In our everyday lives we all want to keep our possessions secure. We have deadbolts and padlocks at home, and RFID locks at work. But no matter how secure the lock, it is only as strong as the key we use to unlock it and the way we store that key (hopefully not taped to the front door).
GOOD SECURITY DOESN’T JUST MEAN COMPLEX PASSWORDS
This is also true for websites. From the moment you create a website on a content management system platform, like WordPress or Drupal, you start building an infrastructure of accounts, services and keys, all of which require passwords. Connecting to a database requires a password, and setting up an administrator account requires a password as well. Drupal, for example, even generates a unique salt to be used in password handling.
Any security expert will tell you that good security starts with secure passwords, but a password secures only the perimeter. A lock on the front door doesn’t mean that you shouldn’t have a safe to secure the valuables inside the house.
HIDE YOUR KEYS, SECURE YOUR VALUABLES
Content management systems like Drupal and WordPress have some really great security features, but they shouldn’t be the only tool in your arsenal that protects the valuable data you collect, process and store. There are several things which, if left in your database, could cause you or your business great harm if discovered by the wrong hands:
API keys — the things used to authenticate your website to other sites and services, like MailChimp, AWS, PayPal, and even Bitcoin — are a special class of password which many people don’t realize they need to protect until it’s too late.
API keys aren’t the only precious things sitting in your database worth protecting. A separate strategy in security is encryption, but encryption comes with keys as well, and those are also stored in your website’s database. API keys, encryption keys and account credentials are simply sitting ducks inside your database, waiting for the right person with the wrong intentions to find and take advantage of them, unless you find the right tools to keep them secure.
For example, perhaps you stumbled upon this tutorial on how easy it is to find secret API keys in GitHub, or maybe you read about how developers, probably accidentally, left API credentials in the Verizon Hum website source code. Perhaps you’ve just had all of your bitcoin stolen, like Mt. Gox.
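As an added illustration (not part of the original post and not Lockr's software), here is a small audit script that scans rows of a CMS database or configuration dump for values that should not be sitting there in plaintext. The table names, field names and values are constructed for this example; the AWS strings are the well-known placeholder credentials from the AWS documentation, and the MailChimp string follows that vendor's published key format. Anything it flags is a candidate for moving out of the database and into a dedicated key store.

```python
"""Audit a CMS database dump for secrets that should live outside the database.

Added example, not Lockr's code. Every row below is constructed; the AWS and
MailChimp values are the vendors' published placeholder formats, not real keys.
"""
import json
import math
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# Key formats the vendors document publicly. Everything else is caught by the
# combination of a sensitive-looking field name and a high-entropy value.
KNOWN_FORMATS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "mailchimp_api_key": re.compile(r"\b[0-9a-f]{32}-us[0-9]{1,2}\b"),
}
SENSITIVE_NAME = re.compile(r"(secret|api_?key|private_?key|token|password|salt)", re.I)

# Constructed rows shaped like (table, field name, stored value). The "config"
# row carries a JSON blob to show that nested settings are inspected too.
SAMPLE_ROWS: List[Tuple[str, str, str]] = [
    ("wp_options", "mailchimp_api_key", "0123456789abcdef0123456789abcdef-us1"),
    ("wp_options", "blogname", "Example Bakery"),
    ("wp_options", "api_key_help_text", "Paste your API key here"),
    ("config", "s3fs.settings",
     '{"access_key": "AKIAIOSFODNN7EXAMPLE", '
     '"secret_key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY", "region": "us-east-1"}'),
    ("key_value", "system.private_key", "c0nstructedPr1vateKeyVal_NOT_real_9f8e7d6c5b4a"),
    ("users_field_data", "mail", "admin@example.com"),
]


@dataclass(frozen=True)
class Finding:
    table: str
    name: str   # dotted path for values found inside a JSON blob
    kind: str


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; random keys score high, English text low."""
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_secret(value: str) -> bool:
    """Heuristic for an opaque credential: long, no whitespace, high entropy.
    Help text such as "Paste your API key here" fails the whitespace check."""
    return (len(value) >= 16
            and not any(ch.isspace() for ch in value)
            and shannon_entropy(value) > 3.5)


def flatten(name: str, value: str) -> Iterator[Tuple[str, str]]:
    """Yield (path, leaf) pairs, descending into JSON objects so each nested
    key gets its own dotted path. Non-JSON values are yielded unchanged."""
    try:
        parsed = json.loads(value)
    except (ValueError, TypeError):
        parsed = None
    if isinstance(parsed, dict):
        for key, child in parsed.items():
            leaf = child if isinstance(child, str) else json.dumps(child)
            yield from flatten(f"{name}.{key}", leaf)
    else:
        yield name, value


def audit_rows(rows) -> List[Finding]:
    """Return one Finding per stored value that looks like a credential."""
    findings: List[Finding] = []
    for table, name, value in rows:
        for path, leaf in flatten(name, value):
            for kind, pattern in KNOWN_FORMATS.items():
                if pattern.search(leaf):
                    findings.append(Finding(table, path, kind))
                    break
            else:
                if SENSITIVE_NAME.search(path) and looks_like_secret(leaf):
                    findings.append(Finding(table, path, "high-entropy value under sensitive name"))
    return findings


if __name__ == "__main__":
    for f in audit_rows(SAMPLE_ROWS):
        print(f"{f.table}.{f.name}: {f.kind} -> move to an external key store")
```

Run as-is and it reports the MailChimp key, both halves of the AWS credential inside the JSON blob, and the private key, while leaving the site title, the help text and the admin e-mail alone. Password hashes are deliberately not matched by the name pattern, since a hashed password is one of the few secrets that belongs in the database.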
GET A SAFE DEPOSIT BOX FOR YOUR WEBSITE’S VALUABLES
So what do you do about your vulnerable database? Well, take extra measures to secure what matters, and for that we stand by the philosophy of “Defense in Depth.” Think three deadbolts, a pit bull and a portcullis on your front door. To learn more about our Defense in Depth philosophy, watch our session at DrupalCon Barcelona:
Often the best method of protecting data is to add levels of security and, in the best cases, to remove yourself from its handling and storage entirely. In the case of your valuables, you might get a safe deposit box rather than keep a safe in your own home. You can put your keys in a safe deposit box with Lockr, but you won’t have to go to the bank to get them. Set up Lockr and your site will securely and easily retrieve your keys when and where you need them.