Improve the System Security

System Security is a topic not only for system architects and tech leads. The Business analyst shall consider the system security in the requirements as well. Be prepared for technical discussions and be prepared to describe the security requirements.

• Protect the data stored. The malicious user could steal data directly from the data source. It is up to the DB admin mostly to setup security rules for the DataBase. The Business analyst may specify additional rules to be applied, for example to specific columns only. A field shall be stored in an encrypted way for example. So the requirements shall contain the encryption algorithm and how to maintain the encryption key – who can configure it and how. In many cases those requirements follow regulatory rules – the role of the Business analyst is to apply those rules in the context of the system.
• Protect the data processed. Each functionality shall be accessed by specific user roles only – this is the so called user authorization. In other words we authorize a user role to access a piece of functionality. In regards to system integration, the functionality might be the service or the method itself. The user roles in that case could correspond to real persons or rather to technical accounts, meaning an account for the client system.
• Protect the data exchanged. The malicious user could potentially sniff the traffic between the client and the server systems. There are several ways to encrypt the traffic. One common approach is to use HTTPS. This means that the HTTP packets are transmitted over an encrypted SSL connection. The server side installs a X.509 certificate. That way it proves that this is really the right server, but also the private/public key pair is used for encrypting the connection.