
ProcessWire & Data Security


Vineet Sawant


Hello,

I've created an enterprise management system with ProcessWire where employees log in to the system and perform various tasks, such as creating invoices, adding client information, creating/answering support tickets etc.

The client is very concerned about data security and data alteration by unauthorized persons.

So I've been asked to make sure the system is very secure and there's no way to alter or leak the company information in any way.

While I'm already doing the required validation & making sure the user is authorized by making them log in to the system, what else should I consider to make the system safer?

Just wanted to have a better understanding of ProcessWire's security mechanism & how to make it better.

Thanks everyone.

  • Like 1

That sounds like a really interesting project :)

Some measures you can consider:

  1. Session inactivity timeouts.
  2. Force regular password changes and/or use 2-factor authentication.
  3. Use SSL.
  4. Ensure users can only access the data they are allowed to. Not just through interface options, but URLs as well.
  5. Look at the hosting infrastructure. Credentials to access it. Who has access? What about your provider? Where is your database stored? (Shared hosting? Easy to guess credentials?)
  6. Look at how data is imported and exported within the system. Is it possible to bypass any validation or auth checks?
  7. Forms. They should definitely be using CSRF protection.
  8. Can user input be overloaded? That is, can I submit additional form values that the system doesn't check or expect, but that still get saved to the DB?
  9. Logging. Log as much as you can in order to provide an audit trail. It is guaranteed that somewhere down the line, someone will ask the question "When did this record change to this value and who made the change?"
  10. Backups. Hopefully the data will be backed up. How easily and quickly can this be restored? What granularity?
  11. User education. Some users may need it explained to them that sharing usernames and passwords, or writing them down, is not good practice.

There are probably some additional things - that could start getting into the realms of penetration testing - but that's a summary of the things I can think of in a short time :)

  • Like 15
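As an added illustration of four items from the checklist above (not code from the thread or from ProcessWire itself), here is a framework-agnostic PHP sketch of a POST handler for an "edit invoice" form. It enforces a session inactivity timeout (item 1), checks per-record authorization on every request rather than only hiding menu entries (item 4), validates a CSRF token (item 7), and whitelists the fields that may be saved so that extra submitted values such as an injected `owner_id` are dropped (item 8). ProcessWire ships its own `$session->CSRF` and `$sanitizer` APIs; the helper functions, the 15-minute limit, the invoice/user arrays and the sample request are all constructed for this example.

```php
<?php
// Added example, not from the thread: plain PHP showing checklist items
// 1 (inactivity timeout), 4 (authorization per record), 7 (CSRF token)
// and 8 (field whitelist). All names and sample data are constructed.
declare(strict_types=1);

const INACTIVITY_LIMIT = 15 * 60; // seconds; constructed policy value

// 1. Every request refreshes a timestamp; a request arriving after the
//    limit clears the session (and with it the login) instead of being served.
function enforceInactivityTimeout(array &$session, int $now, int $limit = INACTIVITY_LIMIT): bool
{
    if (isset($session['last_activity']) && ($now - $session['last_activity']) > $limit) {
        $session = [];   // forget everything; caller redirects to login
        return false;
    }
    $session['last_activity'] = $now;
    return true;
}

// 7. One random token per session, embedded in every form and compared in
//    constant time when the form comes back.
function csrfToken(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

function csrfValid(array $session, ?string $submitted): bool
{
    return isset($session['csrf_token'], $submitted)
        && hash_equals($session['csrf_token'], $submitted);
}

// 8. Only the fields this form is meant to edit are copied out of the POST
//    data; anything else (an injected "status" or "owner_id") is dropped.
function pickAllowedFields(array $post, array $allowed): array
{
    return array_intersect_key($post, array_flip($allowed));
}

// 4. Authorization checked on the record itself, on every request: the
//    invoice is editable by its owner or by someone with the accounting role.
function canEditInvoice(array $user, array $invoice): bool
{
    return $invoice['owner_id'] === $user['id']
        || in_array('accounting', $user['roles'], true);
}

// The checks in the order a handler should run them.
function handleInvoiceEdit(array &$session, array $user, array $invoice, array $post, int $now): array
{
    if (!enforceInactivityTimeout($session, $now)) {
        return ['status' => 'login_required'];
    }
    if (!csrfValid($session, $post['csrf_token'] ?? null)) {
        return ['status' => 'csrf_rejected'];
    }
    if (!canEditInvoice($user, $invoice)) {
        return ['status' => 'forbidden'];
    }
    $changes = pickAllowedFields($post, ['client_name', 'amount', 'due_date']);
    return ['status' => 'ok', 'changes' => $changes];
}

// Constructed sample request: the owner of invoice 42 submits valid data
// plus two extra fields that must not reach the database.
$session = ['last_activity' => 1000, 'csrf_token' => str_repeat('a', 64)];
$user    = ['id' => 7, 'roles' => ['employee']];
$invoice = ['id' => 42, 'owner_id' => 7];
$post    = [
    'csrf_token'  => $session['csrf_token'],
    'client_name' => 'Example Ltd',
    'amount'      => '150.00',
    'due_date'    => '2014-05-01',
    'owner_id'    => '1',    // attempt to reassign the invoice: dropped
    'status'      => 'paid', // not part of this form: dropped
];
print_r(handleInvoiceEdit($session, $user, $invoice, $post, 1100));
```

Running it prints `status => ok` with only the three whitelisted fields under `changes`; changing `$now` to 2000 returns `login_required`, and altering the submitted token returns `csrf_rejected` before any data is touched.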

@Craig A Rodway, you covered the essentials very well.

The client/company should have in existence a written, well documented and enforceable Data Access Policy. This covers the approved and disapproved uses of the system. The policy would also state explicitly most of what Craig A Rodway has already written.

A good system would have initial training on Data Access (Policy manual, Video Review, Classroom training) where the main points are gone over.  You would have a signature of acceptance and provide either semi-annual or annual recertification of the user's acknowledgement of understanding the Data Access Policy.

Where logging is concerned, there needs to be a policy where someone actually reviews the logs (to include a written certification of review).

The same goes for testing the backup/restore process.  It must be a valid and frequently tested system (to include a written certification of acceptable testing results).

Make sure that users who use the system but also have backend administrative responsibilities, have separate accounts for each function.

Set up alerts/alarms for certain critical administrative actions that report the action being taken. These alerts/alarms would go to the system administrator and other trusted individuals who are outside of the normal system administration realm. The system administrator needs to know the alert/alarm system is working. Someone other than the system administrator(s) needs to be aware of what critical changes are being made to the system. This discourages anyone from gaming or deliberately sabotaging the system.

Basically a good system is based on trust and adequate verification techniques.

Good luck on your project, because the human factor is the Achilles' heel of any information system.

  • Like 8
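The two points above about an audit trail that someone actually reviews and alerts on critical administrative actions going to people outside the admin role can be implemented with a single ProcessWire hook. The following is an added example (not code from the thread or from the ProcessWire project) intended for `site/ready.php`; it assumes ProcessWire 3.x, the `Pages::saved` hook with the changed-field list as its second argument, the `$log` and `wireMail()` APIs, and the constructed template names and recipient addresses shown.

```php
<?php namespace ProcessWire;
// Added example, not from the thread: an audit-trail hook for site/ready.php.
// Assumptions: ProcessWire 3.x; Pages::saved passes (Page $page, array $changes);
// $log->save() appends to site/assets/logs/audit.txt; wireMail() is configured.

// Templates whose changes are "critical" and should alert, not just log.
$criticalTemplates = ['user', 'role', 'permission'];           // constructed list
$alertRecipients   = ['sysadmin@example.com', 'auditor@example.com']; // constructed

$wire->addHookAfter('Pages::saved', function(HookEvent $event) use ($criticalTemplates, $alertRecipients) {
    $page = $event->arguments(0);
    // Changed field names; fall back to the page's own change tracking.
    $changes = $event->arguments(1) ?: $page->getChanges();
    if (empty($changes)) return;

    $user = $event->wire('user');
    $line = sprintf(
        'user=%s (id %d) ip=%s template=%s page=%d fields=%s',
        $user->name,
        $user->id,
        $event->wire('session')->getIP(),
        $page->template->name,
        $page->id,
        implode(',', $changes)
    );

    // Answers "who changed this record and when": $log timestamps each line.
    $event->wire('log')->save('audit', $line);

    // Changes to users, roles or permissions also notify people outside the
    // day-to-day administration role, so no single admin can act unobserved.
    if (in_array($page->template->name, $criticalTemplates, true)) {
        wireMail()
            ->to($alertRecipients)
            ->subject('Critical change on ' . $event->wire('config')->httpHost)
            ->body($line)
            ->send();
    }
});
```

The log file should be reviewed on a schedule, and the mail step should be tested deliberately (for example by editing a test role) so the administrator knows the alert path works, as the post above recommends.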

Hello Craig,

Thank you very much for your answer.

I suppose you've covered almost everything; this should be a standard security checklist. :)

Right now the system is on shared hosting, but we'll be moving it to a VPS probably (if the client agrees to pay for that :P).

I've already set up roles so employees can only see the content created by them or allowed to them. Also, content editing has been restricted.

I've used the sanitizer for forms. I have to read more about CSRF protection.

2-factor authentication & forcing password changes every other week is something I should be implementing on priority.

Thanks again for teaching me new things today.

Have a great day.

Edited by Vineet Sawant

Hello @Vineet,

I'd like to advocate against forcing frequent password changes if I may. IMHO it encourages poor password choice by users as the frequency of changes either causes them to repeat a simple pattern of passwords (like 'password1' one week, then 'password2' the following week and back to 'password1' after that) or it forces them to write down the password on a post-it note on their desk if your policy only allows diverse or strong passwords.

I would definitely suggest going down the 2-factor authentication route (and yes, I published a 2-factor authentication module for PW) as this significantly mitigates poor password choice on the part of users anyway.

Also, I don't think your client should be running a service with any sensitive data on a shared host. VPSs are pretty cheap these days.

  • Like 6

Hey cstevensjr, thanks for your reply.

Having a Data Access Policy as well as a disaster recovery plan is something I should be giving added attention to.

Right now there's no written document of how the data should be accessed or handled, and only a very basic disaster recovery plan, as I've just implemented the system and it's being used by just the main branch; others will start using it once the main branch gives it the green signal, but that's going to happen very soon.

I've set up text & mail alerts for errors, system failures and invalid data entry cases where the forms are well validated. More will be set up once I collect more information and understanding about the system and its possible use as well as abuse.

Basically a good system is based on trust and adequate verification techniques.

the human factor is the Achilles' heel of any information system.

Both of these statements are very true, completely agree with you! :)

Thanks again and have a great day!

  • Like 1

Hello netcarver,

You've got a point about forcing users to change their password frequently. I agree completely, because I do the same myself.

I really have to check out your 2-factor authentication module. I was about to write my own mechanism, but I guess you've saved me the effort, thanks a lot for that!

About the VPS, would you suggest using AWS instead of shared hosting? I'm not very bright when it comes to hosting! :P

Thanks a lot for the module & suggestion, I really appreciate your help!


<snip/>

About the VPS, would you suggest using AWS instead of shared hosting? I'm not very bright when it comes to hosting! :P

<snip/>

@Vineet I've never used Amazon's AWS offerings (only Amazon MWS - which is quite different.)  I recently posted about my VPS experiences here. You do need server admin skills if you are going to go down the VPS route unless the client can provide those or self-host their service. You might also look at something like turnkey linux's hosted services or even bitnami's new PW bundle (though I've never used these myself.) 

A quick note on learning server admin skills: there are some great documentation resources (like how-tos) over on the slicehost and linode websites for learning these sorts of things, but don't buy their services just to learn how to admin your system - simply install virtualbox on your desktop machine, install something like an Ubuntu server 12.04 LTS client and learn how to do the things you need locally first. Once you know how to set up the server and keep it ticking, then you can progress to a paid-for VPS.

Forgot to say, that I've heard really good things about Linode and Slicehost when it comes to more up-market hosting. Never needed them myself.

  • Like 4

Hi Vineet

Just passing some random thoughts along...

I once signed up with Linode just to have a look-see. I too am a real novice when it comes to server administration and wanted to learn more. The plus point with Linode is that they have great documentation that can really help you along. That's great!

Since integrity of data is important to you, I recall reading that Linode was hacked once. I recall that some people were very upset about this as they claimed that Linode tried to conceal the fact that they were hacked. Whatever the truth is there, I suggest that you at least look into that story and make your own judgement as to how secure your data would be with them.

I had a look at their forums once and was saddened to see that the spirit there is much unlike that here in the ProcessWire forum. In fact I would say that the ProcessWire forum is an amazing world class showcase of what a forum should be. In Linode land forums I saw some very reasonable questions asked and they were greeted by such sarcasm from the smarts there.

If you want to sign up for something affordable to learn server skills check out https://digitalocean.com/ I highly recommend having a play with Digital Ocean. Their "recipes" as in how tos are getting better all the time!

Last year I attended a talk by AWS here in Malaysia. They are a very security conscious outfit indeed. For example, all the engineers who came there to talk about AWS don't themselves know their data centers' exact locations. Much there operates on a strictly need-to-know basis.

When asked how to get started, what one of their engineers told me to do was to look for someone appropriate on elance.com and hire them to set things up for you or at least guide you. This way the entry barrier of complexity can be overcome... and possibly you can get him to be system admin as well?

All just rambling thoughts for you mate!

  • Like 1

Call me overly cautious, but I'd advise against a self-managed VPS if this service needs to be highly secure, and especially if you need a high level of availability.

Anyone can manage a server when things go smooth -- install updates, add a few rules to a firewall and tweak Apache/PHP/MySQL settings. The real question is how well can you handle things going wrong; someone attacking your server, hardware or software failures (hardware issues are still very real even in this age of cloud computing, I'm afraid), restoring corrupted data etc.

What about availability requirements -- do you need high availability and 24/7/365 support... and if so, can you really provide and guarantee that?

A lot of the time I'd recommend going with a managed solution in one form or another rather than trying to do everything yourself. It depends a lot on the requirements and the nature of the service you're running, but the bottom line here is that unless you can guarantee that you're able to handle everything yourself, don't make any promises to the client you'll end up regretting.

  • Like 9

DigitalOcean have also had their fair share of security-related issues, the most recent being documented here - DigitalOcean Security Disclosure 2014-03-30: Not destroying droplets securely, data is completely recoverable.

teppo is right - if you don't have the in-house resources (skills and time) to manage a server yourself and all of the issues that it brings - then a managed provider who can deal with all of that is the next option to consider.


@Zahari Majini, hey, that's a really good read right there. Thanks for sharing, I really appreciate it. :)

@all,

Considering all the VPS vs managed hosting solutions and their pros & cons, I've decided to just stick with managed hosting, where there's a team of managers dedicated to managing my hosting. It'll be better for everyone, I suppose, as I'm a designer; I love to design, and installing updates on a server or adding new rules to a firewall already sounds too technical to me. I'm better at designing :P

I've checked a few services. Siteground has always been my favorite one and their support is awesome. So I was thinking of upgrading to their dedicated hosting in the near future. Just wanted to know any feedback about Siteground; has anyone had any issues with their service?

I know I'm taking this a little away from the actual question, sorry about that.


This is specific to any CMS or software you might run on a server (not just ProcessWire). When it comes to the security of the hosting, I prefer something dedicated (VPS or dedicated) so that you don't have multiple websites (managed by other users) sharing the same file system. When you are dealing with a shared file system, you've got more to consider when it comes to the permissions of files and such. You need to make sure that the permission settings you've chosen for uploaded files and such are not going to give other accounts the ability to change them. You are also likely sharing a MySQL instance with other users in a shared environment as well, so there's that matter of resources being shared. You can certainly secure the shared environment just as well as the dedicated one, but it'll take more work and monitoring. Shared hosting environments also represent a bigger prize to hackers, so that seems to be where they prefer to focus their efforts. I would go with a managed dedicated or managed VPS. For example, I think all the servers available from ServInt are managed (I know this one we're on right now is).

One other recommendation would be to isolate your software. Don't run WordPress and ProcessWire from the same account if you don't have to. WordPress is always a target, and if you get broken into that way, then you could create problems for everything else running on the same account (this is not uncommon with WordPress at least).

  • Like 7

Hi Vineet

Most welcome! I switched over to Siteground a couple of months ago with their Grow Big account and like it very much so far! So I hear ya!

Hi Craig!

Thanks for the Digital Ocean link. Just out of curiosity, any hosting providers or recommendations that you feel get the security aspects right and tight?

Cheers guys


@Ryan,

Thanks Ryan. Right now I'm running two different installations of ProcessWire on the same hosting: one is for their site and another is on a subdomain for the invoicing system. I'm definitely never going to run WordPress there, as just like you described, I'm aware of the possible security threats that WordPress comes with.

@Zahari Majini,

I like Siteground's Grow Big account; I've been using it for a couple of projects. That's a good one for all the premium services they have to offer.

@all,

Thank you all guys, I like how great this community is. A simple question leads to such knowledge sharing. Fortunate to be part of this community! :cool:
