DB and Code Security Question

[PHPDude]

Hello Everyone,

My company currently offers a solution based on the LAMP stack to clients who will install the entire stack including our software on their server. Because of the costs associated with purchasing and deploying our software, we are looking to ease customer burden by offering our software to clients as a hosted service. But in transitioning our software we ran into a problem and I'm hoping someone can give me some clues on how to solve it.

Since the hosted application will be on a shared server, security is an absolute must (this application also falls under HIPAA regulations). What we need to do is encrypt the information in the database (MySQL) but still have it accessible to properly authenticated users. That way, if our server is hacked, the data is safe as it's encrypted.

How can I go about implementing this in the real world? Is it even possible?

Thanks,
Anthony Papillion

[448191]

I'm not really the expert on this but...

Zend offers "Zend encoder" (Zend Guard). You'll have to use a host that supports it. Also place your library files outside of your publishing directory. That should protect your code. There are companies that provide better protection, but you'll probably pay for the difference. There aren't that many hosts employing their software.

http://palisade.plynt.com/issues/2005Jun/database-encryption/

General recommendations for protecting db data: only use a decryptable algorithm on something that needs to be fetched intact. Some identifying properties (like passwords) only need to be COMPARED, not decrypted. Use an uncompromized hash algoritm like SHA256, currently bundled with php.

Next, choose an decryptable algorithm to encrypt all data at application level. That way the data is send encrypted over the network. The mcrypt extention provides you with with quite some algorithms to choose from. Again, your host has to support it.

Hope that helps a little.