Categories
Blogs communications consulting Invotra Solutions

Keri Harrowven joins Invuse as Communications Implementation Consultant

Invuse – the new name for Invotra Consulting – has added to its team of consultants with Keri Harrowven, a Communications Implementation Consultant. Keri will work with new and existing customers to transform and deliver internal communications platforms that focus on business and user needs in a time where remote working is the new norm.

Keri brings 20 years of intranet, communications and knowledge management, with a strong background in agile development, delivering creative communications solutions and creating outstanding digital user experiences.

"We are delighted to welcome Keri into our team. We've known Keri for many years now and feel that her knowledge and experience in helping customers identify and overcome their communications challenges, will really strengthen the team and what we can offer new and existing customers."

Invuse – the new name for Invotra Consulting – focuses on helping organisations with their internal communications strategies to enhance and deliver digital platforms that are designed with end users and data analytics at the core.

Invotra Group has spent over 5 years working with enterprise organisations ranging from 35 – 90,000+ employees, each having complex requirements and the need to constantly adapt and change. The structure of our services means organisations can look to Invuse for support at any stage of their project(s) for assistance, from discovery and research to support and maintenance.

Categories
Blogs Data Migration Javascript Security Solutions

Using AWS Cognito and API Gateway to Authenticate

Following on from my previous blog on ‘How to use APIs to build Javascript Apps’ I’m going to look at how we can use three of Amazon’s AWS services – Cognito, API Gateway and Lambda – to host, manage and authenticate access to a simple JavaScript REST API.

Authentication is the process of determining the identity of an entity, to verify that they are who they say they are. Cognito uses JSON Web Tokens (JWT), which I’ve covered in this previous blog, as the standard for representing claims securely between two parties. A claim is a name-value pair carrying a piece of information about the subject that the server or service holds to be true.

We are going to use Amazon’s Cognito service to manage user authentication to the REST API. The AWS Cognito service provides user sign-up, sign-in and access control, and Cognito User Pools provide a secure directory service that scales to manage millions of users.

[Diagram: the steps a user must take to access the protected REST API]

The diagram above shows the steps a user must take, in order to be able to access the protected REST API.

1. As the REST API is protected by access control, the user first needs to obtain a valid JWT. The first step of this process is for the user to log in to Cognito using their username and password.

2. Cognito then verifies that the user is who they say they are, by checking that the username and password provided match what’s in the User Pool.

Once the user authentication has been validated by Cognito, it generates and signs three separate JWTs:

– an ID Token, which contains claims about the identity of the authenticated user such as name, email and phone_number;

– an Access Token, which contains scopes and groups and is used to grant access to authorized resources;

– a Refresh Token, which contains the information necessary to obtain a new ID or access token.

In Cognito you are able to define the claims that you want the JWT to contain.


3. The user next makes the REST API HTTP request to the API Gateway service, which can be hosted on a different domain, passing the JWT Access Token in the Authorization header of the request. API Gateway has a lot of different features, but at its core it routes requests to a defined backend. In this case that backend will be the test Lambda function we’ve set up.


4. The API Gateway has been configured to use a specified Cognito User Pool to handle the authorisation, as you can see in the image below.

[Image: API Gateway configuration for a specific User Pool]

When a request is received, the API Gateway first checks that the request contains the ‘Authorization’ header and then unpacks the JWT Access Token (the part after the preceding ‘Bearer ’ string) by Base64url-decoding its three dot-separated segments into two JSON strings, the header and the payload, plus a signature.

The API Gateway next retrieves the Cognito User Pool’s public key. Amazon Cognito generates an RSA key pair for each user pool, and the private key of that pair is used to sign the JWT when it is created. The corresponding public keys are published as a JSON Web Key Set at:

https://cognito-idp.{region}.amazonaws.com/{userPoolId}/.well-known/jwks.json

If the JWT is valid then the request is allowed to proceed to the next stage.

5. The API Gateway passes the request on to the configured backend. In this case it’s our simple Lambda function:


6. The response from the REST API is then passed back to the API Gateway.

7. As the final stage, the REST API response is sent back to the requesting client.

This has been an overview on how to apply access control to your REST API using AWS’s Cognito, API Gateway and Lambda Services.

