CiviCRM Community Forums (archive)

This forum was archived on 25 November 2017. Learn more.

Author Topic: Storing sensitive information on an online CiviCRM drupal install  (Read 2171 times)

Durruti

  • I post occasionally
  • **
  • Posts: 49
  • Karma: 1
    • The Kindling Trust
  • CiviCRM version: 3.4
  • CMS version: Drupal 6.20
  • MySQL version: 5.0.77
  • PHP version: 5.2.17
Storing sensitive information on an online CiviCRM drupal install
August 11, 2010, 07:01:45 am
Hello all,
I use CiviCRM for a couple of online directories and I love it. What I'm being asked for now uses many more of CiviCRM's capacities, so I'm looking for a little advice.
I administer a directory of refugee organisations as part of a Drupal website, and the organisation would now like to start using CiviCase to register asylum advice cases. There is a lot of crossover between the groups on the current database and the CiviCase users, and users are already familiar with the setup, so the easiest thing would be to enable it as part of the current install. What are your thoughts on securing sensitive data online? Is it even possible?
We have SSL support from our host, but how vulnerable is data stored online?
Any opinions or pointers?
Many thanks,
Durruti
http://feedingmanchester.org.uk

xavier

  • Forum Godess / God
  • I’m (like) Lobo ;)
  • *****
  • Posts: 4453
  • Karma: 161
    • Tech To The People
  • CiviCRM version: yes probably
  • CMS version: drupal
Re: Storing sensitive information on an online CiviCRM drupal install
August 11, 2010, 07:52:44 am
If you trust the people having access to civicrm and they use strong passwords, it should be ok. However, beware that if you need some users to have access to civicrm but not to all the contacts or this or that, the access rules are easier to work around.

In short, your main line of defence (beside SSL) is the "access to civicrm" rule (I'm assuming you're on drupal). If you can live with the limitation that whoever has access to civicrm can probably access most of the content, knowing that whoever hasn't can't access anything, that should be ok.

This being said, something online is probably always easier to get access to than the files you lock in your safe, and you should focus on security training (what to do with the passwords, where (not) to store them, never give your password, even if this is the "tech support" guy that asks, protect access to your email account...). I wouldn't assume the social workers (or any human being) having access to your civicrm are really that good about online security.

X+
-Hackathon and data journalism about the European parliament 24-26 jan. Watch out the result

Durruti

Re: Storing sensitive information on an online CiviCRM drupal install
August 11, 2010, 08:04:32 am
Hi Xavier,
Thanks so much for the reply. We've been through training about password usage, and all users use a password vault and strong passwords. However, in terms of the 'access to civicrm': as the same database is used for the public directory, these settings allow access to anonymous users. They obviously won't have the 'access all cases and activities' permission, which is where the sensitive data will be stored, but it seems you're suggesting that giving any access at all to civicrm will be a weakness(?)
In going through the permissions I've noticed that I also have 'access all custom data' for anonymous users, and I get the impression from the documentation (http://wiki.civicrm.org/confluence/display/CRMDOC32/Security+Considerations) that this overrode the civicrm ACLs. Is this correct, and how much should I be relying on the ACLs?
Many thanks again,
Durruti
http://feedingmanchester.org.uk

Hershel

  • Forum Godess / God
  • I’m (like) Lobo ;)
  • *****
  • Posts: 4640
  • Karma: 176
    • CiviHosting
  • CiviCRM version: Latest
  • CMS version: Mostly WordPress and Drupal
Re: Storing sensitive information on an online CiviCRM drupal install
August 11, 2010, 08:08:24 am
Quote from: Durruti on August 11, 2010, 07:01:45 am
We have SSL support from our host, but how vulnerable is data stored online?

Security on your server is only as good as your host. SSL is a security risk, without question. Allowing remote MySQL access is also a security risk. Even with these disabled, there is always a risk that your FTP or sFTP passwords can be compromised by a virus on your local machine. This can and does happen.

My professional opinion is that while there are certainly risks, they can be minimized (SSL and remote MySQL access can be disabled) and the rest is a function of your host. If you feel you can rely on the host, then I feel it's acceptable to store sensitive data online. There is of course no guarantee, but I think the risks are small enough to outweigh the benefits of using a system like CiviCRM.
CiviHosting and CiviOnline -- The CiviCRM hosting experts, since 2007

See here for the official: What to do if you think you've found a bug.

xavier

Re: Storing sensitive information on an online CiviCRM drupal install
August 11, 2010, 08:46:37 am
Quote from: Durruti on August 11, 2010, 08:04:32 am
as the same database is used for the public directory, these settings allow access to anonymous users. They obviously won't have the 'access all cases and activities' permission, which is where the sensitive data will be stored, but it seems you're suggesting that giving any access at all to civicrm will be a weakness(?)
In going through the permissions I've noticed that I also have 'access all custom data' for anonymous users, and I get the impression from the documentation (http://wiki.civicrm.org/confluence/display/CRMDOC32/Security+Considerations) that this overrode the civicrm ACLs. Is this correct, and how much should I be relying on the ACLs?

You shouldn't have to grant access to civicrm for a public directory, using profiles should be good enough.

Yes, I know at least one potential access right escalation vulnerability, where someone having "access to civicrm" might see/do more than you'd want. I don't know if this is an issue for access to case or not (don't think this is, but not sure).

@hershel,

Are you saying ssl is a security vulnerability and should be disabled? Confused, I'd say the opposite.

X+


-Hackathon and data journalism about the European parliament 24-26 jan. Watch out the result
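
An added example (not part of any poster's message and not CiviCRM's own code): one way to check the concern discussed above by listing which Drupal 6 roles hold the CiviCRM permissions named in this thread. It assumes Drupal 6's `role` and `permission` tables with a comma-separated `perm` column; the sample rows are constructed and the "caseworker" and "case manager" role names are hypothetical.

```python
# Added example: flag CiviCRM permissions held by Drupal 6 roles.
# Assumed input: rows from a query such as
#   SELECT r.name, p.perm FROM role r JOIN permission p ON p.rid = r.rid;
# Drupal 6 keeps each role's permissions in one comma-separated string.

# Permissions discussed in this thread and why each one deserves review.
SENSITIVE = {
    "access CiviCRM": "opens the CiviCRM back office",
    "access all custom data": "grants every custom data set",
    "access all cases and activities": "grants all CiviCase records",
}
_BY_LOWER = {name.lower(): name for name in SENSITIVE}

# Drupal's built-in roles for visitors the organisation has not vetted.
UNTRUSTED_ROLES = {"anonymous user", "authenticated user"}

# Constructed sample rows; "caseworker" and "case manager" are hypothetical.
SAMPLE_ROWS = [
    ("anonymous user",
     "access content, profile listings and forms, access all custom data"),
    ("authenticated user", "access content, profile listings and forms"),
    ("caseworker",
     "access CiviCRM, access my cases and activities, access all custom data"),
    ("case manager", "access CiviCRM, access all cases and activities"),
]


def parse_perms(perm_field):
    """Split the comma-separated perm column into a set of permission names."""
    return {p.strip() for p in perm_field.split(",") if p.strip()}


def audit(rows):
    """Return (severity, role, permission) findings, HIGH entries first."""
    findings = []
    for role, perm_field in rows:
        for perm in parse_perms(perm_field):
            canonical = _BY_LOWER.get(perm.lower())  # tolerate case differences
            if canonical is None:
                continue
            severity = "HIGH" if role in UNTRUSTED_ROLES else "REVIEW"
            findings.append((severity, role, canonical))
    return sorted(findings, key=lambda f: (f[0] != "HIGH", f[1], f[2]))


if __name__ == "__main__":
    for severity, role, perm in audit(SAMPLE_ROWS):
        print(f"{severity:6} {role:20} {perm}: {SENSITIVE[perm]}")
```
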

Hershel

Re: Storing sensitive information on an online CiviCRM drupal install
August 11, 2010, 08:49:58 am
Quote from: xavier on August 11, 2010, 08:46:37 am
@hershel,

Are you saying ssl is a security vulnerability and should be disabled? Confused, I'd say the opposite.


Oh, my. Yes, you are quite right. I meant to write ssh not ssl. Seems my comment is actually somewhat irrelevant as the OP didn't even mention ssh. I misread his original post.

My mistake.
CiviHosting and CiviOnline -- The CiviCRM hosting experts, since 2007

See here for the official: What to do if you think you've found a bug.

Durruti

Re: Storing sensitive information on an online CiviCRM drupal install
August 12, 2010, 09:28:20 am
Thanks for the advice folks!
Xavier, I have a fair bit of trust in my host, but he is recommending I go for a Virtual Private Server option, so that I'm not compromised by any of the other users on the shared host. This would then give me the ability to limit access to the mysql database (for example by IP address) but I'd then have to split the civicrm data between 2 databases (one for public, the other for private), so would involve lots of modification. Any opinions?
You are absolutely right about me not needing to give users 'access civicrm' rights, but as the directory contains custom data I do need to give them 'access all custom data'. Am I right in my understanding that this will override any ACLs I set, and is there any way around this?
Many thanks again,
Durruti
« Last Edit: August 12, 2010, 09:34:19 am by Durruti »
http://feedingmanchester.org.uk

Dave Greenberg

  • Administrator
  • I’m (like) Lobo ;)
  • *****
  • Posts: 5760
  • Karma: 226
    • My CiviCRM Blog
Re: Storing sensitive information on an online CiviCRM drupal install
August 12, 2010, 10:04:51 am
Several sites using CiviCase for politically sensitive or personal / medically sensitive issues do keep their CiviCase/CiviCRM install separate and on a VPS. One of them (Physician Health Program British Columbia) also uses a Crypto-key Token integrated with Drupal login for extra security:
http://civicrm.org/node/541
Protect your investment in CiviCRM by becoming a Member!

xavier

Re: Storing sensitive information on an online CiviCRM drupal install
August 12, 2010, 10:57:05 am


Quote from: Durruti on August 12, 2010, 09:28:20 am
Xavier, I have a fair bit of trust in my host, but he is recommending I go for a Virtual Private Server option, so that I'm not compromised by any of the other users on the shared host. This would then give me the ability to limit access to the mysql database (for example by IP address) but I'd then have to split the civicrm data between 2 databases (one for public, the other for private), so would involve lots of modification. Any opinions?

I'd even go for a dedicated server, not that expensive... but you have to secure it yourself. I'd suggest hiring a sysadmin to do the initial configuration.

I doubt the split is going to improve the security. As Dave said, going on a server on a VPS certainly helps.

X+
-Hackathon and data journalism about the European parliament 24-26 jan. Watch out the result

demeritcowboy

  • Ask me questions
  • ****
  • Posts: 570
  • Karma: 42
  • CiviCRM version: Always the latest!
  • CMS version: Drupal 6 mostly, still evaluating 7.
  • MySQL version: Mix of 5.0 / 5.1 / 5.5
  • PHP version: 5.3, usually on Windows
Re: Storing sensitive information on an online CiviCRM drupal install
August 13, 2010, 01:58:51 pm
Actually the Physician Health server that runs civicrm/civicase is a dedicated server not a VPS.
There is also a VPS for the public / informational web site.

So yes there is a cost to separating those two types of data, either the large modification like you say or by purchasing separate server offerings. In your case maybe you could do two VPS's?


This forum was archived on 2017-11-26.