Contract Management Security: Attacks, Risks and Solution
- SUMIT KUMAR AGGARWAL
Introduction
At Sirion, we work with a diverse set of industries and customers seeking to transform their current contract lifecycle management processes. To help them through their decision cycle, we employ a three-pronged approach:
Design – Realize – Transform
The aim behind this three-pronged philosophy is to design a roadmap to build a great user experience while incorporating and strengthening the feature design parameters in Sirion. The goal is to improve the usability of Sirion for the customers while preserving the trust and privacy of their contract information.
So, what are design parameters?
Design parameters are the qualitative and quantitative aspects of the functional characteristics of a product or system that are input to its design process. These parameters determine the cost, design, and risk tradeoffs in the product’s development.
In Sirion’s case, the design parameters broadly include (but are not limited to) security, multi-tenancy, performance and scalability, and migration impacts. These are also recognized as non-functional attributes of the system that define the user and the system environment.
These features are highlighted here because they also characterize the slippery slope in product development, where mistakes often happen while designing any web application. In the subsequent sections you will find an overview of our philosophy and a behind-the-scenes glimpse of these feature design parameters.
Contract Management Security
One aspect that always comes up in our conversations with customers is security. Most importantly: “Are my critical business documents and contracts secure in the cloud?” So, if you are evaluating a solution like Sirion to help you realize more value from your contracts, and since we are a strong proponent of cloud technology, it is likely that you also have questions like these.
To elaborate on the security aspect: at Sirion, the security design parameters are included from the requirement management stage through the development stage, across phases such as:
- Requirement gathering
- Product feature discussions
- Software design guidelines
- Design documents
- Architecture diagrams
Our focus is always to envision and understand how the data can be further secured. We constantly ask ourselves:
- What are the various tools to assess the security threats and pre-empt them?
- How can we forecast the possible attacks during the testing phase?
- What preventive measures can we take at the coding, reviewing, testing and implementation levels?
At Sirion, security is not a solitary piece; it is a progression from “project initiation” to the “Go live” phase, classified into three broad categories:
- Data Security
- Login/Session management
- Attacks (such as those listed by OWASP)
Data Security
From a client’s perspective, data security is one of the most important pieces of the security puzzle. It incorporates three chief principles:
- Confidentiality: A set of rules that limits the access of information.
- Integrity: Assurance that the information is trustworthy and accurate.
- Availability: Stipulated rights to use the information by authorized users.
Access controls can be further divided into two main areas:
- Physical access – controls over who can enter the premises and who can access personal data
- Logical access – controls to ensure employees only have access to the appropriate software, data and devices necessary to perform their specific roles.
Any breach affects not only the client’s trust but also that of the employees, and puts the whole organization at risk.
At Sirion, we have instilled a culture of keeping the security aspect at the forefront, from the system design process through to the product release. Whether it is a feature requirement or an informal discussion between the developers and quality assurance teams, we prioritize this thought process in all our activities while creating great products.
Login and user session management
User authentication and authorization mechanisms are required to prevent customers’ data from falling into the wrong hands.
Consider a scenario where an end user logs into Sirion and forgets to log out. An unauthorized user may then access their information and take an undesirable action, such as modifying or deleting sensitive data. To prevent this, the system must be designed so that if the user is inactive, has forgotten to log out, or has left the application unattended for a long duration, the system automatically logs them out, thus preserving the integrity of the system.
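An added illustration of the inactivity logout described above (example code written for this page, not Sirion’s implementation): the limit is enforced on the server, so an unattended browser cannot keep a session alive. The class name, the 15-minute limit and the in-memory store are assumptions.

```python
import secrets
import time


class IdleTimeoutSessions:
    """Server-side session table that enforces an inactivity limit."""

    def __init__(self, idle_limit_s=900, clock=time.monotonic):
        self.idle_limit_s = idle_limit_s   # assumed value: 15 minutes
        self._clock = clock                # injectable so tests can advance time
        self._sessions = {}                # token -> {"user", "last_seen"}

    def login(self, user):
        token = secrets.token_urlsafe(32)  # unguessable session identifier
        self._sessions[token] = {"user": user, "last_seen": self._clock()}
        return token

    def authorize(self, token):
        """Return the user of an active session, or None if login is required."""
        session = self._sessions.get(token)
        if session is None:
            return None
        now = self._clock()
        if now - session["last_seen"] > self.idle_limit_s:
            # Expired: destroy the record so the old token can never be revived.
            del self._sessions[token]
            return None
        session["last_seen"] = now         # activity resets the idle timer
        return session["user"]

    def logout(self, token):
        self._sessions.pop(token, None)


def demo():
    """Constructed scenario: the user walks away without logging out."""
    now = [0.0]
    store = IdleTimeoutSessions(idle_limit_s=900, clock=lambda: now[0])
    token = store.login("alice")
    now[0] = 600
    active = store.authorize(token)        # 600 s idle: valid, timer resets
    now[0] = 1400
    still_active = store.authorize(token)  # 800 s since last activity: valid
    now[0] = 2400
    expired = store.authorize(token)       # 1000 s idle: logged out
    now[0] = 2401
    replay = store.authorize(token)        # token stays dead after expiry
    return active, still_active, expired, replay
```

Every protected request goes through `authorize`, so the check does not depend on a client-side timer that a user or script could disable.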
Attacks
An attack is an attempt to alter, destroy or steal the customer’s sensitive information, or to gain unauthorized access to any data repository.
We continually consider such scenarios during the development phase: for example, whether any part of the code is attack-prone. It could be a “key -> value” pair in one of the URL parameters that lets an outsider execute a rogue script, or ports left exposed to the outside world during server configuration.
Hence, a system must be designed in such a way that one is able to address the following questions:
- Can we check the various possible attacks by an unauthorized user?
- What preventive measures can be taken to stop these attacks?
- What are the various tools to view these various attacks?
As a team, we treat it as non-negotiable that the security aspect stays in our thought process at every stage of our engineering processes.
Multi-tenancy Support
The term “software multi-tenancy” refers to a software architecture in which a single instance of the software runs on a server and serves multiple tenants. A tenant is a group of users who share common access, with specific privileges, to the software instance.
In a multi-tenancy environment, the system can enable the same feature across all clients, with minimal or no customization. This also supports easy upgrades to all clients while promoting cost and time savings for an organization.
Sirion is a multi-tenant SaaS. Thus, during the design, coding, code review or testing of a feature, we need to ensure that the multi-tenancy aspect is adequately considered, so that the same feature can be enabled for multiple clients if required, mainly through front-end configuration.
As an illustration, when integrating with third-party software, we cannot afford to build an integration framework that works only in one specific scenario. If required, we should be able to enable integration with the same software for other clients as well.
To achieve this, we need to ask right from the beginning of feature design: “How do we ensure the multi-tenancy parameter is not compromised while building the feature?”
Performance & Scalability
Performance and scalability are interlinked. Scalability is the process of expanding the current system’s framework, and performance is the way of measuring the system’s behavior as it scales.
Take single-entity creation as an example. With this feature, a user must repeat the same steps multiple times to complete a task, which can be very time-consuming and tedious. To overcome this challenge, we designed a bulk entity data update feature with which the user can update multiple entities at once.
At the same time, we also need to ask whether this would impact the scheduler’s performance. If we scale our system to perform bulk operations, how would that impact our current system’s performance? If the listing download limit for entity data is currently ten thousand, what would happen if the limit is increased to 2X or 3X? How does it impact Sirion’s performance?
If one of the clients asks you to raise the listing download size and the system starts to respond slower than its usual speed, it indicates that the system isn’t capable of scaling the listing download size, which directly impacts the system’s performance.
Let’s take another scenario: currently, we have the provision to upload an Excel file for bulk data entry. The questions we asked ourselves were: is our system capable of reading the file directly from the FTP path? How much time would the backend services take to perform such tasks? How does it impact Sirion’s performance?
Suppose Sirion can upload service levels in bulk with an upper limit of five thousand, and at a client’s request we raise this limit to ten thousand, which makes the system sluggish. The alternative is to abort the process, break the file into two parts and perform the operation again, which can lead to several other problems around manual changes to the Excel file, such as:
- How much data was uploaded into the system before aborting the bulk operation?
- Manual errors such as filter issues and copy-and-paste errors while splitting the file into two parts.
Hence, while designing a product, the pertinent question one should ask is: “Is the existing framework easily scalable for the future load?”
Migration Impact
Migration is the process of implementing new features or enhancing them without hampering the existing ones.
At Sirion, we focus on these five questions before any migration is done:
- How will I manage risk?
- How will I track and document existing data dependencies?
- How will I document and integrate new data, system functions, and processes?
- How will I execute post-migration testing?
- How will I avoid/manage downtime?
This article emphasized feature design parameters such as security, multi-tenancy, performance and scalability, and migration impacts. For a good requirement management process, it is necessary to include these parameters in the standard guidelines for designing the software. We hope this helps you understand the utility of these feature design parameters when designing any web application from the ground up.