The Maintenance Connection security architecture employs 7 layers and modules to provide a highly reliable, fine-grained, multi-faceted security platform.
Each layer is optimized for the enforcement or management of a specific security detail:
1. Authentication
The most basic and top layer of defense.
2. Filtered Browsing Layer
The extension to the authentication mechanism.
3. Roles
Provides a dynamic grouping function of permissions associated with data manipulation or specific application level functions.
4. Process Filter
Provides a workflow-based security framework.
5. Data Access Filter
This layer enforces data access policies of the Maintenance Connection application.
6. Audit Trail Container
The central repository of the history of all changes made by all users of the Maintenance Connection system.
7. Encryption
The methodology by which information sent between a browser and web server is scrambled.
1. Authentication – the most basic and top layer of defense, which establishes the identity and credentials of the user who wishes to access the system by requiring users to enter a member name and password. Every request is re-authenticated automatically using the user credentials that were validated and secured at the first login. Maintenance Connection utilizes session time-outs, so the user might be asked to re-authenticate mid-session if a session time-out has been detected.
In order to protect user identity and access to records, Maintenance Connection requires that users have a unique user-defined Member ID and password when logging on to the application. Even before the user can log onto the system, they must go through the sign-up process to establish their account. Only when this account is approved will the user have access to the Maintenance Connection applications and data.
Maintenance Connection security policies and procedures provide authentication by:
- Establishing an unapproved account during the sign-up process
- Allowing managers to approve or reject user accounts
- Allowing user-defined Member IDs and passwords that can be changed frequently
2. Filtered Browsing Layer – the extension to the authentication mechanism, which requires every web page access to use valid credentials. This layer detects whether a user has a valid session and directs users to a login step if either the session or the credentials have been deemed invalid. This mechanism prevents unauthorized users who might have a bookmark or URL link from gaining direct browsing access to any part of the system.
3. Roles – provide a dynamic grouping function of permissions associated with data manipulation or specific application level functions. Maintenance Connection has rich support for user level role definition (defined in the application as access groups), giving managers a fine-grained capability to grant permission to specific features of the system to any user of the Maintenance Connection application. The manager can assign an access group to any individual, thus easily expanding or narrowing access rights as necessary. The built-in access groups can be used, or new ones can be created. Since this security layer is dynamic and real-time, changes to the details of a particular role take effect immediately. Several functions of the Maintenance Connection application are controlled by means of access groups, so users who do not have the appropriate permissions will not even be aware of the existence of certain features, since the tabs, icons, or buttons will not be present in their view of the application.
4. Process Filter – provides a workflow-based security framework, through which managers can enable and disable application level functions at any given step in the business process flow. For example, a manager may allow a user the ability to create a work order, but not approve, issue, or close it out.
5. Data Access Filter – enforces the data access policies of the Maintenance Connection application. All data access requests pass through system filters and only allowable data sets are exposed and returned to the user.
6. Audit Trail Container – the central repository of the history of all changes made by all users of the Maintenance Connection system. The audit log helps accurately reconstruct the changes made to any specific data item. The audit log contains the date, time, user who made the change, the value before the change, and the value after the change so that claims in information-related disputes can be corroborated.
7. Encryption – the methodology by which information sent between a browser and web server is scrambled through various algorithms in order to prevent someone from eavesdropping on (or sniffing) the communication and potentially observing the transmitted information. Clearly this is a major issue for communication over public networks, since there is no control over who can see the information on the open net. To combat this issue, the Maintenance Connection architecture fully supports and utilizes the industry standard SSL (Secure Sockets Layer) protocol.
Secure Sockets Layer (SSL) is the software protocol used by both the browser and the web server to implement the highest possible security levels. The Maintenance Connection server requires that the user’s browser be configured to support both SSL2 and SSL3 protocols (in the security options of the web browser) so that it can encrypt communications with the web server and ensure that information between Maintenance Connection and the user cannot be read by outside parties.
Web servers that run secure sessions require browsers with a minimum of 40-bit encryption to generate session keys used to encrypt/decrypt transmissions between browser and server. Maintenance Connection uses 128-bit encryption whenever possible to ensure privacy. Encryption capabilities are built into most Internet browsers and can be enabled by users. The larger the number of bits contained in the session key used for encryption (40-128 bits), the more difficult (exponentially) it is for an unauthorized person to unscramble the transmission. The 40-bit encryption is known as international level or export-grade encryption. The stronger 128-bit encryption is referred to as U.S. and Canada-only level, or domestic-grade encryption. Until recently, no encryption requiring a key greater than 40-bit was permitted to be exported outside of the United States and Canada.
This restriction has now been partially lifted under certain trade conditions, but 40-bit encryption is still used by many companies doing business internationally.
The Maintenance Connection servers support connections from browsers that employ 40-bit, 56-bit and 128-bit encryption. The stronger 128-bit encryption method may impose performance degradation on less powerful PCs running the browser. Maintenance Connection continually evaluates commercial browsers to ensure that they meet strict security standards. For browser requirements for Maintenance Connection, refer to Maintenance Connection Minimum Requirements.
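SSL 2.0 and SSL 3.0 were later prohibited (RFC 6176, RFC 7568), and 40-bit and 56-bit keys no longer resist brute force, so a deployment built on the protocol and key-size choices above should be checked against a current floor. The following Python sketch is an added example, not Maintenance Connection code: it builds a server context limited to TLS 1.2 or later and flags any offered suite below the 128-bit level. The sample suite list is constructed.

```python
import ssl

MIN_BITS = 128  # floor for the session key, matching the page's 128-bit figure

# Constructed sample in the shape returned by ssl.SSLContext.get_ciphers(),
# standing for a legacy server that still offers 40-, 56- and 128-bit suites.
LEGACY_SAMPLE = [
    {"name": "EXP-RC4-MD5", "protocol": "SSLv3", "strength_bits": 40},
    {"name": "DES-CBC-SHA", "protocol": "SSLv3", "strength_bits": 56},
    {"name": "AES128-SHA", "protocol": "SSLv3", "strength_bits": 128},
]


def hardened_server_context():
    """Server-side context that will not negotiate anything below TLS 1.2."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def weak_suites(ciphers, min_bits=MIN_BITS):
    """Names of offered suites that are export-grade, unencrypted or short-keyed."""
    return [
        c["name"] for c in ciphers
        if c["strength_bits"] < min_bits
        or c["name"].startswith("EXP")
        or "NULL" in c["name"]
    ]


def connection_ok(cipher_tuple, min_bits=MIN_BITS):
    """Check the (name, protocol, secret_bits) tuple from SSLSocket.cipher()."""
    _name, protocol, bits = cipher_tuple
    return protocol in ("TLSv1.2", "TLSv1.3") and bits >= min_bits


if __name__ == "__main__":
    print("legacy offer, weak:", weak_suites(LEGACY_SAMPLE))
    print("hardened context, weak:",
          weak_suites(hardened_server_context().get_ciphers()))
```

`connection_ok` can be applied to the value of `SSLSocket.cipher()` after a handshake to log or refuse sessions that fell below the floor.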
Maintenance Connection has implemented a rich security architecture to satisfy the most stringent needs of any organization. How much or how little security is applied is under management control: administration can selectively enable or disable the various security measures to tailor security constraints to the organization’s needs.
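Because each audit trail record (layer 6 above) stores both the value before and the value after a change, the log can be replayed to reconstruct a data item at any point in time and checked for changes that were never recorded. This is an added Python example, not part of the Maintenance Connection product; the record layout, item naming and sample entries are constructed for illustration.

```python
from datetime import datetime
from typing import NamedTuple, Optional


class AuditEntry(NamedTuple):
    when: datetime          # date and time of the change
    user: str               # member who made it
    item: str               # data item, e.g. "WO-1001.status" (hypothetical naming)
    before: Optional[str]   # value before the change (None on creation)
    after: Optional[str]    # value after the change


def history(log, item):
    """All recorded changes to one data item, oldest first."""
    return sorted((e for e in log if e.item == item), key=lambda e: e.when)


def find_gaps(log, item):
    """Pairs of consecutive entries where the later 'before' does not match the
    earlier 'after', meaning a change happened that the log did not capture."""
    entries = history(log, item)
    return [(p, c) for p, c in zip(entries, entries[1:]) if c.before != p.after]


def value_at(log, item, moment):
    """Reconstruct the value the item held at `moment`."""
    entries = history(log, item)
    if not entries:
        raise KeyError(item)
    value = entries[0].before
    for e in entries:
        if e.when > moment:
            break
        value = e.after
    return value


# Constructed sample log; the third entry's 'before' skips an unrecorded change.
SAMPLE_LOG = [
    AuditEntry(datetime(2024, 3, 4, 9, 0), "jsmith", "WO-1001.status", None, "Requested"),
    AuditEntry(datetime(2024, 3, 4, 10, 30), "mlee", "WO-1001.status", "Requested", "Issued"),
    AuditEntry(datetime(2024, 3, 4, 15, 0), "mlee", "WO-1001.status", "Approved", "Closed"),
    AuditEntry(datetime(2024, 3, 4, 11, 0), "jsmith", "WO-1002.status", None, "Requested"),
]
```

A non-empty result from `find_gaps` is worth investigating as either a write path that bypasses the audit layer or a deleted record.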
The Maintenance Connection servers were configured with three issues in mind: performance, redundancy, and growth. Our hardware is set up to ensure the highest degree of uptime. Redundant firewalls are also standard to prevent unauthorized access.
Maintenance Connection’s Maintenance Management application provides a comprehensive integrated security system that enables administrators to customize data access permissions according to their roles. Using a built-in Security Manager, administrators can create security profiles that not only limit access to specific features, but also permit viewing of records based on data types and/or values. The ability to grant access to records based on their contents advances database security beyond that offered by many of today’s most powerful database management systems, and puts users in control of their information.
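The filtered browsing, access group, process filter and data access layers described above, together with the content-based record access of the Security Manager, only hold if every request is checked on the server in that order, since hiding a tab or button does not stop a request sent directly to a URL. This is an added Python example, not Maintenance Connection code; the access groups, department-based record scope, 15-minute time-out and sample data are assumptions.

```python
from dataclasses import dataclass

IDLE_LIMIT = 15 * 60  # assumed session time-out, in seconds
# Hypothetical access groups and the work-order steps each one may perform.
ACCESS_GROUPS = {"requester": {"create"},
                 "manager": {"create", "approve", "issue", "close"}}

@dataclass
class Session:
    member_id: str
    access_group: str
    departments: frozenset  # record values this member is allowed to see
    last_seen: float

class LoginRequired(Exception):
    """No valid session: the caller should redirect to the login step."""

class Forbidden(Exception):
    """Valid session, but the access group does not permit this step."""

def filtered_browsing(sessions, session_id, now):
    session = sessions.get(session_id)
    if session is None or now - session.last_seen > IDLE_LIMIT:
        sessions.pop(session_id, None)  # expired sessions are discarded
        raise LoginRequired(session_id)
    session.last_seen = now
    return session

def process_filter(session, step):
    # Deny by default: unknown groups and unlisted steps are refused.
    if step not in ACCESS_GROUPS.get(session.access_group, ()):
        raise Forbidden(f"{session.member_id} may not {step} work orders")

def data_access_filter(session, records):
    return [r for r in records if r["department"] in session.departments]

def handle_request(sessions, session_id, step, records, now):
    """Run one request through layers 2 to 5 in order; any failure stops it."""
    session = filtered_browsing(sessions, session_id, now)
    process_filter(session, step)
    return data_access_filter(session, records)

# Constructed sample data.
SESSIONS = {"s1": Session("jsmith", "requester", frozenset({"Facilities"}), 1000.0)}
WORK_ORDERS = [{"id": "WO-1", "department": "Facilities"},
               {"id": "WO-2", "department": "Fleet"}]
```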
When users log on and are authenticated, information is transmitted using secure links (Secure Sockets Layer or SSL encryption). As noted above, our servers and databases are protected by firewalls and secure access.
Maintenance Connection uses two browser cookies for a number of administrative purposes, for example to store your preferences for certain kinds of information or to store a Member ID so that you do not have to input it every time you visit our site. Most cookies last only through a single session, or one visit to our site. No cookie will contain information that will enable anyone to contact you via telephone, e-mail, or any other means. You can set up your Web browser to inform you when cookies are set or to prevent cookies from being set.
The Maintenance Connection production servers are housed in a Data Center that boasts the latest in state-of-the-art Internet hosting facilities, including round-the-clock, on-site technical staff actively managing, maintaining, and supporting the network, the services it provides and the customers it connects.
This Site has security measures in place to help protect against the loss, misuse and alteration of the information under our control. When you access the Site, Secure Sockets Layer (SSL) technology protects your information using both server authentication and data encryption to help ensure that your information is safe, secure, and unavailable to others.
Maintenance Connection also implements an advanced security method based on dynamic data and encoded session identifications and hosts the Site in a secure server environment that uses a firewall and other advanced technology to prevent interference or access from outside intruders.
Finally, Maintenance Connection provides you with a unique member name and password that must be entered each time you visit the Site. These safeguards help prevent unauthorized access, maintain data accuracy and ensure the appropriate use of your information.