Post details: Securing Data - Lessons from Web Hosting Provider

10/30/06
04:21:09 pm, by srose, 1422 words, 40893 views, English (US)
Categories: Security


Identity and Access Management (IAM):  Securing Sensitive Data

Information has value in this day and age. Personal information like names, addresses, credit card numbers and even e-mail addresses has value and, as such, this information must be protected.

As a site owner – especially a commercial site owner – you have valuable information stored both on your business system and on your web host’s server. Therefore, to develop real security that won’t be breached by a 12-year-old, both business and host must do their jobs.

What Can You Do?

Your business system contains information on your customers – including credit card information, PINs and other red meat to the hacker community. And, because you’ve created a web site that sells stuff, hackers and other black hats know that your computer’s hard drive is a repository for solid gold information that can be stolen and sold on the Internet – in a matter of minutes.

As a responsible businessperson, you have an obligation to protect information that customers have entrusted to you – their most precious information – their identities. So, what steps can you take?

Analog Steps

It doesn’t have to be fancy to be effective. Here are a few analog steps you can take to protect the critical data on your system. 

First, don’t use your business computer as your family’s home computer. You’re asking for trouble. Kids will download anything (they’re very trusting) including viruses, Trojans and other forms of hacker intrusion. And guess what – you might not even know it.

Ever hear of key logger software? It’s all legal and legit and it logs every keystroke you make. A hacker can attach key logger software to a game download and while your child is happily zapping aliens, that hacker can now record every keystroke you make – including personal data from clients or customers. Sound scary? It should. It could easily destroy your on-line business.

Another simple analog step? Create robust passwords to protect sensitive data. A robust password is one that includes letters, numbers and symbols. For example, pa$$word1809 – now that’s a robust password. The importance, here, is that some hackers employ brute force attacks or dictionary attacks. They attach the dictionary alphanumeric software to your online doorway and start trying one letter combination at a time – a, aa, aaa, aab, etc. until they find the password to all of that credit card information. Bingo! That hacker just struck it rich.

Never give out your password to anyone – even a loving spouse or trusted business partner. Things change and if you want to limit access to sensitive, personal information, keep your password to yourself. And change it often, too.
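
The brute-force and dictionary attacks described above can be turned into a password check, shown here as an added example that is not part of the original post. The wordlist, the substitution table and the function names are assumptions made for illustration; the sample input is the post's own example password.

```python
import math
import string
from typing import Optional

# Constructed sample wordlist (assumption); a real audit would load a large
# dictionary of common and previously breached passwords.
WORDLIST = {"password", "letmein", "dragon", "monkey", "welcome"}

# Common character substitutions that dictionary tools undo before lookup.
SUBSTITUTIONS = str.maketrans(
    {"$": "s", "@": "a", "0": "o", "1": "l", "3": "e", "!": "i"}
)


def brute_force_space(password: str) -> int:
    """Candidates an exhaustive a, aa, aaa, ... search must cover to reach
    this length, given the character classes the password draws from."""
    alphabet = 0
    if any(c in string.ascii_lowercase for c in password):
        alphabet += 26
    if any(c in string.ascii_uppercase for c in password):
        alphabet += 26
    if any(c in string.digits for c in password):
        alphabet += 10
    if any(c in string.punctuation for c in password):
        alphabet += len(string.punctuation)
    # Every string of length 1..n over that alphabet.
    return sum(alphabet ** k for k in range(1, len(password) + 1))


def dictionary_base(password: str) -> Optional[str]:
    """Return the wordlist entry the password reduces to, or None."""
    core = password.lower().strip(string.digits)  # drop digits at either end
    core = core.translate(SUBSTITUTIONS)          # undo symbol-for-letter swaps
    return core if core in WORDLIST else None


def audit(password: str) -> dict:
    """Report both measures: brute-force search space and dictionary match."""
    space = brute_force_space(password)
    return {
        "brute_force_bits": round(math.log2(space), 1) if space else 0.0,
        "dictionary_base": dictionary_base(password),
    }
```

For the post's example, `audit("pa$$word1809")` reports about 73 bits of brute-force search space and a dictionary base of `password`, so the two attacks have to be judged separately.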

Digital Steps

Next, in the digital arena - backup, backup, backup. There are lots of low-cost, outboard hard drive back-ups that record changes as they’re made. Why is this such a good idea? Because motherboards fry and hard drives melt down, and that can not only jeopardize the data stored on your system but also destroy your business.

Finally, use a virus scanner and a firewall on your business system. You can purchase these from companies like Norton and McAfee, but there is also plenty of high-quality, free security software that’ll run routine scans on every file on your system (daily if you want) looking for viruses, back-doors and other forms of intrusive malware.

Be sure to keep your security levels at their highest. That includes scanning every e-mail for viruses before you open it. As an online business owner, you’re bound to receive e-mail from people you don’t know. Before opening any e-mail, have it automatically scanned for dangers to protect your computer and your e-biz.

Using both analog and digital means, you’ll have a much better chance of maintaining your site’s security.

What Can Your Web Host Do?

You can have your business computer protected like Fort Knox but if your web host has lax security, you’re still at risk. Here are some possible scenarios.

If you have a shared hosting account, your enterprise is sharing disk space with up to 1200 businesses – some legit, some otherwise. Cross-side server (XSS) attacks take place at the server level. A competitor, for example, can hack your site through the host server and leave a bunch of garbage that search engines find distasteful. And in the blink of an eye, your hard-earned page rank is gone. It happens all of the time.

Server side attacks aren’t unusual. In fact, they’re common because hackers know that web servers are loaded with sensitive personal information all in one place, so to hack a server containing 1000 different web sites is a lot easier than hacking 1000 individual sites.

So, you want your web host to be as concerned about your site security as you are. However, some of the low-end hosting companies don’t spend nearly as much time or money on server-side security as they should.

IAM – Identity and Access Management – demands the latest in server side security. Companies like Computer Associates (CA) offer a variety of out-of-the-box IAM products. The best web hosts design their own IAM systems.

A good web host will maintain both hardware protection, in the form of a hardware firewall wired in between server access (exploitation) points and the information on your web server, and numerous software solutions, as well. Again, the better service providers develop their own security software even though it costs a lot more than an off-the-shelf software package, which isn’t cheap, by the way.

Before signing on with a web host, ask about security. What systems do they have in place – hardware and software? Look for multiple layers of security so, if a hacker gets through brick wall number one, s/he immediately encounters brick wall number two.

Also look for redundancies in IAM security – backups of backups. This is essential to keeping intruders off the server and enabling you to manage access to the critical information stored on your business system.

Site Security

It’s not an objective, it’s a process. Whatever software you install should offer regular updates as new viruses and other forms of computer attacks are developed and released by hackers. Good security software updates daily. IAM software, loaded on the server side, should also be updated regularly, especially since server access management is in the hands of lots of different techies and you want to make sure that only those entrusted with server maintenance duties have access to your data. Access must be managed.

Not only is your web site’s security a process, it’s also a collaboration between you and your web host – and there’s a lot more to it than just having a bunch of security software on your system and server. To optimize server and computer security, the computer’s security must be properly configured to work with the security on the server side. This is something that even many web hosts neglect to mention.

Sure, you’ve got virus scanners and firewalls and so does your web host. But to fully utilize that security software, the server and the computer security should be synched up for the best, most reliable results.

Your web host should be able to provide the information you need to work in tandem but if they don’t, it’s worth paying a computer security expert to configure your computer security system to function at full capacity with the software loaded on your host server.

If you don’t think this stuff is important, just remember that in recent months Bank of America, the Office of Veterans Affairs, Marriott International, Ford Motor, ABN Amro Mortgage Group and Sam's Club all were hacked, putting 55 million Americans at risk of identity theft and the endless hassles that come with compromised identity information.

And you have to figure that if these huge corporations can be hacked, your site on a shared server must be even more vulnerable – and it is. But it’s also something you and your web host can control with prudent measures on your part and the installation and maintenance of Identity and Access Management software on your host server.
