Security

Tags:

Updated:

8 minute read

APPSeCONNECT platform accomplishes the integration of your most serious business information and business processes with the utmost security. The application maintains security at its core, which means any communication from any of our infrastructure always follow a centralized security system which encrypts data and uses protected plug for communication. The stringent data security ensures that all your data is secure at rest as well as in motion. We never expose data to a third-party vendor without consent, and you would be always informed about who are opening what part of data, thereby permitting you to do your business with ease without the second thought of security issue.

Application & Platform Security

APPSeCONNECT is a platform which does integration between two or more incongruent applications. The mechanisms that are involved to do the integration are APPSeCONNECT Web, APPSeCONNECT API and APPSeCONNECT Agent.

APPSeCONNECT Web gives you user interface to interact with the platform, which exposes your project through a web browser. We ensure every communication between you and the platform is communicated through an encrypted secure socket connection and data integrity is maintained.

  • The certificates used to encrypt the transport layer is encrypted using PKCS (or Public Key Cryptography Standard) SHA256 with RSA (which enhances security of the application).
  • The connectivity is forced to TLS 1.2 (this is presently the most secured transport layer security).
  • The web application is developed and safeguarded from XSS hacks using SQL Injection techniques.

APPSeCONNECT API layer provides all the security measures that are mentioned for web. Additionally, it ensures only valid systems can access data from the APIs. The licensing system of APPSeCONNECT, activates a machine or an IP address to the API, and only requests from a valid machine is accepted.

APPSeCONNECT Agent is a tool and is a background service which runs as per your configuration running on schedule, either automatically or manually, and syncing data between applications. This tool is either installed in your server or you can host it through our cloud portal to start executing the sync operation.

Data Security

On premise data communication via APPSeCONNECT Agent is required when you do not want to expose your application credentials to anyone, and you want all your transactions are isolated to your own network. In this case, the agent downloads all the configurations made in the platform which does the actual sync through APPSeCONNECT API and installs it on your system.

Our component always stores the data in encrypted format on your local machine ensuring highest security for the sensitive and transactional data. When the data is transferred to our data centers, all files and integration scans for automatic detection of viruses and malwares.

On-premise data communication can be of two types :

1. Communication between Application with APPSeCONNECT

Your network will communicate with application through APPSeCONNECT using standard protocol defined by the application vendor. E.g.: Magento 2.0 uses OAuth 2.0 as standard security protocol as data communication, here APPSeCONNECT leverages the same technique to communicate data inflow and outflow. Our component always stores the data in encrypted format on your local machine ensuring highest security for data transfer.

The encryption algorithm which is used to store the data on-premise is Triple DES algorithm with 168-bit private key. We do not move any transactional data to our APPSeCONNECT Cloud or any sensitive credentials to our system. We of course do occational backup, of your data for desaster recovery. In such a case, the entire encrypted data files are uploaded to a seaprate vault which is accessible from your agent. Hence, no security protocol is violated.

We noticied DES is soon going to be deprecated. We have plans to upgrade our encryption algorithm from DES to AES. We will update as soon as we release our securty patch.

2. Communication between APPSeCONNECT to APPSeCONNECT Cloud

The Agent can respond to any configurational changes and can retain that application configuration until the next change. Once installed and logged in to APPSeCONNECT Agent, it will automatically download all the configurations after update configuration, giving you the option to see all the activated processflows from the cloud. If there is any further configuration change after logging into Agent, user needs to Update Configuration again which is an Agent feature to manually update the Agent with current configuration changes.

The transactional databases are occasionally backed up in a location at an interval to ensure the data is safe from disaster and you can retrieve the last state back when needed.

Architecture of On-Premise Data Communication

aec-data-communication

No inbound firewall ports need to be open for the OP Agent to communicate with the data centre for both the applications (Source and Destination). The agent transfers data to and from the application in communication directly from the on-premise network. This means, APIs are called directly using an adapter built for that particular app.

