Security is one of the most important topics SaaS owners need to worry about. With cyber-attacks happening on all sides, we constantly see reports of data leaks, denial of service, and even cyber extortion. In this article, we focus on the application layer of security and describe the security mechanisms of the StormHub Engine and its components.
The main entry point to any web or mobile solution is user authentication. It is one of the most basic functionalities every solution needs: users gain access to the application by providing certain authentication parameters, in most cases a username and password.
You can’t talk about security without mentioning passwords. A password is the most straightforward security measure: it grants access to a system only to those who know the combination of the user’s email and the user’s password. In our Engine, we require users to configure passwords that meet certain complexity requirements, so that they are not easy to guess and brute-forcing different combinations until the password matches becomes impractical.
Once a user has authenticated to the system, we send a notification email to make the user aware of the login. If all the other security mechanisms are somehow bypassed by an attacker, you will know about it and be able to take action before further damage is done.
Besides authentication, which checks who the user is and whether the user has access to the system at all, there also needs to be an authorization check that makes sure the operation or action the user is performing is one they are allowed to take. In previous articles, we already described the multi-tier privilege system of the StormHub Engine. An important point is that in the Engine every user action must pass the authorization process, and the operation is executed only if the user has the proper access rights in the system.
Many will agree that today, protection with only a password is no protection at all. You need something beyond it to be sure nobody has stolen or guessed your password. That protection comes in the form of a secondary authentication mechanism. In the StormHub Engine, multi-factor authentication is enabled by default for all users using a code sent by email. It is also possible to customize this and enable other multi-factor options, such as authentication over SMS or with third-party applications like Google Authenticator.
Password complexity, or even multi-factor authentication, doesn’t stop malicious actors from trying to brute-force passwords or multi-factor codes by simply testing all possible combinations. This is where rate limits come into play: they trigger automated timeouts that disable login attempts for a certain time. Any automated testing of password combinations thus becomes very slow and unprofitable work for the attacker.
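As an added illustration of this lockout approach (my own example, not StormHub Engine code), here is a small per-account login rate limiter in Python. The thresholds, the escalating timeout rule and the injectable clock are assumptions chosen for the example:

```python
import time
from dataclasses import dataclass

@dataclass
class AttemptState:
    failures: int = 0           # failed attempts in the current window
    first_failure: float = 0.0  # when the current window opened
    locked_until: float = 0.0   # logins for this key are refused until then
    lockouts: int = 0           # consecutive lockouts; drives the escalation

class LoginRateLimiter:
    """Failed-login limiter keyed by username or client address: max_failures
    inside window_s locks the key out, each further lockout doubles the timeout
    (capped at max_lockout_s), and a successful login clears the record."""

    def __init__(self, max_failures=5, base_lockout_s=60.0, max_lockout_s=3600.0,
                 window_s=900.0, clock=time.time):   # clock is injectable for tests
        self.max_failures, self.window_s = max_failures, window_s
        self.base_lockout_s, self.max_lockout_s = base_lockout_s, max_lockout_s
        self.clock, self.states = clock, {}

    def retry_after(self, key):
        """Seconds the key must still wait; 0.0 when it may attempt a login."""
        st = self.states.get(key)
        return 0.0 if st is None else max(0.0, st.locked_until - self.clock())

    def record_failure(self, key):
        """Count a failed attempt; returns the lockout it triggered (0.0 if none)."""
        now = self.clock()
        st = self.states.setdefault(key, AttemptState())
        if st.failures == 0 or now - st.first_failure > self.window_s:
            st.failures, st.first_failure = 0, now      # open a fresh window
        st.failures += 1
        if st.failures < self.max_failures:
            return 0.0
        st.lockouts += 1
        lock = min(self.base_lockout_s * 2 ** (st.lockouts - 1), self.max_lockout_s)
        st.locked_until, st.failures = now + lock, 0    # count again after the timeout
        return float(lock)

    def attempt(self, key, verify):
        """Gate a login: refuse while locked without calling verify() at all
        (no password hash is computed for a locked key), else consult it."""
        wait = self.retry_after(key)
        if wait > 0:
            return False, wait
        if verify():
            self.states.pop(key, None)                  # legitimate login clears the record
            return True, 0.0
        return False, self.record_failure(key)
```

In a real deployment the limiter state would live in shared storage (so all application instances see the same counters) and every lockout would be logged, since a burst of lockouts across many accounts is itself a signal worth alerting on.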
In terms of security, it’s important to understand that the application level is only one part of the puzzle. In this article, we focused on the basic mechanisms implemented in the Engine, which form the first line of defense against malicious attempts to get access to the system. The other part is security at the platform level, which we will cover in another article.
In the meantime, don’t share your passwords, use auto-generated ones from dedicated tools, and enable multi-factor authentication wherever possible. Stay vigilant, stay safe!