Security feature is a broad feature which circle many component services. At a high level, security feature includes the following
User Authentication and Authorization
API Authentication and Authorization
Networks, Firewalls and Reverse proxy
Application and Database security.
Accessing external servers.
Unlike other services in BookAndPay application, security service is not a standalone service. Instead it encompasses few functions distributed over multiple services. To understand how security is implemented, lets take a step by step approach
First is user. Before a BookAndPay application can be used, one or more users needs to be registered or provisioned. Users need to be authenticated. The user authentication and authorization is done by user-management. Once the user is authenticated, users will be identified by a
token will be used by all API transactions. User authentication and authorization uses OAuth protocol.
Second step is API. Once the user is authenticated, the user might want to access some services such as Asset API (e.g create work orders) and make a booking for a asset/resource (e.g Booking API). The API request from the user is verified and validated by the API gateway. API gateway checks if the
token is valid.
In addition to User and API authentication/authorization, BookAndPay application is also protected at network level in few ways. Some of main ones are listed below
Traffic control: This includes ability to white or black list IPs or domains.
Rate control: This provides ability to control the number of requests which an API endpoint can receive for a particular period of time.
Reverse proxy: This provides the ability to host the BookAndPay application behind your secure firewalls but provide some public access. This is especially important for self-service.
Now that BookAndPay application is secure against unauthorized access, the next aspect of security is application and database security. Application and database security protects the system against malicious code or users. The technical details are beyond the scope of this document. When you deploy BookAndPay application, good recommended practices are used to protect the application and database.
The last step of security is how BookAndPay access external services / servers such as Google calendar or Stripe payment. BookAndPay application complies to the service provider methods and recommendations. For example, to access Google calendar, BookAndPay application uses OAuth based authentication/authorization.
BookAndPay application has been designed and built with “Security First” approach. The application is protected at various levels.
Though BookAndPay application is secure, there is a responsibility when you deploy and configure the application and network correctly. Some reasons why security is important why it needs to configured correctly
Prevent unauthorized access
Ability to scale the application up and down without affecting security.
Auditing and audit trails.
Security is implemented via multiple services. User management provides user level authentication and authorization. API gateway provides api level authentication and authorization. Additional security is provided by a reverse proxy.
Unlike other services, security is not a stand alone service, it needs to be configured at user level and api level. Most of the situation, default configuration may suffice. Details of how to configure API gateway and user management can be found in the configuration guide