Images for the Office of the Provost - Harvard University

2.9 Internet Access to Confidential Information

Policy

No Harvard confidential information can be saved on any computer directly accessible from the Internet or from the open portions of Harvard’s internal network.

Discussion

Web and other Internet servers are notoriously vulnerable to compromise. No Harvard confidential information can be stored on such a server because of the risk to the information if the server is compromised. Confidential information can be saved on a separate "back-end" computer (for example, a database server) that is isolated from the Internet server by a firewall. The back-end computer should use private IP addresses and not be directly reachable from the Internet or from open portions of the Harvard network. Access to the back-end computer should be limited to that required to support the computer, and that access should be through a firewall. There also should be a firewall between the Internet server and its users on the Internet or on the Harvard networks. All of the firewalls should be configured to block all inbound and outbound traffic that is not needed for operation of the service.

Note that the Internet server should not remote mount a disk from the back-end computer since that directly exposes the information on the disk.

There is still a risk that an attacker who compromises the Internet server could figure out how to issue the right commands to access the information on the back-end computer, but the risk is far smaller than the risk presented by having the data itself on the Internet server.
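
One way to check a firewall rule set against the layout described in the Discussion, as an added example that is not part of the policy itself. The rule format, host addresses and ports are constructed for illustration, "private IP addresses" is assumed to mean the RFC 1918 ranges, and only IPv4 is handled.

```python
import ipaddress as ip

# Assumption: "private IP addresses" is read as the RFC 1918 ranges.
RFC1918 = [ip.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DENY_ALL = ("deny", "0.0.0.0/0", "0.0.0.0/0", None)

def audit(backend, allowed_sources, rules):
    """Return findings; an empty list means the rule set fits the policy.

    backend: address of the back-end computer holding confidential data.
    allowed_sources: networks that may reach it (Internet server, support hosts).
    rules: ordered (action, src_cidr, dst_cidr, port) tuples; port None means any.
    """
    findings = []
    backend = ip.ip_address(backend)
    allowed = [ip.ip_network(n) for n in allowed_sources]
    if not any(backend in net for net in RFC1918):
        findings.append(f"back-end {backend} is not a private address")
    for n, (action, src, dst, port) in enumerate(rules, 1):
        src, dst = ip.ip_network(src), ip.ip_network(dst)
        if action != "allow" or backend not in dst:
            continue
        # Only the Internet server and support hosts may reach the back-end.
        if not any(src.subnet_of(a) for a in allowed):
            findings.append(f"rule {n}: {src} can reach the back-end")
        # Access is limited to what is required, so no any-port rules.
        if port is None:
            findings.append(f"rule {n}: all ports open to the back-end")
    # Traffic not needed by the service is blocked: last rule must deny all.
    if not rules or tuple(rules[-1]) != DENY_ALL:
        findings.append("no final deny-all rule")
    return findings

# Constructed sample data (hypothetical hosts, not from the policy page).
WEB, DB, SUPPORT = "192.168.10.5/32", "10.0.20.8", "10.0.30.0/28"
GOOD = [
    ("allow", "0.0.0.0/0", WEB, 443),         # users -> Internet server
    ("allow", WEB, "10.0.20.8/32", 5432),     # Internet server -> database
    ("allow", SUPPORT, "10.0.20.8/32", 22),   # support hosts -> database
    DENY_ALL,
]
BAD = [
    ("allow", "0.0.0.0/0", "10.0.20.0/24", None),  # back-end subnet exposed
    ("allow", WEB, "10.0.20.8/32", 5432),
]

if __name__ == "__main__":
    for name, rules in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit(DB, [WEB, SUPPORT], rules))
```

The check is deliberately conservative: it flags any allow rule that covers the back-end from an unlisted source and does not model an earlier deny rule that might shadow it.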
