Meh. We can work out some solution ourselves. There’s plenty of experience in my team. But there are decisions that need to be made to allow some outside access to what’s just an internal project. We want to get around the need of VPN servers for access.
I’m dealing with layers of networks around data, with each layer adding more security. (Most of it sensitive financial data.)
Adding additional professionals to this project would include multiple NDAs and background checks and a lot of hassle.
The biggest problem I have is that no external connection will be allowed for the Web API so we can’t even set up a remote environment for these Professional Services. Only external access would be to the website, which needs to be secure on both sides. Yet the site cannot save any data itself… (Except for some configuration settings in the environment.)
Right now, I’m creating a special login that would allow applications access to the API through an API key and their fixed IP address. This is not considered secure enough yet. Thing is, how to make it more secure?