Setting up security for a web app - how to?

fkasmani

Hello,

I'm wanting to set up a hosted Linux VPS server to run a web-based application.
The app is built around PHP and MySQL.

Setting up the app on the VPS is not an issue, but the tricky part is setting up the security for it:
  1. since it's patient medical records, it needs to be carried across (maybe) SSL?
  2. the app should not be publicly available - it should only be accessible to me and my staff (located in 5 clinics)

Would really appreciate some suggestions on this, pls.
 
Others may have other ideas but, to me, you are describing a VPN.

Although there are many ways to do it, I suggest that you strongly consider two VPS's.

VPS 1:
VPN Software
Allows offices to connect to private-network servers (connected off second NIC)


VPS 2:
Runs your patient records application
Is only accessible via VPS #1


If you put everything on the same VPS you expose your patient records system to getting hacked from the outside world. By using two VPS, if your VPN server gets hacked, the hacker will still need to overcome whatever security you have on your patient records system. The records system, if you run it on a private network, isn't really reachable by the outside world so not subjected to the same kinds of abuse as your VPN server would be.

Just my $0.02
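
Added example, not part of either post: one way to enforce "is only accessible via VPS #1" on the records server is a default-drop nftables ruleset on VPS 2. The interface name, addresses and subnets are assumptions chosen for illustration; substitute the values of the actual private network and VPN.

```nftables
#!/usr/sbin/nft -f
# Example ruleset for VPS 2 (the patient records server).
# Assumed layout, not taken from the thread:
#   eth1         private NIC shared with VPS 1 (eth0 is the public NIC)
#   10.10.0.1    VPS 1 (VPN gateway) address on the private network
#   10.8.0.0/24  addresses the VPN hands out to the clinics

flush ruleset

define PRIV_IF = "eth1"
define VPN_GW = 10.10.0.1
# If VPS 1 NATs VPN traffic, requests arrive from VPN_GW;
# if it routes, they arrive from the clinic VPN addresses.
define APP_CLIENTS = { 10.10.0.1, 10.8.0.0/24 }

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Web app: HTTPS only, only on the private NIC, only from the VPN side.
        # TLS is still used so records are encrypted between VPS 1 and VPS 2.
        iifname $PRIV_IF ip saddr $APP_CLIENTS tcp dport 443 accept

        # Administration: SSH only from the VPN gateway.
        iifname $PRIV_IF ip saddr $VPN_GW tcp dport 22 accept

        # No accept rule for 3306: MySQL is never reachable over the network.
        # Nothing is accepted on the public NIC at all.

        # Rate-limited log of everything about to hit the default drop.
        limit rate 5/minute log prefix "vps2-drop: "
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Load it with `nft -f` from a console session rather than over SSH on the public NIC, since that path is closed as soon as the rules apply.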
 
Thanks wh-coach.

I was initially hoping it was as simple as SSL, but thanks for bringing it out.

Are we talking of setting up a mini-private-cloud here?

Would you be able to suggest a good guide to setting up such a scenario?
 
