November 26, 2019

The Rhombus API - Enterprise Video Security Without Limits


At Rhombus Systems, we like to think of ourselves as an API-oriented organization. APIs for accessing cameras, APIs for accessing video, APIs for accessing APIs…I think you get the point. This is why defining clear interfaces between systems is hugely advantageous in software development. It leaves no room for ambiguity, removes the need for either side to worry about the other, and makes interactions in the system as simple as possible.

When we exposed APIs to our clients and partners, we exposed the same contracts that we, ourselves, must adhere to. We can hardly tell the difference between our clients and customers since they are all calling the same endpoints. This enables organizations to receive a powerful, easy-to-use, and robust API infrastructure that is much more than some afterthought that you’ll commonly find in traditional video security systems or NVRs.

Is API Access Important to a Video Security System and Why Do I Need It?


To harness the full power of Rhombus Systems!

One question that often comes up with customers is “are you a closed or open system?” Because of our comprehensive API infrastructure, the answer is both! While it’s true that we don’t currently interoperate with other video security systems using traditional standards (ONVIF, RTSP, etc.) – it’s not because we want to lock you into the system, it’s because we would lose control in providing you with a world-class experience. The experience currently provided by other systems in the market is the reason why so many customers have been pushed away from traditional systems in the first place and why we do what we do.

With the Rhombus API, there is nothing even remotely closed about our system. All data, video, reporting, metrics are available at our customers’ fingertips and can be customized to no end. Say you want to store a backup of all videos on a local NAS. Great, simply use our API to pull the footage and save it directly. Maybe you want to incorporate our Face analytics with your timecard software to align sign-ins/outs with the real world? Great, all of the data is easy to pull from our API. For our partners, we provide simple API access to all of your customer accounts, so you no longer need to manage multiple sets of credentials. All you need is just one set of credentials across your entire customer base. This allows for running batch operations, aggregations, and other automation across all of your customers, saving you precious time and money.

At Rhombus, we’ve built the most powerful cloud video security product on the market, but the power of our product only matters if customers can use it. Using the Rhombus API enables your organization to bring your video security system in line with the rest of your IT infrastructure to better improve security and operations.

How Easy Is It to Use the Rhombus API?


So easy!

We use a common API framework called OpenAPI (version 3.0 as of writing this), which makes incorporating the Rhombus API a breeze. There are countless client-side bindings in every language imaginable, which makes including an API client into your codebase as simple as running a single command with our OpenAPI document as an argument.

If you prefer to run from the command line (using wget or cURL), no problem. The API follows a simple JSON over HTTPS convention, making the commands easy to read and understand. We also have an upcoming webhook option, which will post JSON to the HTTPS server of your choice to receive real-time data updates.

How Secure is the Rhombus API?


More secure than any other API you’ve used.

Most other Cloud APIs use a simple character-based key/password for controlling API access. This means if that simple string is ever leaked or intercepted (see next sentence), someone will have full access to your account, which invalidates any other sophisticated controls that may be in place for normal user login. Also, most Cloud APIs rarely enforce/encourage any type of certificate validation, which means that a simple man-in-the-middle attack could easily intercept, see your secret key in plain text, and then spoof any request they want using that info.

The Rhombus API uses the same industry-leading security models that can be found throughout the platform. Namely, a PKI infrastructure, which uses signed and verified client-side certificates, along with a second-factor access key. One of the major advantages of using certificates for authentication is that the private material never leaves your system. Even if a malicious actor were able to man-in-the-middle your traffic (which they won’t, see next sentence), there is nothing in the request that can be used to emulate your account in future requests. And since Rhombus does full client certificate authentication, customers only have to trust our intermediate certificate on their side to effectively thwart man-in-the-middle attacks.

We also strongly recommend that customers do two more things to make the Rhombus API as secure as possible: password protect your private key, and store both the password and the access key separately from the private key. This ensures that all 3 of these factors would need to be compromised for a breach to take place. If all 3 are stored separately (perhaps one in code, one on the server, and another in a properties file), you are ensuring that someone would need widespread access to your infrastructure to gain anything useful.

Take the Rhombus API for a Spin!


We’re incredibly proud of the Rhombus API and are excited to share its capabilities with you. The Rhombus API truly opens the platform up to ensure that your organization has a video security system that meets your needs and allows for flexibility for when you need specific actions to take place. If you are interested in learning more about our API, product, and features in greater detail, please be sure to reach out to sales@rhombussytems.com!