For Alga HR, Profit-Web, Profit-W users - Data security

March 3, 2021

Information and information systems have become a strategic asset that must be protected, just like any other property that is important for the operation of the company or institution. In response to the public database security scandal, Edrana Baltic once again emphasizes the importance of protecting existing systems and the data stored in them from unauthorized access or loss.

When developing our company's Information Security Management System, as well as developing and supporting our software products, we follow the requirements of the Information Security Standard IEC 27002, which provides best practice recommendations for information security management, the requirements of Lithuanian Standard LST EN ISO/IEC 17799, the OWASP specification, and the practice of our specialists.

As we have said before, our system is equipped with options to reduce the damage of a possible accident and data loss, which are parameterized and adapted to the needs of each organization.

We recommend that you immediately:

1. Encrypt the Profit-Web system password;

2. Use the "Store encrypted password on the server" functionality when creating Alga HR users and logging them into the system;

3. Perform an infrastructure security audit and take other security measures;

4. Install an SSL certificate for data encryption.

However, as practice shows, it is also necessary to protect the disk itself or its copy, as it can be physically stolen. There are a number of available measures to help protect access to specified disks or copies thereof. In order for us to be able to offer you the best solutions, we recommend and suggest an audit of your IT infrastructure. Please contact us to receive assistance from our IT specialist. Our IT specialists are experienced, hold the necessary competencies, and are able to provide high quality services.

We also suggest that you consider using Edrana Baltic cloud computing services, which would significantly reduce your IT infrastructure maintenance costs in addition to ensuring data security.

If you decide to continue storing your databases on your servers, in addition to protecting your IT infrastructure, we also recommend using data encryption algorithms that prevent viewing or disclosing existing data in the event of unauthorized access to such data.

  • If you are using a FireBird database, to prevent outside access to the server or computer where the database is stored, we recommend using a DMZ or separating traffic with the help of your firewall or VLAN, allowing communication between the application and the database only via certain ports. If possible, we recommend migrating to higher-level databases such as Oracle or MS SQL.
  • If you are using Microsoft SQL, the software manufacturer has made it possible to upgrade existing versions of SQL to MS SQL ENTERPRISE or MS SQL 2019 Standard, which have TDE (Transparent Data Encryption) functionality that allows you to encrypt your database data in real time, so stolen database files cannot be read.
  • If you are using Oracle, we suggest buying an additional Oracle security pack, which includes TDE functionality and allows you to encrypt data in your database.
  • If you are using Sybase DBMS, we recommend activating the feature that allows you to encrypt your database and the data transferred between the client application and the database.

Note. Encrypting the entire database requires additional hardware resources, and, if the company does not have a sufficient number of modern servers, a slowdown in the entire system may occur after encryption is enabled. Test results show that the slowdown can be as high as 25 percent or more.
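For the Microsoft SQL recommendation above, the following T-SQL sketch shows how TDE is typically enabled and verified. It is an added example, not Edrana Baltic's own procedure; the database name, certificate name, file paths and passwords are placeholders to replace with your own values.

```sql
-- Added example: enabling TDE on SQL Server. All names, paths and
-- passwords below are placeholders (assumptions), not values from this notice.

USE master;

-- 1. Database master key in master; it protects the TDE certificate.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<PLACEHOLDER-master-key-password>';

-- 2. Server certificate that will protect the database encryption key.
CREATE CERTIFICATE TdeCert_Placeholder
    WITH SUBJECT = 'TDE certificate (placeholder name)';

-- 3. Back up the certificate and its private key BEFORE turning encryption on.
--    Without this backup an encrypted database or its backups cannot be
--    restored on another server. Store the files away from the database disk,
--    otherwise a stolen disk carries both the data and the key material.
BACKUP CERTIFICATE TdeCert_Placeholder
    TO FILE = 'X:\secure-placeholder\TdeCert.cer'
    WITH PRIVATE KEY (
        FILE = 'X:\secure-placeholder\TdeCert.pvk',
        ENCRYPTION BY PASSWORD = '<PLACEHOLDER-private-key-password>'
    );

-- 4. Create the database encryption key in the application database.
USE [AppDatabase_Placeholder];

CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TdeCert_Placeholder;

-- 5. Turn encryption on; existing pages are encrypted by a background scan.
ALTER DATABASE [AppDatabase_Placeholder] SET ENCRYPTION ON;

-- 6. Verify. encryption_state: 2 = encryption in progress, 3 = encrypted.
--    tempdb also appears here, because it is encrypted as soon as any
--    database on the instance uses TDE.
SELECT DB_NAME(database_id) AS database_name,
       encryption_state,
       percent_complete,
       key_algorithm,
       key_length
FROM sys.dm_database_encryption_keys;
```

Run step 6 again until the application database reports `encryption_state = 3`, and measure system performance before and after, given the slowdown mentioned in the note above.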

Head of IT Department

Herkus Razgaitis