Question
I have come across a web application that a company has asked me to rebuild. After all the implementation is said and done, I will deploy on a private server, and the database will be on its own private server. I will manage the communication between the two with firewalls, and both of the servers, data and web, will be behind a load balancer. My question is this: the data being collected is extremely sensitive. Do I pick out the columns of sensitive information and encrypt them (because until now they have not been), or would this just be overkill? I want to securely store the information; however, I can be a bit intense when it comes to my concerns.
If the answer is no, that's great and I'm glad I asked. However, if the answer is yes, does anyone know how I would go about updating the information to the newly necessary encryption?
The steps would need to be: selecting all of the information, converting the columns from varchar to varbinary, encrypting the data, and finally inserting it back into the database.
The development stack, from code to data, is Java/MySQL.
Overkill or appropriate?
Thanks in advance guys
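The migration steps listed in the question, as an added example that is not part of the original post or the asker's code. It is written in Go (the question's stack is Java/MySQL; the same construction carries over directly to javax.crypto's AES/GCM/NoPadding and a JDBC `UPDATE ... SET ssn_enc = ?` with a byte[] parameter). It goes a little beyond the question's four steps: it adds a new VARBINARY column beside the old VARCHAR one instead of converting in place, binds each ciphertext to its table, column and row id as AES-GCM associated data so a value copied between rows fails to decrypt, and verifies every ciphertext round-trips before it would be written back. All names (`patients`, `ssn`, `ssn_enc`), the sample rows and the SQL in the comments are assumptions standing in for the real schema and JDBC calls; the 32-byte key is assumed to come from a KMS, HSM or environment variable, never from the database itself.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Assumed schema (not from the original post):
//   ALTER TABLE patients ADD COLUMN ssn_enc VARBINARY(64) NULL;
// 11-char SSN + 12-byte nonce + 16-byte GCM tag = 39 bytes, so 64 is ample.
const (
	tableName  = "patients"
	columnName = "ssn"
)

// ColumnCipher encrypts individual column values with AES-256-GCM.
type ColumnCipher struct {
	aead cipher.AEAD
}

// NewColumnCipher accepts a 32-byte key supplied from outside the database.
func NewColumnCipher(key []byte) (*ColumnCipher, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &ColumnCipher{aead: aead}, nil
}

// aad ties a ciphertext to "table.column:rowid", so a blob moved from one
// row to another (by an attacker with UPDATE rights) fails authentication.
func aad(id int64) []byte {
	return []byte(fmt.Sprintf("%s.%s:%d", tableName, columnName, id))
}

// Encrypt returns nonce || ciphertext || tag, the bytes stored in VARBINARY.
// A fresh random 96-bit nonce per value is mandatory for GCM.
func (c *ColumnCipher) Encrypt(id int64, plaintext string) ([]byte, error) {
	nonce := make([]byte, c.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return c.aead.Seal(nonce, nonce, []byte(plaintext), aad(id)), nil
}

// Decrypt splits the stored blob and fails if the tag, the row id or the
// key does not match.
func (c *ColumnCipher) Decrypt(id int64, blob []byte) (string, error) {
	ns := c.aead.NonceSize()
	if len(blob) < ns+c.aead.Overhead() {
		return "", errors.New("ciphertext too short")
	}
	pt, err := c.aead.Open(nil, blob[:ns], blob[ns:], aad(id))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// Row stands in for one result of
//   SELECT id, ssn FROM patients WHERE ssn_enc IS NULL LIMIT 1000
type Row struct {
	ID  int64
	SSN string
}

// EncRow is what  UPDATE patients SET ssn_enc = ? WHERE id = ?  writes back.
type EncRow struct {
	ID     int64
	SSNEnc []byte
}

// Migrate encrypts a batch and refuses to hand back any row whose ciphertext
// does not decrypt to the original, so the only plaintext copy is never
// overwritten by garbage. Run batches in transactions; switch the app to
// ssn_enc once every row is filled; only then DROP COLUMN ssn.
func Migrate(c *ColumnCipher, rows []Row) ([]EncRow, error) {
	out := make([]EncRow, 0, len(rows))
	for _, r := range rows {
		blob, err := c.Encrypt(r.ID, r.SSN)
		if err != nil {
			return nil, err
		}
		if got, err := c.Decrypt(r.ID, blob); err != nil || got != r.SSN {
			return nil, fmt.Errorf("row %d: read-back verification failed", r.ID)
		}
		out = append(out, EncRow{ID: r.ID, SSNEnc: blob})
	}
	return out, nil
}

// SampleRows is constructed test data, not real records.
func SampleRows() []Row {
	return []Row{{ID: 1, SSN: "123-45-6789"}, {ID: 2, SSN: "987-65-4321"}}
}

func main() {
	key := make([]byte, 32) // placeholder; load from a KMS/HSM/env in practice
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	c, err := NewColumnCipher(key)
	if err != nil {
		panic(err)
	}
	enc, err := Migrate(c, SampleRows())
	if err != nil {
		panic(err)
	}
	for _, e := range enc {
		fmt.Printf("row %d -> %d bytes of VARBINARY\n", e.ID, len(e.SSNEnc))
	}
}
```

Note that this protects the column against someone who obtains the database files or a dump; as the answer below points out, it does nothing against an application that is tricked into decrypting on request, so the key must live in the application tier, not in a MySQL table or in `AES_ENCRYPT()` calls that would expose it in query logs.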
Explanation / Answer
The communication channel between the browser and your server (basically any channel across the internet) should be encrypted with TLS. This provides a secure, authenticated channel.
After the data has safely reached your database server, you should employ encryption for the disk storage, since you have a responsibility to protect clients' sensitive information. You could explore full disk encryption (FDE) for your server, as it should be more secure than encrypting the database only (the OS itself should be encrypted). Add in a layer of physical security (door locks, security guards), and you have a professional environment. Encryption mainly protects against offline attacks, e.g. the server is physically compromised but the data remains unreadable.
After implementing FDE, you probably don't need to further encrypt the individual database columns, because there will not be much more benefit. In a realistic setup, your database doesn't just encrypt; it also has to decrypt the information on demand when it is needed. A malicious attacker can exploit your web server somehow to fool your backend into producing the decrypted information anyway, through things like SQL injection, cross-site scripting, and other "online" attacks, which are arguably more common and more deadly. Check out the Top 10 threats from The Open Web Application Security Project (OWASP).