It's slightly scary how many systems have been hacked lately and how much data has been exposed, much of it personal.
When we design systems we should consider the controls around sensitive data: where possible we must encrypt it and segment responsibilities.
I've come across many such systems, however very few truly segment their customer data; often it's in a database unencrypted, with only the password being one-way encrypted. In the past I've done the same, so I also have to take a share in these types of designs.
If a hacker gains control of your server, then they can read everything that the server can read. In most cases that's read access to most databases, etc. With two-way encryption it's likely the key will reside on the server, so your best intentions have been thwarted.
So how do we overcome this?
Gateways and threat management.
Take for instance customer data: your name, email address, and your postal address. How often does this need to be displayed to the user? Perhaps we use it to pre-populate forms, or to generate an invoice. It doesn't need to be accessed all the time.
a) the data should be encrypted – however, if we need to retrieve it then it's likely this will need to be two-way. But does our unique ID need to be? Sure, we want to email our customers, so one-way encryption of the address would prevent that, but what if we kept that data elsewhere, not directly linked to the main record?
b) the data shouldn't be directly accessible from the web server – a SOA service, for instance, could separate the responsibility: it would be in charge of fetching the data from the DB and delivering it to your application. Review how the data is stored; maybe this data shouldn't reside on the same DB or DB server.
c) your ESB should control and log access. OK, if your server gets compromised then the systems it connects to are exposed too; however, if the ESB can detect that the request pattern is outside the normal requests per second/minute/hour, it can revoke access and the threat would be limited. (It's not impossible they will do a slow attack and extract data over time.)
It may only be a matter of time until your SOA is breached, but segmenting your services is a step towards making your systems more secure, and with logging and detection you can spot these patterns and take action.
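To make points b) and c) concrete, here is an added example (not code from the original post) of a minimal data-access gateway: the web tier never touches the customer store directly, every request is written to an audit log, and a caller whose request rate exceeds a per-window threshold is revoked until an operator restores it. The customer records, caller names and thresholds are constructed for illustration; a real deployment would put the gateway in its own service with its own credentials to the store.

```python
"""Added example: a gateway that mediates access to a customer-data store,
logs every request, and revokes callers that exceed a request-rate threshold.
Store contents, caller names and thresholds are constructed, not real."""
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Constructed sample store. In the design described above this would live
# in a separate DB or DB server that only the gateway can reach.
CUSTOMER_STORE = {
    "cust-1001": {"name": "Alice Example", "email": "alice@example.invalid",
                  "address": "1 Sample Street"},
    "cust-1002": {"name": "Bob Example", "email": "bob@example.invalid",
                  "address": "2 Sample Street"},
}


@dataclass
class AccessGateway:
    max_requests: int = 5          # requests allowed per sliding window
    window_seconds: float = 60.0   # length of the sliding window
    revoked: set = field(default_factory=set)          # callers cut off
    audit_log: list = field(default_factory=list)      # (time, caller, id, outcome)
    _history: dict = field(default_factory=lambda: defaultdict(deque))

    def fetch(self, caller: str, customer_id: str, now: float):
        """Return a copy of the customer record, or None if access is denied.
        `now` is an injected timestamp so behaviour is deterministic in tests."""
        if caller in self.revoked:
            self.audit_log.append((now, caller, customer_id, "denied-revoked"))
            return None
        hist = self._history[caller]
        # Forget requests that have fallen out of the window.
        while hist and now - hist[0] >= self.window_seconds:
            hist.popleft()
        hist.append(now)
        if len(hist) > self.max_requests:
            # Rate is outside the normal pattern: revoke this caller and log it.
            self.revoked.add(caller)
            self.audit_log.append((now, caller, customer_id, "denied-rate-revoked"))
            return None
        record = CUSTOMER_STORE.get(customer_id)
        self.audit_log.append((now, caller, customer_id, "ok" if record else "not-found"))
        # Return a copy so the caller cannot mutate the store through the reference.
        return dict(record) if record else None

    def restore(self, caller: str):
        """Manual re-enablement after an operator has reviewed the audit log."""
        self.revoked.discard(caller)
        self._history[caller].clear()


if __name__ == "__main__":
    gw = AccessGateway(max_requests=5, window_seconds=60.0)
    for t in range(7):
        print(t, gw.fetch("web-1", "cust-1001", float(t)))
    for entry in gw.audit_log:
        print(entry)
```

The fixed window is enough to stop a bulk dump through a compromised web server, but, as the post's own caveat notes, a patient attacker who stays under `max_requests` per window will not trip it; that is what the audit log is for, so that slower anomalies can be found by review or by a second detector working over longer periods.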
Review your data access policies and consider how your data is structured and secured.