At OCRestful, we understand that you take the security of your data seriously, as you should. We do too. We are practiced in the security requirements of ISO/IEC, NIST, IASME, among others. Since some of these security standards apply to you, we understand that by extension, they apply to us. Therefore, we apply a level of security conformance that aims to be superset-compliant; we strive to meet them all.
At the same time, we provide a back-end service to your front-end application, and we cannot usurp your application's control over user security and end-user authentication and authorization. We are not in that business and you don't want us to be. We focus on authenticating your front-end application as our true client, and ensuring we can securely handle its data and respond to its requests for services.
Some of the key security controls we have in place to safeguard your data include:
- Hardened operating systems. We use security-enhanced linux (selinux) as our base operating system, which includes a hardened linux kernel and comes pre-configured with unnecessary services and permissions disabled in order to reduce operating-system-level attack vectors.
- Encryption in-transit. We do not allow plain HTTP in production settings; all traffic other than "welcome" and informational pages is encrypted by 128-bit HTTPS during transmission.
- Encryption at-rest. We use fully encrypted block-storage devices to back all of our databases, ensuring that data cannot be read even if someone were to gain possession of the physical drives somehow.
- Data segregation. Every client has a private database in our system, and there is no sharing of information across databases. This ensures there is no chance of data bleed-over between accounts, and that, when a client requests their account be deleted, we can guarantee that all client-owned data can be cleanly removed by deleting the database.
- Cryptographically-generated tokens. The API "secret" every client is issued is generated by a Cryptographically Secure Pseudo-Random Number Generator (CSPRNG) in order to assure adequate length and true randomness. This ensures they are much stronger than the typical passwords used in everyday Web transactions.
- Password hashing with per-user SALT. We follow best practices for authenticating API and Web users, never storing the user's password in any database (instead storing a hash of the password) and using a user-specific cryptographically-secure SALT to further protect the password. These measures ensure that, even if our passwords database were exposed, the contents would be useless to attackers in figuring out users' passwords.
These measures ensure the safeguarding of the data you store in OCRestful, and allow you to remain compliant with the security standards that are in place in your business environment.