Architecture Security - bcgov/PIMS GitHub Wiki

Security

PIMS is architected and built to adhere to OCIO Information Security Standards.

Summary of Architecture

This is a high-level summary of the architecture, written solely for the purpose of addressing security. In-depth documentation on the various components and technology is found here: Git.

Authentication

Authentication is performed by SiteMinder (IDIR, BCeID) via integration with an instance of Keycloak hosted by the Exchange Lab within OpenShift. All users must have an active account within IDIR or BCeID to gain access to PIMS. All private keys are maintained in OpenShift with Secrets (see Hosting).

Technology

  • OAuth 2.0
  • Open ID Connect (OIDC)
  • HTTPS
  • SSL

Authorization

PIMS uses a Claims-based Identity architecture to ensure only appropriate access is provided to data. Claims are grouped into Roles, which provide a simple way to assign what a User can perform within PIMS.

Roles

Roles provide a way to group users with specific authorization claims. This allows the users assigned to the Roles to perform actions within PIMS. Each Role is composed of one or more Claims.

| Role | Description | Claims |
| --- | --- | --- |
| System Administrator | Manage all users within PIMS. Add Agencies and Sub Agencies to PIMS. | system-administrator |
| Agency Administrator | Manage only users within an agency (and sub-agencies). DO NOT USE THIS ROLE, IT HAS NOT BEEN FULLY TESTED. | agency-administrator, project-delete |
| Real Estate Manager - Submit/Edit Properties | The ability to submit/edit properties that belong to the user's agency. If the user belongs to a parent agency such as Education, this role also enables the user to submit/edit properties on behalf of a sub-agency, such as a school district. | property-edit, property-view, property-delete, property-add, sensitive-view |
| Real Estate Manager - Create and Submit Projects | The ability to create and submit Disposal Projects for the agency the user belongs to. If the user belongs to a parent agency such as Education, this role also enables the user to create and submit Disposal Projects on behalf of a sub-agency, such as a school district. | dispose-request, project-add, project-delete, project-edit, project-view |
| Real Estate Analyst | The ability to add and update properties for the agency the user belongs to, as well as the ability to create a Disposal Project for that agency. A Real Estate Analyst cannot submit a Disposal Project; only the Real Estate Manager can submit a Disposal Project. | project-add, project-delete, project-edit, project-view, property-edit, property-view, property-delete, property-add, sensitive-view |
| SRES | The ability to add/edit/delete properties for any agency in PIMS. The ability to create, approve, cancel and deny Disposal Projects in PIMS. | admin-projects, admin-properties, dispose-approve, project-delete, property-delete |
| SRES Financial Manager | Access to the SPL Report section; create final reports; delete reports. | reports-view, reports-spl |
| SRES Financial Reporter | Access to the SPL Report section. | reports-view, reports-spl |

Claims

Claims are managed by Keycloak and implemented within PIMS. This means that only specific claims have privileges within PIMS. Claims are applied in both the API and the APP to ensure a consistent and secure experience.

| Claim | Description | Composite Claims |
| --- | --- | --- |
| system-administrator | Manage all users within PIMS | admin-agencies, admin-projects, admin-properties, admin-roles, agency-administrator, project-delete, property-delete |
| agency-administrator | Manage only users within the user's agency within PIMS | admin-users, project-add, project-edit, project-view, property-add, property-edit, property-view, sensitive-view |
| admin-users | Manage user accounts within PIMS | |
| admin-roles | Manage roles within PIMS | |
| admin-properties | Access to view/edit/delete properties in other agencies | |
| admin-projects | Access to view/edit/delete projects in other agencies | |
| property-view | View properties in the user's agency or sub-agencies | |
| property-add | Add properties to inventory in the user's agency or sub-agencies | |
| property-edit | Edit properties in the user's agency or sub-agencies | |
| property-delete | Delete properties from inventory in the user's agency or sub-agencies (please note this claim is currently disabled) | |
| sensitive-view | View sensitive properties within the user's agency or sub-agencies | |
| dispose-request | Provides the ability to request disposal of properties | |
| dispose-approve | Provides the ability to approve requests for disposal of properties | |
| project-view | View projects in the user's agency or sub-agencies | |
| project-add | Add projects in the user's agency or sub-agencies | |
| project-edit | Edit projects in the user's agency or sub-agencies | |
| project-delete | Delete projects in the user's agency or sub-agencies. A project can only be deleted while it is in draft status. | |
| reports-view | Ability to see the reports menu and access generic reports | |
| reports-spl | Ability to see and use the Surplus Property List report | |

Technology

  • .NET Core Identity
  • React keycloak-js

Hosting

The hosting platform used for PIMS is OpenShift. The DevOps tools are Jenkins and OpenShift. Non-sensitive configuration is provided through JSON files within source and through OpenShift Configuration Maps and Environment Variables. Sensitive configuration is provided through OpenShift Secrets.

Technology

  • OpenShift
  • Base64 Encoding
  • Environment Variables

Database

The API database used for storing property inventory is hosted as a Docker container within the OpenShift environment. External access is not available. Internal access is only available within the OpenShift Project to approved Pods. The database runs MS SQL Server 2019 on a Linux OS. Two accounts are currently generated for the database: the default sa account and an account generated for PIMS. PIMS uses the generated account to gain access to the API database.

No personal information is stored within PIMS.

PIMS is designed to store sensitive property information. This information is marked as sensitive and as such is only visible to users who belong to the owning agency and hold the sensitive-view Claim. Additionally, users who hold both the admin-properties and the sensitive-view Claims also have access to this information.
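The composite expansion in the Claims table and the sensitive-property rule above, worked through as an added example (not PIMS project code); the `User` and `Property` shapes are assumptions for illustration, and sub-agency membership is left to the caller:

```typescript
// Added example (not PIMS project code): expand composite claims into a user's
// effective claim set, then apply the sensitive-property visibility rule.
type Claim = string;

// Composite claims copied from the Claims table on this page.
const COMPOSITE: Record<Claim, Claim[]> = {
  "system-administrator": ["admin-agencies", "admin-projects", "admin-properties",
    "admin-roles", "agency-administrator", "project-delete", "property-delete"],
  "agency-administrator": ["admin-users", "project-add", "project-edit", "project-view",
    "property-add", "property-edit", "property-view", "sensitive-view"],
};

// A subset of the Roles table on this page (role name -> directly assigned claims).
const ROLES: Record<string, Claim[]> = {
  "System Administrator": ["system-administrator"],
  "Real Estate Analyst": ["project-add", "project-delete", "project-edit", "project-view",
    "property-edit", "property-view", "property-delete", "property-add", "sensitive-view"],
  "SRES Financial Reporter": ["reports-view", "reports-spl"],
};

// Transitive expansion: system-administrator -> agency-administrator -> sensitive-view, etc.
// The visited set guards against cycles should a composite ever reference itself.
function effectiveClaims(roles: string[]): Set<Claim> {
  const out = new Set<Claim>();
  const stack: Claim[] = [];
  for (const r of roles) stack.push(...(ROLES[r] ?? []));
  while (stack.length > 0) {
    const c = stack.pop() as Claim;
    if (out.has(c)) continue;
    out.add(c);
    for (const child of COMPOSITE[c] ?? []) stack.push(child);
  }
  return out;
}

// Shapes are assumptions for this example, not PIMS entities. A user of a parent
// agency viewing a sub-agency property is treated as "same agency" by the caller.
interface Property { agencyId: string; isSensitive: boolean; }
interface User { agencyId: string; roles: string[]; }

function canViewProperty(user: User, prop: Property): boolean {
  const claims = effectiveClaims(user.roles);
  const sameAgency = user.agencyId === prop.agencyId;
  // property-view covers the user's own agency; admin-properties covers other agencies.
  const baseView = sameAgency ? claims.has("property-view") : claims.has("admin-properties");
  if (!baseView) return false;
  // Sensitive rows additionally require sensitive-view, whichever path granted view.
  return !prop.isSensitive || claims.has("sensitive-view");
}
```

Note that a System Administrator reaches sensitive-view only through the agency-administrator composite, which is why the expansion must be transitive rather than one level deep.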

Technology

  • MS SQL Server 2019
  • Linux
  • Docker
  • OpenShift

IM/IT Standards

Appropriate Use

1.2 Guidelines on the Use of Open Source Software

All software, frameworks and tools used and built by or for PIMS are presently Open Source. PIMS is built under the Apache 2.0 license.

1.3 Electronic Signatures Guide

Presently PIMS does not provide any electronic signatures. All signatures are provided externally through standard/historical processes.

Software Development

2.1 Development Standards for Information Systems

All requirements and constraints are documented in the following locations: Jira, Confluence and Git. All documentation is visible and reviewed through Scrum Project Management processes and peer reviewed through Pull Requests within Git. All requirements and constraints are approved through Scrum Project Management processes (i.e. Backlog Refinement, Sprint Planning).

Testing is performed through the following: Manual Developer Testing, Manual QA Testing, Automated unit tests, Automated integration tests, UAT Testing, SonarQube analysis, ZAP analysis and Code Coverage Reporting.

All Open Source Development practices are adhered to.

2.2 REST API Development Standard

The PIMS API is a RESTful implementation. It is accessible externally but requires IDIR or BCeID authentication via OAuth 2.0. All HTTP methods are applied appropriately. URLs only identify a single resource type. Presently PIMS only supports one output format (JSON). Error messages are always returned in a standard JSON format and only contain appropriate information. The API is versioned and all URLs adhere to their version.

  • Metadata is NOT included in a variable in the response.

Information Management

3.1 Data Administration Standard

All data within PIMS is currently hosted within the API database. The Data Model is expressed in the following ERD. The entities that compose the database are designed through Code-First modeling provided by Entity Framework Core (EF Core), and can be found within the Data Access Layer (DAL) source. All access to the database is managed by the DAL, which applies security through the aforementioned Claim-based Identity.

PIMS is intended to be a shared resource between all agencies/ministries to maintain an inventory of property for the purpose of disposal and acquisition.

3.4 Physical Address & Geocoding

As PIMS is a property inventory, physical addresses of properties are stored. Additionally, GIS latitude and longitude coordinates are captured and stored within the database.

3.5 Date & Time

All dates and times are stored as UTC within the database.

Identity Management

4.2 BCeID

Authentication is performed by SiteMinder and allows for BCeID access.

4.4 Identity Assurance Standard

PIMS uses a Claim-based Identity architecture. Claims are applied to authenticated users through the application of roles.

IT Security

6.14 Application & Web Development & Deployment

PIMS has been designed and developed with the latest stable released software, frameworks and tools (.NET Core 3.1, React 16.12.0, MS SQL Server 2019). GitHub and Snyk provide regular scans for vulnerabilities found within dependencies and submit regular Pull Requests (PRs). During development every effort is made to upgrade and maintain dependencies with tight version controls.

Known Weakness

  • Presently the only known vulnerability is the inherent lack of anti-forgery tokens for Open APIs. There are architectural design patterns that can be applied, but they will require additional effort. It should be noted that most, if not all, Open APIs do not apply anti-forgery tokens.

6.16 Database Security Standard for Information Protection (DSSIP)

Direct access to the database and its host container is only possible through access to the appropriate OpenShift Project. Additionally, access to the PIMS database is only possible with the appropriate account and secret, which are generated and only visible within OpenShift. Databases are backed up on a regular schedule (i.e. nightly). Access to specific data within the database is managed externally through a Claim-based Identity architecture enforced by the DAL.