Data security mechanisms

Unified system of authentication and authorization

The Unified Authentication and Authorization System is a key component of data protection that provides secure access to system resources. It allows you to manage users, their permissions and access to data at the system-wide level.

Reminder:

• Authentication is the process of verifying the authenticity of a user (e.g., using a username and password).
• Authorization is the process of verifying a user’s permissions to perform certain actions (e.g., access data or system functions).

A unified authentication and authorization system provides the following benefits:

• Centralized management: Simplifies the management of users and their permissions.
• Security: Protects data from unauthorized access.
• Consistency: All applications and systems use the same authentication and authorization mechanism.
• Scalability: Easily add new applications and users.

System Components

Authentication

• Login and Password: The traditional method of authentication. Initially, when logging in, the user must identify themselves with a username and password.
• Multifactor Authentication (MFA): The use of multiple factors (e.g., a dynamically updated program token for the WEB API).

Token-based authentication simplifies the process for established users. To get started, the user sends a request to the server with a username and password. The server then validates them based on the values registered in its identity database. If the identities are confirmed, the server returns an authentication token (which is also stored in the database).

When the same user later sends requests for access to protected resources, these requests can be authorized using an authentication token instead of a username and password. The server checks the token against the token registered in the database and grants access.

Authorization

• Roles and Permissions: Users are assigned roles (e.g., access administrator, user) that define their permissions.
• ACL (Access Control Lists): Access control lists that define who has access to what resources.
• RBAC (Role-Based Access Control): Role-Based Access Control.
• ABAC (Attribute-Based Access Control): Attribute-based access control (e.g., time of day, location).

User Data Storage

• User Database: Storing information about users, their roles and permissions in a single database.

Security

• Encryption: Protects data during transmission and storage.
• Access Tokens: Using dynamically updated software tokens for session management.
• Auditing: Logging of all user actions for later analysis.

System Implementation

The user enters a login and password, the system validates them and returns an access token. The user’s e-mail address is used as the login.

Example of a request in Curl format:

1
2
3
4

curl -i --header "Content-Type: application/json" \
--request POST \
--data '{"email":"api@local.net","password":"Str0ngPas$"}'\
https://server123/api/v1/auth/sign_in

In response, we will receive the following message:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14

HTTP/1.1 200 OK
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block X-Content-Type-Options: nosniff X-Download-Options: noopen X-Permitted-Cross-Domain-Policies: none Referrer-Policy: strict-origin-when-cross-origin Content-Type: application/json; charset=utf-8 access-token: tgervk9_9xicJYpmSsnnNA
token-type: Bearer
client: D-Uv3ER53873olhnNLjL9w
expiry: 1615227012
uid: api@local.net
ETag: W/"5b9bcc76f7223b72b79d9f2d31ff0fd5"
Cache-Control: max-age=0, private, must-revalidate
X-Request-Id: c18e06b4-e5bd-40b5-875d-7ac958e2fbb5
X-Runtime: 0.391069
Transfer-Encoding: chunked
{"data":{"id":6,"email":"api@local.
net","provider":"email","uid":"api@local.net","name":"API user"}}

In this response, we are interested in the access_token parameter. The value of this header is used as the password for each request. The value changes with each request.

Here is an example of a request using the token from the previous response:

1
2
3
4
5
6
7
8

curl -i --header "access-token: tgervk9_9xicJYpmSsnnNA" \
--header "token-type: Bearer" \
--header "client: D-Uv3ER53873olhnNLjL9w" \
--header "uid: api@local.net" \
--request GET \
--header "Content-Type: application/json" \
--data '{"page":"2"}' \
https://server123/api/v1/stations

In response, we will receive the following message:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25

HTTP/1.1 200 OK
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
Referrer-Policy: strict-origin-when-cross-origin
Content-Type: application/json; charset=utf-8
access-token: Bmh2GVrxr6aW0Hngor4gPw
token-type: Bearer
client: D-Uv3ER53873olhnNLjL9w
expiry: 1615311367
uid: api@local.net
ETag: W/"ba0df406b647bd92f0bf3a18916714c1"
Cache-Control: max-age=0, private, must-revalidate
X-Request-Id: 35a26441-ae78-48fa-8b2e-e92d2605133b
X-Runtime: 0.167748
Transfer-Encoding: chunked
{"data": [
{"id":1,"name":"865293041101853","equipment_brand_name":"Корректор
БК","phone":"","equipment_id":1},...
],
"total_pages":7,
"current_page":2
}

To terminate, you can use the SignOut procedure, or save the necessary headers from the last request and if the token lifetime has not expired, use them next time. Remember, without terminating the session, the last token will be valid for some time, depending on the system settings of the server.

Advantages of the system

A unified authentication and authorization system is a powerful tool for data protection and access control. It provides the following benefits:

• Centralized management: Simplifies the management of users and their permissions.
• Security: Protects data from unauthorized access.
• Consistency: All applications and systems use the same authentication and authorization mechanism.
• Scalability: Easily add new applications and users.

