Secure API & Private Cloud

No data or media is ever exposed to the public internet, instead a secure API handles all client transactions

Highlights

  • No data or media is publicly accessible, all data and media is provided through a secure REST API
  • API access requires two-factor authentication which is embedded into SMS, user credentials only are not sufficient to access the API
  • All network communications are conducted through SSL (secure sockets layer) connections only
  • Databases and repositories are never hosted outside of our virtual private cloud; it is impossible to connect to them via Internet
  • API is protected against brute-force attacks and any injection attacks
  • All servers are hardened and patches/updates are installed as soon as they are released

Data Privacy via Secure REST APIs

SMS doesn’t directly connect to any internet-accessible databases, nor does it send any plain-text data over the web, instead all data originating from SMS is encrypted and sent via SSL to our private REST API. Utilizing a REST API is a security best practice, REST APIs are a gateway which control all access to SMS’ database. It is only the API which connects to the database and since both the API and database are physically connected, the database itself never needs to be hosted on the Internet. SMS clients authenticated and utilizing the app as intended will pass through the API gateway without issue; however, attempting to utilize the app without the correct authentication or permission will cause the gateway to deny input or output from the database.

API Authentication Requires Multiple Factors and Is Stronger

It is not enough to simply have a username and password to login to the API. The API also requires a proprietary second factor of authentication which was designed to follow security best practices. This second factor of authentication is unique to Screening Made Simple and we are happy to discuss it with our clients and partners.

Adding an API gateway also offers the ability to increase the strength of existing authentication mechanisms. Most systems are susceptible to brute-force attacks where the attacker continually tries dictionary-based passwords, but API gateways allow for a greater level of management and as such controls can be instituted that prevent brute-force attacks by requiring time delays between login attempts.

API Gateways Limit Threats

API gateways provide SMS with three very important benefits:

  1. They allow databases to be private and unaccessible from the Internet
  2. They prevent direct connections from the app to the database
  3. They limit the commands that can be executed against the database to only a specific set of instructions

SMS’ API gateway offers a security trifecta by making it more difficult to authenticate a connection, making it impossible for the underlying database to be stolen, and, if any unscrupulous actor was ever to get connected, an API limits the damage they could cause. For example, if SMS was able to directly connect to a database, commands could be run which could delete all records, or worse yet, list all records in the database. SMS’ API does not allow all records to be listed, nor does it allow for all records to be deleted. Additionally, SMS’ API gateway facilitates checking all input for any exploitable characters that may be used to override database queries to delete or list all records.

Security Best Practices Ensure API Gateway Security

An API gateway is only as strong as the stack it is hosted upon. That is why we utilize AWS servers that are hardened to only include the services we require and nothing more. All security best practices are employed on our servers, this means there are no publicly accessible database or storage instances, all data is encrypted, and servers are updated and patched regularly. We are committed to full transparency and are happy to provide 3rd party reports demonstrating our committment to security.