Designed for Security
- Managed cloud environment provides security controls at the application layer
- Application is hosted within a private subnet, with outbound connectivity only through NAT gateways
- Network firewalls block inbound access from the public internet
- Intrusion detection can be provided by threat-intelligence feeds on the firewall, configured to ‘alert and deny’ known-malicious network traffic
- Dedicated network connectivity can be set up to the subscriber’s site, either on premises or to the subscriber’s cloud-hosted services
In terms of API security, every API call is authenticated using the Client Credentials grant defined in OAuth 2.0 (RFC 6749, section 4.4): the client presents its Client ID and Client Secret to the authorisation server, receives an access token, and then sends that token with each call to the API.
API authorisation is performed using a third-party Identity Provider (IdP) authorisation server. All communication is strictly over HTTPS. The subscriber’s client identity is resolved from the token and not from any parameter passed with the call, so each subscriber’s API calls are isolated and no subscriber can impersonate another. In addition, each API client can be associated with specific API endpoints, so a client application that requires decisioning only has access to what has been provisioned for it.