Data Encryption

In order to protect critical information, the system uses encryption (the process of converting information into a form that cannot be read without the appropriate key) and hashing (converting data into a unique fixed length string - hash) of data. This is one of the key data protection mechanisms that ensures confidentiality, integrity and security of information both during storage and transmission.

The system uses various data encryption and hashing algorithms.

Application of encryption in the system

Storage Encryption

• Databases: Encrypting individual database fields.
• Files: Encrypting files before saving them to disk.

Encrypting data in transit

• HTTPS: Using SSL/TLS to encrypt data during network transmission.
• VPN: Creating a secure tunnel for data transmission.

Password Encryption

Storing password hashes instead of passwords.

Examples of data encryption/decryption

Let’s look at examples of data encryption/decryption of system configuration files:

Data encryption

1
2
3
4

mkdir_p(encrypted_dir_path)
encrypted = Rails.application.encrypted(encrypted_file_path, key_path: 'config/system.key')
encrypted.write(File.read(decrypted_file_path))
File.delete(decrypted_file_path)

Data interpretation

1
2
3
4

mkdir_p(decrypted_dir_path)
File.write(decrypted_file_path, 
  Rails.application.encrypted(encrypted_file_path, key_path: 'config/system.key').read
)

Benefits of data encryption

• Confidentiality: Protecting data from unauthorized access.
• Celestity: Ensuring that data has not been altered.
• Authenticity: Confirming the source of the data.
• Compliance Requirements: Meeting regulatory requirements.

Audit and Monitoring

A number of subsystems have been developed and connected to monitor user and system activity, identify suspicious activity, and ensure compliance with security requirements.

To this end:

• The system is organized to collect, analyze, and store information about user and system activities to ensure accountability and compliance.
• Organized continuous real-time monitoring of the system and equipment to identify and respond to incidents.

Objectives

• Accountability: Ensuring that all user and system activities are recorded.
• Security: Detecting and preventing unauthorized activities.
• Problem Detection: Identify hardware problems and anomalies and take action to correct them.
• Performance Optimization: Analyze system performance and find bottlenecks that require optimization.
• Prediction and Planning: Collect data to forecast future workloads and plan resources.
• Compliance: Ensuring compliance with regulatory requirements.
• Incident Analysis: Ability to analyze incidents that have occurred and prevent future incidents.

Audit and Monitoring Components

Data Collection

• Logs: Records of user and system actions at all levels.
• Metrics: System performance data (e.g., CPU utilization, memory usage).

Data Storage

• Log Storage: Collecting data from various sources, organized distributed storage of logs and metrics by topic area .
• Log Rotation: Automatic deletion of old logs to save space.

Data Analysis

• Search & Filter: Ability to search and filter logs by various criteria.
• Analytics: Use of data analysis tools (e.g. Zabbix).

Alerts

• Alerts: Sending notifications about suspicious activity, emergencies (e.g. email, Telegram chat).
• Automatic Actions: Automatically responding to incidents (e.g., blocking a user).

Example implementation

Logging

Using a library for logging in the application.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22

# Logs all changes to models
gem "audited"

# Logging settings
Audited.config do |config|
    config.audit_class = CustomAudit
end

class CustomAudit < Audited::Audit
  default_scope { order(created_at: :desc) }

  ACTION_NAME = { 'Create' => 'create',
                  'Update' => 'update',
                  'Destroy' => 'destroy' }.freeze

end

# Metering device
class Equipment < ApplicationRecord
  audited except: [:password]
	...
end

Collection of errors in data from meters

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17

# data model for error collection
class ErrorLog < ApplicationRecord
    enum message: { invalid_equipment_serial_number: 0,
                  invalid_equipment_software_version: 1,
                  ...
                  }
    belongs_to :loggable, polymorphic: true
    belongs_to :loggable_equipment, class_name: 'Equipment', foreign_key: :loggable_id, optional: true
    validates :loggable_type, :loggable_id, :message, presence: true
end


# Event log
unless valid_value?(serial_number)
	message_params = {equipment: equipment, new_serial_number: serial_number}
	message2logger(loggable_obj: equipment, message: :invalid_equipment_serial_number, params: message_params)
end

Log Storage

Using centralized storage for logs.

Table audits.

This table stores data logging information.

Table error_logs.

This table stores information about errors in the data coming from the meters.

Log Analysis

Tools used to analyze logs:

• Setting up Web Forms for visualizing and analyzing logs.
• Creating dashboards to monitor user activity.

Alerts

Customized alerts for suspicious activity:

• Configuring alerts in Zabbix to monitor metrics.
• Sending notifications via email or Telegram chat for alarm events.

Benefits of auditing and monitoring

Auditing and monitoring are powerful data protection tools that allow you to track user and system activity, identify suspicious activity, and ensure security compliance. They allow you to:

• Ensure data accountability and security.
• Identify and prevent incidents.
• Meet regulatory requirements.