1 / 26

EP127 Implementing Security in Enterprise Portals

EP127 Implementing Security in Enterprise Portals. Thomas J. Parenty Information Security Consultant tom@parenty.com. Risks and Attack Sources Security Goals and Technologies EP Security Architecture & Functionality User Authentication Access Control Administration Futures.

bryant
Download Presentation

EP127 Implementing Security in Enterprise Portals

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. EP127 Implementing Security in Enterprise Portals • Thomas J. Parenty • Information Security Consultant • tom@parenty.com

  2. Risks and Attack Sources Security Goals and Technologies EP Security Architecture & Functionality User Authentication Access Control Administration Futures Topics

  3. Data Disclosure Communication-Based Access Control-Based Data Corruption Communication-Based Access Control-Based Impersonation Denial of Service Risks

  4. Outside Hackers Application Developers Legitimate Users Attack Sources

  5. C onfidentiality of Data I ntegrity of Data A vailability of Service Non-Repudiation Security Goals

  6. User Authentication Passwords, Digital Certificates, Tokens,… Single Sign-On Encryption, Digital Signatures, Message Digests Access Controls Security Technologies

  7. Secure Business Objects Components Connection Manager Servlet Access Control DB Web Server EP Security Architecture Application Server User • Legacy Data • ASE • Oracle • SAP • PeopleSoft • IBM

  8. Major Components Connection Manager Access Control Database Secure Business Objects EP Security Architecture

  9. Responsible for Authenticating Portal Users Maintaining Security-Session State Making Access Control Decisions Talks to Access Control Database Natively supports Username/Password Authentication Digital Certificate-Based Authentication Connection Manager

  10. Two Aspects: Servlet on Web Server Component in Application Server If Web Browser Client Servlet is Invoked Servlet Communicates with Component If Non-Browser Client Component Invoked directly Connection Manager

  11. Connection Manager Access Control DB Connection Manager & ServletUser Login Web Server Portal Application Server Servlet HTTP Info

  12. ASE Database Structured as LDAP Security Policy Information Authentication Information Password Digital Certificate Call to Authentication API Authorization Information Roles Permissions The Access Control Database

  13. Portal Wide User ID Portal Authentication Info or API Profile Roles & Organizations Access Permissions Application: Authentication Info or API A Portal User Record

  14. Other portal applications may have their own Username/password -- Connection Manager 1. Login to Portal Msmith, portalPwd 4. “mary” “SAPpwd” 3. SAP, mary, SAPpwd 2. Msmith, portalPwd Multi-TierSingle Sign-On Java SAP Application

  15. Acts as “Guard” for Data Store Interfaces with Connection Manager XML Requests Sent to SBO EJB Component in Application Server Secure Business Object (SBO)

  16. JDBC Secures Access to JDBC Data Source PortalSearch Secures Access to Portal Search Engine and its Databases EJB Secures Access to EJB Components in Portal Application Server Includes AI (Application Integration) Components for CORBA Applications Types of SBOs

  17. 1. Session handle & XML request 5. Connect and Submit search request Connection Manager 2. Get profile and check permissions for the requested actions 3. Lookup permissions SBOs in Action: Portal Search Services 4. Translate XML request into correct syntax SBO for PortalSearch Component User EJB

  18. Defines Portal Security Infrastructure Monitors Portal Security Administers Access Control Database Uses Portal Security Manager Application The System Security Officer (SSO)

  19. Create Organizational Hierarchy Create Subjects and Define Roles Authorization Services Define Permission Objects Define Security Labels (Access Control Entries) Setting Up Enterprise Portal Security

  20. Describes Subject’s Function in Organization A Role May be Shared by Multiple Subjects A Subject May Have Multiple Roles Roles

  21. Service Name Subject’s Username and Password for Specific Backend Data source URL for Data Source Example: jdbc:sybase:Tds:host1:2638 All Fields Stored Encrypted Authorization Services

  22. Add Subject Authorization Service Authorization Services: Single Sign-On Portal Security Manager Java SSO Corp DB Usernames & Passwords Java Access Control DB Legacy Systems (mainframe, CICS, other)

  23. Defines a Set of Access Rights Includes One or More Selected Permissions Create Update Execute Read Delete Etc. Permission Objects

  24. Defines Permitted Operations Includes: Subject Organization Role Permission Asset Verified at Runtime Security Label (Access Control Entry)

  25. PKI Integration Stored Data Encryption Digital Signatures Fine-Grained Access Control LDAP-Support Closer Integration Content Management Existing User Directories Futures

  26. EP127 Implementing Security in Enterprise Portals • Thomas J. Parenty • Information Security Consultant • tom@parenty.com

More Related