My client wants to have subscribers transfer identity data from their service to his as part of a service agreement. They'll get a service in return. I am under NDA and am not permitted to explain anything more about why. It will be everything but passwords. He plans to get certified and audited every year to be in compliance with USA and international standards such as Sarbanes-Oxley and other security standards.
What is the best practice way to transfer identity data with PHP? What encryption standard is supported by the most hosts in 2010? What compression? What web service API would you recommend? What other security practices should we use?
Unfortunately I don't often get a chance to do contracts dealing with data security, compression, encryption, and web services. I'm mostly building web tools for clients or mom and pop small business websites. So, I'm needing advice to help me catch up with the industry. I mean, I haven't made a SOAP call since the 1990s with Visual Basic, following an example out of an MSDN Magazine, so I lack some experience on what the latest techniques are.
Best Way To Secure Identity Data Transfers?
- Christopher
- Site Administrator
- Posts: 13596
- Joined: Wed Aug 25, 2004 7:54 pm
- Location: New York, NY, US
Re: Best Way To Secure Identity Data Transfers?
I would think that SSL/HTTPS would be the most obvious and available encrypted protocols. Many higher level protocols use those for the actual transfer.
(#10850)
- volomike
- Forum Regular
- Posts: 633
- Joined: Wed Jan 16, 2008 9:04 am
- Location: Myrtle Beach, South Carolina, USA
Re: Best Way To Secure Identity Data Transfers?
Well, yes, but then do I also require zip compression and RSA encryption be applied on the package that is sent over? Do I want to require that the sender server provide a static IP to me so that I can make an accept/deny list? Do I want to use a special XML data type?
I'm thinking that I'll want them to compose an XML document with the identity data in a way that we prefer, and we can even provide them a PHP code snippet that reads a database and does this. Once it has this, it compresses this huge file into a zip file and then RSA encrypts it. The server is on our authorized connection list of static IPs, so it sends us the package. Our server then decrypts, unzips, parses the XML, and writes it into a database for further processing on our end.
And then I think I'll have to review the Sarbanes-Oxley security steps and ensure that these are followed. SOX is pretty stiff, so I imagine that it will comply with international standards. We can then come back and address the international standards later.
That's what I'm thinking, anyway.
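An added sketch, not part of the original posts, of the compose, compress, encrypt, decrypt, decompress, parse pipeline described in the post above. RSA can only encrypt data shorter than its key size, so the sketch uses PHP's `openssl_seal()` envelope scheme (RSA wraps a random AES key) and signs the package so the receiver can check who sent it. The keys and XML record are constructed for the demo, and `pack_transfer()` / `unpack_transfer()` are hypothetical names.

```php
<?php
// Constructed demo keys; in practice each side holds only its own private key.
$opts      = ['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA];
$recipient = openssl_pkey_new($opts);
$sender    = openssl_pkey_new($opts);
$recipientPub = openssl_pkey_get_details($recipient)['key'];
$senderPub    = openssl_pkey_get_details($sender)['key'];

// Constructed sample record standing in for the exported identity data.
$xml = '<?xml version="1.0" encoding="UTF-8"?><subscribers>'
     . '<subscriber id="1"><email>test@example.com</email></subscriber></subscribers>';

const CIPHER = 'aes-256-cbc';

// Sender side: compress, seal to the recipient's public key, sign the result.
function pack_transfer(string $xml, string $recipientPub, $senderPriv): array {
    $compressed = gzencode($xml, 9);
    $iv = null;
    if (openssl_seal($compressed, $sealed, $ekeys, [$recipientPub], CIPHER, $iv) === false) {
        throw new RuntimeException('seal failed');
    }
    // Signature covers wrapped key, IV and ciphertext, so tampering is detected.
    if (!openssl_sign($ekeys[0] . $iv . $sealed, $sig, $senderPriv, OPENSSL_ALGO_SHA256)) {
        throw new RuntimeException('sign failed');
    }
    return array_map('base64_encode',
        ['key' => $ekeys[0], 'iv' => $iv, 'data' => $sealed, 'sig' => $sig]);
}

// Receiver side: verify the signature first, then open, decompress and parse.
function unpack_transfer(array $pkg, $recipientPriv, string $senderPub): SimpleXMLElement {
    $p = array_map(fn($v) => base64_decode($v, true), $pkg);
    if (openssl_verify($p['key'] . $p['iv'] . $p['data'], $p['sig'], $senderPub, OPENSSL_ALGO_SHA256) !== 1) {
        throw new RuntimeException('signature check failed; package rejected');
    }
    if (!openssl_open($p['data'], $compressed, $p['key'], $recipientPriv, CIPHER, $p['iv'])) {
        throw new RuntimeException('decrypt failed');
    }
    $xml = gzdecode($compressed);
    // LIBXML_NONET keeps the parser from fetching anything over the network.
    $doc = ($xml === false) ? false : simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET);
    if ($doc === false) {
        throw new RuntimeException('payload is not valid compressed XML');
    }
    return $doc;
}

$pkg = pack_transfer($xml, $recipientPub, $sender);
$doc = unpack_transfer($pkg, $recipient, $senderPub);
echo $doc->subscriber[0]->email, "\n";
```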
- Christopher
- Site Administrator
- Posts: 13596
- Joined: Wed Aug 25, 2004 7:54 pm
- Location: New York, NY, US
Re: Best Way To Secure Identity Data Transfers?
I don't see why you would need to double encrypt? Any compression would be an application-specific decision unrelated to security. If you are going the XML route then why not use SOAP or XMLRPC? SOAP has what you are looking for probably.
(#10850)