eDiscovery/Safe Harbor: Countries that might protect my customers' data - data-protection

Hi, I hope someone may help.
My customer is based in the European Union and would like to protect its data from any eDiscovery/Safe Harbor agreements.
Is there any country left which would be the real Safe Harbor? ;-)
Well, Switzerland also signed an agreement with the US, and I don't trust the North Korean or Cuban data protection laws... so where is a safe place?
Thanks and regards,
Tobi

If you are (like me) looking for PaaS hosting platforms, a safe bet is to rely on European PaaS providers.
Some examples of EU PaaS services from my research:
http://www.clever-cloud.com/en/ (France)
http://www.anynines.com/ (Germany)

Related

Webfaction illegal in EU due to judgment in Case c-311/18?

Our data protection officer, in relation to the judgment C-311/18 (https://edpb.europa.eu/news/news/2020/statement-court-justice-european-union-judgment-case-c-31118-data-protection_pl), questioned the possibility of storing personal data on Webfaction's machines. :( Unfortunately, their DATA PROCESSING ADDENDUM, in point 9, Transfers of Personal Data (https://www.webfaction.com/local_media/WebFactionDPA.pdf), mentions the possibility of transferring data to the US under the EU-US Privacy Shield Framework, which was challenged by the aforementioned judgment.
In the opinion of our DPO, it is not possible to use the Webfaction services until this provision is changed. Do any of you also have this problem? Maybe a different legal opinion?
Not a good answer, but I'll give it anyway.
Before being acquired, I believe that Webfaction was based in the UK, and you could request servers in Europe. I don't know whether this is still true or relevant.
You might want to consider Opalstack as an alternative. It's a lot of what Webfaction used to be pre-acquisition, and I believe it has servers in Europe. I've been exploring switching to them, and have been happy so far. However, I believe that their ownership is technically in the United States.
I am not a lawyer, an expert, or anyone who can offer an opinion on this. I'm just offering some additional information and options for you to consider.

User security in the database of my website

Let's say I have a website mysite.com that will store some sensitive personal data (bank related).
On this website I have an Oracle database with a USERS table that will store the logins and passwords of users from mysite.com.
I have a few questions:
How should I store passwords? Encryption of course, but which?
What should be the process for registration? Is sending a confirmation email really necessary?
Any good advice on login processes in general?
For information, I'm using Oracle APEX.
You're storing bank related sensitive personal data. Don't hack your own solution. Use an existing, proven solution. Most likely you will also be running into all kinds of security and privacy laws, regulations and liabilities when dealing with such data. Find someone who knows these regulations and who can help you and advise you.
Don't try to do this yourself. "Anyone can build a security system that they themselves cannot break." - I think that's a Bruce Schneier quote. Heed it.
Edit to react on comment:
Even when dealing with private finance software you're probably dealing with bank account numbers, social security numbers, etcetera. So you are probably still running into various kinds of regulations.
Systems like OpenID and Oracle SSO only cover authentication. Regulations also dictate minimum security measures on how you should store data in your database, how you should treat backups, how you should deal with people (e.g. developers) accessing the database, etcetera, etcetera. If you don't follow these and something goes wrong, you're liable.
I really urge you to seek help from someone knowledgeable in the field. Explain to them what you want to do, what you want to store, etcetera. They can tell you what (if any) regulations apply. Only then can you start looking at how you are going to implement this and what off-the-shelf components you can use.
Under no circumstance should a password be encrypted. The use of encryption implies that there is a decryption function and that would be a violation of CWE-257. Passwords must always be hashed, and SHA-256 is an excellent choice. The password should be salted with a cryptographic nonce. Authentication systems are highly simplistic when taking into consideration the other security systems you rely on.
You must be VERY CAREFUL to make sure that your system is free of SQL Injection. I recommend obtaining a copy of Acunetix ($), NTO Spider ($$$) or wapiti (open source). In any case, parameterized queries are the way to go.
Take a look at the answers to this question.
Passwords should be stored as a salted hash. Use a unique salt for each. For hashing there are better alternatives, but SHA1 is alright for many purposes (it's available via DBMS_CRYPTO). Even better, go for SHA256 (using http://jakub.wartak.pl/blog/?p=124).
User registration confirmation really depends on the site. If you want to get users in quickly then you could allow them in after registration for a limited time until they click the activation link. All the activation really gets you is a real email address to associate with the user. Also consider captcha to prevent automated/scripted sign-up.
Login should enforce temporary lockout after some invalid attempts (and alert admins when successive lockouts are hit). Enforce a password complexity too.
OWASP has very good general advice on secure web app design.
Wikipedia has some information on Oracle APEX security. Another comment suggested a web testing tool such as Acunetix or NTO Spider (I would suggest Burp instead); there is also a tool for testing the security of APEX applications through analysis of the source (ApexSec) - (disclosure: I work for this company).
You could also consider a third-party view on your application, be that penetration testing or code review. A Web Application Firewall can provide some value depending on your context.
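The answers above agree on three points: a unique random salt per user, a hash rather than reversible encryption, and a temporary lockout after repeated invalid logins. The following is an added example (not code from any of the posters, and not Oracle APEX or DBMS_CRYPTO code) that puts those three together in Python. It uses PBKDF2-HMAC-SHA256, an iterated form of the salted SHA-256 the answers recommend, and an in-memory dict as a constructed stand-in for the USERS table; the `now` parameter is an assumption added so the lockout can be exercised without waiting.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 100_000        # PBKDF2 work factor; raise as hardware gets faster
MAX_FAILED = 5              # invalid attempts before a temporary lockout
LOCKOUT_SECONDS = 15 * 60   # length of the lockout

# Constructed stand-in for the USERS table in the question: one dict per user.
USERS = {}


def hash_password(password, salt):
    """Salted, iterated SHA-256 (PBKDF2-HMAC-SHA256) of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(username, password):
    salt = os.urandom(16)   # a fresh random salt for every user
    USERS[username] = {"salt": salt, "hash": hash_password(password, salt),
                       "failed": 0, "lock_until": 0.0}


def login(username, password, now=None):
    """Return 'ok', 'denied' or 'locked'; the caller never learns why."""
    now = time.time() if now is None else now
    row = USERS.get(username)
    if row is None:
        # Hash anyway so response time does not reveal whether the user exists.
        hash_password(password, b"\x00" * 16)
        return "denied"
    if now < row["lock_until"]:
        return "locked"
    candidate = hash_password(password, row["salt"])
    if hmac.compare_digest(candidate, row["hash"]):   # constant-time compare
        row["failed"] = 0
        return "ok"
    row["failed"] += 1
    if row["failed"] >= MAX_FAILED:
        row["failed"] = 0
        row["lock_until"] = now + LOCKOUT_SECONDS
        # An "alert admins on successive lockouts" hook would go here.
        return "locked"
    return "denied"
```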

How to interview dev / hosting shops?

We're looking at starting a new, specialized (customer facing) web app; there are a few paths we can take -- we can code and host in house, we can code in-house and host externally, we can have someone else do the coding and hosting, COTS, etc.
Let's assume I've reasonable ways of estimating quality of COTS and in-house development efforts.
The part I have difficulty with is determining how "good" a dev / hosting shop is. What sorts of questions should I be asking them? What about a Joel Test for dev shops? I assume some of the Joel Test questions apply (since if a dev shop is good to work for, hopefully they will produce good code), but it also needs to involve things like:
1) Server architecture (assuming 99.99% uptime)
2) Customer service / QA
3) Responsiveness to service outages, etc.
4) Contract items
Some questions I can think of:
Do you have a bug database?
How do you handle new change requests / bugs?
Do you guarantee turnaround times?
Are new requests billed differently than bugs?
How do you define bugs?
Do you have testers? How many?
Do you have your own data center? Do you lease rackspace / co-loc? Dedicated NOC staff?
What is the size of your development staff? In-house or outsourced?
How many customers do you have? Can I talk with some of them?
What is your warranty period?
The last question on your list, "How many customers do you have? Can I talk with some of them?" should also translate to the viewing of a portfolio of existing products. Then do research on those particular 'products' (sites, applications, what-not).
That alone (but shouldn't be the only thing) should tell you quite a lot about the quality of their work.

Reliable and performant cheap (ish) hosting for ASP.NET 3.5 and mysql

I'm looking for someone reasonably cheap but better than the majority of budget hosts out there. I'm currently with brinkster.net and I've become increasingly annoyed at their immense unreliability and low available resources.
Fasthosts' business plan is close, but has no MySQL, only has ASP.NET 2.0 and is maybe slightly more expensive than I was hoping for.
I have had several sites hosted on http://discountasp.net and have had very good results. They are on year 4 of being voted best ASP.NET host in the asp.netPRO reader's choice survey.
I have had great luck with Viux.com - their customer service is top-notch and they were quick to implement asp.net 3.5. I moved all my sites (5) to Viux now and couldn't be happier. Very reliable and I can't say enough about their super fast and friendly service! MySQL comes free with all of their plans and MSSQL is $2/month.
I have tried quite a few hosts, and these guys are my favorite. If you decide on another, just make sure it is not M6.net, their customer service was just horrendous!
GoDaddy supports .NET 3.5 and mysql on their basic hosting packages.
We've used GoDaddy at my primary employment (day job :-) for several years and have had a positive experience with them (I also recently switched my home business from Yahoo! Small Business to GoDaddy).
Regarding reliability, I haven't had any problems with downtime. As a result, I have no first hand tech support experience with GoDaddy, but from what I read on the boards their tech support is pretty good (comparable to any other tech support I guess). They offer LINUX and Windows hosting (if that matters to you), MySQL and MSSQL database support, and .NET 3.5/AJAX.
And the price was reasonable, as far as I'm concerned.
I've been with these guys for quite a bit,
http://www.webhost4life.com/
Cheap and cheerful.
Something that might interest you -- ScottGu's latest blog post mentions Amazon's EC2 is going to support ASP.NET.
http://aws.typepad.com/aws/2008/10/coming-soon-ama.html
Depending on what you plan on doing, that could be of interest. It's usually pretty cheap, as well.
Dreamhost supports stackoverflow's podcast
http://www.dreamhost.com/
Edit: It looks like they don't support ASP.NET though, that was unexpected.
Take a look at ReliableSite.Net
It is cheap and good. They even throw in a free MS SQL 2005 database (1 GB; an extra DB costs $1), whereas other places charge $10/month and give you less than 500 MB of space.
So you can upgrade to MSSQL 2005 (not sure if you were just using MySQL because it is cheaper).
If you don't want to bother changing to MSSQL 2005 then you can save it for another project (you can host unlimited domains on Reliable) and use the MySQL database that they also throw in for free.
I find Reliable does not nickel and dime you for every single thing, gives reasonable prices and has great coupons.
Like this coupon for 15% off for life: "aspforum"
Planet Small Business http://www.planetsmb.com/ are pretty cheap, and have excellent customer service.
The only hassle I've had with them is over hosting WCF services. I wasn't able to host it as a native ASP.Net service, you have to do a bit of extra plumbing to manually add a service host, but nothing impossible, and their customer support was there ready and waiting.
Highly recommended.
I use SmarterASP.net to host multiple sites; they have a good control panel and their prices start from $2.95/month. You can also get a 60-day free trial so you can decide if it's suitable for you.
http://www.SmarterASP.NET/index?r=100819197

How to affordably release a Web App

I am a broke college student. I have built a small web app in PHP5 and MySQL, and I already have a domain. What is an affordable way to get it online? A few people have suggested amazon's cloud services, but that seems equivalent to slitting my wrists and watching money slowly trickle out. So suggestions? Hosting companies, CIA drop sites, anything?
Update: A lot of suggestions have been for Dreamhost. Their plan allows for 5TB of bandwidth. Could anyone put this in perspective? For instance, how much bandwidth does a site with the kind of traffic StackOverflow get?
I say pay the 50-80 bucks for a real host. The classic "you get what you pay for" is very true for hosting. This will save you time, time you can spend getting those $80.
I use and recommend DreamHost for both their prices and customer service. I've hosted several sites here and performance has always been good. $5.95 a month for their basic package.
I highly recommend HostRocket. I have been with them for about 6 or 7 years now with multiple domains and have found uptime and database availability flawless. The only reason I'm leaving them is because I'm doing some .NET web apps now and HostRocket is purely LAMP based.
But without making things an ongoing ad. I will put in two "gotchas" that you'll want to be wary of when searching:
"Free" hosting services. Most of these will make you a subdomain on them and, worse, they'll put a header and a footer on your page (sometimes in gaudy frame format) that they advertise heavily on. I don't care how poor you are, this will not help attract traffic to your app.
A lot of the cheaper rates depend on pre-payment. HostRocket will give you $4.99 a month in hosting, but you have to pre-pay for 3 years. If you go month to month, it is $8.99. There are definitely advantages to the pre-payment, but you don't want to get caught with close to twice the monthly payment if you weren't expecting it.
I recently found a site called WebHostingStuff that seems to have a decent list of hosts and folks that put in their reviews. While I wouldn't consider it "the final authority" I have been using it as of late for some ideas when looking for a new host.
I hope this helps and happy hunting!
I have no specific sites to suggest, but a typical hosting company will charge you less than $10 per month for service. A simple Google search will turn up lots of results for "comparison of web hosts": http://www.google.com/search?hl=en&q=comparison+of+web+hosts&btnG=Google+Search
Well, Amazon EC2 is only as bad as the amount of traffic you get. So the ideal situation is to monetize your site (ads, affiliate programs, etc.) so that the more traffic you get, the more you pay Amazon, but the more you make... in theory, of course.
As for a budget of nothing...there's not really much you can do...hosting typically always costs something, but since you are using the LAMP stack, it's pretty cheap.
For example, hosting on GoDaddy.com for 1year can be about $50-60 which is not too bad.
I use dreamhost which costs about $80 per year, but I get MUCH more storage and bandwidth.
I agree with pix0r. With your requirements of php5 and mysql it seems that for starting out Dreamhost would be a good recommendation. You can always move it over pretty easily to ec2 if it takes off.
Dreamhost is great and cheap for a php5 mysql setup that gives you command line access. The problems come if you want to use some other web language/framework like RoR or Python/Django/Pylons. I know there are hacks to get things working, but last time I tried they were spotty at best and not supported by Dreamhost.
It may be helpful to know what kind of app we are talking about. Also what sort of traffic do you expect and to echo Adam's note what sort of business model (if any) do you have?
I've been at HostingMatters for years. They're relatively cheap, and their service is awesome. <12 hours for any support ticket I've ever had.
Additionally, since I've been with them for about ten years, they bumped me to an unmetered plan for no cost (at the same $10/month I was paying.) ....
