[Koha] Questions on data security, liability and RFP issues

Chris Cormack chris at katipo.co.nz
Sat Nov 6 16:15:31 NZDT 2004


On Fri, Nov 05, 2004 at 06:39:58PM -0600, Baljkas Family said:
> Friday, November 5, 2004    18:14 CST
> 
> Greetings all,
> 
> Owen's question reminded me of some issues I had been meaning to ask about for a while now.
> 
> First off, the whole issue of data security in the Koha ILS.
> 
> I don't think this question has been raised before -- and I apologise in advance if it has been, or if asking it this way is simply hopelessly naive/ignorant: but how safe against hacking, e.g. would Koha be? Or is this more a matter of systems admin level securities behind which Koha would be shielded? (G*d, I hope so.)
> 

I can take a crack at this part, I'll leave all the legal stuff to someone
else :)

The security we have on Koha is that the librarian interface is behind
password authentication, but you can disable this. What HLT does, and other
libraries we have worked with do, is not make the librarian interface
available to the world. This can be done by restricting access to only
certain IPs, or only available on a LAN. These are of course system
administrator tasks, and the sys admin can do a lot more, such as securing
the box serving Koha as much as possible.
You could use MySQL replication and have a separate box serving the OPAC
with a read-only database, such that the only interface available to the
public has no write access. Again, more sys admin tasks.

What we as developers try to do is to make sure that we don't write CGIs
that are vulnerable to attack, and we depend on the writers of such
things as Apache, MySQL and Linux to keep their products as secure as
they can. Then we depend on the system admins of the Koha installations to
do their part.

Basically it boils down to the sysadmin: they can make the data stored in
Koha as secure or as insecure as they like.

Chris
-- 
Chris Cormack                                                     Programmer
027 4500 789                                       Katipo Communications Ltd
chris at katipo.co.nz                                          www.katipo.co.nz
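
The split described in the message above (OPAC open to the public, librarian interface reachable only from the LAN) could be expressed in Apache 2.4 as follows. This is an added example, not part of the original message and not Koha's own configuration; the hostnames, paths, port and address range are placeholders.

```apache
# Added example. Hostnames, filesystem paths, the port and the
# 192.168.1.0/24 range are placeholders, not values from Koha or this thread.
# Assumes the main server configuration already has "Listen 80".

# Public catalogue (OPAC): reachable from anywhere.
<VirtualHost *:80>
    ServerName opac.library.example
    DocumentRoot "/path/to/koha/opac/htdocs"
    ScriptAlias /cgi-bin/ "/path/to/koha/opac/cgi-bin/"

    <Directory "/path/to/koha/opac/htdocs">
        Require all granted
    </Directory>
    <Directory "/path/to/koha/opac/cgi-bin">
        Require all granted
    </Directory>
</VirtualHost>

# Librarian interface: bound to the server's LAN address only, so it is
# not offered on any public interface at all.
Listen 192.168.1.10:8080
<VirtualHost 192.168.1.10:8080>
    ServerName staff.library.example
    DocumentRoot "/path/to/koha/intranet/htdocs"
    ScriptAlias /cgi-bin/ "/path/to/koha/intranet/cgi-bin/"

    # Second layer: refuse any client outside the LAN range. Applied to
    # every URL of this virtual host, so the CGI scripts mapped in by
    # ScriptAlias are covered as well as the static files.
    <Location "/">
        Require ip 192.168.1.0/24
    </Location>

    # Koha's password authentication stays enabled behind this check;
    # the address restriction is in addition to it, not a replacement.
</VirtualHost>
```

After a reload, a request to the librarian interface from an address outside the allowed range should return 403, which is worth confirming from an outside host rather than assuming.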


