Holding email data on a content management system for a marketing website?
June 30, 2009 // Posted in Security
If i am using a content management system to run my website and decide to hold data in its database in order to run a password protected area, what if any data protection considerations do i need to take into account? The data held will be Email, First Name and Surname, and of course username and password.
This entry was posted on June 30, 2009 at 7:59 am and is filed under Security (Tags: Content Management System, Course Username, Email Management, Surname).
Comments (2)
Need more information. What country are you in? If in the US, what state (39 states have specific privacy laws)? What CMS are you using? What DB are you using? I'm guessing MySQL.
The main thing is to make sure that the exchange of data between the user and the server is protected (i.e., logging in). You should use SSL on those pages. This will require you to get a server certificate for your site, but there are many ways to do this freely or cheaply. Your web host might have one available that you can use. There are also sites that will create one for you for free.
You only need to make those pages with data you wish to protect SSL enabled, not the entire site.
Make sure that there's adequate protection on the database holding the information. Web hosts do a good job of this in most cases, but if you're hosting your own web server and the database lives on that, apply all security patches and keep it maintained properly for security.
The CMS will need to access the database in the background, so make sure you create a specific user account with a difficult password for that access. Do not use a regular user account (even your own) for this purpose.
You can add an additional level of protection to your sensitive data by encrypting it in the database table itself. Most database products (MySQL, Oracle) have built-in functions that can encrypt data as it inserts it in the table, and can reverse it when you need to access it. You can leave the user’s name unencrypted, but encrypt the password and email address.
One other thing: set and enforce lengths on user names and passwords. Longer passwords == more security for the user. And make sure you verify all data coming in on login or other data entry forms before it gets used or inserted into the database tables. If you're using a language like PHP, there are many functions available for testing strings for unwanted characters.
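As an added example (not from the post or either commenter), here is how the second comment's advice on validating form input, using a dedicated database account with prepared statements, and protecting stored credentials could look in PHP with PDO. It stores the password as a salted one-way hash via password_hash() instead of the reversible database encryption the comment mentions, which is the standard choice for passwords, and it assumes a hypothetical `users` table with columns username, email and password_hash plus placeholder connection credentials.

```php
<?php
// Added example (not the post's or any CMS's own code). Assumes a
// hypothetical `users` table (username, email, password_hash) and a
// dedicated least-privilege MySQL account used only by the application.
// Serve the pages that call these functions over HTTPS.
$pdo = new PDO(
    'mysql:host=127.0.0.1;dbname=cms;charset=utf8mb4',
    'cms_app',                         // not a personal or admin account
    'REPLACE_WITH_STRONG_PASSWORD',    // placeholder, not a real secret
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
     PDO::ATTR_EMULATE_PREPARES => false]  // real server-side prepared statements
);

// Check length and character rules before anything touches the database.
function validate_registration(string $username, string $email, string $password): array
{
    $errors = [];
    if (!preg_match('/^[A-Za-z0-9_]{3,32}$/', $username)) {
        $errors[] = 'username must be 3-32 letters, digits or underscores';
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false || strlen($email) > 254) {
        $errors[] = 'email address is not valid';
    }
    if (strlen($password) < 12 || strlen($password) > 128) {
        $errors[] = 'password must be 12-128 characters';
    }
    return $errors;
}

function register_user(PDO $pdo, string $username, string $email, string $password): bool
{
    if (validate_registration($username, $email, $password) !== []) {
        return false;
    }
    // Salted one-way hash: a leaked table does not reveal the password itself.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('INSERT INTO users (username, email, password_hash) VALUES (:u, :e, :h)');
    return $stmt->execute([':u' => $username, ':e' => $email, ':h' => $hash]);
}

function login_user(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Unknown user: verify against a throwaway hash so response time does not reveal valid usernames.
    $stored = $row === false ? password_hash('dummy', PASSWORD_DEFAULT) : $row['password_hash'];
    return $row !== false && password_verify($password, $stored);
}
```

The bound parameters mean user-supplied values are never spliced into SQL text, and the username regex and length limits give the "enforce lengths" rule from the comment a concrete form.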