0

We are about to develop an integration with an old system which is still live. Due to technical issues it is not possible to augment the data from the old system using the browser, so we are going to develop a server-to-server integration.

There is robust permission management on the old system and the intention is that it will continue to master the data and permissions. The new system would therefore need to inform the old system on the user requesting so that permissions are applied at the source.

Are there any standards to which this needs to be developed? Especially in the case of the user, is it just about including it as a parameter or is there a more robust way, for example managing authentication through the client's browser but then transferring information server to server?

Mike Ounsworth
aquaman

1 Answer

1

Are there any standards to which this needs to be developed?

That depends a lot on the context of what you're doing.

Technical standards

This depends on the technologies involved. The legacy system that you're connecting to may well have standards, or at least best-practice guides, for doing this sort of thing. These tend to be technology-specific, for example certain HTTP headers may have non-standard meanings to that application.

Your question seems most concerned with the user-switching functionality in the old system. Sounds like you need to read up on exactly how that works in the old software and learn whether there are Dos and Don'ts around it.

Security and compliance standards

Again, this depends on your context.

Does your organization have IT security policies that you have to adhere to when designing this system? If the data that's being accessed originally came from customers, partners, or end-users then do you have contractual obligations, privacy policies, EULAs, or other legal agreements that were in place at the time that the data was collected?

Are you trusting the new system to correctly tell the old system which user is making the request? If so, then the new system has access to become any user in the old system? How well have you secured the new system to prevent someone from requesting info that they shouldn't have access to? For example, I would expect that the user name that I'm allowed to request data under is tied to my corporate identity (Active Directory, Jira account, etc), so that requesting data under someone else's username is not easy. If the username is just a URL param, then what's stopping a user from putting someone else's username in their browser bar?

Another consideration is what kind of data the system is handling? If it's medical data, financial data, or other kinds of personally-identifiable information (PII) then how you handle it could be subject to relevant laws in your country such as HIPAA or GDPR, which could have broad implications for how you design the new system. See Wikipedia: Information privacy law for a good overview of privacy laws by jurisdiction.


TL;DR - It's good that you're thinking about security and asking these questions. I think in this case there are too many "it depends" to give a good answer. You probably need to do a bit more research in order to discover what technical and legal standards and best-practices apply to your specific situation.

Mike Ounsworth
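The concern raised in the answer about the username being just a URL parameter, shown as an added example that is not part of the original question or answer: the new system takes the user only from its authenticated server-side session and sends the old system a short-lived HMAC-signed assertion, which the old system checks before applying permissions. The shared key, the function names and the `user`/`iat` fields are assumptions made for illustration, not features of either system.

```python
import hashlib
import hmac
import json
import time

# Constructed demo key (assumption): a secret provisioned only to the two servers.
SHARED_KEY = b"constructed-demo-key-not-for-production"
MAX_AGE_SECONDS = 60  # assumed freshness window


def build_assertion(session_user, now=None):
    """New system: sign a statement of which user is making the request."""
    issued_at = int(now if now is not None else time.time())
    payload = json.dumps({"user": session_user, "iat": issued_at},
                         sort_keys=True).encode()
    tag = hmac.new(SHARED_KEY, payload, hashlib.sha256).hexdigest()
    return payload, tag


def verify_assertion(payload, tag, now=None):
    """Old system: return the asserted user, or None if the assertion is bad."""
    expected = hmac.new(SHARED_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None  # forged, or altered after signing
    claims = json.loads(payload)
    age = (now if now is not None else time.time()) - claims["iat"]
    if not 0 <= age <= MAX_AGE_SECONDS:
        return None  # stale or future-dated: limits replay of a captured call
    return claims["user"]


def handle_request(session, query_params, now=None):
    """New system handler (hypothetical): the user comes from the session.

    Any 'user' value in query_params is browser-controlled and is ignored.
    """
    user = session.get("authenticated_user")
    if user is None:
        raise PermissionError("no authenticated session")
    return build_assertion(user, now)
```

Whoever holds the key can assert any user, so this protects the call between the servers but does not remove the trust the old system places in the new one.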