How Our Tech Works
Security
Despite its unique collaboration capabilities, APIlation has an extremely robust security model with powerful features to restrict access to content based on domain, role (group), and/or user. APIlation also provides a combination of firewall infrastructure support, port mapping, content filtering, and a sophisticated security manager. Enhanced security features include multiple N-Factor authentication methods, secure communications channels, security policies, directory services support, and more – as detailed in the following sections.
Attack Prevention
APIlation provides comprehensive protection against cross-site scripting attacks. All aspects of the HTTP communication are tested by the proxy, including requests, headers, and body. Captured attacks display HTTP 500 responses and are detailed in the system log files for investigation. Updates to the output encoding scheme are also implemented to improve system efficiency and to eliminate cross-site scripting attacks. The default behavior is to deny requests that contain malicious characters if the page that initiated the request is not from the APIlation server.
Password Management Policies
The security of the system is enhanced by the ability to define password management policies for users’ passwords. The following types of policies can be instituted:
• Specifying a password lifetime, which forces users to change passwords
• Syntax policies, to avoid the use of predictable passwords
• Account lockout upon consecutive failed login attempts
When integration of third-party authentication tools (such as LDAP) is used for user management, APIlation will also cooperatively sync with any password policies in effect on the associated server.
Access Control List Rules
APIlation enables Administrators to create "allow" and "deny" rules that can be enforced at the global and/or Channel-specific level. For example, these rules can prevent users from accessing specific URLs.
SSL Communications Support
Communications between APIlation clients and the APIlation server can be secured using HTTPS (HTTP over SSL). This protects the communications streams as they pass through the public Internet. APIlation’s Tomcat web server provides the HTTPS support, and the configuration rules to enable this are delivered with the stock configuration files. The APIlation server can also communicate with external HTTPS web servers. This typically occurs within the web resource proxy (discussed below) and is dictated by the protocol field of the URL that the Proxy has been directed to retrieve.
Proxy Technology
A key component, and differentiator, of APIlation is its patented secure-proxy technology. APIlation’s bidirectional proxy technology provides protected access to fully interactive applications over public and private networks. It works by allowing access to specifically identified back-end web applications and content to authorized APIlation users. Of significant importance, APIlation’s web resource proxy does not require installation of additional software on the servers being proxied.
The APIlation system uses a web resource proxy approach to provide controlled access to fully interactive web applications. The web resource proxy approach allows the web browser to communicate entirely with the APIlation server for all interaction with the external web applications. Yet APIlation seamlessly handles all interaction as if the browser were communicating directly with the application. The APIlation solution provides a higher level of security, because end-users never directly connect to the back-end proxied servers.
Firewall Support
The APIlation web resource proxy provides users with a single access point - exactly one HTTP(S) port - to all integrated HTTP(S)-based applications. APIlation content retrieval allows all HTTP(S)-based content and applications to be accessed through a single socket connection within a network DMZ, network address translation (NAT), and firewall environment. The APIlation solution only requires a single firewall rule to allow access from the user’s browser to APIlation. The “typical portal” solution requires additional holes in the firewall between the user and each integrated application.
Protection of Private Networks and Application Assets
The protection and concealment of back-end applications and network assets are of critical concern to organizations that must provide application access to users and customers over a public network. APIlation allows multiple dynamic HTTP(S)-based applications to be integrated into the APIlation framework, concealed, and pushed through a DMZ environment for presentation to external users on a public network. The web resource proxy does not allow clients to directly connect to these resources. Additionally, external entities have no knowledge of applications’ addresses, port numbers or operational networks. The APIlation proxy provides an additional layer of protection between internal resources and external users.
Single Sign-On
Single Sign-On is a feature of APIlation where all of a user's credentials to multiple applications are securely stored by APIlation. This allows users to access and display information from back-end applications without having to manually log in to each of these applications. Once a user logs into APIlation, no other credentials are required from that user. Using APIlation’s pre-built PIMs, this capability is provided with no custom software development or modification to back-end applications.
An additional benefit of APIlation’s Single Sign-On is that a single account for a back-end application can be shared across an entire group of users if desired. This allows the application administrator to configure access options for many users through a single account and also limits the number of named user accounts that are needed in the application.
The APIlation Single Sign-On feature supports the integration of various security and authentication schemes presented by existing applications. This capability is implemented through a component called the Login Proxy Service (LPS) that handles all authentication interactions between the user and third-party services.
Single Sign-Out
When a user logs out of APIlation, Single Sign-Out automatically logs the user out of all integrated applications with open sessions. This provides additional security and performance by limiting the number of open sessions. It also can lower costs and eliminate lockouts by reducing the number of concurrent licenses that are needed for the integrated applications.
Authentication and Login Processing
APIlation provides a complete UI and embedded database for internally managing domains, users, and roles. However, some organizations already have one or more LDAP servers in place to manage this information. This enables the organization to store all user information and credentials in one centralized location. In this case, APIlation can simply map to the existing LDAP configuration and rely on LDAP for externally managing this information. Typical LDAP repositories supported by APIlation include Active Directory and OpenLDAP, but others are also supported.
Delegated user management with LDAP
APIlation provides a full toolset for mapping LDAP groups to APIlation roles, enforcing password policies, and keeping user credentials in sync between the LDAP server and APIlation.
External User Authentication
APIlation supports several common authentication tools that are already in use by many customers. This allows APIlation to rapidly integrate with existing login management infrastructure.
CAC/PKI
Common Access Card (CAC) is a two-factor authentication mechanism used by certain organizations, including the United States Department of Defense. This allows Single Sign-On integration with the desktop authentication via a Client Certificate, a feature of Public Key Infrastructure (PKI). Use of this module requires that the desktop operating system and web browser are configured with the necessary hardware and middleware to support the physical CAC token and associated protocols. This module can be adapted to other single- and two-factor authentication mechanisms that present a Client Certificate to web applications.
IP Address and Session Limiting
One of the validations that can be required before a session is established is to check the user’s source network address and only allow certain roles to be accessed from specified networks. The administrator is able to restrict the content available to that role to only users who are assigned that role and who are accessing the system from within a known and approved network. APIlation provides for several session-based constraints including:
1. Limiting the number of simultaneous active sessions for a specific set of users or Domains
2. Limiting initial sessions to a set time and/or defining the duration of extensions when users are actively using the system
3. Determining what action to take if a user attempts to start a new session when an existing session already exists: Block access, terminate previous sessions, or prompt user to terminate the active session or cancel the login request
4. Displaying a security statement to be acknowledged prior to login.
Data and Schema Level Security
APIlation's core database technology has both data level security (DLS) and schema level security (SLS) built into its native JSON functionality. It is not an afterthought or add-on like many other database security configurations. Going well beyond secure partitioning, the combination of DLS, SLS, and the many security features inherent to the patented secure-proxy UI, secure LZ, and single platform architecture, in addition to the AWS-based cloud security architecture, helps to make APIlation the most secure Analytics as a Service platform in existence. Unlike "stack" architectures, a single integrated platform has very few potential access points, all of which have been hardened and tested against our multi-layered security approach.


