Secure portal, extranet
Fernando Duran
liberosec-FFYn/CNdgSA at public.gmane.org
Tue Mar 15 17:11:25 UTC 2011
----- Original Message ----
> From: William O'Higgins Witteman <william.ohiggins-H217xnMUJC0sA/PxXw9srA at public.gmane.org>
> To: tlug-lxSQFCZeNF4 at public.gmane.org
> Sent: Mon, March 14, 2011 10:01:48 PM
> Subject: Re: [TLUG]: Secure portal, extranet
>
> On Mon, Mar 14, 2011 at 04:54:00PM -0400, David van Geest wrote:
> >> Does anyone have any thoughts about what software to choose to set up an
> >> extranet or secure portal for off-site people to exchange files and
> >> information securely? I am not finding anything obvious, and guidance
> >> would be most appreciated. Thanks!
> >
> >Are you developing an application to do this, or do you just want
> >off-the-shelf? For OTS, we've been using Basecamp at work, it works
> >relatively well. The only thing I know about security in this case is
> >that basecamphq.com provides an SSL site.
>
> It needs to be off-the-shelf, but I need to host it - I can't expose
> patient data on an off-site service, no matter how secure it might be.
> Good thought though, thanks.
> --
The solutions depend on a couple of requirements; mostly how complicated the
permissions scheme is and how flexible or open to new tools the users are.
I see three levels of solutions that people tend to use in these cases:
- For a simple permission scheme (everything shared in one user group), going
with Linux users and ssh (sftp/scp) or ftp over ssl. A new software client for
the user like WinSCP or Cyberduck is not hard to grasp since they look like
Windows Explorer; still, some end users don't like to use anything new and
prefer to use just the browser.
- An intermediate case of using something a little more "friendly" for
non-technical people like WebDAV, or with other features like versioning or
dealing with locking by using SVC software like svn.
- A "web portal" solution. A lot of people choose http://www.alfresco.com/ (I
haven't used or looked deep into it). For critical data I wouldn't trust popular
PHP-based web apps; they tend to have security issues frequently:
http://wordpress.org/news/category/security/ , http://drupal.org/security .
Plus PHP is often a pain to upgrade when a vulnerability in it is discovered,
breaking older code.
I suggest looking at encryption too (you can store encrypted data off-site and
use a cloud service). A Waterloo-based start-up has a solution for easy sharing
of encrypted files: http://ithinksecurity.com/ (web site still in progress but
they demo'ed their working product to me and I was very impressed).
Fernando Duran
http://fduran.com
--
The Toronto Linux Users Group. Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
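
The first option in the message above (Linux accounts in one shared group, file transfer over SFTP), as an added example that is not part of the original message: an OpenSSH `sshd_config` fragment that restricts that group to chrooted, SFTP-only access. The group name `extranet` and the path `/srv/extranet` are assumptions.

```conf
# /etc/ssh/sshd_config (fragment). Assumed names, not from the thread:
# group "extranet", chroot directory /srv/extranet.

# Use the in-process SFTP server so the chroot needs no binaries or libraries.
# This replaces any existing "Subsystem sftp ..." line; sshd rejects a duplicate.
Subsystem sftp internal-sftp

# Applies to every account that is a member of the shared group.
Match Group extranet
    # Confine the session to the share. sshd refuses the login unless this
    # directory and all of its parents are root-owned and not writable by
    # group or others.
    ChrootDirectory /srv/extranet
    # SFTP only: no shell and no remote commands. -u 0007 makes uploaded
    # files group-readable/writable and closed to everyone else.
    ForceCommand internal-sftp -u 0007
    # The file-transfer account must not double as a tunnel into the network.
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no
    # Key-based logins only for the off-site users.
    PasswordAuthentication no

# Directory layout this assumes (the chroot root itself stays root-owned,
# the writable area is one level below it):
#   /srv/extranet          root:root      mode 0755
#   /srv/extranet/shared   root:extranet  mode 2770  (setgid keeps the group
#                                                     on newly created files)
```

WinSCP and Cyberduck, the clients named in the message, both connect over SFTP, so forcing `internal-sftp` does not lock them out. Run `sshd -t` to check the file before reloading the daemon.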