Integration Security Architecture
This page highlights the measures available within the Integration Hub that ensure the secure exchange of data between applications. The Hub provides firewall, encryption, authentication, and authorization services for APIs, asynchronous messaging, and file exchange. While all applications must continue to include these services at the local level as required, these central services make sure that integrations between applications can handle the most privileged campus data with a minimum of effort by developers on either end.
The firewall examines characteristics of each network packet (such as source address and destination port) and compares these to a set of predefined rules that determine whether the packet is to be forwarded or dropped. Typical rules restrict network access to localhost or to a list of specific IP addresses.
Transport Layer Security (TLS) uses certificates and their corresponding private keys to verify the sender and recipient of network traffic and to encrypt the data flowing between them.
All integrations must limit access to verifiably identified applications. This identity is represented by a public ID and authenticated through the use of a corresponding private key. These two form a credential pair for the application.
Credential pairs are managed, and authentication enforced, as part of the API Management layer accessed through API Central. API Central account holders can generate any number of secure credential pairs to associate with the applications they support. For access to a restricted API, the account owner must describe her application when creating the credential pair, and API Central presents this description to the data steward for a decision on whether the application may use the API at all.
For Message Queues
The Integration Hub’s message broker authenticates credential pairs passed by publishers and subscribers using Java Authentication and Authorization Service (JAAS) in conjunction with a dedicated LDAP server.
For File Exchanges
Berkeley IST’s Production Control Shared Service Center (PCSSC) services include Managed File Transfer (MFT), which provides a scheduled and encrypted transfer service. File-based integrations will rely on this service for security in transit between applications and the Integration Hub. The Hub’s local file system authenticates MFT read/write access to specific files and directories using a predetermined credential pair. Applications must likewise authenticate MFT.
The process of authorizing access to particular data records and elements (fine-grained authorization) relies on an authenticated application identity as a basis for enforcing access policies. Also required is some resource for associating roles and attributes with that identity so policies can be defined more generally (e.g., “only advising applications can access case management data,” or “an academic department application can only access its own course offerings”). Finally, policy enforcement must act to limit the data passed to the allowed records and elements.
While we have yet to determine the implementation for this layer (vendor-provided, custom-developed, and SIS-specific solutions are all under consideration), its functionality is set. Fine-grained authorization will take the identity of the application calling an API and use it to retrieve the application’s assigned roles and other attributes of interest. These will be compared to a policy that authorizes access to particular records or fields carried in the message, redacting or masking those that fail the policy. This allows APIs and their messages to be designed more generally, while still giving data owners complete control over which of their data is exchanged.
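The enforcement step described above, as an added illustration rather than any Integration Hub code: the application directory, the policy, the record, and all names in it are constructed samples standing in for the real lookup of roles and attributes. It applies default deny (an unknown application, or one no rule grants, gets nothing), an attribute match so a department application only sees its own course offerings, and masks fields the policy does not grant.

```python
MASK = "***REDACTED***"

# Constructed directory: roles and attributes assigned to authenticated application IDs.
# In the architecture above this lookup is served by API Central / LDAP, not a dict.
APP_DIRECTORY = {
    "app-advising-01": {"roles": {"advising"}, "attrs": {}},
    "app-dept-math": {"roles": {"department"}, "attrs": {"dept": "MATH"}},
}

# Constructed policy: per record type, which role may see which fields.
# "*" grants every field; "owner_attr" requires the record's attribute to match
# the application's own attribute of the same name (the "own course offerings" rule).
POLICY = {
    "case_management": [
        {"role": "advising", "fields": "*"},
    ],
    "course_offering": [
        {"role": "advising", "fields": {"course_id", "title"}},
        {"role": "department", "fields": "*", "owner_attr": "dept"},
    ],
}


def authorize_record(app_id, record_type, record, directory=APP_DIRECTORY, policy=POLICY):
    """Return a copy of `record` with ungranted fields masked, or None if the
    authenticated application may not see the record at all (default deny)."""
    entry = directory.get(app_id)
    if entry is None:
        return None  # unknown identity: nothing is released
    allowed = set()
    for rule in policy.get(record_type, []):
        if rule["role"] not in entry["roles"]:
            continue
        owner_attr = rule.get("owner_attr")
        if owner_attr and entry["attrs"].get(owner_attr) != record.get(owner_attr):
            continue  # record belongs to a different department, rule does not apply
        allowed |= set(record) if rule["fields"] == "*" else set(rule["fields"])
    if not allowed:
        return None  # no rule granted anything: whole record withheld
    return {k: (v if k in allowed else MASK) for k, v in record.items()}


# Constructed sample record carrying a field no general API consumer should see.
COURSE = {"course_id": "MATH-1A", "title": "Calculus", "dept": "MATH",
          "instructor_employee_id": "E-000000"}
```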
For Message Queues
The LDAP server referenced by the Hub’s JAAS configuration will hold the roles and attributes needed to authorize access to specific topics and queues. If fine-grained authorization is required, the queue can be “wrapped” with an API endpoint, so that the API layer’s specialized authorization measures (see above) apply to the messages.
For File Exchanges
Only the MFT service is authorized to access the Integration Hub’s local file system, enforced by operating system level access control lists. Applications must likewise authorize MFT to access their own systems. As with message queues, fine-grained authorization can be implemented through the use of an API to read and/or write the file.