
How Secure is Our Patron Information?

We are often asked the questions, “How secure is our patron data?” and “Is my data kept private?” We realize a simple response of “Very secure” will not satisfy most. We also know that a highly technical (read: boring) response will be difficult to relay to your concerned patrons. It is for this reason that we wrote this article. We hope your patrons will find it both informative and fun.


Security ≠ Privacy

Before we proceed, we feel it is important to address a common misconception. Security and Privacy are not interchangeable terms. Security is about mitigating risks to data. Privacy is about using data responsibly. However, a privacy exposure may result from a lack of proper security. With that in mind, this article follows the “Shared Responsibility” model. The first half covers some of the measures we take to ensure your patron data is secure. In the second half, we offer some recommendations for ways you can prevent a breach of privacy.


OUR PART

It is important not to discount expertise and knowledge when it comes to securing data.  To provide world-class security, a company requires some of the smartest minds in the world in the fields of networking, systems administration, security, etc.  And guess what?  They don't work for us - which is why we rely on the experts at AWS (Amazon Web Services).

"AWS is knowledge commoditized."

If you're not at all familiar, AWS is a collection of remote computing services that make up a cloud computing platform.  AWS is not amazon.com; although, that website is hosted in AWS, along with many other popular sites and platforms, such as Netflix, Instagram, Reddit, and Dropbox.

Just like in the field of medicine, there are specialists in the field of IT. These specialists do not work at your local library, or even at small-to-medium businesses like Evanced. They work for Fortune 500 companies and mega-cloud computing platforms like AWS. We benefit from the volume of customers AWS supports. AWS is knowledge commoditized, and that means we don't need to locally staff a team of SysAdmins and a separate team of NetSec experts. We can instead focus our time on our applications and our customers.

AWS officially launched in 2006, making them the oldest and most experienced cloud computing platform. Another thing they're known for is a militant commitment to security.

We'll start with their data centers, whose locations are unpublished. These centers are staffed 24x7 by trained security guards, and access is authorized strictly on a 'least privilege' basis. The guards, as an example, would not have access to the cabinets where the servers are stored.

We follow the same principle of 'least privilege' ourselves when it comes to the access our own employees have within our AWS account. Employees are given access only to the specific sections of the application that are explicitly required for their job. Furthermore, we require multi-factor authentication to ensure logins cannot be shared.


When a hard drive is pulled from production, AWS degausses and then shreds the drive.


When it comes to our applications, we follow the AWS best practice of isolating our database servers from our web servers by firewall (within AWS security groups).  Should, as an example, a hacker discover a zero-day exploit to gain access to a web server, they would not find any customer data within that machine.
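The tier isolation described above is something you can verify rather than take on faith. The following added example (not Evanced's code) checks a set of security-group documents, constructed here to mimic the shape of `aws ec2 describe-security-groups` output, and reports every inbound source on the database group that is not the web tier's own security group. The group ids, ports and CIDRs are made up for illustration.

```python
"""Check that a database security group admits traffic only from the web tier.

Added example, not Evanced's code. The security-group documents below are
constructed to mimic the shape of `aws ec2 describe-security-groups` output;
every group id, port and CIDR is made up for illustration.
"""
from typing import Dict, List

# Constructed sample: the intended layout. Only the web tier is reachable from
# the internet (443), and the DB group admits 3306 solely from the web group.
GOOD_LAYOUT: List[Dict] = [
    {
        "GroupId": "sg-web00001",
        "GroupName": "web-tier",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        ],
    },
    {
        "GroupId": "sg-db000001",
        "GroupName": "db-tier",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
             "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-web00001"}]},
        ],
    },
]

# Constructed sample: a drifted layout. Someone opened 3306 to the world and
# added an SSH rule from an office range directly on the DB group.
BAD_LAYOUT: List[Dict] = [
    GOOD_LAYOUT[0],
    {
        "GroupId": "sg-db000001",
        "GroupName": "db-tier",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
             "UserIdGroupPairs": [{"GroupId": "sg-web00001"}]},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "UserIdGroupPairs": []},
        ],
    },
]


def _describe_ports(rule: Dict) -> str:
    """Render a rule's protocol/port range, e.g. 'tcp/3306-3306'."""
    proto = rule.get("IpProtocol", "-1")
    return f"{proto}/{rule.get('FromPort', 'all')}-{rule.get('ToPort', 'all')}"


def db_exposures(groups: List[Dict], db_group_id: str, web_group_id: str) -> List[str]:
    """Return one finding per inbound source on the DB group that is not the
    web tier's security group. An empty list means the tiers are isolated as
    intended."""
    findings: List[str] = []
    for group in groups:
        if group["GroupId"] != db_group_id:
            continue
        for rule in group.get("IpPermissions", []):
            ports = _describe_ports(rule)
            # Any CIDR source on the DB group bypasses the web tier entirely.
            for cidr in rule.get("IpRanges", []):
                findings.append(f"{ports} open to CIDR {cidr['CidrIp']}")
            for cidr in rule.get("Ipv6Ranges", []):
                findings.append(f"{ports} open to CIDR {cidr['CidrIpv6']}")
            # Security-group sources are acceptable only when they are the web tier.
            for pair in rule.get("UserIdGroupPairs", []):
                if pair["GroupId"] != web_group_id:
                    findings.append(f"{ports} open to security group {pair['GroupId']}")
    return findings


if __name__ == "__main__":
    for name, layout in (("good", GOOD_LAYOUT), ("bad", BAD_LAYOUT)):
        print(name, db_exposures(layout, "sg-db000001", "sg-web00001") or "isolated")
```

Run against real output by loading the `SecurityGroups` array from `aws ec2 describe-security-groups --output json` in place of the constructed lists; a non-empty result is the list of rules that let traffic reach the database without passing through the web tier.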

Countermeasures are in place to ban offending IP addresses that attempt SQL injections on our applications.  Bots are indiscriminate when it comes to the sites they attack.  System Admins who feel their apps are safe because they're not big or important enough to be a target are fooling themselves.  Up to 80% of website traffic comes from bots.  Every website is a target.
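A ban countermeasure like the one mentioned above sits on top of a detection step. The following added example (not Evanced's code) shows that step in miniature: it parses access-log lines, tests the percent-decoded query string of each request against a few injection signatures, and counts hits per client address so that repeat offenders can be handed to whatever does the blocking. The log lines are constructed (documentation IP ranges, made-up paths), and the three signatures are deliberately narrow; a production deployment would rely on a maintained WAF rule set rather than a hand-written list.

```python
"""Flag client addresses that repeatedly send SQL-injection-shaped requests.

Added example, not Evanced's code. Log lines are constructed (documentation
IP ranges, made-up paths); the signatures are illustrative, not exhaustive.
"""
import re
from collections import Counter
from typing import Dict
from urllib.parse import unquote_plus

# Constructed sample in combined-log style: one well-behaved client and one
# that probes the same parameters with classic injection payloads.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET /spaces?room=12 HTTP/1.1" 200 5120
203.0.113.9 - - [10/Oct/2023:13:55:37 +0000] "GET /spaces?room=12%27%20OR%201%3D1-- HTTP/1.1" 200 5120
203.0.113.9 - - [10/Oct/2023:13:55:38 +0000] "GET /events?id=1%20UNION%20SELECT%20null HTTP/1.1" 500 512
203.0.113.9 - - [10/Oct/2023:13:55:39 +0000] "GET /events?id=1%3B%20DROP%20TABLE%20x HTTP/1.1" 500 512
198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "GET /events?id=42 HTTP/1.1" 200 2048
"""

# client ip, identity, user, [timestamp], "METHOD path protocol", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Applied to the percent-decoded query string, not the raw URL.
SQLI_PATTERNS = [
    re.compile(r"'\s*(or|and)\s+[\w']+\s*=", re.I),              # quote-break tautology
    re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I),          # appended result set
    re.compile(r";\s*(drop|alter|insert|delete|update)\b", re.I),  # stacked statement
]


def looks_like_sqli(path: str) -> bool:
    """True when the decoded query string of a request path matches a signature."""
    query = path.partition("?")[2]
    decoded = unquote_plus(query)
    return any(p.search(decoded) for p in SQLI_PATTERNS)


def offending_ips(log_text: str, threshold: int = 3) -> Dict[str, int]:
    """Count injection-shaped requests per client address and return the
    addresses at or above `threshold`, i.e. the set a ban step would act on."""
    hits: Counter = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and looks_like_sqli(m.group("path")):
            hits[m.group("ip")] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}


if __name__ == "__main__":
    print(offending_ips(SAMPLE_LOG))
```

The threshold matters: a single odd-looking request is often a legitimate user typing an apostrophe into a search box, whereas several distinct payloads from one address in a few seconds is the bot behaviour the article describes. Matching on the decoded query string is what keeps `%27%20OR` from slipping past a pattern written for `' OR`.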

"Good security means layers of security"


Good security means layers of security.  Listing every layer of security, however, is a fast way to make your article boring - so, quickly, here are just a few more, and then we'll move on.

  • API Endpoints are protected by SSL.
  • We offer secure HTTPS access for all of our hosted applications.
  • Unauthorized port scans are detected and blocked.
  • Hypervisor separation prevents one AWS customer from using packet sniffing on another AWS customer's instance, even if both instances are running on the same physical hardware. 


AWS makes security paramount.  We don't expect you to take our word for it, alone, though.  Instead, examine the absurd number of third-party security audits and reviews AWS has undergone.  Our own applications have undergone their own third-party audits.   


YOUR PART

We recommend the following:

Use SSL

SSL encrypts the traffic between a patron's browser and our servers.  Our newest applications (SignUp, Spaces, and D!BS sites) provide SSL by default.  SSL can be requested at no additional cost for classic applications (Events, Room Reserve) as well.

Our inclusion of SSL by default makes it very easy to simply link to the HTTPS URL on your website.  As an example, if the link to your application on your website looks like this:  http://libraryname.evanced.info/spaces

Simply update the link to this:  https://libraryname.evanced.info/spaces
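For a site with more than a handful of links, the update above is easier to do with a script than by hand. The following added example (not Evanced's code) rewrites every `http://` link to an `*.evanced.info` host into its `https://` form, leaves links to other hosts alone, and counts how many plain-http links remain so a site crawl can report leftovers. The hostname `libraryname.evanced.info` is the page's own placeholder; the HTML snippet is constructed.

```python
"""Rewrite plain-http links to Evanced-hosted applications into https links.

Added example, not Evanced's code. `libraryname.evanced.info` is the page's
placeholder hostname; the HTML snippet is constructed for illustration.
"""
import re
from typing import Tuple

# Matches href="http://<host>.evanced.info[/path]" with either quote style;
# the backreference keeps the opening and closing quote characters paired.
HREF_RE = re.compile(r'''href=(["'])http://([^"'/]+\.evanced\.info)(/[^"']*)?\1''', re.I)

SAMPLE_HTML = (
    '<a href="http://libraryname.evanced.info/spaces">Reserve a room</a>\n'
    "<a href='http://libraryname.evanced.info'>Library calendar</a>\n"
    '<a href="http://example.org/about">About the library</a>\n'
)


def upgrade_links(html: str) -> Tuple[str, int]:
    """Return the HTML with every http:// evanced.info href switched to https://,
    together with the number of links changed."""
    def to_https(m: "re.Match[str]") -> str:
        quote, host, path = m.group(1), m.group(2), m.group(3) or ""
        return f"href={quote}https://{host}{path}{quote}"
    return HREF_RE.subn(to_https, html)


def remaining_http_links(html: str) -> int:
    """Count http:// hrefs still present (any host), for a post-update report."""
    return len(re.findall(r'''href=["']http://''', html, re.I))


if __name__ == "__main__":
    updated, changed = upgrade_links(SAMPLE_HTML)
    print(f"changed {changed} link(s); {remaining_http_links(updated)} http link(s) remain")
    print(updated)
```

Only hosts under `evanced.info` are rewritten, because an `https://` link to a third-party site that does not serve HTTPS would break; those leftovers are reported by `remaining_http_links` so they can be reviewed individually.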


Do not share staff logins

This is covered in a separate blog post, which also covers ‘Enable auditing’ and ‘Use strong passwords and change them regularly’.


Limit fields

Limit the fields required to register for a program or event.  Only collect data that is absolutely necessary.  The less data you collect, the less impact a privacy breach will cause.


Review our Privacy Policy

General Privacy Policy
