
Ask any seasoned IT professional about storing personal information and he'll whistle through his teeth and then spend the next hour telling you that it's a big minefield.

Data retention - how to get it right

June 3, 2011

So how did the government manage to lose hundreds of thousands (in some cases millions) of records of personal data a couple of years ago? I mean this is the government right? These guys should know what they're doing, shouldn't they?

The problem is that doing data security is hard, really hard. And when you are dealing with many thousands of records within really huge organisations it's harder still, because security is only as strong as its weakest link.

It's worth remembering that the private sector suffers from exactly the same issues; just look at the recent Sony PSN debacle. Any company that holds a significant amount of private information has a duty and a legal obligation to ensure, to the best of its abilities, that the information is kept safe and secure. Any recruitment or social networking site has to deal with this problem on a daily basis.

Threats range far and wide because the stakes are high. With a sufficient amount of a person's personal information any number of frauds can be committed. It's quite possible to open bank accounts, take out insurance policies, even obtain passports and driving licences if you have enough information to verify your identity as someone else.

This data can be obtained through carelessness (as with the government incidents) or it can be taken through hackers illegally gaining access to online databases or social engineering their way through your security.

So with that in mind what can we do to stop, prevent or minimise loss of personal information from our websites?

  1. What you don't have, they can't take! - Store only as much personal information as you need. It might seem tempting to collect dates of birth and ethnic background for marketing purposes, but you must be careful about how you collect it and, once collected, how it's stored.

  2. Anonymise where possible - If the data you are collecting doesn't need to be associated with actual names and addresses then you can anonymise it. That way if it's ever stolen the damage is very limited.

  3. Encrypt everything you can - One good way to keep data secure is to encrypt it. There are two types of encryption: one-way (hashing) and two-way (reversible encryption). One-way is good for verification purposes, i.e. passwords and usernames, etc. Two-way is harder to get right and should be used if you ever need to do anything meaningful with the data.

  4. Regularly delete data you don't need - Never store data that you don't need because you 'might' use it one day for 'something'. If the data you are holding is past its immediate use to you then get rid of it.

  5. Be careful who you trust - Don't give away the keys to the kingdom. Only give access to the people who really need it, and only put those people in that position if you really trust them. Make sure they know who is and isn't supposed to have access to what, and any relevant procedures.

  6. Never, ever, store credit card data unless you absolutely have to.
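As an added illustration (not code from the original article), here is one way rules 1 to 4 could be applied to a signup form before anything reaches the database. The field names, the one-year retention period and the use of a keyed hash as the pseudonym are assumptions made for this example; a keyed hash is pseudonymisation, so the key must be kept apart from the data.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

# Assumed values for illustration; none of these come from the article.
ALLOWED_FIELDS = {"email", "password", "postcode_area"}  # rule 1: only what is needed
RETENTION = timedelta(days=365)                          # rule 4: assumed retention period
PSEUDONYM_KEY = os.urandom(32)  # in practice, load from a secrets store, not the database

def pseudonymise(value):
    """Rule 2: swap an identifier for a keyed hash so stolen rows do not name anyone."""
    normalised = value.strip().lower().encode()
    return hmac.new(PSEUDONYM_KEY, normalised, hashlib.sha256).hexdigest()

def hash_password(password, salt=None):
    """Rule 3, one-way: salted scrypt; the password itself is never stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return salt, digest

def verify_password(password, salt, digest):
    """Recompute the hash with the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)

def to_stored_record(form, now):
    """Build the row to store; fields outside the allow-list are dropped."""
    kept = {k: v for k, v in form.items() if k in ALLOWED_FIELDS}
    salt, digest = hash_password(kept["password"])
    return {
        "user_ref": pseudonymise(kept["email"]),
        "pw_salt": salt,
        "pw_hash": digest,
        "postcode_area": kept["postcode_area"],
        "stored_at": now,
    }

def purge_expired(records, now):
    """Rule 4: keep only records still inside the retention period."""
    return [r for r in records if now - r["stored_at"] <= RETENTION]

if __name__ == "__main__":
    # Constructed sample input, not real data.
    form = {"email": "alice@example.com", "password": "correct horse",
            "postcode_area": "NR1", "date_of_birth": "1980-01-01"}
    print(sorted(to_stored_record(form, datetime.now(timezone.utc))))
```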

There are many technical measures you can take to secure data but the rules above are a good starting point and enable the technical measures to work well. If you're building a website which is going to store personal data, make sure you at least consider these points as well as getting advice on current best practice and any legal requirements you will have to meet.

About me

I've been a high-end professional web developer since the late 90's. During that time I've worked for a variety of government departments and new media agencies in the Norwich, Norfolk and Suffolk area before going fully freelance in 2009.

I'm also a professional musician performing regularly in a number of well regarded Norfolk and Suffolk based function bands.