Categories
Blogs Data Migration Javascript Security Solutions

How to make your website cookie compliant

Recent research by Colin Stenning showed 37.78% of local government websites did not provide users with the means to enable or disable non-essential cookies or failed to make it easy to configure them.

Those responsible for creating, managing and maintaining a website must meet the requirements set out by the General Data Protection Regulation and the UK Data Protection Act 2018 to be cookie compliant.

All websites have to meet these requirements, but users face a variety of confusing and often frustrating pop-ups, banners, buttons and barriers to website entry and cookie acceptance or rejection.

If website administrators can’t provide straightforward, recognisable options, then expecting website users to understand their rights and what cookies actually mean for them is difficult.

The responsibility to meet the requirements can be overwhelming. Despite being responsible for policing the rules on cookies, the ICO itself has admitted to failing to meet its own rules at first. It is also worth noting that following the UK’s exit from the European Union the General Data Protection Regulation will no longer apply directly. Although much of the legislation will be merged into the UK Data Protection Act 2018, new legislation in 2021 is highly likely. Even if a website is compliant now, changes are likely, so dealing with website cookies is an ongoing process.

What is a cookie?

Each time a website is accessed, a cookie, which is a small text file, is downloaded onto the user’s device: their computer, tablet or smartphone.

The cookie can be either a session cookie, which is temporary and expires when the browser closes, or a persistent cookie, which stays on the user’s device until the user or the browser erases it, depending on the cookie’s expiration date (which should be no more than 12 months away).

Where do cookies come from?

Websites put cookies onto devices themselves, enabling users to use their features securely. These are often essential and necessary cookies, and websites do not need your permission to add these, as use of their site would be impossible without them.

However, many additional cookies, such as functional cookies or marketing cookies, may come from third parties such as advertising or analytics providers. These cookies must be declared, and permission given by the user, before they are installed.

Why are websites still failing to meet the requirements?

Most websites provide information about the presence of cookies, but vary in how effectively cookie compliance is implemented. As previously mentioned, Colin Stenning’s research into local government websites revealed that although 98.04% of their public-facing websites explain what the cookies are doing and why, only 37.78% made sure users had the means to enable or disable non-essential cookies and made it easy to do so.

It is not acceptable to assume that website users will take it upon themselves to understand and access your cookie policy and find out how to change their settings. To be fully compliant, a website has to provide this information in an easy to access and completely transparent way.

How do I make sure I have cookie compliance?

You need to ensure that you have explicit consent from all of your users and that you observe their rights to data. The strict rules of compliance are that websites:

  • Do not use any but strictly necessary cookies without users’ consent.

  • List and explain the purpose of the data each cookie tracks.

  • Keep a record of all users’ consent.

  • Allow access to your service even if users refuse cookies.

  • Make it easy for users to withdraw consent.

There are some straightforward steps everyone can take to be compliant. Webtoffee is a great example of a plugin that ensures you capture all cookies and can efficiently block these cookies if the user elects to reject them.

A whole host of companies offer the help you may need to ensure you can request, act on and store cookie consent data. Check that any plugin or solution you use allows you to:

  • Scan and track all cookies used on your site. This needs to be redone regularly to keep up-to-date.

  • Produce a cookie report listing all cookies, which automatically updates. This can be used as the Cookie policy for your site and a link should be included in your cookie consent banner.

  • Customise a cookie consent banner. This needs to show users they can accept, reject and access a list of all cookies, in categories so users can opt in and out of specific cookie types.

  • Ensure you securely store data from users who have consented.

  • Provide the users with the option to renew their consent annually.

  • Allow users to withdraw or alter their consent easily at any point in their user journey.

Using a plugin facilitates all of the requirements you need to meet, but it is the responsibility of every organisation to make sure each of the steps to full compliance is completed efficiently.

Why is it vital to be cookie compliant?

In the current climate, data breaches cost companies on average $3.86 million per breach, with 80% of this attributed to breaches of personally identifiable information, according to a report by Juniper Research. It is expected that globally this figure will rise to $5 trillion by the year 2024.

Data breaches are serious business, and organisations should do everything they can not only to educate themselves but also to embed data protection into their everyday culture.

