Fieldpine Logo

eLink Server Implementation Documentation


Security Models

eLink Servers support a range of different security models and techniques depending on your requirements, level of desired security and budget. Your needs for internet connected servers is probably higher than internal secure networks.

Standard Security

High Security

Usage

Mobile User

Mobile User (#2)

Technical Details

Authentication is about proving you are who you are, while authorisation is about verifying you are permitted to access the resource/data you are requesting. While often mixed in common use, they are seperated here as different techniques are used for each piece.

Options to prove who you are (Authentication)

No SecurityYou may explicitly enable some end points to have zero security
Username/Password
Stored Token/Password

Options to secure messages in transit

SSLCommonly available encryption of messages between browsers and web servers. SSL does not prove you are you (without client certificates, which we do not currently use) so cannot be used as an authentication method
OTPOne Time Pad encryption. Advanced usage only due to key management issues for most clients
AES-256

Additional measures taken by server

Geo CheckingThe server may check your requests to verify the Geographical location you are currently in. This is not considered a very secure check but does offer some level of protection.
FingerprintingThe server may use finger printing techniques to more gain more reliability that you are who you say.
Usage Tracking We may build a profile of your typical use and verify requested access against this. For example, if you typically only view reports or edit products, but suddenly start altering credit limits for accounts, this may trigger a usage tracking event.
Data ShardingIn high security environments, your data may be seperated over multiple servers in a fashion similar to RAID-5 disk technology. This sharding is done at a bit/byte level, so that no single server has full details of anything. This results in slower client use (as need to communicate to multiple servers to fetch a record), but means that compromise of a single server yields little information.
Velocity ControlsYou may be able to configure velocity controls to restrict the flow of data to clients in some cases. For example, the option to retrieve a complete sale is available, but clients would rarely request ALL details on ALL sales, even requesting one at a time, so you may choose to start slowing data flow down in this case. A velocity control can help limit the amount of data loss should a security incident occur.

Note, all the security options and tracking/monitoring techniques are ONLY used to verify your identity and secure your data. You may deselect these options for your account, but they are designed to provide additional security. We do not share this information with anybody

SSL, OTP, AES, HMAC, Geo Checking, HTTP Fingerprinting, usage tracking
Dev Notes
  1. /gnap/~g1,2,3,4/buck - access to gdb 1,2,3,4 no security provided
  2. /gnap/~uuser123~g1,2,3,4/buck - access to gdb 1,2,3,4 as user123 (no password, or implied security)
  3. /gnap/~uuser123/buck - access as user123 to default gdb for user
  4. /gnap/~uuser123~pabc/buck - access as user123 password abc to default gdb for user. DANGEROUS/UNSAFE as password sent