Auto-Steward Security and Authentication


Verato Auto-Steward is a cloud-based software-as-a-service (SaaS) product, available via Verato’s Match Web Service. As such, Verato must expose web services to our clients in a manner that is both convenient for consumption and secure to the highest standards, given the sensitive nature of the identity information that is transmitted via the web services.

To ensure security, Verato uses multiple factors for authentication and multiple layers of security. The layers are, in order:

  • Verato only accepts incoming web service requests through our firewall from pre-approved client IP addresses that we have added to an allowed list.

  • Web service requests that pass through the IP allowed list are then further checked using Mutual TLS Authentication – the client and server perform a handshake with each other using public key cryptography. In this handshake, the client and server exchange keys with each other to confirm that each side trusts the other side. This serves as an additional authentication layer and it also encrypts the communication between the client and server.

  • Lastly, each web service interaction requires a username and password; web service interactions will fail without a valid username and password.

Another possible element of security is adding the IP to an allowed list on the client side. The client’s firewall may also have a list of allowed IP addresses or URLs to restrict which outgoing requests are allowed through.

The TLS protocol is the most up-to-date evolution of the SSL protocol. Many people use the terms SSL and TLS interchangeably because they convey the same concept. Some elements or steps of Mutual TLS Authentication may still use the term SSL (such as “SSL handshake”), but we use the term TLS here because Verato only supports the recent versions of TLS that are considered secure (TLS versions 1.1 and higher). Past SSL versions (SSL versions 1.0, 2.0, and 3.0, which are predecessors to TLS versions 1.0, 1.1, and 1.2), along with TLS version 1.0, are known to have security vulnerabilities.
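The three layers described above, applied in order, as an added Python sketch that is not Verato's code: it shows which setting on each side makes the TLS handshake mutual and how each layer fails closed. Assumptions: every function name, the sample networks and account are constructed; the TLS 1.2 floor is a choice inside the supported range; the PBKDF2 password store is illustrative; `mtls_ok` stands in for the handshake result.

```python
import hashlib
import hmac
import ipaddress
import ssl

# Constructed sample data: documentation-range networks and a made-up account.
ALLOWED = [ipaddress.ip_network(n) for n in ("203.0.113.0/28", "198.51.100.7/32")]
SALT = b"constructed-salt"
USERS = {"svc-client": hashlib.pbkdf2_hmac("sha256", b"s3cret-example", SALT, 100_000)}

def ip_allowed(peer_ip):
    """Layer 1: source address must fall inside a pre-approved network."""
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False  # an unparseable address fails closed
    return any(addr in net for net in ALLOWED)

def server_context(cert=None, key=None, client_ca=None):
    """Layer 2, server side: demanding a client certificate makes TLS mutual."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # assumed floor for this example
    ctx.verify_mode = ssl.CERT_REQUIRED  # handshake aborts without a trusted client cert
    if cert:
        ctx.load_cert_chain(cert, key)
    if client_ca:
        ctx.load_verify_locations(cafile=client_ca)
    return ctx

def client_context(cert=None, key=None, server_ca=None):
    """Layer 2, client side: verify the server and present the client's own cert."""
    ctx = ssl.create_default_context(cafile=server_ca)  # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if cert:
        ctx.load_cert_chain(cert, key)
    return ctx

def credentials_ok(user, password):
    """Layer 3: constant-time comparison against a stored password hash."""
    stored = USERS.get(user, b"\x00" * 32)
    given = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)
    return hmac.compare_digest(stored, given) and user in USERS

def gate(peer_ip, mtls_ok, user, password):
    """Apply the layers in the documented order; return the first one that rejects."""
    if not ip_allowed(peer_ip):
        return "ip"
    if not mtls_ok:
        return "mtls"
    return "ok" if credentials_ok(user, password) else "credentials"
```

Pass real certificate, key and CA file paths to the two context builders to use them on a socket; called without arguments they only build the policy.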