1. Back up all data on a SEPARATE server
This guy learned the hard way that you should never store your backups on the same host server. If a server is hacked, its backups can be compromised along with it, so "backed up data" stored on the same host server is effectively useless.
2. Separate your Application Servers/webservers from Database servers
Cost restrictions can mean this is not always an option for webmasters, but it is a very effective way of lowering the chance of losing all data in an attack: put simply, an attacker would need to compromise two servers instead of one. It is also a much more robust way of managing access security.
3. Store all critical server side code behind the webroot.
4. Encrypt identifiable data in your database
Keep the key stored outside of the webroot
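As an added example (not code from the original page or from EchoMedia), the following Python shows the two halves of this point: refusing to load a key that lives under the webroot, and encrypting individual database columns with it. It assumes a document root of /var/www/html, a key file such as /etc/myapp/db.key, and the third-party cryptography package (Fernet: AES-CBC with an HMAC, so tampered rows fail to decrypt rather than silently decrypting to garbage). The customer record is constructed sample data.

```python
import os
import tempfile
from pathlib import Path

from cryptography.fernet import Fernet  # third-party: pip install cryptography

# Assumed document root of the web server; anything under it may be served
# directly or exposed by a misconfiguration, so the key must never live here.
WEBROOT = Path("/var/www/html")


def key_path_is_safe(key_file, webroot=WEBROOT):
    """Return True only if key_file resolves to a location outside the webroot."""
    key_file = Path(key_file).resolve()
    webroot = Path(webroot).resolve()
    return key_file != webroot and webroot not in key_file.parents


def load_or_create_key(key_file, webroot=WEBROOT):
    """Read the Fernet key from key_file, creating it (mode 0600) on first use."""
    if not key_path_is_safe(key_file, webroot):
        raise ValueError("refusing to keep the key under the webroot: %s" % key_file)
    path = Path(key_file)
    if path.exists():
        return path.read_bytes().strip()
    key = Fernet.generate_key()
    path.parent.mkdir(parents=True, exist_ok=True)
    # O_EXCL: fail rather than overwrite a key that appeared concurrently;
    # 0o600: only the service account that runs the app can read it.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(key)
    return key


def encrypt_field(key, plaintext):
    """Encrypt one column value; the token is plain ASCII, safe for a text column."""
    return Fernet(key).encrypt(plaintext.encode("utf-8")).decode("ascii")


def decrypt_field(key, token):
    """Inverse of encrypt_field; raises cryptography.fernet.InvalidToken on tampering."""
    return Fernet(key).decrypt(token.encode("ascii")).decode("utf-8")


def demo():
    """Round-trip a constructed customer record using a key in a temp dir
    (standing in for a directory like /etc/myapp/ that sits outside the webroot).
    Returns (round_trip_ok, key_file_mode, ciphertext_differs_from_plaintext)."""
    key_dir = tempfile.mkdtemp()
    key_file = os.path.join(key_dir, "db.key")
    key = load_or_create_key(key_file)
    record = {"email": "jane@example.com", "phone": "+44 20 7946 0000"}  # constructed
    stored = {col: encrypt_field(key, val) for col, val in record.items()}
    # A second process would reload the same key from disk before decrypting.
    reloaded = load_or_create_key(key_file)
    recovered = {col: decrypt_field(reloaded, val) for col, val in stored.items()}
    mode = os.stat(key_file).st_mode & 0o777
    return recovered == record, mode, stored["email"] != record["email"]


if __name__ == "__main__":
    print(demo())
```

Encrypting a column this way means a dump of the database alone is not enough to read the identifiable data; the attacker also needs the key file, which is why it sits outside the webroot with restrictive permissions. Note that encrypted columns can no longer be searched or indexed on their plaintext, so only encrypt the fields that actually need it.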
5. Restrict access by IP
Mostly relevant only to apps used internally, but many apps have no need to be accessible to the general public.
6. Gather Client information (IP etc. to apply access management)
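Points 5 and 6 together amount to an allow-list check on the client address plus a record of each request. The Python below is an added example, not code from the original page or from EchoMedia; the networks, the trusted proxy address and the request lines are all constructed. The caveat a practitioner needs is in client_ip(): an X-Forwarded-For header is chosen by the client unless the connection actually came from your own reverse proxy, and even then only the rightmost entry is the one that proxy appended.

```python
import ipaddress

# Constructed allow-list: office LAN, VPN range and one partner address.
ALLOWED_NETWORKS = [ipaddress.ip_network(n) for n in
                    ("192.168.1.0/24", "10.8.0.0/16", "203.0.113.7/32")]
# Only a reverse proxy we operate may tell us the "real" client address (constructed).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]

AUDIT_LOG = []  # point 6: keep the client information for later access decisions


def client_ip(remote_addr, forwarded_for=None):
    """Work out the address to apply policy to.

    X-Forwarded-For is attacker-controlled unless the TCP peer is our own proxy,
    and even then only the rightmost entry (the one that proxy appended) is
    trustworthy; anything left of it was supplied by the client.
    Raises ValueError on a malformed address.
    """
    remote = ipaddress.ip_address(remote_addr)
    if forwarded_for and any(remote in proxy for proxy in TRUSTED_PROXIES):
        return ipaddress.ip_address(forwarded_for.split(",")[-1].strip())
    return remote


def is_allowed(ip):
    """True if ip falls inside any allow-listed network (IPv4 and IPv6 never mix)."""
    return any(ip in net for net in ALLOWED_NETWORKS)


def access_decision(remote_addr, forwarded_for=None):
    """Return (allowed, client_ip_as_text, reason)."""
    try:
        ip = client_ip(remote_addr, forwarded_for)
    except ValueError:
        return False, remote_addr, "malformed address"
    if is_allowed(ip):
        return True, str(ip), "in allow-list"
    return False, str(ip), "not in allow-list"


def check_request(remote_addr, forwarded_for=None, user_agent="-"):
    """Gate one request and append what we know about the client to the audit log."""
    allowed, ip, reason = access_decision(remote_addr, forwarded_for)
    AUDIT_LOG.append({"ip": ip, "user_agent": user_agent,
                      "allowed": allowed, "reason": reason})
    return allowed


if __name__ == "__main__":
    # Constructed requests: direct LAN client, direct outsider, outsider spoofing XFF,
    # and a genuine client behind our proxy.
    for peer, xff in (("192.168.1.20", None), ("198.51.100.9", None),
                      ("198.51.100.9", "192.168.1.20"),
                      ("10.0.0.5", "198.51.100.9, 192.168.1.20")):
        print(peer, xff, access_decision(peer, xff))
```

Doing the check at the application layer is a complement to, not a replacement for, a firewall rule on the host or a Require/allow directive in the web server: the network-level rule stops the request earlier and cannot be bypassed by a bug in the application.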
7. Keep all servers patched and store backups for a minimum of 4 weeks
8. Apply Version control (Git etc.)
9. Login user management
- Make sure all passwords are hashed
- Apply password policy (length, contains alpha-numeric etc.)
- Password must be changed every quarter
- Login pages must contain extra security validation (reCAPTCHA, Google Authenticator etc.)
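The first three bullets above can be shown in a few dozen lines. The Python below is an added example, not code from the original page or from EchoMedia: it hashes passwords with a per-user random salt using PBKDF2-HMAC-SHA256 from the standard library, enforces the length and alphanumeric policy, and refuses logins whose password is older than 90 days. The user table and passwords are constructed; the iteration count is an assumption to tune for your hardware.

```python
import hashlib
import hmac
import os
import re
from datetime import date, timedelta

ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor (assumed); raise it as hardware speeds up
MIN_LENGTH = 12        # assumed policy minimum
MAX_AGE_DAYS = 90      # "changed every quarter"


def hash_password(password, salt=None):
    """Return a self-describing string: algorithm$iterations$salt$digest.

    Storing the parameters with the hash lets you raise ITERATIONS later and
    re-hash each user transparently on their next successful login.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute with the stored salt/iterations and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def policy_violations(password):
    """Return the list of policy rules the password breaks (empty list = acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not re.search(r"[A-Za-z]", password):
        problems.append("contains no letters")
    if not re.search(r"[0-9]", password):
        problems.append("contains no digits")
    return problems


def password_expired(last_changed, today=None):
    today = today or date.today()
    return today - last_changed > timedelta(days=MAX_AGE_DAYS)


# Hash verified for unknown usernames so response time does not reveal which accounts exist.
DUMMY_HASH = hash_password("dummy-password-for-timing")


def login(users, username, password, today=None):
    """Return (ok, reason). users maps username -> {"hash": ..., "changed": date}."""
    user = users.get(username)
    stored = user["hash"] if user else DUMMY_HASH
    ok = verify_password(password, stored)
    if not user or not ok:
        return False, "bad credentials"
    if password_expired(user["changed"], today):
        return False, "password expired, change required"
    return True, "ok"


def demo():
    """Constructed user table and four login attempts on a fixed date."""
    users = {
        "alice": {"hash": hash_password("Correct-horse-battery-9"), "changed": date(2024, 5, 1)},
        "bob":   {"hash": hash_password("Winter2023!!!!"), "changed": date(2023, 12, 1)},
    }
    today = date(2024, 6, 1)
    return (
        login(users, "alice", "Correct-horse-battery-9", today),  # valid
        login(users, "alice", "wrong-password", today),           # wrong password
        login(users, "bob", "Winter2023!!!!", today),             # correct but stale
        login(users, "mallory", "anything", today),               # unknown user
    )


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The policy check belongs at registration and password-change time, not at login, so that the login path does nothing but verify and check expiry; the constant-time comparison and the dummy hash for unknown users keep response times from leaking information about which accounts exist.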
10. Run all online applications over SSL (Secure Sockets Layer)
This ensures the transfer of data between web servers and browsers is encrypted
This should serve as a rough guide to good practice for effective data security, but many of the suggestions here may not apply to your webspace. Applications differ in which data is most exposed and which is most critical to secure, so you will have to make decisions based on your own application setup.
If you require any further information on this topic please do not hesitate to contact EchoMedia. We have extensive experience in securing and managing highly sensitive data.