RTM Security Considerations
In creating an integration between the ColdTrace and OpenLMIS systems, certain data and network security considerations come up. The purpose of this page is to identify and document any security issues or needs that we anticipate will be related to integration between these two systems, or to more general integration with other RTM systems. This page can also include information on security best practices to build into our work.
This is an initial list, to be filled in as work progresses.
What is the data exchanged:
LMIS -> RTM system
Facilities
Equipment
RTM System -> LMIS
Equipment notification
Standard risks:
Unauthorized access to facility/equipment records
Unauthorized access to notification data
Corruption/deletion of facility/equipment records
Spoofed notification data to LMIS system
Snooping on data exchanged in both directions
How are risks mitigated
SSL
RTM System
Inputs to notification are temperature data and rules which define the notifications. Only Nexleaf Staff can modify/edit these. In the future we may allow managing users to edit the rules for the notifications.
Facility and equipment data is access controlled.
Key exchanged for API access
If LMIS wants, we can add a message authentication code (HMAC, etc.)
LMIS
@Josh Zamor (Deactivated) ... please fill in here.
Is facility and equipment data access controlled?
Is access to notification data access controlled?
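The message authentication code option listed under RTM System, as an added example that is neither ColdTrace nor OpenLMIS code: the RTM side tags each equipment notification with HMAC-SHA256 under the exchanged API key, and the LMIS side rejects altered, wrongly keyed or stale messages, which addresses the spoofed notification risk. The envelope layout, field names, demo key and five-minute freshness window are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import time

MAX_SKEW_SECONDS = 300  # assumed freshness window; limits replay of captured messages


def _tag(key: bytes, timestamp: int, body: str) -> str:
    # The MAC covers the timestamp and the exact body text that is transmitted.
    return hmac.new(key, f"{timestamp}.{body}".encode(), hashlib.sha256).hexdigest()


def sign_notification(key: bytes, payload: dict, timestamp=None) -> dict:
    """RTM side: wrap a notification in an envelope carrying an HMAC-SHA256 tag."""
    timestamp = int(time.time()) if timestamp is None else timestamp
    body = json.dumps(payload, sort_keys=True)
    return {"timestamp": timestamp, "body": body, "mac": _tag(key, timestamp, body)}


def verify_notification(key: bytes, envelope: dict, now=None) -> dict:
    """LMIS side: return the payload, or raise ValueError if it cannot be trusted."""
    now = int(time.time()) if now is None else now
    try:
        timestamp = int(envelope["timestamp"])
        body, mac = str(envelope["body"]), str(envelope["mac"])
    except (KeyError, TypeError, ValueError):
        raise ValueError("malformed envelope")
    # Constant-time comparison, done before the body is parsed or acted on.
    if not hmac.compare_digest(_tag(key, timestamp, body).encode(), mac.encode()):
        raise ValueError("bad MAC")
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        raise ValueError("stale notification")
    return json.loads(body)


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed; a real key comes from the key exchange
    sample = {"equipment_id": "fridge-01", "alert": "temperature_high"}  # constructed
    env = sign_notification(key, sample)
    print(verify_notification(key, env))
    env["body"] = env["body"].replace("temperature_high", "ok")  # altered in transit
    try:
        verify_notification(key, env)
    except ValueError as exc:
        print("rejected:", exc)
```

Sending the body as the exact string that was signed avoids any disagreement between the two systems over JSON re-serialisation.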