All communication with web services is encrypted end-to-end using HTTPS and is subject to user authentication. Non-HTTPS protocols are not allowed and all non-HTTPS ports are closed.
Communication goes through a WAF to ensure integrity, and protect against application level attacks.
Users are managed via a dedicated user management service that is in charge of user registration, authentication and access control.
Users can sign in to the service using phone number only, email address without phone number, or 2 factor authentication which includes password + text code confirmation. In addition, it is possible to register users using a 3rd party directory service such as Active Directory.
The registration and authentication includes the following main functions:
- Register users and assign different attributes to different users (define the user type and the specific
entitlements and permissions of the user)
- Manage registration flow – define how users should be authorized for registration (MFA, phone, email, etc.).
- Users are authenticated using asymmetric JWT tokens and if this method is chosen by the device manufacturer, two factor authentication is performed (the user will receive a text message with a corresponding code they will have to verify on top of the standard authentication process). It is also possible to authenticate using an external directory service such as Active Directory.
- Attribute-based access control (ABAC) for all system users, where access control is fine-grained to the attribute of the accessed resource.
- Any API call is checked for authorization to use according to the ABAC.
- Any API call that fails the authorization is rejected and logged.
- API authorization is done using JWT tokens.
- The system also provides OAuth 2.0 support allowing clients to access resources using the resource owner permissions and authorization.
The system uses a dedicated audit service that logs every action made by every user (human or machine). The audit service also logs every event generated by every microservice in the system. For every event/action an audit log entry is created with the action/event done, what changes were made, and which user/service generated the change.
In the future, the system will include a full WAF policy aimed to prevent attacks like:
- Slow loris – attacks aimed at depleting resources and creating denial of service scenarios.
- SQL injection attacks.
- User security posture check.
- OWASP top 10 vulnerabilities.
- Bot identification and blocking.
All Private APIs in the system are authorized using the user management service as indicated in User authentication, registration and access control above. API calls will not be allowed if they are made without proper authorization based on the permissions of the user that is trying to generate them. Such calls will be logged for audit.
The system only contains one API that is designated as public and does not require authorization to access and this is the API for sign-up. With the exception of this API, all APIs are private and require authorization to access.
Updated 4 months ago