We are often asked the question, “How secure is our patron data?”, and "Is my data kept private?” We realize a simple response of “Very secure” will not satisfy most. We also know that a highly technical (read: boring) response will be difficult to relay to your concerned patrons. It is for this reason, we wrote this article. We hope your patrons will find it both informative, and fun.
Security ≠ Privacy
Before we proceed, we feel it is important to address a common misnomer. Security and Privacy are not interchangeable terms. Security is about mitigating risks to data. Privacy is about using data responsibly. However, privacy exposure may result as a lack of proper security. In that respect, this article will cover the “Shared Responsibility” model. The first half will cover some of the measures we take to ensure your patron data is secure. In the last half, we offer some recommendations for ways you can prevent a breach of privacy.
It is important not to discount expertise and knowledge when it comes to securing data. To provide world-class security, a company requires some of the smartest minds in the world in the fields of networking, systems administration, security, etc. And guess what? They don't work for us - which is why we rely on the experts at AWS (Amazon Web Services).
"AWS is knowledge commoditized."
If you're not at all familiar, AWS is a collection of remote computing services that make up a cloud computing platform. AWS is not amazon.com; although, that website is hosted in AWS, along with many other popular sites and platforms, such as Netflix, Instagram, Reddit, and Dropbox.
Just like with the field of medicine, there are specialists in the field of IT. These specialist do not work at your local library, or even small-to-medium businesses like Evanced. They work for Fortune 500 companies, and mega-cloud computing platforms like AWS. We benefit from the volume of customers AWS supports. AWS is knowledge commoditized, and that means we don't need to locally staff a team of SysAdmins, and a separate team of NetSec experts. We can instead focus our time on our applications, and our customers.
AWS officially launched in 2006, making them the oldest, and most experienced cloud computing platform. Another thing they're known for is militant commitment to security.
We'll start with their data centers - the geography of which are unpublished. These centers are staffed 24x7 by trained security guards, and access is authorized strictly on a 'least privileged' basis. The guards, as an example, would not have access to the cabinets where the servers are stored.
We follow the same principle of 'least privilege' ourselves when it comes to the access our own employees have within our AWS account. Employees are given access only to the specific sections of the application that are explicitly required for their job. Furthermore, we require multi-factor authentication as a measure to assure logins cannot be shared.
When it comes to our applications, we follow the AWS best practice of isolating our database servers from our web servers by firewall (within AWS security groups). Should, as an example, a hacker discover a zero-day exploit to gain access to a web server, they would not find any customer data within that machine.
Countermeasures are in place to ban offending IP addresses that attempt SQL injections on our applications. Bots are indiscriminate when it comes to the sites they attack. System Admins who feel their apps are safe because they're not big or important enough to be a target are fooling themselves. Up to 80% of website traffic comes from bots. Every website is a target.
"Good security means layers of security"
Good security means layers of security. Listing every layer of security, however, is a fast way to make your article boring - so, quickly, here are just a few more, and then we'll move on.
- API Endpoints are protected by SSL.
- We offer secure HTTPS access for all of our hosted applications.
- Unauthorized port scans are detected and blocked.
- Hypervisor separation prevents one AWS customer from using packet sniffing on another AWS customer's instance, even if both instances are running on the same physical hardware.
AWS makes security paramount. We don't expect you to take our word for it, alone, though. Instead, examine the absurd number of third-party security audits and reviews AWS has undergone. Our own applications have undergone their own third-party audits. Most recently, we received Privo certification for our new Wandoo Reader application.
We recommend the following:
SSL encrypts the traffic between a patron's browser and our servers. Our newest applications (SignUp, Spaces, D!BS, Wandoo Reader, and most Summer Reader sites) provide SSL by default. SSL can be requested at no additional cost for classic applications (Events, Room Reserve) as well.
Our inclusion of SSL by default makes it very easy to simply link to the HTTPS URL on your website. As an example, if the link to your application on your website looks like this: http://libraryname.evanced.info/spaces
Simply update the link to this: https://libraryname.evanced.info/spaces
Do not share staff logins
This is covered in a nice blog post. Also covered, ‘Enable auditing’, and ‘Use strong passwords and change them regularly’.
Limit the fields required to register for a program or event. Only collect data that is absolutely necessary. The less data you collect, the less impact a privacy breach will cause.