|Security issues for online databases|
by Todd Hollback
The potential advantages for nonprofits in integrating their donor database with their web site are significant. However, the security risks presented by online database access are potentially very serious – and these risks are the same whether you are a small nonprofit staffed by volunteers or a Fortune 500 corporation. These risks can be greatly reduced, and in many cases, eliminated altogether, when secure data access is a priority in the design, implementation, and maintenance of your online access portal.
In this article, we’d like to address some common security risks associated with online database transactions, explain some of the technology behind these interactions, and then describe steps that can be taken to mitigate the risks involved.
Secure By Design
The old cliché that “A system is only as strong as its weakest link” is certainly true when it comes to online database security. When considering connecting your donor database to the Internet, it is essential to evaluate every component in the system for security weaknesses. Your overall design approach must uphold secure data access as a primary requirement built into each component, policy, and practice. It is simply not sufficient to apply stopgap security measures as patches to an otherwise unsecured system. We’ll take a look at some designed-in risk mitigation techniques in a moment.
Maintaining Security is an Ongoing Process
Maintaining a secure online donor database will require an ongoing process of:
Many of these tasks can be automated, but part of your planning should include budgeting staff time for security reviews.
Threats to Online Databases
Most computer users are aware of the common security threats that are now unfortunately an integral part of everyday computing in the workplace – viruses/worms, adware/spyware, email spam, etc. While these threats are very real - and very dangerous - they are not the focus of this article. Rather, we want to focus on the following 5 specific types of security threats inherent in connecting an existing donor database server to the Internet:
A good first step on the road to data security is to ensure that all data transferred across the Internet is transported using a secure encryption protocol. There are many different types of transport channel encryption, but the one most commonly used is Secure Sockets Layer (SSL) – or its successor Transport Layer Security (TLS). SSL is the encryption protocol in use whenever you connect to a web page with a URL beginning with ‘https:’ instead of ‘http:’.
In a typical scenario as illustrated in the diagram above: a potential online donor browses to a nonprofit’s web site and clicks a link to the organization’s online donations page. If this page is hosted on a secure web server, the donor’s demographic data and credit card information will be transported from the donor’s computer to the web server over an SSL-encrypted channel (# 1 in the diagram). If the online donations page is not hosted on a secure area of the web server, then that donor’s private data is transferred across the Internet as clear text and is therefore susceptible to theft.
The software resident on the web server that process the donor’s information (# 3 in the diagram) must in turn pass that donor data across the Internet to a third-party merchant gateway to process the credit-card transaction (# 1 in the diagram), and also to the nonprofit organization’s donor database server (# 1 in the diagram). Each of these transport channels must also be encrypted if the details of that transaction are to remain secure.
Be sure to work with your web site developer and/or your hosting provider to guarantee that your donor’s data is always transmitted over encrypted channels.
Unencrypted database files
A nonprofit organization’s donor database physically resides on a server located either at the nonprofit’s offices (# 2 in the diagram) or on a server owned by a 3rd-party service provider. In either case, the actual database files themselves need to be encrypted in some fashion in order to provide the maximum security possible.
Unencrypted database files are subject to the same common virus and spyware attack vectors as any other file on your computer. This is true even if your donor database server is not directly connected to the Internet – as long as the database server is networked to any computer that is connected to the Internet, the possibility of an attack on the database exists.
Most database vendors provide the option for you to encrypt your database tables. This means that the data in the database is protected by encryption while “at rest” on the server. When a request comes into the database from an external web page, the database software decrypts the requested data before delivering it to the web server – using an encrypted data transport channel as described above.
Work with your system administrator, your database administrator, and/or your donor management software vendor to implement an appropriate level of encryption in your donor database.
SQL Injection Attacks
A common attack mode for malicious Web users who are trying to obtain secure information from databases is to inject (insert) database language (“System Query Language”, or “SQL”) commands into text input boxes found on Web forms. Since basic SQL command syntax is common to every modern database product, a technically savvy hacker can form SQL command fragments and enter them instead of a username or password on a login form in order to retrieve information from multiple user accounts, or to corrupt or even delete entire database tables.
The only effective prevention against SQL injection attacks is due diligence on the part of the web programmer. The programmer must insure that all text entered into HTML input fields is validated and stripped of malicious SQL content before it is sent to the database. This is an example of the “Secure By Design” philosophy described earlier. Don’t hesitate to ask your web site developer to explain the security measures she has implemented in your web site’s software to prevent SQL injection attacks.
Weak User Authentication Strategies
The “front door” to any database is its user authentication mechanism (# 4 in the diagram). Obviously, when that “front door” is left unlocked, or is only nominally secured, the contents of the database are threatened. This is especially true when the “front door” can be accessed from anywhere on the planet through a Web page! Here are a few steps you can take to ensure that the only people accessing your database are those who are welcome…
You should work with your database administrator and your web site developer to implement a strong user authentication strategy.
Unsecured Database Backups
One of the security threats that is often overlooked is the risk of compromised database backups (# 5 in the diagram). All of the file security precautions that apply to the donor database itself also apply to the backup files. One of the best prevention measures you can take would be to make offline backups onto removable storage media. Another approach would be to transfer your backups to a remote location, while of course using secure transport and storage strategies at the remote site.
Other Risk Mitigation Techniques
In addition to the techniques we have already discussed, here are a couple other mechanisms you can use to further reduce the vulnerability of your donor database:
Your network administrator, server administrator, or database administrator can work with you to establish an appropriate firewall configuration for your network infrastructure.
Work with your database administrator or donor management software vendor to establish a database log file creation and review policy that makes sense for your organization.
Although security risks do exist when connecting your donor database to the Internet, these risks can be greatly reduced or eliminated when proper safeguards and practices are built-in to your online customer portal.
Todd Hollback is a former member of the FundRaiser development team. He now does data conversion for FundRaiser customer who are moving from other software into FundRaiser.
FundRaiser Software offers non-profit organizations intuitive donor management software that is easy to learn and easy to use. Three programs, ranging from simple to sophisticated, let you choose the features you need now, while guaranteeing a built-in growth path for the future. Software flexibility, budget options, and superb technical support make FundRaiser Software uniquely adaptable to the needs of non-profit organizations whatever their mission.