Survey Security

Illume surveys rely on two features for security: authentication and encryption.

Authentication

Authenticated surveys require survey participants or interviewers to provide some kind of credentials to access the survey. The individual designing the survey determines what the credentials will be. It may be a name/password combination or a simple user ID. Associated with an authenticated survey is a participant list. A participant list identifies the individuals who should be given access to a survey. Illume validates each visitor’s credentials against the participant list before admitting the visitor into the survey. If the credentials are valid, and if the credentials have not already been used for that survey, then the visitor is let into the survey.

Illume supports both auto-authentication and manual authentication. For auto-authenticated surveys, participants access the survey through a unique URL sent via an email. That URL embeds their unique credentials, such that when the participant clicks the link, he/she is taken directly into the survey without ever needing to know or enter the credentials. Alternatively, surveys can be set up for manual authentication. For this type of survey, participants are taken to a login page wherein they must enter their unique credentials to enter the survey.

Illume also supports unauthenticated surveys.  For these types of surveys, no credentials are required for entry.
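The admission rule described above (validate the credential against the participant list, refuse a credential that has already been used, and for auto-authentication carry the credential in a unique URL) is illustrated by the following example. It is added here and is not Illume's own code; the participant list, the survey name, the URL shape, the choice of a user ID plus a generated secret as the credential, and the function names are all assumptions made for the example.

```python
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlencode, urlparse


@dataclass
class Participant:
    """One entry on the participant list (constructed for this example)."""
    user_id: str
    secret: str
    used: bool = False  # a credential admits exactly one visitor, once


@dataclass
class AuthenticatedSurvey:
    name: str
    participants: dict = field(default_factory=dict)

    def enroll(self, user_id):
        """Add a participant and generate the secret half of the credential."""
        token = secrets.token_urlsafe(24)
        self.participants[user_id] = Participant(user_id, token)
        return token

    def invitation_url(self, user_id, base="https://survey.example.org/take"):
        """Auto-authentication: the unique URL embeds the credential (hypothetical URL)."""
        p = self.participants[user_id]
        query = urlencode({"survey": self.name, "uid": p.user_id, "key": p.secret})
        return f"{base}?{query}"

    def admit(self, user_id, secret):
        """Manual authentication path: called with what the visitor typed on the login page.

        Returns (admitted, audit_reason). The reason is for the server log; the
        visitor should only ever see a generic 'invalid credentials' message so
        that the response does not reveal which participant IDs exist.
        """
        p = self.participants.get(user_id)
        if p is None:
            return False, "unknown participant"
        # Constant-time comparison; encode so a non-ASCII submission cannot raise.
        if not secrets.compare_digest(p.secret.encode(), secret.encode()):
            return False, "bad credential"
        if p.used:
            return False, "credential already used"
        p.used = True
        return True, "admitted"

    def admit_from_url(self, url):
        """Auto-authentication path: extract the credential from the clicked link."""
        q = parse_qs(urlparse(url).query)
        if q.get("survey", [None])[0] != self.name:
            return False, "wrong survey"
        return self.admit(q.get("uid", [""])[0], q.get("key", [""])[0])


if __name__ == "__main__":
    survey = AuthenticatedSurvey("Health Survey 2024")  # constructed name
    survey.enroll("p001")
    link = survey.invitation_url("p001")
    print(link)
    print(survey.admit_from_url(link))   # first click: admitted
    print(survey.admit_from_url(link))   # second click: credential already used
```

Both entry points end in the same `admit` check, so a credential that has already been consumed through the emailed link cannot be reused on the manual login page either.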

Encryption

As participants move from page to page in a survey, the data are automatically encrypted and sent to the server. Illume surveys hosted by DatStat use secure https connections with 128-bit encryption and signed SSL certificates. These settings are also the supported configuration for most customers hosting their own Illume servers. The signed SSL certificate enables the participant’s browser to verify the identity of the Illume server. The encrypted connection protects information exchanged between the participant’s browser and the Illume survey by making data unintelligible to any third party attempting to intercept the communication.

Every page the participant submits to the Illume server is encrypted, and every page the server sends to the participant’s browser is encrypted. Illume’s 128-bit encryption is the same encryption employed by online banking and other commercial web applications requiring the highest levels of security.

Survey Data

The only way to access submitted survey data is through the Data Manager. The Data Manager enforces user access restrictions defined by the system administrator, preventing users from gaining unauthorized access to data. Users must supply a valid login name and password. Valid users are further secured by role-based access and can see only those objects to which the Illume Administrator has granted them access.

Users can perform only those tasks (e.g., creating, modifying and deleting objects) that their roles allow. The Illume System Administrator manages users, roles, and project-level access. For example, one user may be able to create queries of survey results, whereas another user can only run queries created by other users.

The Illume system administrator can deactivate users at any time, or schedule their access privileges to expire on a specified date.

Survey Manager

The Survey Manager uses a secure https connection to communicate with the Illume server for checking surveys in and out, publishing surveys, browsing the repository, etc. The Illume Survey Manager application will not connect to an Illume server with an invalid SSL certificate. Once the connection is established, all communications are encrypted.

Web Services

The Illume SDK (Software Development Kit) communicates with the Illume server through Web Services. The connection between custom-built SDK components and the Illume server uses the secure https protocol, 128-bit encryption, and the Illume server’s signed SSL certificate. The Illume system administrator can set up special “non-interactive” user accounts for SDK software to use when connecting to Illume Web Services. Components created with the SDK must provide a valid user name to access Illume Web Services. The Illume system administrator can restrict the data to which an SDK application has access by narrowly defining the roles and object-privileges of each non-interactive user.

Web Applications

The DatStat Web Applications (Enterprise Manager, Data Manager, Data Change Module, Discovery) also use https, 128-bit encryption, and a signed SSL certificate.

HIPAA and Internal Review Board Regulations

For academic, medical, and scientific research projects, HIPAA regulations or the study’s Internal Review Board may mandate the separation of participant-submitted data from data that can identify a user. The separation of roles and privileges can help to ensure that members of the research team cannot connect individual responses to individual participants.

Best Practices

While Illume’s user authentication and encrypted communications prevent unauthorized users from seeing data, survey designers, Illume administrators, system/database administrators and SDK developers each play a role in maintaining security.

Survey Designers

  • If running an authenticated survey with a defined list of participants, be sure to review Configuring the Login Collection.
  • If the requirements include separating personally identifiable data from survey responses, don’t include questions that require personally identifiable data.

Administrators

  • Assign users only those roles required to complete their tasks. For example, both a Power User and a Participant Manager can view and update participant information. However, the Power User can also create surveys and query results. If a user should be managing participant lists only, they should be assigned the Participant Manager role. See User Administration Overview for more information.
  • Disable users who no longer need access to Illume. In addition to aiding security.
  • Set expiration dates on the Illume accounts for contractors and temporary workers.
  • Restrict the objects to which non-interactive users have access. For example, if the developers are creating SDK software to add special features to Survey X, create a non-interactive user that has access only to that survey.
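The role-based model described under Survey Data (roles decide which tasks a user may perform, object grants decide which surveys they may see, and accounts can be deactivated or given an expiration date) and the administrator practices just listed (Power User versus Participant Manager, expiring contractor accounts, a non-interactive SDK user confined to one survey) are worked through in the following example. It is added here and is not Illume's code; the permission strings, the Query Runner and Response Analyst roles, the survey names and every user account are assumptions made for the example.

```python
from datetime import date

# Constructed role catalogue. The page names the Power User and Participant
# Manager roles and what each may do; everything else here is an assumption.
ROLES = {
    "Power User": {"participant:view", "participant:update",
                   "survey:create", "query:create", "query:run"},
    "Participant Manager": {"participant:view", "participant:update"},
    "Query Runner": {"query:run"},                       # runs queries others built
    "Response Analyst": {"query:create", "query:run"},   # responses, never identities
}


class User:
    def __init__(self, name, roles, surveys, expires=None, interactive=True):
        self.name = name
        self.roles = set(roles)
        self.surveys = set(surveys)      # objects the administrator granted
        self.expires = date.fromisoformat(expires) if expires else None
        self.interactive = interactive   # False for SDK service accounts
        self.active = True


class AccessControl:
    def __init__(self, roles=ROLES):
        self.roles = roles
        self.users = {}

    def add_user(self, user):
        self.users[user.name] = user

    def deactivate(self, name):
        self.users[name].active = False

    def permissions(self, user):
        perms = set()
        for role in user.roles:
            perms |= self.roles.get(role, set())
        return perms

    def check(self, name, action, survey, today):
        """Return (allowed, reason); every denial is evaluated before any grant."""
        today = date.fromisoformat(today)
        user = self.users.get(name)
        if user is None or not user.active:
            return False, "account unknown or disabled"
        if user.expires is not None and today > user.expires:
            return False, "account expired"
        if survey not in user.surveys:
            return False, "no access to this survey"
        if action not in self.permissions(user):
            return False, "role does not allow this action"
        return True, "allowed"


def demo():
    """Exercise the administrator practices with constructed accounts."""
    ac = AccessControl()
    ac.add_user(User("alice", ["Power User"], ["Survey X", "Survey Y"]))
    ac.add_user(User("bob", ["Participant Manager"], ["Survey X"]))
    ac.add_user(User("carol", ["Query Runner"], ["Survey X"], expires="2024-06-30"))
    ac.add_user(User("sdk-survey-x", ["Response Analyst"], ["Survey X"], interactive=False))
    results = {
        "alice creates survey": ac.check("alice", "survey:create", "Survey X", "2024-07-01")[0],
        "bob creates survey": ac.check("bob", "survey:create", "Survey X", "2024-07-01")[0],
        "bob updates participants": ac.check("bob", "participant:update", "Survey X", "2024-07-01")[0],
        "carol before expiry": ac.check("carol", "query:run", "Survey X", "2024-06-30")[0],
        "carol after expiry": ac.check("carol", "query:run", "Survey X", "2024-07-01")[0],
        "sdk reads survey Y": ac.check("sdk-survey-x", "query:run", "Survey Y", "2024-07-01")[0],
        "sdk views participants": ac.check("sdk-survey-x", "participant:view", "Survey X", "2024-07-01")[0],
    }
    ac.deactivate("bob")
    results["bob after deactivation"] = ac.check("bob", "participant:view", "Survey X", "2024-07-01")[0]
    return results


if __name__ == "__main__":
    for label, allowed in demo().items():
        print(f"{label}: {'allowed' if allowed else 'denied'}")
```

The Response Analyst role is included to show the separation discussed under HIPAA and Internal Review Board Regulations: a role that can query responses but holds no participant-level privilege cannot connect answers to identities, whatever surveys it has been granted.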

System/Database Administrators

  • Restrict access to the SQL Server installation, or at least to the Illume database, to only those accounts requiring access.
  • Allow connections to SQL Server ports only to trusted hosts.
  • Back up data regularly.

  • Use an encrypted password in the Web.config file for the Illume Designer Service.