Securing your system
The following highlights simple steps you can take to increase the security of your Apteco system.
Ensure secure connections¶
Use HTTPS on your web server¶
Using HTTPS (Hyper Text Transfer Protocol Secure) is one of the first things you can do to increase the security of your system. When HTTPS is enabled, all traffic between the FastStats Server and the user's application is encrypted—user IDs, passwords, job requests, and so on. Additionally, if you have purchased a site certificate (rather than self-certifying), users are guaranteed that the site they are connecting to is yours.
How to use a secured web service¶
When using HTTPS it is not necessary to have authenticated users accessing the web service—anonymous access can be allowed.
You will need to:
- Obtain an SSL certificate
- Install the certificate on site
- Set IIS to require SSL
Ensure users are identified¶
- Define a required password structure, for example: minimum 10 characters with at least 1 numeric character.
- Apply a maximum session length, for example: 10 minutes.
- Apply an inactivity timeout period, for example: 10 minutes.
Define appropriate user rights¶
-
Export / Browse / Copy & Paste—It is possible to control the variables that can be selected, viewed, and exported from a system. You can prevent data from being copied (and then pasted) to a separate application.
-
Determine which functions are available—It may not be necessary for the full functionality of the application to be available to all users.
-
Determine what tables / columns / rows are available—In a multi-source data system, it may not be necessary for all users to be able to access, view, and extract all data. FastStats allows administrators to control data access by table, column, and row.
-
Ensure administrator rights are restricted—User rights can be assigned through either the Administrative Web Pages or through the Tools available within the FastStats application.
Encrypt sensitive data¶
Encrypt text fields in the system¶
Encrypting text variables provides an additional layer of security to sensitive data, should the build, web, or system host server be compromised. If the data files of the encrypted variables were read, they would be unintelligible. It is not possible to use encrypted variables in a selection, so if the variables are needed for selection purposes, a coded version should be created and used instead. Encrypting text variables also renders them non-readable in a data grid, preventing over-the-shoulder data compromise.
Require encrypted, password-protected, zipped file downloads¶
Upon export, encrypted variables are decrypted automatically before transfer. For this reason, if you have data sensitive enough to require encryption, you are also advised to require password-encrypted, zipped file transfers. The setting for this can be found in the Security tab within the system's web service configuration.