members of that address book (i.e. a trusted, closed community). In many ways this is more secure than having many paper copies floating around - as your organization may be able to control who first receives those copies, but not who reads them. The personal details that are stored on the system can be easily obtained from other sources i.e. the phone book.
Appropriate Controls
A key principle of designing secure systems is to consider the motivations of why someone would try to circumvent security, as the strength of motive is directly proportional to the amount of effort that will be expended in trying to break the security.
For this reason, although safeguarding and protecting personal information can be done with the same techniques as protecting financial information, it is important to remember that no credit card numbers or financial information are stored on Endis. The rewards of breaking security to obtain address lists or administrative permissions on a church web site are nowhere near as lucrative as obtaining credit card numbers, hence the bad guys will be less persistent - and this is a factor when selecting appropriate security mechanisms.
Building Trust
Probably the most important consideration for us is the perception of security. Everyone is naturally afraid of what they don't understand, and online security is technical, out of sight, poorly understood and hence feared. The way to reduce the perception of fear is not to add extra security as this often has the opposite effect - but to build trust through understanding.
Security is wider than any single technical mechanism, and the system has to be considered as a whole to produce a level of assurance that is acceptable for Endis, your organization and your members. Endis (our commercial parent) has roots in financial software (www.endis.com) and we have development and operational experience of financial applications where security and correctness are vital.
Practical Techniques
We use a MS SQL2000 database platform, running on Windows 2000 with the latest security patches applied. It is housed in a secure co-location facility in Cambridge, behind a managed switch and hardware firewall. Server management and off-site backups are administered remotely through a secure VPN connection. This is all industry standard operating procedure.
In terms of application level security, passwords are stored in the database encrypted with a one-way algorithm, and all transmission of passwords is protected by SSL encryption and/or a challenge-response authentication technique. We also enforce explicit authentication before using the Web Office, so that administrators cannot simply leave the 'Remember Login' box checked. This applies a greater level of security to those who have administration privileges.
|
