Tell me more ×
IT Security Stack Exchange is a question and answer site for IT security professionals. It's 100% free, no registration required.
up vote 2 down vote favorite

I am doing a PHP website for a client who deals with third party financial information, and he is concerned about the developmers (me) having access to all the information, which is obviously a valid concern.

I am currently hosting on a shared hosting environment, however, I am going to recommend a dedicated server for this site.

I can build in all kinds of logging in the source code of the site, and have the code audited before the site launches, so that should prevent back-doors in the code to leak information. I am, however, concerned on how to prevent access to phpMyadmin or other administrative tools to access the database directly.

Where would I start in getting this concern out of the way? Any advice will be appreciated.

Thanks in advance!

share|improve this question
3  
There's a fundamental issue of trust here. If the client trusts the hosting company more than a developer working for him then you have a bigger issue. The hosting company could, at anytime, access the data. – Adnan Mar 27 at 9:28
Hi @Adnan, possibly, but he would ideally not have ANYONE access the data or source. Not sure if this can be prevented. If your system deals with millions of dollars of other peoples' money (like a bank), the concern is valid... Very noble people has swayed under the pressure of the ability of "cheating" a system. – Kobus Myburgh Mar 27 at 14:54
That's simply not possible. If your database is hosted somewhere then whoever manages that "somewhere" has access to it. The only solution is to host the database on your own server and put it in a safe. – Adnan Mar 27 at 15:00
Thanks @Adnan. I figure that there is only so much you can do. If I can not find a solution that exactly fits the client's requirements, then let it not be said I did not do due diligence in researching it. – Kobus Myburgh Mar 27 at 15:01

3 Answers

up vote 0 down vote accepted

PCI-DSS is the industry standard applied to most commercial websites dealing with financial transactions therefore you should be able to find the exact protocols that PCI DSS mandates in their documentation and can base your own system as per that.

While I do understand their concern of the developer having access to financial data, trust is a key issue here. Trust aside financial data should be encrypted enough to ensure that in case of a direct database dump, no plain text financial data is leaked. This will require your application source code (containing key policies, etc) or the application itself to be compromised.

As for preventing phpMyAdmin and other tools from direct database access, you can simply change the MySQL root and other passwords via command line on MySQL. This is a crude way, but will leave phpMyAdmin unable to sync with MySQL. Changing the default port of MySQL is also a secondary alternative on a dedicated server.

A more tested approach however is one deployed by systems like SAP while preventing programmers from directly accessing the database to prevent damage to the integrity of stored data. They do this by restricting applications to a single database user login, the password for which is only with the application. If any other database user attempts to access stored data, the attempt is logged and reported, generally causing any warranty to be considered void.

share|improve this answer
Thanks @Rohan. Your input about encryption is probably the way to go. I have therefore accepted your answer. PCI-DSS is something I would need to read up a bit on as well. – Kobus Myburgh Mar 27 at 14:57
up vote 3 down vote

There's a number of controls that you could put in place here to give the customer some comfort about the security of their data. Some of this could well be overkill depending on the customer but ideas nonetheless

  • Ensure that all the system passwords (e.g. OS accounts, MySQL) are set by the customer for the production system
  • Assuming that this system will be at a hosting provider as opposed to being on the client site, you could look at setting up Firewall rules at the OS level and .htaccess files at the web server level to restrict where connections can be made from for administrative tools (e.g. SSH, phpmyadmin). This would require the customer to have a fixed IP address that could be used for this purpose.
  • Documented Change process. One risk here would be that a code update adds something nasty, so if they want ongoing assurance you'd need to have a defined deployment process where each release is put into production by the customer (assuming that only they have access)
  • Logging and Monitoring. At an OS level you could log all activity more info

All this of course depends on the idea that the customer has the knowledge and resources to manage the service. If they don't and you still have admin access then really it's a trust situation as if you have root access to the box or the database you can take copies of the data.

share|improve this answer
Thanks, @Rory. Your answer is very good. Unfortunately my reputation is not high enough to upvote it, and the answer below seems more in line with what I need to do. Thanks for taking the time to answer... – Kobus Myburgh Mar 27 at 14:58
up vote 0 down vote

Yours case if i have read it right is a classical one dealing with rights and permission issues for code thats runs in production.

first as a security principal developer in no way should have access to code running in production. This is where cincept of libirarian comes in. All code after testing goes to standard libirary and then moved out from there.

Second once there you can either let your client tech team sys admin guys to take over who do the routine maintainence.

Thirdly depending upon the sensitivity and classification of data you have to prove or give necessary assurance of your system controls effectivness to block un authorized accessses. Access control should be driven by client requirements.

Logging is detective control you need to start thinking in the lines of perventive security.

share|improve this answer
Thanks, Saladin. The client can not even have his tech team access the confidential financial data. I was thinking mroe in the line of needing two people to log in together to access anything. Do you know of such a possibility? – Kobus Myburgh Mar 27 at 15:00
yes i know its called dual control. Lot popular concept for db. – Saladin Mar 27 at 15:08
Thanks, Saladin, I will search for it. – Kobus Myburgh Mar 27 at 15:36

Your Answer

 
discard

By posting your answer, you agree to the privacy policy and terms of service.

Not the answer you're looking for? Browse other questions tagged or ask your own question.