Hey guys, if you're able to drop in your $0.02 it would be much appreciated.
Here is the breakdown:
- I work for a company that produces very valuable research (downloadable, passworded, watermarked, and printable) to our clients
- If this research is disseminated to the groups we complete it on, it could ruin the business
- Clients access this research through a secure website (typical username/pass system)
Here's my question: Our biggest issue is not people "hacking" our site, but rather someone obtaining a perfectly normal user's password, downloading all our research (say, via a script), and posting it somewhere public. How can we help to minimize this risk?
Currently we have a cap of 300 documents a day on users (so if a script is used to download all docs, we're notified and access is cut off to that user). However, if the user says "oh sorry I didn't realize" (they are also bound by a contract, but that won't help resurrect the business post-dissemination) they could very well set the script to pull 299 the next time, circumventing the flag. What are more effective alternatives to a straight download cap? Perhaps after the first breach, a lagged monitoring of usage for a few weeks after?
Regarding physical security, in terms of upgrading beyond simple usernames/passwords: has anyone had any experience with a physical key provided to the client that would cycle to a new password every ten, twenty, or so minutes? What are the costs of these systems? Other alternatives?
Any ways of allowing the research to be convenient to view for the clients, but difficult for them to bring to the groups we complete it on?
Is anyone working for a group with a similar issue? Any and all responses would be much appreciated.
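An added example, not part of the original post, showing why the straight 300-a-day cap is easy to slip under and what a behavioural check looks like instead. It is constructed data with assumed numbers (a 5000-document library, an "analyst" who reads about 15 papers a day at irregular times, and a "scraper" script that pulls exactly 299 a day at a fixed 30-second cadence) and assumed thresholds; the point is that a per-day count is a rate limit, while the thing that actually hurts the business is cumulative coverage of the library plus the machine-like access pattern that produces it.

```python
"""Fixed daily cap vs. behavioural download detection (constructed example).

Constructed scenario, not from the original post: CORPUS_SIZE, DAILY_CAP, the
two users' habits and the alert thresholds are all assumptions for illustration.
"""
import random
import statistics
from collections import defaultdict

CORPUS_SIZE = 5000   # assumed size of the research library
DAILY_CAP = 300      # the straight cap described in the post
DAY = 86400
T0 = 1704099600      # 2024-01-01 09:00:00 UTC, start of the constructed log


def build_events(days=10, seed=1):
    """Return (user, unix_ts, doc_id) download events for `days` days (constructed data)."""
    rng = random.Random(seed)
    events = []
    for d in range(days):
        # analyst: ~15 docs/day, 1-60 minute gaps, documents chosen at random
        t = T0 + d * DAY
        for _ in range(15):
            t += rng.randint(60, 3600)
            events.append(("analyst", t, rng.randrange(CORPUS_SIZE)))
        # scraper: 299 docs/day (one under the cap), 30 s apart, walking the
        # library sequentially so it never fetches the same document twice
        t = T0 + d * DAY
        for i in range(299):
            events.append(("scraper", t + 30 * i, d * 299 + i))
    return sorted(events, key=lambda e: e[1])


def per_user_features(events):
    """Per-user features a monitoring job could compute from the download log."""
    by_user = defaultdict(list)
    for user, ts, doc in events:
        by_user[user].append((ts, doc))
    feats = {}
    for user, rows in by_user.items():
        rows.sort()
        ts = [r[0] for r in rows]
        docs = {r[1] for r in rows}
        daily = defaultdict(int)
        for t in ts:
            daily[t // DAY] += 1
        # largest number of downloads in any trailing 60-minute window
        burst, j = 0, 0
        for i, t in enumerate(ts):
            while ts[j] < t - 3600:
                j += 1
            burst = max(burst, i - j + 1)
        # fraction of inter-request gaps within 10% of the median gap:
        # humans are irregular, a script sleeping a fixed interval is not
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        med = statistics.median(gaps) if gaps else 0
        regular = (sum(abs(g - med) <= 0.1 * med for g in gaps) / len(gaps)) if gaps else 0.0
        feats[user] = {
            "daily_max": max(daily.values()),
            "coverage": len(docs) / CORPUS_SIZE,   # share of the whole library taken
            "burst_per_hour": burst,
            "regularity": regular,
        }
    return feats


def fixed_cap_alerts(feats, cap=DAILY_CAP):
    """The post's current control: flag anyone over `cap` documents in a day."""
    return {u for u, f in feats.items() if f["daily_max"] > cap}


def behavioural_alerts(feats, max_coverage=0.2, max_burst=40, max_regularity=0.8):
    """Assumed thresholds: no single reader needs a fifth of the library, more than
    40 documents an hour, or a clockwork request cadence. Returns user -> reasons."""
    alerts = {}
    for u, f in feats.items():
        reasons = []
        if f["coverage"] > max_coverage:
            reasons.append(f"has fetched {f['coverage']:.0%} of the library")
        if f["burst_per_hour"] > max_burst:
            reasons.append(f"{f['burst_per_hour']} downloads inside one hour")
        if f["regularity"] > max_regularity:
            reasons.append(f"{f['regularity']:.0%} of requests at a fixed interval")
        if reasons:
            alerts[u] = reasons
    return alerts


if __name__ == "__main__":
    feats = per_user_features(build_events())
    print("fixed cap flags:", fixed_cap_alerts(feats) or "nobody")
    for user, reasons in behavioural_alerts(feats).items():
        print(f"behavioural flag on {user}: " + "; ".join(reasons))
```

Run as a script it reports that the 300/day cap flags nobody (the scraper stays at 299) while the behavioural rules flag the scraper on all three counts. The coverage feature is the one worth keeping even if the thresholds are tuned differently: it is cumulative, so lowering the daily pull only stretches the timeline, and it can be checked before every download rather than once a day.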