Encryption really isn’t the sexiest topic, certainly not as interesting or thrilling as something like Ashley Madison, a site that promises you discrete encounters no matter your marital status.
Their entire premise is “Life is short. Have an affair!”. This presents a general use case that we as web developers must look at more closely. Encryption for the web isn’t just for passwords any more. It really should be about EVERYTHING else, because the “devil is in the details”.
What data was leaked?
Well according to Wired Magazine we know that the hackers released 36 million records of the following pieces of data:
- Last 4 digits of credit card numbers
- Billing information
- Transaction History
In the world of Healthcare IT all of this information would be considered protected information and subject to protection in flight and at rest. But in the general web development community encrypting and securing the row by row data is mundane. I just want to build cool apps really fast MOFO!
How do we secure the data?
Glad you asked sammy, there are a few of options.
- Secure the data row by row using encryption at the database layer.
This solution is great because you offload the task to encrypting and decrypting the data to the database. You would probably need to access the data using a stored procedure or something similar as there are two functions: one for decrypting and the other encrypting.
In MySQL 5.7 they offer support for AES encryption and decryption. (Cite 2)
Postgres supports PGP, DES and AES right out of the box. See more at their docs page. Mysql Encryption Doc Page Postgres Encryption Doc Page
- Encrypt the data at the application level. An Gem Hot Like sauce comes to mind.
Rails options for encrypting data
In Rails there are a couple of options to encrypt the data. The main way to encrypt the data using a row level, model method using a gem such as Hot Like Sauce or attr_encrytped. There’s a really good article by Mike Countermarsh about this topic.
There aren’t very many options to encrypt data for Node or MongoDB. MongoDB currently doesn’t support encryption of the data expect through application or file system level encryption.
With Node you can encrypt the data before you save it into the database like you would in a Rails application. Two tools come to mind: Node-cryptojs-aes and bcrypt-nodejs.
File system encryption
Now that you’ve covered the data at rest, the other thing you might consider is how you encrypt the data when its stored completely cold, on the file system. There are a number of options, such as Filevault which comes with the mac or bitlocker which comes with Windows. Even with Ubuntu you can create an encrypted home directory.
Handling data in flight
Typically you will want to deliver the data over HTTPS. You could go even further and custom encrypt the data before you fire it away to the customer, and decrypt on the client. This would ensure that only authorized users could view it with their keys and prevent a man in the middle attack.