In the IT world, there is ever that security pendulum that either seems to move toward ease of use or toward restrictive control. Users typically tend towards the “ease of use” end of the spectrum because who wants to remember yet another password? And who wants to install complicated VPN software or jump through extra authentication hoops? Conversely, IT folks (like me) tend to believe in restrictive control, in complicated passwords as possible, extra authentication hoops and logging everything that happens over an established connection.
With the advent of SaaS (Software as a Service), security becomes all the more critical in terms of both the user of the service and the administrator of the environment providing that service. The beautiful thing about SaaS offerings like CATSWeb is that they are completely web based through HTML. This makes life much easier for all parties. From the user side, CATSWeb requires no special VPN software, nothing downloaded to the client computer and no local certificate store to verify a user’s identity only a web address and a password. From the IT standpoint, all machines involved in providing CATSWeb SaaS are completely locked down to two ports of traffic; an IT dream come true. Users will either be coming into a hosted CATSWeb environment via HTTP (port 80) or HTTPS (port 443). For securing a server to the world, only having to deal with two ports is about as simple a scenario as exists in the IT industry.
Because CATSWeb traffic is only on two ports, our servers are locked down completely, with those two ports being monitored constantly through the firewall, protected by live scanning anti-virus solutions and safeguarded by managed IDS (Intrusion Detection) systems. Add to that all web traffic is logged from start to finish and you’ve got as bulletproof a server system as can be found. And then we get to CATSWeb itself.
Within CATSWeb, AssurX has included additional security tools to ensure that your data is safe. First, each customer company has their own unique, individual database not shared by anyone else. If a customer chooses to require SSL for accessing their CATSWeb database, this ensures that all traffic to and from that database is encrypted. System access is automatically logged for easy review, including the IP address from where the traffic originated.
The rest we leave up to users. I guess that’s where CATSWeb SaaS becomes a two-pendulum system. The “server security pendulum” we’ve chosen to swing as far toward restrictive control as possible. The “user access pendulum” we leave to the users of CATSWeb. An administrator in a CATSWeb system can set their own requirements for passwords for their users, establish their own session parameters such as session length and inactivity timeouts and much, much more. This will allow any given SaaS CATSWeb system to have security anywhere along the user access pendulum, from easy to restrictive, based on what your requirements are.