Being “cookie compliant” is one step organisations can take to minimise the number of breaches they might suffer through poor data protection.

By ensuring that visitors know what data is collected, why it is collected and how long it is stored for, they can make positive steps in the right direction to protect all data.

For more information, feel free to talk to us

Categories
Blogs communications consulting design Solutions

5 technical considerations when designing or procuring a new platform

Driving digital transformation can prove to be a challenging exercise with the vast number of options available. How do you choose a platform which aligns with your digital strategy and ecosystem?

The short answer is it completely depends on your strategy. Nonetheless, there are 5 considerations that should be reviewed whenever you design or procure a new platform.

Buy vs build

One of the first considerations for procuring a new platform is whether to build a bespoke solution in-house, buy one off the shelf, or go down the SaaS route.

There are advantages to each approach, but the main questions to answer are:

  • What problem are you trying to solve, and is there an out of the box solution/service which already solves it?
  • What are the associated costs?
  • When does the solution need to be delivered?

The last two points are notoriously difficult to get right if you plan on building a solution. Off-the-shelf and SaaS solutions commonly offer a transparent and fixed cost, or at least a predictable cost in terms of the latter, and are much faster to deploy and roll out to the wider business. The main trade-off here is less control over the application.

Data management & Integration

There’s nothing worse than having to manage the same data across multiple applications. In an ideal scenario, applications should only be concerned with the data they need to function, and any data that needs to be shared across applications should be managed between those applications to avoid duplication and a management overhead nightmare.

APIs can help alleviate this problem and help avoid reinventing the wheel by encouraging integration between applications in favour of rebuilding.

When deciding on a platform, consider:

  • What data needs to be shared between this application and existing applications?
  • What are the available options for managing data externally?
  • What APIs are available?
  • Would it be easier to integrate with certain parts of the application rather than replacing everything?

For example, if you need users to be able to authenticate against the application, you can automate the provisioning and de-provisioning process. This may come with an initial setup cost but will save a lot of manual intervention in the future.

Analytics

This is somewhat related to the previous point. Generally speaking, the more data that is available over APIs, the more analytics can be gathered to help drive insights. This isn’t just related to APIs: there are plenty of other tools, such as Google Analytics and Matomo, which provide a different set of analytical tools driven by the web traffic to the platform.

To be clear on the definitions:

Data: Information within the platform
Analytics: Discovering patterns and trends from that data
Insights: Obtaining value from those analytics to drive improvements throughout the organisation

The main considerations here are:

  • What analytics tools are available? (e.g. Google Analytics)
  • Outside of analytics tools, what is the availability of data which could be extracted by other means? (e.g. APIs, CSV extracts)

Analytics tools can help you answer many of the questions you face, to name a few:

  • Which areas of the platform are most popular?
  • How many users are using the platform on a regular basis?
  • Are there any parts of the platform which are redundant and need rethinking or removing?
  • Where should we be focussing our energy with the platform in question?
  • What devices are users using to access the platform?
  • What time are users accessing different types of data?

Cross-platform support

Cross-platform support is basically a guarantee nowadays, especially with web applications. It’s easier than ever before to support working from mobile and tablet devices as well as a desktop.

More and more users expect this level of support from applications, whether that be to just check their calendar on their daily commute or to completely switch to a smaller device for certain types of work just based on preference.

Choosing a platform that enables this flexible approach to work will provide a better experience for end-users. Pair this with analytics and it will be easy to see which types of work are most popular with different platforms, and where to optimise certain areas of the platform.

Security & updates

Last but definitely not least, security. With cyber-attacks constantly on the rise, it’s crucial to make sure that your users and information are safe. As attacks evolve and become more advanced, so do the methods used to prevent them. Information security needs to be continuously monitored and managed, which in itself is a story for a separate blog. When specifically talking about securing a platform, one of the most common considerations is how to keep the platform as up-to-date as possible without disrupting other workflows.

This is one of the reasons SaaS models have become so popular. Updates (not necessarily security-related) and maintenance are handled by the supplier, often without any disruption, allowing you to focus on your users.

Talk to us

If we can support you with designing or procuring a new platform, or you’d simply like to learn more, please get in touch.