Hear from the Staff

 

Data Security with LANDBOSS Software

November 24, 2009 - Blake Anderton

Although Cole talked about it briefly in this post, I thought I'd dedicate this week's post to how we can back up our claim that your data is secure when using LANDBOSS.  You, as the holder of valuable and leverage-able information (ownership information, etc), hopefully are concerned about the security of that data when choosing software.  If you're willing to take our word that we prioritize security in LANDBOSS then I'm grateful for your faith in us, but if you're more skeptical (maybe even a bit jaded?) then please read on and allow me to show you several ways we "walk the walk."

Secure Data in Any Environment

First off, a disclaimer for those who don't happen to have Computer Science degrees.  The truth is that no matter how you store your data, there is no such thing as 100% security.  Well, there is, but it's rather useless then.  Think of your data storage like a bank vault.  If there are no doors and the thing is placed in the center of the sun, then no one's getting in, right?  But then of course you can't get in...  But by allowing even a single way inside your vault, there is a potential for misuse or foul-play.  The best you can do is provide the best possible, but still reasonable, protection.  With LANDBOSS we have taken great care to make our software as secure as possible without sacrificing usability. 

Your Current Security

While I won't presume to know every detail of your current data's security, "word on the street" is many of you are still just emailing Excel files to each other.  If you aren't, and have highly-secure software guarding your data, then good for you! If you are just emailing files around, though, then you really have no data security at all.  Email is notoriously unsafe, and can be easily intercepted and read by people that are clever enough.  Plus, at least with Excel, you have to do all the security work yourself.  If you only want to show 50 out of 100 notes to a certain landman, you must manually cull them from your file before sending it to him.  Even other land and leasing programs may have inherent problems - most client applications store some sort of file locally which could be copied/stolen, etc.

Security in LANDBOSS

LANDBOSS is infinitely more secure than the Excel/Email solution, and I'd bet money it's more secure than client applications.  Here are just some of the ways we protect your data (with snazzy military-sounding acronyms thrown in just to prove how serious they are!):

Step 1 - Communication Security (COMSEC)

The first step in our security plan is to make sure that any data that is transferred from us to you (and vice-versa) is safe from people intercepting it.  To do this we have the LANDBOSS web application secured using Secure Sockets Layer (SSL) technology.  Your web browser is automatically set up to handle this technology, and you can usually tell a site is using it when the address starts with "https://" instead of "http://".  This ensures that no one is able to "sniff" the data being passed back and forth between your browser and the server - they will just see garbage.  There are always ways around this (see my disclaimer above), but I'd give SSL a 99.9999% chance of stopping "sniffing" attacks.  We use this technology for every piece of information sent to and from the application, and we do not allow you to use the site with unsecured HTTP.  If you try to go to the HTTP address of your account site you will be redirected immediately to the HTTPS equivalent.

Step 2 - Server Security (SERVSEC)

I won't tell you the exact environment our servers run on (it's not hard to find out, though), but I will say that we go to great pains (and many long nights for certain people, thanks Daniel!) to keep our servers up-to-date and secure.  Most attacks on servers succeed because they are using outdated versions of the server software, and bad actors use known issues for these older versions to compromise them.  By keeping an (almost) constant watch on the servers and their health we are able to tell very quickly if a problem arises.

Step 3 - Database Security (DBSEC)

Since LANDBOSS is a web application with a central server, it's pretty obvious that we have all the information stored in a central database server as well.  While this gives the same benefits I described in step 2, you might ask yourself, "Wait a minute, if I have my data stored on that server, and my competitor also uses LANDBOSS and they also use that server, maybe they can get to my data if they're sneaky enough!"  Well, no, in fact they cannot.  When you sign up for LANDBOSS you get your own database, complete and separate from everyone else's.  We'll happily send you your database's backup file to prove it (or even if you just want it for another reason - it's your data; we aren't going to keep it from you).  There is no way the LANDBOSS web application can be "tricked" into showing some other company's information.  Though the databases are separate, they are stored together on the same server, and so that again goes back to step 2 on how we secure the servers.

Step 4 - Billing Security (BILLSEC)

We at LANDBOSS do not store any billing information on our internal servers - all your payment information is stored at the world-class payment processor that we use.  All our communication with them also uses HTTPS, so even if step 2 or step 3 fails no one can get at your credit cards/bank accounts.

Step 5 - User Security (USERSEC)

The previous steps form the foundation of our "layered approach" to security.  If a bad actor somehow defeats one layer, the other layers should keep him from causing too much damage.  The top "layer", though, is a bit trickier.  It involves making sure that malicious or overly-curious users from within your organization don't get hold of data you don't approve of them seeing or changing.  There are many ways we do this with LANDBOSS.

  1. Password Security - LANDBOSS stores all passwords in a very secure, and unreadable, format.  Even if someone was to break into your database, they could not log into the application with your login.  We also require very strong passwords (6 characters, 1 upper case, 1 lower case, 1 number) - so it would be infeasible to use a "brute force" attack.  Password security is only as good as the user, though, as Cole mentioned in his article.  A password on a sticky note on your monitor makes having that password kind of pointless.
  2. Read-only accounts - Each user has a license "Package" assigned to them.  These licenses are what we charge you for each month, and assigning them to a user login makes sure we know who is using which license.  Certain licenses do not allow the changing of land information (parties, tracts, leases, etc).  They can enter time for themselves and view things (that they are allowed to see), but that's about it.
  3. Roles - Each user login can belong to zero or more "Roles" - which allow them access to certain pages in the application.  Do not confuse these with their license features: features change access to huge swaths of the application, roles allow you to restrict what sorts of things the user can see/do within those features.  When your account is first created we add a couple "reasonable default" roles for you to use, but you can easily customize them or add new ones with very fine-grained precision.
  4. Prospect Access - Most everything in LANDBOSS is tied to a prospect.  Each user login has a list of prospects that they have access to.  If a piece of data (for example, a lease) is in a prospect that the user doesn't have access to, then from their point-of-view it doesn't even exist.  They can't search for it, view it, edit it, nothing.  Of course we allow an easy way to give "admin" users access to every prospect without having to check each one, but this list allows you to restrict what data they can act on even within their Role(s).

You'll notice that each of these ways of securing your data from other users allows you to customize or somehow take control of them.  While we work very hard to make sure our default values work in most cases, there is always the possibility that an improper setting in the user admin might let a user access something they shouldn't.  You can avoid much of this the same way we do - simply be aware and vigilant against it.  If you create a new user you might want to log in as them before you hand the login over to your employee - make sure they see only what you intend.  We worked hard to give you flexibility and power over your data internally, but with great power comes great responsi....I'm sorry, I can't even finish that phrase, it is so clichéd.  You get the idea, though.  If you ever have any issues with your internal data security, just contact support and we'll make sure we get your data secured how you want.
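The layered checks from Step 5 (license package, roles, prospect access) and the "make sure they see only what you intend" check, sketched as an added example.  This is not LANDBOSS code: the data model, role names and records are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field

# Hypothetical model: the names, roles and records here are constructed for
# illustration and are not taken from the LANDBOSS application.
ROLES = {"Lease Viewer": {"leases"}, "Timekeeper": {"time"}}

@dataclass(frozen=True)
class Lease:
    lease_id: str
    prospect: str

@dataclass
class User:
    name: str
    can_edit: bool                      # set by the license package
    roles: set = field(default_factory=set)
    prospects: set = field(default_factory=set)
    all_prospects: bool = False         # the "admin" shortcut

def decide(user, action, lease):
    """Return 'ok', 'denied' or 'not_found' for one action on one lease."""
    # Prospect access comes first: out-of-prospect data looks nonexistent.
    if not (user.all_prospects or lease.prospect in user.prospects):
        return "not_found"
    pages = set().union(*(ROLES.get(r, set()) for r in user.roles))
    if "leases" not in pages:
        return "denied"                 # no role grants the leases page
    if action == "edit" and not user.can_edit:
        return "denied"                 # read-only license package
    return "ok"

def audit(user, leases, intended):
    """Compare effective access with the (lease_id, action) pairs intended."""
    effective = {(l.lease_id, a) for l in leases for a in ("view", "edit")
                 if decide(user, a, l) == "ok"}
    # First list: access granted but not intended; second: intended but missing.
    return sorted(effective - intended), sorted(intended - effective)

LEASES = [Lease("L-1", "Prospect A"), Lease("L-2", "Prospect B")]
INTENDED = {("L-1", "view")}
good = User("landman", False, {"Lease Viewer"}, {"Prospect A"})
# Misconfiguration: admin shortcut ticked and an editing license assigned.
bad = User("landman", True, {"Lease Viewer"}, {"Prospect A"}, all_prospects=True)

if __name__ == "__main__":
    print(audit(good, LEASES, INTENDED))
    print(audit(bad, LEASES, INTENDED))
```

The first list returned by `audit` is the one to watch: anything in it is access the login has that the account owner did not mean to grant.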

The Power is Ours!

Phew! Thanks for reading.  Hopefully I've shed a little light on how we handle security here at LANDBOSS, and now you might actually believe us when we say "your data's security is our top priority."  I hope you also see why we can only do so much when it comes to that security - part of it will have to be how you use the tools we've given you.  We'll do everything in our power to help you use those tools properly, but knowing that the weakest link in security almost always comes down to people is the first step to building real security.