
Implementing Bullet Proof Security for Cloud based Financial Applications

Cloud based applications, whether in the financial domain or otherwise, implement a logical separation between the user interface that is presented to the customer and the programs that fetch data from the database, perform computations and return a result set. The User Interface (UI) is usually built from graphical components, while the programs that perform the computations are built on a framework that exposes them as an API (Application Programming Interface). The coupling between the UI and the API is stateless: the UI sends a request and gets a response, and no connection persists between the two until the next request is made. This poses a challenge in implementing a sound security policy that covers both Authentication and Authorization, because the server cannot rely on a standing connection to tell it who is calling.

Why is it a challenge? The API server should know the following about every request that is made to it.

  1. Is the request originating from an authorized source?
  2. Is the request made by a person authorized to access the resource?
  3. How long should the server keep accepting requests from this source?

To ensure that browser-based clients can only call the API from pages served by an approved domain, the API should implement an effective CORS (Cross-Origin Resource Sharing) policy that lists the origins from which requests may be made. It is worth being precise about what CORS does: it tells the browser which origins are permitted to read the API's responses, so a page hosted on some other site cannot use a logged-in customer's browser to query the API. It is enforced by the browser, not by the server, so it does nothing against a non-browser client such as a script or a command-line tool. Authentication and rate limiting have to cover that case.
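An added example (not code from the original page or from the AB Suite) of the origin check behind such a policy. The allowlist, the origins and the header set are assumptions for illustration. It contrasts a naive prefix match, which accepts a look-alike domain, with an exact match on the normalised origin, and it never reflects an arbitrary origin or the literal `null` origin when credentials are allowed:

```python
from urllib.parse import urlsplit

# Constructed allowlist: the origins that host the UI components (assumed values).
ALLOWED_ORIGINS = {"https://ui.example-bank.com", "https://localhost:8443"}


def normalize_origin(origin):
    """Return 'scheme://host[:port]' with a lowercase host and default ports dropped,
    or None when the value is not a well-formed web origin (e.g. 'null', a path, userinfo)."""
    try:
        parts = urlsplit(origin)
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if parts.path or parts.query or parts.fragment or parts.username is not None:
        return None
    default_port = 443 if parts.scheme == "https" else 80
    host = parts.hostname.lower()
    if port is None or port == default_port:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def naive_is_allowed(origin, allowed=ALLOWED_ORIGINS):
    """The weak check: a prefix match lets https://ui.example-bank.com.attacker.net through."""
    return any(origin.startswith(a) for a in allowed)


def is_allowed_origin(origin, allowed=ALLOWED_ORIGINS):
    """The strict check: exact match after normalisation, nothing else."""
    normalized = normalize_origin(origin)
    return normalized is not None and normalized in {normalize_origin(a) for a in allowed}


def cors_headers(request_origin, allowed=ALLOWED_ORIGINS):
    """Return the CORS response headers for a request, or {} when the origin is not allowed.
    With {} the browser refuses to hand the response to the calling page."""
    if request_origin is None:
        return {}  # same-origin request or a non-browser client: CORS does not apply
    if not is_allowed_origin(request_origin, allowed):
        return {}
    return {
        # Echo the normalised allowlisted origin, never '*' together with credentials.
        "Access-Control-Allow-Origin": normalize_origin(request_origin),
        "Access-Control-Allow-Credentials": "true",
        "Access-Control-Allow-Methods": "GET, POST",
        "Access-Control-Allow-Headers": "Authorization, Content-Type",
        # Responses differ per origin, so shared caches must key on the Origin header.
        "Vary": "Origin",
    }


if __name__ == "__main__":
    for origin in ("https://ui.example-bank.com", "https://ui.example-bank.com.attacker.net", "null"):
        print(origin, "->", cors_headers(origin) or "denied")
```

The `Vary: Origin` header matters once more than one origin is allowed, otherwise a cache could serve one origin's `Access-Control-Allow-Origin` value to another.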

To ensure that only authorized persons can access a resource, the API should implement a sound authentication policy in which the user provides credentials that are transmitted securely for the server to validate before access is granted. The API should also ensure that its various URL routes cannot be reached directly, bypassing that check: for example, a person must not be able to call /api/repaymentschedule by typing its URL without credentials just because /api/emicalculator happens to enforce the check. Every route must run the same check, not only the ones the UI links to.

It is also important that the API implements a mechanism to prevent the same source from making a large number of requests in a short time. This is essential to stop one source from overwhelming the API server and also helps in limiting denial-of-service attacks (a distributed attack from many sources needs defences at the network edge as well, since a per-source limit alone will not stop it).

The AB Suite implements a CORS policy that allows requests to be made only from the same machine or from an authorized domain, which is mapped to the server IP on which the UI components are hosted.

User authentication in the AB Suite is in two stages. The user submits their username and password, which is validated against the hashed password stored in the database (passwords are stored as salted hashes, never in a recoverable form). We support several hashing mechanisms, and the AB Suite chooses one based on the processing cost of computing the hash. Once the password check succeeds, the calling program receives a JSON Web Token (JWT) protected by a 256-bit key. This token allows the calling program (the UI, in our case) to access all the APIs without providing the username and password again. The JWT has a Time To Live (TTL) of 60 minutes. Once the TTL elapses the token is invalid (the token is also invalidated when the user logs out, which requires the server to keep a record of revoked tokens, since a token's TTL cannot be shortened after it has been issued). Any attempt to access an API resource with an invalid token returns a 401 Unauthorized error, and the calling program has to reauthenticate to obtain a new token.
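An added, self-contained example (not the AB Suite's code) of the two-stage scheme described above and of the uniform route protection discussed earlier: a salted, cost-tuned password hash (PBKDF2-SHA256 here, with an assumed iteration count), an HS256 JWT with a 60-minute `exp` claim signed with a 256-bit key, a server-side revocation set for logout, and a dispatcher that applies the same token check to every `/api/*` route. The user `alice`, the key and the route names are constructed for the example:

```python
import base64
import hashlib
import hmac
import json
import os
import secrets
import time

TOKEN_TTL = 60 * 60                    # 60-minute TTL, as on the page
SIGNING_KEY = secrets.token_bytes(32)  # 256-bit HMAC key; in practice a per-deployment secret
PBKDF2_ITERATIONS = 100_000            # hashing cost; assumed value, tuned to the CPU budget
PROTECTED_PREFIX = "/api/"             # every route under this prefix requires a valid token


# --- stage 1: password check against a salted, slow hash (never reversible encryption) ---
def hash_password(password, iterations=PBKDF2_ITERATIONS):
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    _, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)  # constant-time comparison


# --- stage 2: HS256 JWT with an exp claim, plus server-side revocation on logout ---
def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(username, now=None):
    now = int(time.time() if now is None else now)
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": username, "iat": now, "exp": now + TOKEN_TTL, "jti": secrets.token_hex(8)}
    signing_input = ".".join(_b64url(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims))
    signature = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(signature)}"


REVOKED_JTIS = set()  # tokens invalidated by logout; a JWT cannot be recalled without server-side state


def verify_token(token, now=None):
    """Return the claims if the token is genuine, unexpired and not revoked, else None."""
    now = int(time.time() if now is None else now)
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        if header.get("alg") != "HS256":  # pin the algorithm; never honour 'alg' from the token
            return None
        expected = hmac.new(SIGNING_KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        claims = json.loads(_b64url_decode(p))
        if claims.get("exp", 0) <= now or claims.get("jti") in REVOKED_JTIS:
            return None
        return claims
    except (ValueError, TypeError, AttributeError):
        return None  # malformed token: wrong part count, bad base64, bad JSON or odd types


def logout(token, now=None):
    claims = verify_token(token, now)
    if claims:
        REVOKED_JTIS.add(claims["jti"])


# --- constructed user store and a minimal dispatcher ---
USERS = {"alice": hash_password("correct horse battery staple"),  # constructed sample users
         "bob": hash_password("hunter2-but-longer")}


def login(username, password, now=None):
    stored = USERS.get(username)
    if stored is None or not verify_password(password, stored):
        return 401, None
    return 200, issue_token(username, now)


def handle(path, headers, now=None):
    """Every /api/* route runs the same token check; no route is reachable by URL alone."""
    if not path.startswith(PROTECTED_PREFIX):
        return 404, "Not Found"
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    claims = verify_token(token, now) if scheme == "Bearer" else None
    if claims is None:
        return 401, "Unauthorized"
    return 200, f"{path} served for {claims['sub']}"


if __name__ == "__main__":
    status, tok = login("alice", "correct horse battery staple")
    print(status, handle("/api/emicalculator", {"Authorization": f"Bearer {tok}"}))
    print(handle("/api/repaymentschedule", {}))  # no token: 401 regardless of the route
```

The `jti` claim is what makes logout possible: the server keeps the identifiers of revoked tokens at least until their `exp` has passed, after which they can be dropped because the expiry check rejects them anyway.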

Sometimes UI developers will attempt to generate a new token for every request in order to sidestep the TTL. Such a pattern can overwhelm the API server, since every login repeats the deliberately costly password check. The AB Suite has a rate limiting mechanism that allows a calling program to make a certain number of requests, after which any further requests are denied until the end of a cooling period.
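An added example (not the AB Suite's implementation) of the limiter just described: a per-source fixed window with a cooling period during which every request is refused. The limit, window and cool-down values are assumptions; the key choice, subject for authenticated calls and client IP for the login route, is one practical way to stop the token-per-request pattern from hammering the login endpoint:

```python
import time


class RateLimiter:
    """Per-source fixed-window limiter with a cooling period.
    Assumed defaults: 100 requests per 60 s window, then a 300 s cool-down."""

    def __init__(self, limit=100, window=60, cooldown=300):
        self.limit, self.window, self.cooldown = limit, window, cooldown
        self.counts = {}         # source -> (window_start, count)
        self.blocked_until = {}  # source -> time at which the cool-down ends

    def allow(self, source, now=None):
        now = time.time() if now is None else now
        until = self.blocked_until.get(source)
        if until is not None:
            if now < until:
                return False           # still cooling: deny without touching the counter
            del self.blocked_until[source]
            self.counts.pop(source, None)
        start, count = self.counts.get(source, (now, 0))
        if now - start >= self.window:
            start, count = now, 0      # new window
        count += 1
        self.counts[source] = (start, count)
        if count > self.limit:
            self.blocked_until[source] = now + self.cooldown
            return False
        return True

    def retry_after(self, source, now=None):
        """Seconds until the source may try again; 0 when it is not blocked."""
        now = time.time() if now is None else now
        return max(0, int(self.blocked_until.get(source, now) - now))


def source_key(client_ip, claims=None):
    """Key authenticated requests by user, unauthenticated ones (e.g. login) by client IP.
    client_ip must be the address the server saw, not an unverified X-Forwarded-For value."""
    return f"user:{claims['sub']}" if claims else f"ip:{client_ip}"


def guarded(limiter, client_ip, claims=None, now=None):
    """Return the HTTP status and headers a front controller would emit before routing."""
    key = source_key(client_ip, claims)
    if limiter.allow(key, now):
        return 200, {}
    return 429, {"Retry-After": str(limiter.retry_after(key, now))}


if __name__ == "__main__":
    login_limiter = RateLimiter(limit=5, window=60, cooldown=300)
    for i in range(7):  # a UI re-logging in on every request, constructed traffic
        print(i, guarded(login_limiter, "203.0.113.7", now=i))
```

Returning 429 with `Retry-After` lets a well-behaved client back off instead of retrying immediately, which would only extend its own cool-down.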

We combine all of these features and run them over HTTPS, which provides the required Transport Layer Security so that credentials and tokens are never sent in the clear. Would you like to see a demonstration of the Bullet Proof Security? Reach out to us.

About

We are a technology firm that serves Banks, Financial Institutions and new age Fintech Companies. Our philosophy is to develop products that are cost-effective so that our clients derive value by using them. For the last 11 years we have done so by embracing Cloud Technologies and developing unique capabilities like DevOps, Performance Tuning, Service Oriented Architectures that allow us to offer a Value Proposition that is unmatched in the industry today.