Three Basics of Secure Client Portal Design


A client portal exposes client information and resources through a web-based interface. That information often includes sensitive financial data such as credit card numbers and account balances. Portals may also let clients update contact information and account preferences, and even send e-mail to company contacts.

Client portals bring many benefits, but they also create significant risk, and substantial effort is needed to ensure that client records are appropriately secured. The following three areas should be addressed to manage the security concerns that come with a client portal:

Implementing a multi-tier architecture that isolates the web, application, and database servers behind multiple firewalls, so that a compromise of the Internet-facing web tier does not give direct access to the data store. The application architecture must also allow for intrusion detection and prevention.

Designing an appropriate method for provisioning client accounts. The system needs a procedure that delivers log-on credentials (i.e., username and password) to the client in a secure fashion, and an efficient method for resetting passwords at the client's request. Client credentials should also be keyed to the master client index, so that similarly named clients cannot be confused and granted access to each other's records.
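As an added illustration of the account-provisioning point (this is example code written for this page, not code from the original article), the following Python sketch shows one way to meet those requirements together: accounts are keyed by the client-index identifier rather than the display name, usernames are unique, the initial credential is a one-time set-password link rather than a mailed password, reset tokens are random, stored only as a hash, time-limited and single-use, and passwords are stored as salted PBKDF2 hashes. The class and function names, the 15-minute token lifetime, and the sample client identifiers are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Policy values assumed for this example; tune them to your own risk assessment.
TOKEN_TTL_SECONDS = 15 * 60   # a set/reset-password link is valid for 15 minutes
PBKDF2_ROUNDS = 600_000       # OWASP's current figure for PBKDF2-HMAC-SHA256
SALT_LEN = 16


def _token_hash(token: str) -> bytes:
    # Only a hash of the one-time token is stored, so a copied database
    # does not yield usable reset links.
    return hashlib.sha256(token.encode()).digest()


def hash_password(password: str) -> bytes:
    salt = secrets.token_bytes(SALT_LEN)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def check_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


@dataclass
class ClientAccount:
    client_id: str                         # key from the master client index
    username: str
    password_hash: Optional[bytes] = None  # unset until the client redeems a token


@dataclass
class ResetRecord:
    client_id: str
    expires_at: float
    used: bool = False


class CredentialService:
    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self.now = now                                  # injectable clock (for tests)
        self.accounts: Dict[str, ClientAccount] = {}    # client_id  -> account
        self.by_username: Dict[str, str] = {}           # username   -> client_id
        self.resets: Dict[bytes, ResetRecord] = {}      # token hash -> record
        self._dummy = hash_password("not-a-real-password")  # for constant-cost failures

    def provision(self, client_id: str, username: str) -> str:
        """Create the account and return a one-time set-password token.

        The portal never sends a password. The client receives a link carrying
        this token over the contact channel already verified in the client
        index, and chooses a password when redeeming it.
        """
        if client_id in self.accounts:
            raise ValueError(f"client {client_id} already has an account")
        if username in self.by_username:
            # Similarly named clients must never collapse onto one login.
            raise ValueError(f"username {username!r} is already taken")
        self.accounts[client_id] = ClientAccount(client_id, username)
        self.by_username[username] = client_id
        return self.issue_reset(client_id)

    def issue_reset(self, client_id: str) -> str:
        """Mint a fresh random token for a password reset requested by the client."""
        if client_id not in self.accounts:
            raise KeyError(client_id)
        token = secrets.token_urlsafe(32)               # 256 bits from the CSPRNG
        expires = self.now() + TOKEN_TTL_SECONDS
        self.resets[_token_hash(token)] = ResetRecord(client_id, expires)
        return token

    def redeem(self, token: str, new_password: str) -> bool:
        """Set the password bound to `token`; the token is time-limited and single-use."""
        rec = self.resets.get(_token_hash(token))
        if rec is None or rec.used or self.now() > rec.expires_at:
            return False
        rec.used = True
        self.accounts[rec.client_id].password_hash = hash_password(new_password)
        return True

    def verify(self, username: str, password: str) -> bool:
        """Log-on check. Unknown users and unset passwords cost the same as a wrong password."""
        client_id = self.by_username.get(username)
        account = self.accounts.get(client_id) if client_id is not None else None
        stored = account.password_hash if account is not None else None
        if stored is None:
            check_password(password, self._dummy)
            return False
        return check_password(password, stored)
```

Two design choices are worth calling out. The token is never stored in clear, so the only way to use a reset link is to hold the link itself, and a failed log-on for an unknown username still performs a full PBKDF2 computation, so response timing does not reveal which usernames exist. A real deployment would add rate limiting on both `verify` and `issue_reset`, and would deliver the token only to a contact address that the master client index already holds.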

Implementing a proactive incident recognition and response program. Significant reputational damage can occur when a security breach is not handled in a timely fashion. A critical aspect of good incident response is proactively monitoring the portal for suspicious events, service interruptions, code errors, and general utilization issues. Timely analysis of root causes, correction of deficiencies, and communication with the client population are essential.
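As an added example of the monitoring side of such a program (written for this page, not code from the original article), the following Python script runs three simple detections over a constructed sample of portal request-log lines: a burst of failed log-ons from one source address, a burst of HTTP 5xx responses, and a login touching another client's records. The log format, the user-to-client mapping, the thresholds and the 60-second window are assumptions made for the example; in production the mapping would come from the master client index and the alerts would feed whatever channel the response team actually watches.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Deque, Dict, List, Optional, Tuple

# Constructed sample of portal request-log lines for this example (not real traffic).
SAMPLE_LOG = """\
2024-03-01T10:00:01Z ip=203.0.113.5 user=acme status=401 path=/login event=login_fail
2024-03-01T10:00:03Z ip=203.0.113.5 user=acme status=401 path=/login event=login_fail
2024-03-01T10:00:04Z ip=203.0.113.5 user=acme status=401 path=/login event=login_fail
2024-03-01T10:00:06Z ip=203.0.113.5 user=acme status=401 path=/login event=login_fail
2024-03-01T10:00:07Z ip=203.0.113.5 user=acme status=401 path=/login event=login_fail
2024-03-01T10:01:10Z ip=198.51.100.9 user=acme status=200 path=/clients/C-1001/statements event=view
2024-03-01T10:01:15Z ip=198.51.100.9 user=acme status=403 path=/clients/C-1002/statements event=view
2024-03-01T10:02:00Z ip=192.0.2.77 user=globex status=500 path=/clients/C-1002/balance event=view
2024-03-01T10:02:05Z ip=192.0.2.78 user=initech status=502 path=/clients/C-1003/balance event=view
2024-03-01T10:02:09Z ip=192.0.2.79 user=acme status=500 path=/clients/C-1001/balance event=view
"""

# Constructed login -> client binding; in production this comes from the master client index.
USER_CLIENT = {"acme": "C-1001", "globex": "C-1002", "initech": "C-1003"}

# Detection thresholds assumed for the example.
WINDOW = timedelta(seconds=60)
FAILED_LOGIN_THRESHOLD = 5    # failed log-ons from one source IP within WINDOW
SERVER_ERROR_THRESHOLD = 3    # HTTP 5xx responses portal-wide within WINDOW

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.+)$")
CLIENT_PATH_RE = re.compile(r"^/clients/(?P<client>[^/]+)/")

Alert = Tuple[str, str, str]   # (kind, subject, timestamp)


def parse_line(line: str) -> Optional[dict]:
    """Parse one 'timestamp key=value ...' line; malformed lines yield None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    fields = {"ts": ts}
    for token in m.group("kv").split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


class SlidingCounter:
    """Counts events per key inside a trailing window; fires once when a threshold is reached."""

    def __init__(self, window: timedelta, threshold: int) -> None:
        self.window, self.threshold = window, threshold
        self.events: Dict[str, Deque[datetime]] = defaultdict(deque)

    def hit(self, key: str, ts: datetime) -> bool:
        q = self.events[key]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()
        if len(q) >= self.threshold:
            q.clear()          # one alert per burst, then start counting again
            return True
        return False


def analyse(log_text: str) -> List[Alert]:
    alerts: List[Alert] = []
    brute = SlidingCounter(WINDOW, FAILED_LOGIN_THRESHOLD)
    errors = SlidingCounter(WINDOW, SERVER_ERROR_THRESHOLD)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        ts, stamp = rec["ts"], rec["ts"].isoformat()
        # Suspicious event: password guessing against the log-on form.
        if rec.get("event") == "login_fail" and brute.hit(rec.get("ip", "?"), ts):
            alerts.append(("brute_force", rec.get("ip", "?"), stamp))
        # Code errors / service interruption: a burst of 5xx responses.
        status = int(rec["status"]) if rec.get("status", "").isdigit() else 0
        if status >= 500 and errors.hit("portal", ts):
            alerts.append(("server_errors", rec.get("path", "?"), stamp))
        # Cross-client access: a login touching another client's records.
        m = CLIENT_PATH_RE.match(rec.get("path", ""))
        own = USER_CLIENT.get(rec.get("user", ""))
        if m and own is not None and m.group("client") != own:
            subject = f"{rec['user']}->{m.group('client')} ({status})"
            alerts.append(("cross_client_access", subject, stamp))
    return alerts


if __name__ == "__main__":
    for kind, subject, stamp in analyse(SAMPLE_LOG):
        print(f"{stamp} {kind}: {subject}")
```

The cross-client alert carries the response status on purpose: a 403 shows that the application's own authorization check held and the event is a probe to investigate, while a 200 on the same rule would be the kind of breach that triggers the root-cause, remediation and client-communication steps described above.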

Unfortunately, there is no cookbook approach to computer security. The specific security measures taken must always match the level of risk associated with a particular client portal application. However, the fundamental guidelines discussed here provide a solid foundation for any client portal you might design.

~Steve Barnes