Someone asked on the wdvl-talk email list (lists.wdvl.com) about securing your server to process sensitive information.
I’m not an expert by any means; however, I thought I’d post my advice here in case anyone else wants it.
Personally, I do not believe that you will ever have completely secure data; however, one way you could do it is as follows:
- Use Linux [0]
- Purchase a copy of “Hardening Linux” and “Hardening Apache” [1]
- Use LUKS or similar to encrypt the hard-disk of the server so that even if the physical disk is stolen, the data is useless
- Install everything you can from source yourself, and only after you have verified that it came from the person it claims to come from (the above books tell you how to do this!)
- Make sure that all of your data is carried over SSL, from login to data retrieval.
- If you need to have the system run over more than one server, run the connections between the Apache/PHP (front-end) and the MySQL (backend) servers over an ssh tunnel or VPN [2]
- Make sure that you have documented what you have done, and put an escape clause in the contract saying that you cannot guarantee the security owing to the potential ingenuity of computer crackers [3]; however, you are 99% certain that the system is secure. [4]
- If all else fails, speak to the bunker (http://www.thebunker.net) and see if one of their managed hosting options fits your budget!
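
The origin check from the "install from source" item above, written out as an added example (not from the original post or the books it recommends). It assumes the project publishes a `SHA256SUMS` file with a detached GPG signature and that you already hold the maintainer's public key in a keyring file obtained over a trusted channel; all file names are placeholders.

```shell
#!/bin/sh
# Added example: verify a source tarball before building it.
# Step 1 proves WHO published the checksum list (signature check).
# Step 2 proves the tarball is the one that list describes (hash check).
# Both steps fail closed: any missing input counts as a failure.

# verify_signed_sums SUMS SIG KEYRING
# KEYRING must contain only keys you have decided to trust (assumption:
# exported earlier, e.g. with `gpg --export`, to a path such as ./maintainer.gpg).
verify_signed_sums() {
    vs_sums=$1; vs_sig=$2; vs_keyring=$3
    [ -s "$vs_sums" ] && [ -s "$vs_sig" ] && [ -s "$vs_keyring" ] || {
        echo "missing checksum list, signature or keyring" >&2; return 1; }
    command -v gpgv >/dev/null 2>&1 || {
        echo "gpgv not installed" >&2; return 1; }
    # gpgv checks against the given keyring only, not your whole GnuPG home.
    gpgv --keyring "$vs_keyring" "$vs_sig" "$vs_sums"
}

# check_sha256 FILE SUMS
# Succeeds only if SUMS has exactly one entry for FILE's name and it matches.
check_sha256() {
    cs_file=$1; cs_sums=$2
    cs_name=$(basename "$cs_file")
    # Accept both "hash  name" (text mode) and "hash *name" (binary mode).
    cs_expected=$(awk -v n="$cs_name" \
        '$2 == n || $2 == "*" n { print $1 }' "$cs_sums")
    [ -n "$cs_expected" ] || {
        echo "no checksum entry for $cs_name" >&2; return 1; }
    cs_actual=$(sha256sum "$cs_file" | awk '{ print $1 }')
    # Duplicate entries make cs_expected multi-line, so this also fails.
    [ "$cs_actual" = "$cs_expected" ] || {
        echo "checksum mismatch for $cs_name" >&2; return 1; }
}

# verify_release TARBALL SUMS SIG KEYRING
# Signature first: a checksum list of unknown origin proves nothing.
verify_release() {
    verify_signed_sums "$2" "$3" "$4" && check_sha256 "$1" "$2"
}

# Usage (placeholder names):
#   verify_release pkg-1.0.tar.gz SHA256SUMS SHA256SUMS.asc ./maintainer.gpg \
#       && tar xzf pkg-1.0.tar.gz
```

A matching checksum on its own only shows the download was not corrupted; it is the signature on the checksum list that ties the tarball to the person who published it.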
Let me know what you think in the comments below.
PF.
[0] Seriously, use it. I don’t care what people say, there is a reason why more and more multinational organisations are switching to Linux. There are at least two multinational mobile phone companies here in the UK that run their entire billing platform, including customers’ bank details, on Linux, and they don’t do it for a laugh.
[1] These books are brilliant; they are available from Amazon and all good book stores!
[2] There are numerous tutorials on how to do this on the internet; ssh tunnels are far easier than VPNs IMHO.
[3] I mean Crackers – hackers are people who tinker with computers and make them do things that they probably shouldn’t; crackers are malicious and will be after personal data to commit ID fraud.
[4] If they know anything about security, especially computer security, they will acknowledge that this statement means you know what you are talking about. Out of a choice between someone who guarantees me 100% security and another who says “every so often, it may well f**k up”, I’ll take the second every time and appreciate their honesty. The other is just a liar.