[Air-l] re IRBs vs. secure technologies
elijah wright
elw at stderr.org
Tue Mar 23 05:43:37 PST 2004
> result, we turn away fewer respondents. It is odd though that people
> are concerned about sending a survey via the Internet, when it would
> take very specialized equipment to intercept the data and make sense out
> of it,
not very much specialized equipment required at all - off the shelf
hardware and software will do perfectly well.
> respondents information, the potential for a problem is much larger. I
> can't pretend to talk about this area, as it truly requires somone who
> really knows about network security, and that is not I. But certainly,
> any researcher conducting Web-based research must have something in
> place to protect their "back end" databases from attack or theft.
the ideal scenario for a database server to hold 'sensitive' survey (or
other) results:
* the database is the only service running on the machine
* no other ports are open or services are running, period ["perhaps" SSH
is a reasonable thing to allow, for maintenance purposes, but that
carries its own risks as well..]
* the database server is on an isolated network segment [and hopefully the
web server as well]
* the database has an adequate set of firewall rules and a
security-hardened kernel installed [this, obviously, implies that the
database server not be a windows machine...]
* clients connecting to the database server are forced to use SSL-enabled
versions of the DB client protocols
* client connections to the database are restricted to only those machines
which the survey implementors are running their survey on - probably
just their web server.
this is probably unreasonably paranoid, but it would almost certainly pass
any 'rules' that HIPPA or other compliance would impose upon you.
[there aren't a whole lot of ways left to make such a machine more secure-
unfortunately, the requirement regimes that legislators like to impose
tend to PREVENT you from actually implementing something 'correctly'...]
--elijah
More information about the Air-L
mailing list