Hello All,

The DSpace instance I am working on will be used to facilitate data sharing of very sensitive information, for example, identifiable health-related information. Hence, there is a need to make it a very secure application. I am in the process of obtaining information on what needs to be done in order to make it secure: server configurations, application configuration, database security, etc.

Currently, I have set up the application on one server and the database on another. Upon reading the DSpace documentation, however, I figured that the assetstore directory contains the uploaded data.

1. Any ideas on how I can secure this directory? Is it possible to retrieve the item if the directory gets compromised or does the database have some key which is required to retrieve the item?

2. Does it make more sense to move the assetstore directory to a secure location? If yes, how can I go about doing this? Since the database will have login credentials for all registered users, and the fact that registered users have access to the protected information, should I consider keeping the assetstore directory and database separated from where the application resides?

3. Any configuration settings on Apache httpd and Tomcat other than making DSpace run on HTTPS?

4. How can I perform an audit on the system? For example, get a list of users who downloaded a particular item.

I would greatly appreciate any help and insights into making the DSpace application a very secure one. I would also be more than happy to document all the steps (once I have it all figured out and tried and tested) for the benefit of anyone interested.