Here is a quick outline of the security procedures we take to ensure your information is private and secure.
We use a service oriented architecture hosted on the Windows Azure platform.
The ‘business layer’ is made up of a number of web and worker roles (effectively Virtual Machines) which host ‘RESTful’ services which are individually secured by means of a supplied authentication string.
Communication with the client is via AJAX over a HTTPS (SSL) connection.
When an individual logs in to the system, their credentials are sent over HTTPS, validated, verified and a secure string is returned which is subsequently used to gain access to a restricted set of services (in this case those necessary for Payroll).
The usual security around expiry of the token applies here to prevent the machine being left ‘logged in’.
We make use of the ASP.NET membership provider to manage the security system and as an extra precaution we ‘salt’ the passwords when saving so it is (effectively) impossible to reverse the process and gain the password from the encrypted version.
The database which stores the information is hosted within Microsoft Azure SQL and thus has all of the protections afforded by the platform, including firewall protection so no IP external to the Azure infrastructure can access the DB.
This means that the only services that can access the DB must be hosted on the Azure platform
The architecture only allows access to the DB is via the business layer – clients only have access to selected services depending on the ‘role’ the user has been allocated the database is never queried directly.
Finally all access to the database is performed via stored procedures and as mentioned above these can only be accessed via the business layer completely preventing any chance of a an ‘injection attack’.