The attack surface has increased dramatically over the last years as we have started to publish our services online. Software today must address identity and authentication, access control (authorization), confidentiality, and integrity at every level to minimize the risk and damage that a security breach could cause.

We can help you to develop your digital services using these cornerstones:

Identity and access control

Identity is one of the core elements in a secure solution, maybe even the most critical component. If you do not know who is requesting your data, it is impossible to apply access control.

We can help you set up identity and authorization for your needs.

  • Authenticators
    An authenticator is the means used to confirm a user’s identity, that is, to perform digital authentication. Social media logins, BankID, and fingerprints are common ways to authenticate, but new techniques emerge that the solution needs to support.
  • Authorization service
    The authorization service produces a token that contains the user’s identity and the information needed to perform access control (authorization). Think of the token as a ticket that gives you access to APIs, data, and services: the ticket controller validates the information on the ticket (authorization) before you are allowed to pass.
  • User management
    The authentication server needs to verify and access data related to the authenticated identity. Today’s online services are often complex combinations of several underlying systems, frequently silos. User management can be seen as a kind of user broker, for example using SCIM, to sync users across these silo systems.

If you require any further information, feel free to contact us.

API management & integration 

APIs are the digital interfaces of your business, both internally and externally. The API Manager becomes the central point that provides the APIs with documentation, measurements, and a line of defence.

We can help you design APIs and set up an API Manager to authenticate and authorize users and act as the first line of defence for your services.

  • API Manager
    API management is the process of creating and publishing APIs, controlling access, collecting and analysing usage statistics, and reporting on performance.
  • Tokens
    The API Manager trusts and evaluates tokens issued by your token server to decide whether a call should be let through.
  • Developer portal
    A collaboration platform where developers can access and test your APIs and find the API documentation.
  • Integration
    We can all agree that customer-facing “public” APIs have to be secure, but let’s not forget the “internal” integration endpoints that may be publicly reachable and become potential data leaks. The integration layer can also be used to secure data from legacy systems that do not support modern authorization technologies.

If you require any further information, feel free to contact us.

Secure Software development 

Agile software development and DevOps are widely adopted methodologies for developing software, optimized for a focus on functionality and short time to market. Unfortunately, security has not been a core concern of these methodologies. As a result, developers have little or no guidance on how to develop secure software, and security is left to the very end of the project, when time and cost constraints are at their maximum and short-cuts in the security implementation are far too common.

We can provide developers with a reliable security architecture consisting of best practices and reusable, well-designed software security components that allow the team to keep focusing on customer value and time to market while still delivering secure software.

  • Think security in all phases
    Security should be considered from beginning to end, through design, implementation and operations.
  • Understand your service
    It’s not until you understand your service end to end that you have enough information to set the correct level of security. Who is the audience? How sensitive is the data? What level of access control do we need?
  • Use standards, guidelines and proven technology
    Build your service using best practices and rely on proven technology; incorrect implementation or use of open source components may itself become a security threat. Provide implementation guidelines and strategies for how to choose third-party components and technologies.
  • DevSecOps
    DevSecOps routines with configuration management secure the life cycle management of the software and its surrounding environments.

If you require any further information, feel free to contact us.

Regulations 

It’s important to identify, as early as possible, any regulations such as GDPR or PSD2 that could affect the service. If there are regulations to comply with, the rules must be enforced in the right place at the right time. That minimizes the risk of data leakage and ensures the rules cannot be bypassed.

We can help you analyze and classify data so that you can take appropriate actions to comply with regulations. We can also help you implement the controls according to best practices and prepare the service for future changes.

Example use cases 

Banking 

We have helped several banks to secure their APIs to comply with Payment Service Directive (PSD2) regulations. Banks are under constant pressure to comply with new regulations, especially in the EU. For example, the latest Revised Directive on Payment Services (PSD2) aims, among other things, to force banks to open up APIs that enable third-party actors to build new applications around the financial institution. These APIs must use Strong Customer Authentication to comply with the PSD2 directive from the European Payments Council.

Power and Utility

We built a layer of identity and access control in a customer-facing digital service to provide smooth login while protecting user data. The service made previously unavailable data available via an API Manager to support new customer-centric services including real-time energy consumption/outage information.

Telemarketing 

We helped a company with the architecture to repackage existing services so that they could be reused for online services. They had to secure and harden internal services to make them publicly available for self-service portals, enabling the customer to give their end-users access to data and APIs. We provided insights and knowledge on how to organize the Identity and Access Management (IAM) team and which tools to use to provide fine-grained security.

Johannes Svensson

Phone: +46 40 643 07 73
johannes.svensson(at)dataductus.se