August 21, 2017

Making your collaboration and messaging app enterprise ready with sensitivity.io

Developers often struggle to bring their applications to the next level by making them enterprise-ready and so break into the lucrative big business market. Oftentimes this is a question of app security: the need to make sure confidential information is kept private and there is no danger of data leakage. sensitivity.io offers cybersecurity APIs for Cloud, Apps, and Services that inject security and compliance policies into the core of apps and help them achieve unmatched sensitive data visibility and compliance, bringing them closer to enterprise-readiness.

One of the many types of applications sensitivity.io can be integrated into is workstream collaboration and messaging apps. A common feature in most companies nowadays, messaging and workstream collaboration apps have become necessary for a smooth-running, more efficient way for employees to share information, work together and keep each other up to date with projects and clients. But just how easy is it to integrate sensitivity.io APIs into such an application? Let’s find out!

Mattermost + sensitivity.io

Let’s take Mattermost, a sleek Slack-compatible open source service that makes it easy to self-host team communications. It brings messaging and file sharing into one place, is accessible across PCs and mobile and comes with archiving and search features. It integrates with a range of out-of-the-box apps and is extendable so you can build custom functionalities on top of the Go (golang)/ React core.

Our goal was to integrate cybersecurity features into Mattermost to manage Intellectual Property and Personally Identifiable Information (PII) and to address regulations like PCI DSS, GDPR, HIPAA and others, while making sure workstream collaboration, communication, and productivity were unaffected. On top of showcasing sensitivity.io’s scanning and classification engine, we also wanted to show how easily you can implement DLP and remediation features in virtually any application that integrates our API.

Why messaging and workstream collaboration apps?

We love Go here at sensitivity.io. We use it in production as the primary development language for everything related to web APIs, websites, automation tools, tests and benchmarks. We chose it because we run our own Cloud-based API and SaaS for Data Storage Services that handles massive amounts of data from both Applications and Cloud Storage providers (Box, Dropbox, etc.) resulting in dozens of concurrent requests per second and the need for real-time data analysis.

We’ve also been successfully using Mattermost internally for a few years now and it has served our needs very well. It’s a messaging and workstream collaboration tool that we could freely use in-house without having to resort to more commercial communication tools that we have no control over. What this great chat app lacks though is security features: data protection, remediation actions for sensitive data and hiding of confidential information. To us, this seemed like one of the biggest issues standing in the way of enterprise adoption of open-source tools like Mattermost, so we aimed to improve it.

Posting company credit card numbers inside a chat room seems like a bad idea to begin with, and while some might dismiss it outright as an unlikely event, countless data leaks testify to the contrary. Mistakes happen: imagine you copied 100 credit card numbers to your clipboard from your invoicing software, then moved to chat with your colleagues on a public channel, accidentally pasted the entire clipboard there and pressed send before realizing what had happened. Or worse, it could happen on the contractors and partners channels. All it takes is one moment of carelessness and the push of a button and your sensitive data is compromised.

How we did it

Mattermost offers great integration for posts and files through its web-based API or webhooks, but we felt that this was not ideal, nor efficient enough for our use case, as we would have had to create an additional service that would inspect the messages and files posted by members. A different approach was needed, and since we knew that GitHub hosts Mattermost’s source code, we turned to that.

Finding out it was written in Go made our job extremely easy since we already had a Go SDK for sensitivity.io. The Go changes in Mattermost to add sensitivity.io were finished in less than a day by our Go engineers. The UI, on the other hand, turned out to be a totally different story, as nobody in our team had used React before. We thought of contracting it out, but it took us just a couple of hours to figure things out and make it work the way we needed it to. Some of the settings on the configuration page under the System Console appear there only as proof of concept for the sort of actions you can add to manage your sensitive data. The Data Scanner, Protection Profiles and Service API menus, however, are all functional.

Details of installing sensitivity.io C API

Our powerful scanning engine is written in C++, which helped us create complete cross-platform system APIs that customers can use on Windows, Mac, Linux, iOS and Android. It’s also lightweight, requiring under 5 MB of additional space on most operating systems. We offer a pre-built C binding, which makes our API very easy to integrate with Go, Python, PHP etc. We also support native Java, C, C++, .Net/C#, Objective-C/Swift or Java Android with our official SDKs.

For the demo application, we chose CentOS 7, so we installed the RPM packages available for download on our Control Panel. After that, we hooked into the Post and Files code and, based on the settings in the System Console, we scanned and identified threats inside posted messages and uploaded files.

sensitivity.io Configuration Options inside Mattermost System Console

There are lots of settings you can configure: you can set a threshold so the scanner stops after the first threat or after a specified number of threats are identified, and you can mask found results so they don’t get logged in plain text. The most important configuration, however, is found under the Protection Profile page. Through it, you can easily instruct the scanning engine to identify Social Security Numbers, Credit Card Numbers, other Personally Identifiable Information or your custom dictionary of confidential and sensitive terms, depending on what is most relevant to you or to a company’s policies.

We added some extras under the Found Threats page. This is the place where you can select remediation actions like Block, Report, Block & Report, or you can simply allow the posting of sensitive data if the user provides a justification for it. You can also set up an email address that will receive reports when sensitive data is being posted. Other useful actions include encrypting uploaded files that contain credit card numbers or personally identifiable information, while leaving documents that contain no confidential information untouched. Files can also be quarantined until further actions are allowed by a manager or auditor.
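To illustrate the post-scanning flow and the Found Threats policy described in the two sections above, here is an added Go example (not sensitivity.io’s SDK and not Mattermost’s code): it detects Luhn-valid card numbers in a message, honours a stop-after-N threshold, keeps only masked values so findings are safe to log or report, and lets a user-supplied justification override the block. The pattern, the function names and the policy strings are all hypothetical.

```go
package main

import (
	"regexp"
	"strings"
)

// Constructed pattern for 13-19 digit card numbers with optional space or dash separators.
var cardRe = regexp.MustCompile(`\b(?:\d[ -]?){12,18}\d\b`)
// Threat keeps only the masked number so a finding is safe to log or e-mail in a report.
type Threat struct{ Masked string }

// luhnValid reports whether a digit string passes the Luhn checksum used by payment cards.
func luhnValid(digits string) bool {
	sum := 0
	for i, double := len(digits)-1, false; i >= 0; i, double = i-1, !double {
		d := int(digits[i] - '0')
		if double {
			d = d*2/10 + d*2%10 // doubled digit, with both digits of a two-digit result added
		}
		sum += d
	}
	return sum%10 == 0
}

// ScanPost finds Luhn-valid card numbers in a message; maxThreats > 0 stops after that many hits.
func ScanPost(text string, maxThreats int) []Threat {
	var found []Threat
	for _, m := range cardRe.FindAllString(text, -1) {
		digits := strings.NewReplacer(" ", "", "-", "").Replace(m)
		if !luhnValid(digits) {
			continue // a digit run that is not a real card number
		}
		found = append(found, Threat{strings.Repeat("*", len(digits)-4) + digits[len(digits)-4:]})
		if maxThreats > 0 && len(found) >= maxThreats {
			break
		}
	}
	return found
}

// Decide mirrors a Found Threats policy: clean or justified posts pass, the rest are blocked and reported.
func Decide(threats []Threat, justification string) string {
	if len(threats) == 0 || justification != "" {
		return "allow"
	}
	return "block-and-report"
}
```

In a real hook, ScanPost would run on the post body before it is persisted, and the masked values in the returned threats are what should go into the report e-mail, never the original text.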

Try our Live Demo

Stay tuned for more integrations and demo apps as we plan to cover at least a dozen of them, just because it’s fun, easy and takes almost no time at all! All you need is a day to add such extraordinary Cybersecurity and DLP-like features inside your apps, services or infrastructure and to us, that is time well spent!

If you have a specific scenario in mind and want to know if it’s possible with our SDKs and APIs, feel free to drop us an e-mail at team[at]sensitivity.io. We will be happy to offer additional information.

Ovidiu CICAL
Ovidiu is a cybersecurity enthusiast with over 10 years of experience in the field of information technology, working with various programming languages and technologies.

In his free time, he enjoys giving back to the information security community acting as a board member of the Open Web Application Security Project (OWASP)’s branch in Cluj-Napoca.