As Acquire is a web-based application, security matters have always been given a high level of detailed consideration. The application’s whole design framework has been built around a secure software model and Acquire offers an unprecedented level of security straight out of the box.
The security of Acquire has already been scrutinized by the IT departments of many of the major oil companies and has always passed with flying colours.
Although it utilises web technology, Acquire is primarily designed to run on a corporate intranet and not the public Internet. Corporate intranets are already secured by the company’s IT department to stop unauthorised access from third parties.
However, even if Acquire is deployed on the public Internet it will still maintain a high level of security. The inbuilt security technologies are designed to block unauthorised access and fend off all known Internet attacks.
Acquire has 256-bit SSL encryption built into the web server. This encrypts all data sent between the web browser and the Acquire server to prevent anyone from listening in to communications as data travels across the network.
The SSL certificate also identifies the server to prevent ‘man in the middle’ style attacks.
Acquire uses digest authentication to secure the login process:
When a user connects to Acquire with their web browser, the initial request is deliberately rejected by the server. This rejection causes the server to send its public key to the browser, and the user is prompted for their user name and password. The login details are then encrypted using the server’s public key and sent back to the server; only the Acquire server can decrypt the browser’s request. Once the details have been authenticated the user will be granted access to the system.
Once the user is logged in, every subsequent request made for data is accompanied by their digest login. This allows Acquire to track the user while they use the system and to ensure that they can only use information and features that they have been granted access to.
Acquire includes a built-in user database that works in conjunction with the digest authentication. Each user can be configured with individual security settings, restricting access to functionality such as opening valves, starting proves, or making changes to set points and other variables in the flow computer.
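The reject-then-challenge login, the per-request credential check and the per-user restrictions described above, as an added sketch that is not Acquire's own code. It assumes standard HTTP Digest (RFC 7616, SHA-256, qop=auth); the realm, users, passwords and action names are constructed.

```python
import hashlib
import hmac
import secrets

REALM = "acquire-demo"  # constructed realm name


def h(*parts):
    """SHA-256 over colon-joined fields, as RFC 7616 defines H()."""
    return hashlib.sha256(":".join(parts).encode()).hexdigest()


# Constructed user database: user -> (HA1 = H(user:realm:password), allowed actions)
USERS = {
    "operator": (h("operator", REALM, "s3cret"), {"view"}),
    "engineer": (h("engineer", REALM, "pr0ver"), {"view", "open_valve"}),
}
NONCES = {}  # server nonce -> highest nonce-count accepted (replay guard)


def challenge():
    """Parameters of the 401 sent when a request carries no credentials."""
    nonce = secrets.token_hex(16)
    NONCES[nonce] = 0
    return {"realm": REALM, "nonce": nonce, "qop": "auth", "algorithm": "SHA-256"}


def client_response(user, password, method, uri, chal, nc):
    """Browser side: proves knowledge of the password without sending it."""
    cnonce, ncs = secrets.token_hex(8), f"{nc:08x}"
    ha1, ha2 = h(user, chal["realm"], password), h(method, uri)
    return {"username": user, "nonce": chal["nonce"], "uri": uri, "nc": ncs,
            "cnonce": cnonce,
            "response": h(ha1, chal["nonce"], ncs, cnonce, "auth", ha2)}


def authorize(method, uri, creds, action):
    """Server side, run on every request: 401 re-challenge, 403 denied, 200 ok."""
    if creds is None or creds["nonce"] not in NONCES or creds["username"] not in USERS:
        return 401
    nc = int(creds["nc"], 16)
    if creds["uri"] != uri or nc <= NONCES[creds["nonce"]]:
        return 401  # wrong target or replayed nonce-count
    ha1, allowed = USERS[creds["username"]]
    expected = h(ha1, creds["nonce"], creds["nc"], creds["cnonce"], "auth", h(method, uri))
    if not hmac.compare_digest(expected, creds["response"]):
        return 401
    NONCES[creds["nonce"]] = nc
    return 200 if action in allowed else 403
```

A captured request cannot be reused because the server only accepts a nonce-count higher than the last one it saw for that nonce.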
Most other web application approaches use third-party web servers such as Apache or Microsoft IIS. The third-party servers must be linked to a back-end database engine using a piece of software called ‘middleware’ and all of this is generally tied in closely with the operating system. As this approach relies on general-purpose products the integration can be complex and often requires expert knowledge to lock it down properly. Serious vulnerabilities can develop if this is not done correctly.
Acquire is different. The web server is purpose-made and tightly integrated into the application, making it secure straight out of the box. Everything Acquire needs – from the user interface to editors, database, web server and Modbus engine – is included in the application so it does not rely on the operating system for any service and there is nothing extra to secure. Furthermore, because Acquire is completely independent of the operating system, the operating system can be completely locked down and hidden behind a firewall.
The web server module is the only Internet-facing aspect of Acquire. A single HTTP port provides the entire user interface and the port is heavily regulated; incoming traffic has to pass the security checks detailed above before it is allowed access to the database. Acquire monitors every request to ensure that it is valid and authorised.