Is Security a Parameter of Choice or Must-have?

Alex Lashkov
Published in Yellow Universe
Mar 11, 2020

For years, security concerns have been the major factor preventing businesses across the globe from adopting new technologies. Security has improved significantly over time, yet many software vendors still fail to implement security best practices.

So how do you choose genuinely secure enterprise-level business automation software? Here are four key elements to analyze when selecting a new solution.

What is secure software?

The principles of secure system design have been around for quite a while. For example, the classic paper “The Protection of Information in Computer Systems” by Jerome Saltzer and Michael Schroeder was released back in 1974. Here are some of the main principles listed there that have proven their importance over the last 30+ years:

  • Simple is secure: the design of the system should be as small and straightforward as possible.
  • Authorization is crucial: every access to every object must be checked for authorization.
  • Use the least privilege approach: every program and every user of the system should operate using the smallest set of privileges necessary to complete the job.
  • The interface should be built for humans: the UX should be designed with simplicity in mind, so that users routinely and automatically apply the protection mechanisms correctly.

Many modern enterprise software solutions do not comply with all of these critical principles. So, what do you need to analyze when choosing a new platform?

Data access policy

A big system used by dozens or hundreds of users, especially in a multi-tenancy model, requires robust data access and protection policies. The main task here is to prevent anyone from accessing data stored in another customer’s instance, or any other form of information disclosure.

We solve this task in 1C:Enterprise by providing individualized data access management, down to the level of object fields and individual records. The system also keeps a full changelog, so that any possible incident is straightforward to investigate.

Authorization and authentication

When a human, another program, or a component attempts to perform any action in the system, there should be tools to check whether that actor has sufficient rights. This means authorization checks should be implemented for all essential activities in which vital data is processed or otherwise used.
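The two passages above (record- and field-level access control with a changelog, and authorization checks on every action) describe the same mechanism: a single mediation point that every access passes through. The following Go program is an added example, not code from 1C:Enterprise or the original article; the tenants, roles, users and orders in it are constructed sample data, and the `Role`/`Store` types are hypothetical. It enforces tenant isolation at record level, trims the returned fields to the role’s grant (least privilege), and logs every decision, allowed or denied, so an incident can be reconstructed.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Order is a tenant-scoped business record with a few object fields.
// The data used below is constructed for this example.
type Order struct {
	ID       int
	Tenant   string
	Customer string
	Amount   float64
	Notes    string // treated as a sensitive field that only some roles may read
}

// Role lists the fields its holder may read; "*" means every field.
// Roles and users here are hypothetical.
type Role struct {
	Name   string
	Fields map[string]bool
}

type User struct {
	Name   string
	Tenant string
	Role   Role
}

// LogEntry is one line of the access log: every decision is recorded,
// allowed or denied, so an investigation can replay who touched what.
type LogEntry struct {
	At      time.Time
	User    string
	Action  string
	Object  string
	Allowed bool
}

type Store struct {
	orders []Order
	log    []LogEntry
}

var ErrDenied = errors.New("access denied")

// NewSampleStore holds two tenants' orders (constructed sample data).
func NewSampleStore() *Store {
	return &Store{orders: []Order{
		{ID: 1, Tenant: "acme", Customer: "Globex", Amount: 120.5, Notes: "VIP"},
		{ID: 2, Tenant: "initech", Customer: "Umbrella", Amount: 99, Notes: "late payer"},
	}}
}

func (s *Store) Log() []LogEntry { return s.log }

func (s *Store) record(u User, action, object string, allowed bool) {
	s.log = append(s.log, LogEntry{time.Now(), u.Name, action, object, allowed})
}

// ReadOrder is the single mediation point for reads (complete mediation).
// It enforces tenant isolation at record level and the role's field set at
// field level; fields outside the role are omitted from the result.
func (s *Store) ReadOrder(u User, id int) (map[string]any, error) {
	object := fmt.Sprintf("order:%d", id)
	for _, o := range s.orders {
		if o.ID != id {
			continue
		}
		if o.Tenant != u.Tenant {
			s.record(u, "read", object, false)
			return nil, ErrDenied // same error as "not found": no cross-tenant hints
		}
		all := map[string]any{"ID": o.ID, "Customer": o.Customer, "Amount": o.Amount, "Notes": o.Notes}
		out := make(map[string]any)
		for k, v := range all {
			if u.Role.Fields["*"] || u.Role.Fields[k] {
				out[k] = v
			}
		}
		s.record(u, "read", object, true)
		return out, nil
	}
	s.record(u, "read", object, false)
	return nil, ErrDenied
}

func main() {
	s := NewSampleStore()
	clerk := User{"ann", "acme", Role{"clerk", map[string]bool{"ID": true, "Customer": true, "Amount": true}}}
	fmt.Println(s.ReadOrder(clerk, 1)) // Notes is omitted for the clerk role
	fmt.Println(s.ReadOrder(clerk, 2)) // other tenant: access denied
	for _, e := range s.Log() {
		fmt.Printf("%s %s %s allowed=%v\n", e.At.Format(time.RFC3339), e.User, e.Object, e.Allowed)
	}
}
```

Two design choices matter here: a cross-tenant read returns the same error as a non-existent id, so the response cannot be used to probe which ids exist in other tenants, and denials are logged as well as successes, since a run of denied reads is usually the first sign of an incident.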

1C:Enterprise offers multiple ways of authenticating application users, including OpenID and OpenID Connect. Two-factor authentication and biometric authentication are also supported.

Encryption

Another critical tool for data protection is encryption. It protects valuable information from unintended disclosure or alteration while the data is stored or transmitted. The classic approach assumes that system administrators can apply encryption flexibly, for example to data stored in custom fields of the database.

To provide that flexibility, 1C:Enterprise supports third-party encryption modules, so application data processing can include a cryptographic layer built on them.
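As an added example of the field-level encryption the section describes (this is not 1C:Enterprise code and not from the article), the Go program below encrypts one sensitive custom field of a record with AES-256-GCM while leaving the rest of the row queryable. The key is assumed to come from outside the database (a KMS, HSM or an external crypto module); the record id and field name are bound in as associated data, so a ciphertext copied to another record or field fails authentication instead of decrypting. The `FieldCipher` type and the sample row are constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// FieldCipher encrypts individual custom fields with AES-256-GCM. The key is
// supplied by the application (in production from a KMS, HSM or an external
// crypto module) and is never stored next to the data it protects.
type FieldCipher struct{ aead cipher.AEAD }

func NewFieldCipher(key []byte) (*FieldCipher, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &FieldCipher{aead: aead}, nil
}

// fieldAAD binds a ciphertext to exactly one record and one field.
func fieldAAD(recordID, fieldName string) []byte { return []byte(recordID + "/" + fieldName) }

// Seal encrypts one field value with a fresh random nonce and returns
// base64(nonce || ciphertext || tag), suitable for storing in a text column.
func (c *FieldCipher) Seal(recordID, fieldName, plaintext string) (string, error) {
	nonce := make([]byte, c.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	sealed := c.aead.Seal(nonce, nonce, []byte(plaintext), fieldAAD(recordID, fieldName))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// Open reverses Seal; tampering or a mismatched record/field yields an error.
func (c *FieldCipher) Open(recordID, fieldName, stored string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return "", err
	}
	n := c.aead.NonceSize()
	if len(raw) < n+c.aead.Overhead() {
		return "", errors.New("stored value too short")
	}
	pt, err := c.aead.Open(nil, raw[:n], raw[n:], fieldAAD(recordID, fieldName))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	key := make([]byte, 32) // stands in for a key fetched from the key store
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	fc, _ := NewFieldCipher(key)
	// Only the sensitive custom field is encrypted; the other columns stay queryable.
	row := map[string]string{"id": "ord-1", "customer": "Globex"}
	row["tax_id"], _ = fc.Seal(row["id"], "tax_id", "DE123456789")
	fmt.Println("stored:", row)
	pt, err := fc.Open("ord-1", "tax_id", row["tax_id"])
	fmt.Println("decrypted:", pt, err)
	_, err = fc.Open("ord-2", "tax_id", row["tax_id"]) // moved to another record: fails
	fmt.Println("moved ciphertext:", err)
}
```

Using an authenticated mode (GCM) rather than a bare block cipher mode is what makes the "alteration" half of the protection real: a modified ciphertext is rejected rather than decrypted to garbage, and the associated data stops an attacker with write access to the table from swapping encrypted values between rows.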

Physical security

While tools for online security are a must, physical security should not be overlooked either. If the protection mechanisms can be easily bypassed by a person who gains unauthorized use of the system, that is a source of severe security threats.

To avoid such situations, additional protection mechanisms should be used. For example, 1C:Enterprise can work in a so-called protected mode. One component of the security system in this mode is a USB key that protects against unauthorized use: the system cannot be started unless the USB key is connected to a USB port of the computer.
