Home » Categories » Multiple Categories

How Secure is Our Patron Information?

We are often asked the question, “How secure is our patron data?”, and "Is my data kept private?”  We realize a simple response of “Very secure” will not satisfy most.  We also know that a highly technical (read: boring) response will be difficult to relay to your concerned patrons.  It is for this reason, we wrote this article.  We hope your patrons will find it both informative, and fun.


Security ≠ Privacy

Before we proceed, we feel it is important to address a common misnomer.  Security and Privacy are not interchangeable terms.  Security is about mitigating risks to data.  Privacy is about using data responsibly.  However, privacy exposure may result as a lack of proper security.  In that respect, this article will cover the “Shared Responsibility” model.  The first half will cover some of the measures we take to ensure your patron data is secure.  In the last half, we offer some recommendations for ways you can prevent a breach of privacy.



It is important not to discount expertise and knowledge when it comes to securing data.  To provide world-class security, a company requires some of the smartest minds in the world in the fields of networking, systems administration, security, etc.  And guess what?  They don't work for us - which is why rely on the experts at AWS (Amazon Web Services).


"AWS is knowledge commoditized."


If you're not at all familiar, AWS is a collection of remote computing services that make up a cloud computing platform.  AWS is not amazon.com; although, that website is hosted in AWS, along with many other popular sites and platforms, such as Netflix, Instagram, Reddit, and Dropbox.


Just like with the field of medicine, there are specialists in the field of IT.  These specialist do not work at your local library, or even small-to-medium businesses like Evanced.  They work for Fortune 500 companies, and mega-cloud computing platforms like AWS.  We benefit from the volume of customers AWS supports.  AWS is knowledge commoditized, and that means we don't need to locally staff a team of SysAdmins, and a separate team of NetSec experts.  We can instead focus our time on our applications, and our customers.


AWS officially launched in 2006, making them the oldest, and most experienced cloud computing platform.  Another thing they're known for is militant commitment to security.


We'll start with their data centers - the geography of which are unpublished.  These centers are staffed 24x7 by trained security guards, and access is authorized strictly on a 'least privileged' basis.  The guards, as an example, would not have access to the cabinets where the servers are stored.


We follow the same principle of 'least privilege' ourselves when it comes to the access our own employees have within our AWS account.  Employees are given access only to the specific sections of the application that are explicitly required for their job.  Furthermore, we require multi-factor authentication as a measure to assure logins cannot be shared.





When a hard drive is pulled from production, AWS degausses and then shreds the drive.





When it comes to our applications, we follow the AWS best practice of isolating our database servers from our web servers by firewall (within AWS security groups).  Should, as an example, a hacker discover a zero-day exploit to gain access to a web server, they would not find any customer data within that machine.


Countermeasures are in place to ban offending IP addresses that attempt SQL injections on our applications.  Bots are indiscriminate when it comes to the sites they attack.  System Admins who feel their apps are safe because they're not big or important enough to be a target are fooling themselves.  Up to 80% of website traffic comes from bots.  Every website is a target.


"Good security means layers of security"


Good security means layers of security.  Listing every layer of security, however, is a fast way to make your article boring - so, quickly, here are just a few more, and then we'll move on.


  • API Endpoints are protected by SSL.
  • We offer secure HTTPS access for all of our hosted applications.
  • Unauthorized port scans are detected and blocked.
  • Hypervisor separation prevents one AWS customer from using packet sniffing on another AWS customer's instance, even if both instances are running on the same physical hardware.


AWS makes security paramount.  We don't expect you to take our word for it, alone, though.  Instead, examine the absurd number of third-party security audits and reviews AWS has undergone.  Our own applications have undergone their own third-party audits.  Most recently, we received Privo certification for our new Wandoo Reader application.




We recommend the following:


SSL encrypts the traffic between a patron's browser and our servers.  Our newest applications (SignUp, Spaces, D!BS, Wandoo Reader, and most Summer Reader sites) provide SSL by default.  SSL can be requested at no additional cost for classic applications (Events, Room Reserve) as well.

Our inclusion of SSL by default makes it very easy to simply link to the HTTPS URL on your website.  As an example, if the link to your application on your website looks like this:  http://libraryname.evanced.info/spaces

Simply update the link to this:  https://libraryname.evanced.info/spaces


Do not share staff logins

This is covered in a nice blog post.  Also covered, ‘Enable auditing’, and ‘Use strong passwords and change them regularly’.


Limit fields

Limit the fields required to register for a program or event.  Only collect data that is absolutely necessary.  The less data you collect, the less impact a privacy breach will cause.


Review our Privacy Policy

General Privacy Policy

Wandoo Reader Privacy Polciy


Custom Fields
  • Applicable To: All Users
  • Attachments: No
  • Summary: How secure is patron data
0 (0)
Article Rating (No Votes)
Rate this article
  • Icon PDFExport to PDF
  • Icon MS-WordExport to MS Word
Attachments Attachments
There are no attachments for this article.
Comments Comments
There are no comments for this article. Be the first to post a comment.
Related Articles
Facebook is not displaying the image of the event I liked
Viewed 3607 times since Mon, Feb 20, 2012
Server Requirements
Viewed 4699 times since Wed, Sep 28, 2011
Report of Organizations using our Room Reserve System
Viewed 1196 times since Mon, Feb 20, 2012
How can patrons see what programs they have registered for?
Viewed 5146 times since Thu, Oct 27, 2011
FAQ: Why does Wandoo Reader Require a Parental Consent Email for Children who Register On-line?
Viewed 12229 times since Mon, Jan 26, 2015
FAQ: Wandoo Reader and Themed Banners
Viewed 529 times since Mon, Mar 9, 2015
Summer Reader Language/Text Troubleshooting
Viewed 2055 times since Wed, Jan 23, 2013
Room Reserve - Patron Records
Viewed 2078 times since Wed, Sep 28, 2011
Is There A Way To Track No Shows in Room Reserve?
Viewed 1347 times since Tue, Dec 13, 2011