Ask HN: Best practices for ASPs handling Enterprise customer data?
As an ASP-model business, some of our enterprise clients will want to audit our data security, integrity, and privacy practices. Any pointers to best practices?
We do standard things like: always use SSL, hashed passwords, daily backups, proper privacy policy and TOS, software firewall, testing for SQL injection, using a reputable data-center. We will be adding data scrubbing, hot backups, and XSS protection. But what am I missing? What is critical and what is optional?
Ideally I would like a comprehensive checklist, of the type that would satisfy a multinational client in the hi-tech industry. The data includes names, email addresses, and physical home and work addresses. We currently store no payment information or SSNs.
Btw our platform is currently Linux/PHP/Postgres, medium-term we will move from PHP to Python. Many thanks!
2 comments
[ 3.0 ms ] story [ 17.2 ms ] threadSeparation-of-duties among your employees.
If your ASP involves a webapp, consider a web application gateway/firewall that 'knows' your app and what the valid input should be.
If your webapp runs apache, run, do not walk, to mod_security and mod_evasive.
IPS.
Encrypt sensitive data using strong encryption (AES-256 or better for symmetric side). Guard access to the private keys: make a realistic, detailed policy about who gets access to them, and audit to be sure it's really being followed.
Take a look at the PCI DSS (google it) -- even if you're not storing credit card data, it's a way to get a good idea about realistic, solid security.