Securing your system

The following highlights some of the simple steps that can be taken in order to increase the security of your system.

Ensure secure connections

Use HTTPS on your web server

Using HTTPS (Hypertext Transfer Protocol Secure) is one of the first things you can do to increase the security of your system.  When HTTPS is enabled, all traffic between the FastStats Server and the user’s application is encrypted: user IDs, passwords, job requests and so on.  Additionally, if you have purchased a site certificate from a certificate authority (rather than using a self-signed certificate), users connecting to your site for the first time (in order to download the software) have assurance that the site they are connecting to is really yours!

How to use a secured Web Service

When using HTTPS it is not necessary for users accessing the Web Service to be authenticated, i.e. anonymous access can be allowed.

You will need to:

  • Obtain an SSL Certificate

  • Install the Certificate on site

  • Set IIS to require SSL

Ensure users are identified

  • Define a required password structure e.g. minimum 10 characters with at least 1 numeric character.

  • Apply a maximum session length (e.g. 10 minutes).

  • Apply an inactivity timeout period (e.g. 10 minutes).

The above settings (and more!) can be easily applied through the ‘Security’ tab of the Web Service Configuration for a given system.
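The password structure and the two session limits above are ordinary server-side checks.  The following is an added illustration in Python (not FastStats code; the policy values are the examples from this page and the user name is constructed) showing why both limits are needed: the inactivity timeout catches an abandoned session, while the maximum session length ends even a continuously active one.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# Example policy values from the guide; treat them as configuration, not defaults.
MIN_PASSWORD_LENGTH = 10
MIN_DIGITS = 1
MAX_SESSION_LENGTH = timedelta(minutes=10)
INACTIVITY_TIMEOUT = timedelta(minutes=10)


def password_problems(password: str) -> List[str]:
    """Return every way the password fails the required structure (empty list = OK)."""
    problems = []
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    if len(re.findall(r"\d", password)) < MIN_DIGITS:
        problems.append(f"fewer than {MIN_DIGITS} numeric character(s)")
    return problems


@dataclass
class Session:
    user: str
    started: datetime
    max_length: timedelta = MAX_SESSION_LENGTH
    idle_timeout: timedelta = INACTIVITY_TIMEOUT
    last_activity: datetime = field(init=False)

    def __post_init__(self) -> None:
        self.last_activity = self.started

    def touch(self, now: datetime) -> Optional[str]:
        """Record a request at `now`.

        Returns None while the session is valid, otherwise the reason it has
        expired.  Both limits are checked on every request, so a user who never
        goes idle is still logged out when the maximum session length is reached.
        """
        if now - self.started > self.max_length:
            return "maximum session length exceeded"
        if now - self.last_activity > self.idle_timeout:
            return "inactivity timeout exceeded"
        self.last_activity = now
        return None


def simulate(start: datetime, request_offsets_minutes: List[int],
             max_length: timedelta = MAX_SESSION_LENGTH,
             idle_timeout: timedelta = INACTIVITY_TIMEOUT) -> List[Optional[str]]:
    """Replay requests at the given minute offsets (constructed user) and report each outcome."""
    session = Session("alice", start, max_length, idle_timeout)
    return [session.touch(start + timedelta(minutes=m)) for m in request_offsets_minutes]


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 9, 0)
    print(password_problems("abcdefghij"))
    # Active every few minutes, yet cut off by the 10-minute maximum length.
    print(simulate(t0, [0, 5, 9, 11]))
    # Long maximum length, but a 15-minute gap trips the inactivity timeout.
    print(simulate(t0, [0, 5, 20], max_length=timedelta(hours=1)))
```

With equal values for both limits (as in the examples above) the idle check can never fire before the maximum-length check, because idle time is never longer than session age; the second simulation uses a longer maximum length to show the inactivity path.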

Define appropriate user rights

  • Export/Browse/Copy & Paste

    It is possible to control the variables that can be selected, viewed, and exported from a system.  You can prevent data from being copied (and then pasted) to a separate application.

  • Determine which functions are available

    It may not be necessary for the full functionality of the application to be available to all users.

  • Determine what tables/columns/rows are available

    In a multi-source data system, it may not be necessary for all users of the system to be able to access, view and extract all the data from the system.  FastStats allows Administrators to control the data access of all users by table, column & row.

  • Ensure Administrator rights are restricted

    It is possible to assign user rights as above through either the Administrative Web Pages or through the Tools available within the FastStats application.
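The rights described above amount to a per-user table, column and row policy plus a set of capability flags, with the power to change that policy held separately from the power to use the data.  The following is an added Python illustration of that model (not the FastStats implementation; the table, rows, user names and rights are constructed): viewing is limited to permitted tables and columns and filtered by row, export and copy are separate capabilities, and only an administrator may grant rights.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set

Row = Dict[str, object]


class AccessDenied(PermissionError):
    """Raised when a user asks for a table, column, row set or action they lack."""


@dataclass
class TableRights:
    columns: Set[str]                                       # columns the user may see
    row_filter: Callable[[Row], bool] = lambda row: True    # rows the user may see


@dataclass
class UserRights:
    user: str
    tables: Dict[str, TableRights] = field(default_factory=dict)
    can_export: bool = False      # write data out of the system
    can_copy: bool = False        # copy & paste into another application
    is_admin: bool = False        # may change other users' rights


def view(rights: UserRights, table: str, rows: List[Row], columns: List[str]) -> List[Row]:
    """Return only the rows and columns this user is allowed to see; deny anything else."""
    if table not in rights.tables:
        raise AccessDenied(f"{rights.user} may not access table {table}")
    table_rights = rights.tables[table]
    hidden = set(columns) - table_rights.columns
    if hidden:
        raise AccessDenied(f"{rights.user} may not view columns {sorted(hidden)}")
    return [{c: row[c] for c in columns} for row in rows if table_rights.row_filter(row)]


def export(rights: UserRights, table: str, rows: List[Row], columns: List[str]) -> List[Row]:
    """Export is a separate capability layered on top of the view rights."""
    if not rights.can_export:
        raise AccessDenied(f"{rights.user} may not export data")
    return view(rights, table, rows, columns)


def grant(actor: UserRights, target: UserRights, table: str, table_rights: TableRights) -> None:
    """Only an administrator may change rights; ordinary users cannot widen their own access."""
    if not actor.is_admin:
        raise AccessDenied(f"{actor.user} is not an administrator")
    target.tables[table] = table_rights


# Constructed sample data: a single-table customer system.
SAMPLE_ROWS: List[Row] = [
    {"id": 1, "name": "A. Example", "region": "North", "income": 41000},
    {"id": 2, "name": "B. Example", "region": "South", "income": 58000},
    {"id": 3, "name": "C. Example", "region": "North", "income": 23000},
]

# A regional analyst: two columns, North rows only, no export or copy.
ANALYST = UserRights(
    user="analyst",
    tables={"customers": TableRights(columns={"id", "region"},
                                     row_filter=lambda row: row["region"] == "North")},
)
# The administrator can grant rights but has not been given any data access here.
ADMIN = UserRights(user="admin", is_admin=True)


if __name__ == "__main__":
    print(view(ANALYST, "customers", SAMPLE_ROWS, ["id", "region"]))
    for attempt in (lambda: view(ANALYST, "customers", SAMPLE_ROWS, ["id", "income"]),
                    lambda: export(ANALYST, "customers", SAMPLE_ROWS, ["id"]),
                    lambda: view(ADMIN, "customers", SAMPLE_ROWS, ["id"])):
        try:
            attempt()
        except AccessDenied as err:
            print("denied:", err)
```

Keeping `is_admin` independent of the table rights is the point of the last bullet: an account that administers rights need not itself be able to browse or export the data.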

Encrypt sensitive data

Encrypt text fields in the system

Encrypting text variables in a system can provide an additional layer of security for sensitive data, should the build, web or system host server be compromised.  If the data files of the encrypted variables were read, they would be unintelligible.  It is not possible to use encrypted variables in a selection, so if a variable is needed for selection purposes a coded version of it should be created and used instead.  Encrypting text variables also renders them unreadable in a data grid, preventing ‘over the shoulder’ data compromise.

To encrypt text fields, you will first need to select an encryption type and specify a password (used to encrypt the data) in the advanced settings of the system configuration tab in your design.  You can then select the ‘Encrypt’ check-box next to each text variable in the ‘Define Variables’ tab.
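The two ideas in this section, a password-derived key that encrypts the stored value and a separate coded version that selections can still match on, are shown below in an added Python illustration.  It is not FastStats code and does not reproduce the product's encryption types: the keys are derived with PBKDF2-HMAC-SHA256, the value is encrypted with an HMAC-SHA256 keystream in counter mode and authenticated with a second key (an illustrative encrypt-then-MAC construction using only the standard library), and the coded version is a keyed hash of the normalised value.  The records, salt and password are constructed.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

# Constructed: a real system would generate a random per-system salt once and store it.
SALT = b"constructed-example-salt"
PBKDF2_ROUNDS = 100_000


def derive_keys(password: str, salt: bytes = SALT) -> Tuple[bytes, bytes, bytes]:
    """Stretch the configured password into three independent 32-byte keys
    (encryption, authentication, coding) so no key is reused for two purposes."""
    material = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS, dklen=96)
    return material[:32], material[32:64], material[64:96]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: each 32-byte block keyed by nonce || counter.
    blocks = [hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
              for counter in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def encrypt_value(plaintext: str, enc_key: bytes, mac_key: bytes) -> bytes:
    """Return nonce || ciphertext || tag.  A fresh nonce per value keeps equal
    plaintexts from producing equal ciphertexts, which is why a separate coded
    column is needed for selection."""
    nonce = os.urandom(16)
    data = plaintext.encode("utf-8")
    ct = bytes(a ^ b for a, b in zip(data, _keystream(enc_key, nonce, len(data))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_value(blob: bytes, enc_key: bytes, mac_key: bytes) -> str:
    """Verify the tag before decrypting; a wrong password or altered file fails here."""
    if len(blob) < 48:
        raise ValueError("ciphertext too short")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong password or tampered data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct)))).decode("utf-8")


def code_value(value: str, code_key: bytes) -> str:
    """Deterministic keyed hash of the normalised value: equal inputs give equal
    codes (so selections work) but the code reveals nothing without the key."""
    return hmac.new(code_key, value.strip().lower().encode("utf-8"), hashlib.sha256).hexdigest()


# Constructed sample records: (id, email).  The email is the sensitive text variable.
SAMPLE_RECORDS = [(1, "jane@example.com"), (2, "john@example.org"), (3, "ann@example.net")]


def build_table(password: str) -> List[Dict[str, object]]:
    """Store each email encrypted plus its coded version; the plaintext is never stored."""
    enc_key, mac_key, code_key = derive_keys(password)
    return [{"id": rid, "email_enc": encrypt_value(email, enc_key, mac_key),
             "email_code": code_value(email, code_key)} for rid, email in SAMPLE_RECORDS]


def select_by_email(table: List[Dict[str, object]], email: str, password: str) -> List[int]:
    """Equality selection on the coded column; no decryption takes place."""
    _, _, code_key = derive_keys(password)
    wanted = code_value(email, code_key)
    return [row["id"] for row in table if row["email_code"] == wanted]


def export_table(table: List[Dict[str, object]], password: str) -> List[Tuple[int, str]]:
    """Export decrypts automatically, which is why the export itself needs protecting."""
    enc_key, mac_key, _ = derive_keys(password)
    return [(row["id"], decrypt_value(row["email_enc"], enc_key, mac_key)) for row in table]


def decrypts_with(table: List[Dict[str, object]], password: str) -> bool:
    try:
        export_table(table, password)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    table = build_table("constructed-system-password")
    print(table[0]["email_enc"].hex())          # unintelligible if the data file is read
    print(select_by_email(table, " JANE@example.com", "constructed-system-password"))
    print(export_table(table, "constructed-system-password"))
```

The last function matters for the next section: because export decrypts the values, the exported file is back to plaintext and needs its own protection in transit.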

Require encrypted, password protected, zipped file downloads

Upon export, encrypted variables are decrypted automatically before transfer.  For this reason, if you have data in your system that is sensitive enough to require encryption, you are also advised to require encrypted, password-protected zip file transfers.  The setting for this can be found in the ‘Security’ tab within the system’s web service configuration.