It follows the standards defined by the application to push data and does not have any footprint on APPSeCONNECT cloud. This feature of APPSeCONNECT agent ensures security on your own network. For on-premise agent, we only transfer configurational data from our server, which itself does not hold any transactional or sensitive information. The AEC Engine after doing the necessary transformation passes the data through Storage (Encrypted API) and then to Application 2.

The AEC Engine always initiates the connection, the data centre never pushes data to the Agent. When the Agent initiates a connection, it uses SSL handshake to authenticate the data centre before transmitting data. All outbound communication is performed using the secured HTTP port 443. The Agent uses the digital certificate automatically created during APPSeCONNECT registration (see Password Encryption Security below).

AEC Engine communicates with AEC Storage and Microservices via API Layer which is 256 bits encrypted by a private security key of an organization.
Organization based private key is used to encrypt data on-premise at rest, such that the data becomes unreadable and unencryptable. The on premise agent uses Code Signing certificates to digitally sign the executables which guarantees the code is kept intact once generated. It uses SHA(Secured Hash Algorithm) 384 bit with RSA hash to sign our code. The code signing not only identifies the author of the code, but also defines that the code is unaltered by any malwares and they are safe to execute in the Operating systems.

Types of data storage in OP agent

  • Configuration of AEC Server.
  • Application Credential.
  • Application Data.
  • Transactional Configuration.

Cloud Data Communication

Data transferred from our cloud platform is also secured inside our server firewalls. The servers cannot be accessed from outside of our network and the firewall only allows communications from our public facing applications.

What is Cloud Agent

Cloud Agent is a tool that executes all the sync process in cloud. All the background services which runs as per the configuration done are executed in cloud. User is required to create and enable the cloud agent in the environment section of the portal for utilizing the functionality of the cloud agent. Cloud Agent works only for the cloud supported applications.

How Cloud Agent works with AEC

Cloud Agent interacts with AEC in a very secure way so that your data credibility remains intact and secure throughout your business transactions. AEC Engine interacts with the applications database and storage using IP Based Filtering and thereby the API interacts with AEC Portal via Firewall for high security mechanism.

aec-data-communication2

  • IP Based Filtering : It uses a strict filtering process where no one from outside world/ unauthorised parties can penetrate. It will be only accessed by our server components on cloud agent.
  • Microservice Engine : When the user (clients) requests any action in the portal, it triggers one or multiple microservices through an API Layer which is itself firewalled and follows IP Based Filters to fetch the data ensuring high security of your data from outside world/ unauthorised parties.
  • Secure Transactional Data Storage - The transactional data stored in data vaults are stored and accessed using secured communication layer. These data are exposed using a key which is accessible only through our application server.

Password Encryption Security

When an APPSeCONNECT user registers for an account, the platform generates a temporary password and sent to the registered email for activation. The password generated from our server is hashed and stored. The password is encrypted and stored for the account. Only the account owner can decrypt with the password needed to unlock the account. When an agent is deployed, we generate a license key using the credentials supplied to the agent. A key uniquely identifies a machine and is stored on the system for any communication,
Link to license management.

Password Encryption Security is categorised into two major sections :

  • Platform Security Password.
  • Application Security Password.

Platform Security Password : Required during Registration

(a) Password is stored in md5 hash.
(b) When user authenticates their own password, it is automatically converted to md5 hash (during registration) and stored in AEC Database. This format is irreversible to the actual password, hence providing users with full password security. Here only the user can decrypt with the password needed to unlock their password to access the account.
(c) If the user forgets password, they can do reset password to set new password.

Application Security Password : Required during Build and Deployment

(a) In every organization, we generate key which is used to encrypt data/credential for that organization. The credentials are stored in a vault which can be opened only by that key.
(b) We use triple DES cryptographic algorithm to encrypt your application credentials using the private key generated for the organization.
(c) The key size is of 168 bits (56 bits X 3).
(d) During application communication the AEC Agent internally uses the private key to decrypt the credentials.

Hostnames and URLs of APPSeCONNECT

In addtion to secured connectivity, APPSeCONNECT requires a number of URLS and Ports for deploying it on your environment for seamless connection between the agent and our cloud portal. Click to view the list of host URLs and ports.

See Also