Securing data over the web within an O4W solution


There are three main areas of consideration when securing Linear Hash data over the web as part of an O4W based solution.  These are the data that resides on the web server (or data server), the data whilst in transmission, and the data displayed within the browser.

Whilst these notes are written with an O4W solution in mind, it should be recognised that the provision for securing your data actually resides outside of the O4W system itself.

Linear Hash
It is worth mentioning that most hackers are familiar with relational data of the SQL type and, understandably, most people would prefer to work with data that they understand.  With MultiValue database driven solutions (like OpenInsight and O4W’s Linear Hash) the data structure is usually unfamiliar to many hackers and is therefore a lesser target in itself.

However, if you are running a high profile system, such as a bank with client financial details, a clinical system with patient data and the like, then you will still want to consider the security of your data and to do everything that you can to avoid those nightmare news headlines.

Data at rest
One of the first considerations that you will be faced with is where exactly you should house your data.  Locating it on the web server is usually fairly easy: it’s local, there are no networking (path) issues to consider and you can easily back up the whole system.  However, locating the data on the web server itself constitutes a potential security risk.

It is therefore recommended that a separate Data Server be used to house the application’s data.  This server can then be hidden behind one or more firewalls, so if your web server is compromised in any way, the hacker will have more than one large hurdle to overcome.

Furthermore, with Revelation Software, you can utilise a Universal Driver between the web server and the data server and configure the system so that only access to the data is permitted through the Universal Driver.  Now that provides any external or internal hacker with yet another problem to overcome.

For those who need their data secure whilst it is residing on the data server, industry standard encryption tools can be used to encrypt the data to 128-bit encryption levels, for example.  A Google search for 128-bit encryption will provide you with plenty of information and solutions for  Advanced Encryption Standard (AES) and Data Encryption Standard (DES).

In addition, from OpenInsight 9.3, the toolset itself will support Data Encryption At Rest, making it even easier for Revelation developers to secure their data in single use, LAN, WAN and Web based solutions.

Data in transit
One of the weakest points before the data reaches the browser is during transmission.  Your precious data, contained within one or more data packets, is passed through countless networks, computers, hubs, etc. and at any time these packets could be intercepted and interrogated.  If you have decrypted the data within the O4W application ready for it to be read by the user, then anyone could hijack it.

Fortunately, Hyper Text Transfer Protocol Secure (HTTPS) is your friend here.  HTTPS has been around for many years and it is well known as the industry standard for secure transmission of data over the web.  It has been supported since Internet Explorer 2 was around, so that really highlights that we are talking about a technology that is well tried and very well tested.

HTTPS is a secure version of the Hyper Text Transfer Protocol (HTTP) which allows for secure ecommerce transactions, such as online banking.  The technology effectively brings together HTTP and the SSL/TLS protocol to provide encrypted communication and secure identification of a network web server.

It is usually the System Administrator (or whoever has overall responsibility for the Web server) who configures the server to use HTTPS.  This is usually simply a case of acquiring a public key certificate for the web server from a trusted certificate authority.  This certificate must be signed by that authority for the web browser to accept and use the certificate.

It is also possible for the system to be configured for client authorisation.  Configuring a system in this way can limit access to a web server and thereby only permit authorised users.  This is achieved by the System Administrator creating a certificate for each user and this certificate is then loaded into the user’s browser during the session.  The certificate usually contains some identifying information (e.g. name and email address) and this is automatically verified by the server on each reconnect.

Web browsers such as Internet Explorer (IE) and Firefox display a padlock icon to indicate to the user that the website is secure.  In addition, the web address (URL) begins with https://, rather than http://.  When a user connects to a website via HTTPS, the site uses its digital certificate to establish an encrypted session before any data is transmitted to the user’s browser.  O4W supports HTTPS, so transmitting your data using 128-bit encryption levels is super easy.  System Administrators can find a lot more information about the acquisition and use of public key certificates by running a Google search.

Data in the browser
So, we have our data encrypted at rest on our data server and we are using HTTPS to secure the data during transmission.  What about data in the browser?

Securing data in the browser is a tough one, mainly because the user needs to view the data in human readable format on the screen.  Or do they?

And herein lies the answer.

If the user needs to view the sensitive data in the browser, then you will have to revert to good old education.  Don’t leave your screen showing the data when you leave your desk, run your password protected screen saver before leaving your desk and, if you are near a customer facing position, make sure no unauthorised person can see your screen.

However, if the data does not need to be humanly read in the browser, why display it in the first place?  Leave the data on the data server and use some other form of key to interact with that sensitive data on the server, behind your firewall.  Many systems use this approach for user IDs.  The system maintains a cookie in the user’s browser and this contains some form of unique identifier – it could simply be a random number; 1234657684346846 (a session token of some kind).  It is this non-descript information that is then passed backwards and forwards over the web to identify the user.  When this key is received by your web application, you have code that takes the key, reads it and matches it to the user’s record.  Your program code can then use the sensitive login data to run the application on the web server as required.
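The token approach described above, as an added example that is not O4W’s own code: the cookie carries only an opaque token drawn from the operating system’s CSPRNG, the server maps that token to the user record (with an expiry), and the sensitive fields never leave the server.  The store, record layout and cookie flags are assumptions for this illustration.

```python
# Added example (not O4W code): an opaque session token that stands in for
# the user record, as described above. Names and the sample records are
# hypothetical / constructed.
import secrets
import time

SESSION_TTL_SECONDS = 15 * 60

# Constructed sample "user records" standing in for the data server.
USER_RECORDS = {
    "u100": {"name": "A. Example", "card_last4": "4242", "role": "clerk"},
}


class SessionStore:
    """Maps opaque tokens to user IDs; the records never leave this process."""

    def __init__(self, ttl=SESSION_TTL_SECONDS, clock=time.time):
        self._ttl = ttl
        self._clock = clock          # injectable so expiry can be tested
        self._sessions = {}          # token -> (user_id, expiry time)

    def issue(self, user_id):
        # 32 random bytes from the OS CSPRNG, not a counter or a plain
        # random() value, so the token cannot be predicted or enumerated.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (user_id, self._clock() + self._ttl)
        return token

    def lookup(self, token):
        """Return the user record for a live token, otherwise None."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user_id, expiry = entry
        if self._clock() >= expiry:
            del self._sessions[token]   # expired: treat as unknown
            return None
        return USER_RECORDS.get(user_id)

    def revoke(self, token):
        """Log-out: forget the token so it can no longer be matched."""
        self._sessions.pop(token, None)


def cookie_header(token):
    """Set-Cookie value keeping the token off plain HTTP and out of scripts."""
    return f"O4WSESSION={token}; Secure; HttpOnly; SameSite=Lax; Path=/"
```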

To summarise
As an O4W web developer, you’ll want to concern yourself with protecting sensitive data within your specific application.  For example, credit card details; you will need to both protect a credit card field and audit who has access to the field and when it is accessed.  This is usually achieved by the developer including access controls to protect fields and the display of sensitive information.  As a conscientious developer, you may want to encrypt each record individually so that it can only be decrypted with a pin number that only the user knows and you’ll want to run a check to verify that user is legitimate.

This level of security in the application is good because it prevents an administrator from potentially stealing information from the system.  However, this does present new obstacles because the developer now has to code around the inability to freely access all of the fields. How do you report on fields you can’t decrypt? What if the user forgets their pin: can the data be reset and re-encrypted, or will the loss of data be irreversible?

The developer has to choose a balance in the application’s design between ease of access to data and the level of security. More security inevitably creates complexity, so it’s important to consider the risks and benefits of exposing the data.

The System Administrator should be responsible for ensuring that the underlying environment the application runs on is secure. If an attacker can gain administrator access in the operating system then the entire application’s security protections could be rendered useless.  By protecting the environment (server, network, and client) at the operating system level, the system administrator will be protecting the application.

Developers and administrators handle different levels of security that complement each other. The developer should be responsible for the application level access to the data while an administrator should be responsible for system level access.

But O4W helps . . .
Whilst you ‘could’ leave the question of data security up to someone else, effectively passing the problem on, there are ways that O4W can help.

From OpenInsight version 9.3, Revelation Software plan to introduce data encryption at rest.  This will be delivered through a new ‘encryption service’ that system administrators can deploy to encrypt OpenInsight (OI) and O4W data on a field by field level.  The data will naturally be encrypted using industry standard encryption routines (DES, AES, TRIPLEDES, etc.).  This encryption service will use the Windows Communication Foundation (WCF) to communicate, thus ensuring that the data is also encrypted in transit.

In terms of protecting data in O4W ‘specifically’, O4W (in 9.2.1 and above) encrypts the user passwords when stored in OpenInsight, and never transmits any password information between the browser and the server.  When validating user information, O4W encrypts the user-entered password in the browser itself, and then returns only an impenetrable hash which the server then uses in its own calculations to determine if this is a valid logon.

In addition, the O4W programming paradigm is to ‘never’ send sensitive data to the browser if it can be helped.  Instead, temporary, unique records are created with the sensitive information, and stored on the server, and only the unique identifiers for these records are transmitted back and forth to the browser.

Of course, with the 9.3 release, the encryption service can apply encryption to any fields in the OpenInsight database, including those that are used by O4W, so by using https:// and the encryption service ‘any’ record and ‘any’ field can be protected all the way from “at rest” in the server, through the engine server, through the web server, and to the browser.

My thanks to Bryan Shumsky (Revelation Software, Inc.) and Andrew McAuley (Sprezzatura) for their help and advice without which this posting would not have been completed.


O4W – Did you know?


Did You Know, that within O4W, you have the option to turn on dynamic reporting?

Located on the Forms/Reports tab in the O4W Configuration module, the options enable O4W developers to specify a number of O4W Form and Report-specific choices.

Dynamic Reports
If selected, “dynamic” reports can be automatically generated from R/List statements, which are specified within the URL. For example:

http://<yoursite>/oecgi3.exe/O4W_RUN_REPORT?OIREPORT=<reportstatement>

In the above example  <yoursite> is the full path to your O4W directory, and <reportstatement> is the full R/List-type statement that you wish to turn into an O4W Report.

For example, you may specify:

http://<yoursite>/oecgi3.exe/O4W_RUN_REPORT?OIREPORT=LIST MYTABLE WITH SOMEFIELD="1" AND WITH OTHERFIELD="2" SOMEFIELD1 SOMEFIELD2 TOTAL SOMEFIELD3


Dynamic Forms
“Dynamic” forms can be automatically generated by specifying the name of an existing OpenInsight form.  This is achieved by specifying the URL as shown below:

http://<yoursite>/oecgi3.exe/O4W_RUN_FORM?OIFORM=<formname>

In this example, <yoursite> is the full path to your O4W directory, and <formname> is the name of an existing OpenInsight form.

If dynamic forms and reports are allowed, you may specify the permissions level needed to execute the dynamic form and report, and an O4W Form and O4W Report to use as the “template” for the dynamic form and report – the specific content of the O4W Form and O4W Report will be removed, while the menu, colour, html template, etc. will be extracted for use in the dynamic output.
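Because the dynamic report URL above carries a complete R/List statement and the dynamic form URL names a form, a gatekeeper in front of them is a natural complement to the permissions level mentioned above.  This is an added example, not O4W code: it parses the two documented URL shapes and only passes statements that use LIST against an allow-listed table, or forms on an allow-list.  The allow-lists, the LIST-only rule and the use of shell-style quoting to split the statement are assumptions for this illustration.

```python
# Added example (not O4W code): allow-list check for the O4W_RUN_REPORT and
# O4W_RUN_FORM URLs. Table and form names below are constructed samples.
import shlex
from urllib.parse import parse_qs, urlsplit

ALLOWED_REPORT_TABLES = {"MYTABLE", "CUSTOMERS"}   # assumption: your choice
ALLOWED_FORMS = {"CUSTOMER_ENTRY"}                 # assumption: your choice


def check_dynamic_url(url):
    """Return (allowed, reason) for a dynamic report or dynamic form URL."""
    parts = urlsplit(url)
    path = parts.path.upper()
    params = parse_qs(parts.query)       # decodes %xx and '+' for us
    if path.endswith("/O4W_RUN_REPORT"):
        stmt = params.get("OIREPORT", [""])[0]
        return check_report_statement(stmt)
    if path.endswith("/O4W_RUN_FORM"):
        form = params.get("OIFORM", [""])[0].strip().upper()
        if form in ALLOWED_FORMS:
            return True, f"form {form} is allow-listed"
        return False, f"form {form!r} is not allow-listed"
    return False, "not a dynamic form or report URL"


def check_report_statement(stmt):
    """Accept only LIST <allow-listed table> ...; refuse everything else."""
    try:
        # shlex keeps the quoted "1" / "2" values of the WITH clauses intact
        words = shlex.split(stmt)
    except ValueError as exc:
        return False, f"malformed statement (unbalanced quotes): {exc}"
    if len(words) < 2:
        return False, "statement too short to name a table"
    verb, table = words[0].upper(), words[1].upper()
    if verb != "LIST":
        return False, f"verb {verb} is not permitted from a URL"
    if table not in ALLOWED_REPORT_TABLES:
        return False, f"table {table} is not allow-listed"
    return True, f"LIST on {table} is allow-listed"
```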

In order to provide the most responsive performance possible, O4W allows you to use multiple engines to generate the O4W Form.  Each tab of the form can be “rendered” by a separate engine, allowing even very complex forms to display quickly.  You can specify the number of engines O4W should use for form generation; specify “0” for a single engine (which will generate all the tabs before returning the result to the browser), or 1 or more for asynchronous rendering.

REVELATION USERS’ CONFERENCE 2011


The Revelation Users’ Conference will be returning to the Rio All-Suite Hotel and Casino in Las Vegas, Nevada.  The conference dates are Tuesday, October 4th – Friday, October 7th, 2011.  Check out RevelationConference.com for complete conference details.

Knowledge is Power, take your seat for learning.


NEW TO THIS CONFERENCE  –  Individual Exhibitor Stations

This year Revelation are providing developers and VARs with an opportunity to show off their latest and greatest programming.  For information on exhibiting in a traditional format or one of our new stations, contact us at info@revelationconference.com.

Space is limited, so please don’t delay.

O4W – Proof of Concept Application Video.


As some of you will know, I have recently been spending a lot of my spare time working on an O4W proof of concept application.  This was both to help to further my knowledge of the toolset and to help one of my VARs in Ireland to move forward with their plans – no pun intended, but a Win Win for us both.

Anyway, the story begins some months ago.  I had been talking to the management at Ardbrook, one of the leading suppliers of payroll systems in Ireland, for a while about their need to create an Employee Self Service system.  We had looked at several of the OpenInsight web enabling technologies and they had attended a couple of our user group meetings in London where Mike had been showing off the benefits of O4W.

With the decision fairly much made that O4W was a good fit, it was just left for a proof of concept to be created.  Well, me being me, I decided to jump in with both feet firmly tied with half a tonne of bricks and I attempted to create that proof of concept.

I’d already got the backing of Mike, Bryan and the team at Revelation, so I knew that I was not alone in the project.  That said, whilst I did need to lean on Bryan for some code for a program to enable me to call a payslip as an OIPI report and to pass in an employee ID, the vast majority of the work was undertaken by me using the toolset.

Now for those who are not 100% familiar with my developer skills, let’s just say that I’m a code jockey at best and what I created ‘could’ have been created by most power users and System Administrators.  Mix that with the skills of a professional programmer and we have a tool that really can get your data to the web quickly, easily and cost effectively.

Please click here for a short video of what a non-developer can create with Revelation Software’s Web 2.0 web publishing toolset – O4W.

Ardbrook & Merit Software Embrace Social Media


For some time, I have been an advocate of social media for getting more company and product exposure online.  Many of you will know that I use Twitter for just in time snippets of news, this blog for larger articles (news items, technical info, etc.) as they come to my attention, LinkedIn to get the Revelation brand noticed, alerts to see when people are talking about Revelation and OpenInsight, etc.

In recent months, we have seen many of the key online social media resources opening up opportunities to host company and product pages.  Revelation have several such pages, Sprezzatura has been running a tech blog for a while (providing a more technically deep resource than I could ever hope to achieve) and I’m pleased to find my alerts flagging up some of our VARs first steps into using social media.

Just recently, I have had alerts for Ardbrook’s (Ireland) LinkedIn company and products pages and also those for Merit Software (Wales).  Ardbrook are also making good use of their blog for news items.

Both companies have also begun using Twitter, with Merit just announcing the forthcoming launch of their new website and with Ardbrook announcing their new LinkedIn pages as they were published.

Many organisations of all sizes are seeing the business benefits of these resources and it is good to see some of our clients embracing these new opportunities.  Oh, and it does not have to take over your life as there are a wealth of monitoring tools available to bring all of the information together.

Please comment below if your organisation uses any social media resources: LinkedIn, Twitter, Facebook, a Blog, a YouTube channel, etc.

martynphillips.tel


Not totally RevSoft related, but I can now be found at martynphillips.tel.

This central web resource contains my About.Me link, my business and personal contact information (personal screen to all but .tel friends) and links to various blogs, my YouTube Channel, Twitter feed and other social networking sites.

So, until .tel accounts find their way onto your smartphone and other business directories, please bookmark martynphillips.tel and you’ll always know where to find me and how to find what I’m up to, what I’ve published about RevSoft, etc.

Application ‘Not Responding’ on Windows 7


Since moving to Windows 7 ultimate I have had occasional instances where some of my applications get flagged up as “Not Responding”.  I have also been asked about this several times over the last few weeks and a formal support request this morning prompted a discussion internally.  As a reminder to myself and for future reference, I thought that I’d write this blog posting.

If the offending application then tries running a long process (one that will run for more than 5 seconds, I believe), Windows 7 gets excited and reports the application as ‘not responding’.  This notification is normally through a discreet note at the top of the window and sometimes a more noticeable message asking whether to close the application or wait.

Fortunately, my OpenInsight 9.2.1 runs very quickly on my Windows 7 laptop and I don’t run into the issue too much.  However, if you (or your clients) are seeing this with your OpenInsight applications please keep the following in mind:

  1. The issue appears to be down to a process that is running (looping) for more than 5 seconds and Microsoft picks this up and flags it as a possible ‘non responding’ program and informs the user accordingly.  Despite the warnings, the process continues and the application usually gets flagged as responding again once the process has finished.  However, if you get the message popup on your screen and you click cancel, Windows 7 will try to terminate the application and this ‘could’ cause data loss or other nastiness.
  2. To manage your user’s expectations, simply make sure they are aware of this Windows 7 behavior and advise them to leave the application to run for a short while.
  3. Make sure that you are using one of the later versions of OpenInsight and the latest Universal Driver.  If configured correctly, this should ensure that your OpenInsight application is running as optimally as possible.  If in doubt, give me a call and book a health check with one of the developers.
  4. Most importantly, make sure that you code to address this Windows feature.  In OpenInsight, this can be as simple and easy as using a YIELD( ) within your programs that are likely to take any length of time (more than a few seconds).

Yield() checks for pending events in the Windows event queue and executes them.  It then returns control as soon as the event queue is empty.  All pending events will be executed, including OpenInsight and Windows events.  It is therefore good practice to handle process dependent conditions (such as a CLOSE event) after a Yield() call.

Example syntax for Yield() is:

done = FALSE$
* Assumes a Select has already been issued against the table being read
Loop
   ReadNext ID Else done = TRUE$
Until done
   * Allow for an event, such as CLICK, before processing each record
   Yield()
   * Process ID record
Repeat

Legacy Applications
It is usually best to address this issue within your OpenInsight application and thereby maintain control.  However, for legacy systems there is another (which I would consider a last resort) option which makes use of Microsoft’s Application Compatibility Toolkit.  You can get further details about that by clicking here.