Integrated Security Architecture. James Andoniadis, IBM Canada. CEO View: Increased Collaboration Brings Rewards.
Integrated Security Architecture
James Andoniadis, IBM Canada

Layers of security
• Perimeter Defense: keep out the unwanted with
  • Firewalls
  • Anti-Virus
  • Intrusion Detection, etc.
• Control Layer
  • Which users can come in?
  • What can users see and do?
  • Are user preferences supported?
  • Can user privacy be protected?
• Assurance Layer
  • Can I comply with regulations?
  • Can I deliver audit reports?
  • Am I at risk?
  • Can I respond to security events?
Pre SOA Security: Enforcement & Decision Points
• Access Enforcement Functionality (AEF)
• Access Decision Functionality (ADF)
[Architecture diagram. Components shown: Network Dispatcher; External and Internal SMTP Gateways; Delegated User Management; Identity Management; Certificate Status Responder; Certificate Authority; Web Access Control (Authentication & Authorization); Web Single Sign On; External and Internal Directories; Meta-Directory; LDAP Directory Proxy; Directory Management View; External and Internal ePortals; Presentation, Transactional and Informational Web; Messaging; Transactional Integration; LDAP-enabled apps; LOB Applications; Employee and Customer Databases; CRM/ERP (PeopleSoft); Network Operating Systems.]
Identity and Access Management Portfolio
• ITDI: Directory Integration (Apps/Email, NOS, Directory)
• ITDS: Directory Server
• ITIM: Provisioning (UNIX/Linux, Databases & Applications, MF/Midrange)
  • Policies
  • Workflow
  • Password Self-service
  • Audit trails
• ITAM: Web Access Management (SSO, Authentication, Authorization, Security Management Objects)
• TAM for ESSO
• ITFIM: Federated Identity, Web Services Security
• Portal: Presentation, Personalization, Web Applications
• Identity Stores (fed from CRM, Partners, HR)
  • Enterprise Directory
  • Personal Info
  • Credentials
  • Entitlements
Governments as Identity Providers: “TRUST provides ACCESS”
• Germany, USA, China: each is an Identity Provider for its users
• The United States is an “Identity Provider” because it issues a Passport as proof of identification; the USA vouches for its citizens
Roles: Identity Provider and Service Provider
• Identity Provider (the “vouching” party in the transaction)
  1. Issues Network / Login credentials
  2. Handles User Administration / ID Mgmt
  3. Authenticates User
  4. “Vouches” for the user’s identity
• Service Provider (the “validation” party in the transaction)
  • Controls access to services
  • Third-party user has access to services for the duration of the federation
  • Only manages user attributes relevant to the SP
• Mutual TRUST between Identity Provider and Service Provider
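The vouching/validation split above, as an added example that is not part of the original deck: the Identity Provider issues a signed assertion after authenticating the user, and the Service Provider accepts it only if it comes from the trusted issuer, is addressed to this SP, and is still inside its validity window, keeping only the attributes it needs. The issuer and audience URLs, the shared HMAC key (standing in for the X.509 signature a SAML assertion would carry) and the attribute set are assumptions.

```python
import base64
import binascii
import hashlib
import hmac
import json
from typing import Optional

IDP_ISSUER = "https://idp.example.test"      # assumed identifier of the vouching party
SP_AUDIENCE = "https://sp.example.test"      # assumed identifier of the validating party
FEDERATION_KEY = b"constructed-demo-key"     # constructed; stands in for the IdP signing key the SP trusts
SP_RELEVANT_ATTRS = {"email", "role"}        # the SP manages only attributes relevant to it


def idp_issue_assertion(subject: str, attributes: dict, now: int, ttl: int = 300) -> str:
    """IdP side: the user has already been authenticated; vouch for them towards one SP."""
    claims = {"iss": IDP_ISSUER, "aud": SP_AUDIENCE, "sub": subject,
              "iat": now, "exp": now + ttl, "attrs": attributes}
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    mac = hmac.new(FEDERATION_KEY, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body).decode() + "." + base64.urlsafe_b64encode(mac).decode()


def sp_validate_assertion(token: str, now: int) -> Optional[dict]:
    """SP side: return the federated identity, or None if the assertion is not acceptable."""
    try:
        body_b64, mac_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        mac = base64.urlsafe_b64decode(mac_b64)
    except (ValueError, binascii.Error):
        return None
    # Trust check first: anything not vouched for by the IdP is rejected before parsing.
    if not hmac.compare_digest(hmac.new(FEDERATION_KEY, body, hashlib.sha256).digest(), mac):
        return None
    try:
        claims = json.loads(body)
    except ValueError:
        return None
    if claims.get("iss") != IDP_ISSUER or claims.get("aud") != SP_AUDIENCE:
        return None  # wrong issuer, or an assertion issued for a different SP
    if not (claims.get("iat", 0) <= now < claims.get("exp", 0)):
        return None  # outside the lifetime of the federated session
    attrs = {k: v for k, v in claims.get("attrs", {}).items() if k in SP_RELEVANT_ATTRS}
    return {"subject": claims["sub"], "attributes": attrs}
```

The SP never sees the user's password and never stores attributes outside its own need (the constructed `ssn` attribute in the test below is dropped), which is the privacy property the slide attributes to the Service Provider role.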
Agenda
• Enterprise Security Architecture – MASS Intro
• Identity, Access, and Federated Identity Management
• SOA Security
SOA Security Encompasses all Aspects of Security
SOA Security concerns:
• Identity
• Authentication
• Authorization
• Confidentiality, Integrity
• Availability
• Auditing & Compliance
• Administration and Policy Management
Layers of the SOA reference model to which these concerns apply (bottom to top):
1. Operational systems (Service Provider): SAP, Custom OO Applications, Packaged ISV Applications, Custom Apps, Outlook; platform and supporting middleware: OS/390, MQ, DB2, Unix
2. Service components
3. Services (Definitions): atomic and composite
4. Business processes, process choreography (Service Consumer)
5. Consumers: SCA, Portlet, WSRP, B2B, other consumers
Message-based Security: End-to-End Security
[Diagram: two HTTPS hops, each providing connection integrity/privacy, with a question mark at the intermediary between them; the SOAP message is what travels end to end.]
• Message-based security does not rely on secure transport
  • message itself is encrypted: message privacy
  • message itself is signed: message integrity
  • message contains user identity: proof of origin
Web Service Security Specifications Roadmap (stack, bottom to top)
• SOAP Messaging
• WSS – SOAP Security
• Security Policy, Trust
• Secure Conversation, Federation, Authorization, Privacy
SOAP Message Security: Extensions to Header
• SOAP Header allows for extensions
• OASIS standard “WS-Security: SOAP Message Security”
  • defines XML for Tokens, Signatures and Encryption
  • defines how these elements are included in the SOAP Header
[Diagram: Envelope; Header carries the Security Element (Security Token, Signature); Body carries <application data> as Encrypted Data.]
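The two slides above (message-based proof of origin, and the `wsse:Security` header extension) as an added example that is not part of the original deck: the consumer places a WS-Security UsernameToken with a PasswordDigest in the SOAP header, and the provider validates it from the message alone, with no reliance on the transport. The namespace URIs and the digest formula are those of the OASIS WS-Security 1.0 UsernameToken Profile; the user registry, the clock-skew window and the replay cache are assumptions of this example.

```python
import base64
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from xml.sax.saxutils import escape

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
}
PASSWORD_DIGEST = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
BASE64_BINARY = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_utc(text: str) -> datetime:
    return datetime.strptime(text, TS_FMT).replace(tzinfo=timezone.utc)


def password_digest(nonce: bytes, created: str, password: str) -> str:
    # UsernameToken Profile 1.0: Password_Digest = Base64(SHA-1(nonce + created + password))
    return base64.b64encode(hashlib.sha1(nonce + created.encode() + password.encode()).digest()).decode()


def build_envelope(username: str, password: str, body_xml: str, created=None, nonce=None) -> str:
    """Service consumer side: carry identity and proof of origin inside the message header."""
    nonce = nonce or secrets.token_bytes(16)
    created = created or datetime.now(timezone.utc).strftime(TS_FMT)
    return (
        f'<soap:Envelope xmlns:soap="{NS["soap"]}">'
        f'<soap:Header><wsse:Security xmlns:wsse="{NS["wsse"]}" xmlns:wsu="{NS["wsu"]}">'
        f'<wsse:UsernameToken>'
        f'<wsse:Username>{escape(username)}</wsse:Username>'
        f'<wsse:Password Type="{PASSWORD_DIGEST}">{password_digest(nonce, created, password)}</wsse:Password>'
        f'<wsse:Nonce EncodingType="{BASE64_BINARY}">{base64.b64encode(nonce).decode()}</wsse:Nonce>'
        f'<wsu:Created>{created}</wsu:Created>'
        f'</wsse:UsernameToken></wsse:Security></soap:Header>'
        f'<soap:Body>{body_xml}</soap:Body></soap:Envelope>'
    )


def verify_envelope(xml_text: str, registry: dict, seen_nonces: set, now: datetime,
                    max_skew: timedelta = timedelta(minutes=5)):
    """Service provider side: returns (username, "ok") or (None, reason).
    registry is an assumed {username: password} store; seen_nonces is the replay cache."""
    root = ET.fromstring(xml_text)
    tok = root.find("soap:Header/wsse:Security/wsse:UsernameToken", NS)
    if tok is None:
        return None, "no UsernameToken"
    user = tok.findtext("wsse:Username", namespaces=NS)
    pw_el = tok.find("wsse:Password", NS)
    nonce_b64 = tok.findtext("wsse:Nonce", namespaces=NS)
    created = tok.findtext("wsu:Created", namespaces=NS)
    if pw_el is None or pw_el.get("Type") != PASSWORD_DIGEST or not (nonce_b64 and created):
        return None, "token must carry PasswordDigest, Nonce and Created"
    if user not in registry:
        return None, "unknown user"
    # Freshness: Created bounds how long a captured token stays usable.
    if abs(now - parse_utc(created)) > max_skew:
        return None, "Created outside freshness window"
    nonce = base64.b64decode(nonce_b64)
    # Replay: the same nonce from the same user is accepted once within the window.
    if (user, nonce) in seen_nonces:
        return None, "nonce replayed"
    if not hmac.compare_digest(password_digest(nonce, created, registry[user]), pw_el.text or ""):
        return None, "digest mismatch"
    seen_nonces.add((user, nonce))
    return user, "ok"
```

The distinct failure reasons are returned here so the checks can be seen individually; a production endpoint would log them but answer the caller with one generic fault, so that responses do not reveal which usernames exist. Signing and encrypting the body (the other two header elements on the slide) need XML Signature and XML Encryption libraries and are not covered by this stdlib-only example.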
Security Drill Down
• Transport Layer Security: SSL/TLS Termination
• 1st Layer Message Security: Signature Validation / Origin Authentication; Message Level Decryption
• 2nd Layer Message Security: Requestor Identification & Authentication & Mapping; Element Level Decryption
• Nth Layer Message Security: Requestor Identification & Authentication & Mapping; Message Level Encryption
• Application Security: Authorization with the ESB-asserted identifier
Supporting services: Security Policy, Security Token Service, Key Store and Key Management, Authorization
Moving to SOA – Accommodate Web Services
• HTTP traffic: Transport Layer Confidentiality / Integrity; User Interaction Based I&A Enforcement
• SOAP traffic: Transport Layer Confidentiality / Integrity; Message Layer Confidentiality / Integrity; Token Based Authentication Enforcement
• Common to both: Identity Mapping; Identification & Authentication Decisions
Moving to SOA, Adding the ESB… (Mandatory Scary Picture)
[Diagram components:]
• WebSphere Enterprise Service Bus
• H/W: DataPower XS40, DP XI50
• S/W: WebSphere Web Services Gateway
• S/W: Tivoli Access Manager Reverse Proxy / Web PI
• TFIM: Tivoli Federated Identity Manager
• TAM: Tivoli Access Manager
• Tivoli Directory Server
• Common Auditing & Reporting Service
Further Reading
• On Demand Operating Environment: Security Considerations in an Extended Enterprise
  • http://publib-b.boulder.ibm.com/abstracts/redp3928.html?Open
• Web Services Security Standards, Tutorials, Papers
  • http://www.ibm.com/developerworks/views/webservices/standards.jsp
  • http://www.ibm.com/developerworks/views/webservices/tutorials.jsp
  • http://webservices.xml.com/
• WebSphere Security Fundamentals / WAS 6.0 Security Handbook
  • http://www.redbooks.ibm.com/redpieces/abstracts/redp3944.html?Open
  • http://www.redbooks.ibm.com/redpieces/abstracts/sg246316.html?Open
• IBM Tivoli Product Home Page
  • http://www.ibm.com/software/tivoli/solutions/security/
Summary
• End-to-end Security Integration is complex
• Web Services and SOA security are emerging areas
  • Moving from session level security to message level security
• Identity Management incorporates several security services, but other security services need to be integrated as well
  • Audit and Event Management, Compliance and Assurance
  • Etc.
• Security technology is part; process, policy and people are the others, and often harder to change
• The only constant is change, but evolve around the fundamentals
  • Establish separation of application and security management
  • Use of open standards will help with integration of past and future technologies
Security 101 Definitions
• Authentication: identify who you are
  • Userid/password, PKI certificates, Kerberos, Tokens, Biometrics
• Authorization: what you can access
  • Access Enforcement Function / Access Decision Function
  • Roles, Groups, Entitlements
• Administration: applying security policy to resource protection
  • Directories, administration interfaces, delegation, self-service
• Audit: logging security successes / failures
  • Basis of monitoring, accountability/non-repudiation, investigation, forensics
• Assurance: security integrity and compliance with policy
  • Monitoring (Intrusion Detection, AntiVirus, Compliance), Vulnerability Testing
• Asset Protection
  • Data Confidentiality, Integrity, Data Privacy
• Availability
  • Backup/recovery, disaster recovery, high availability/redundancy
Agenda
• Enterprise Security Architecture – MASS Intro
• Identity, Access, and Federated Identity Management
• SOA Security
Access Control Subsystem
Purpose:
• Enforce security policies by gating access to, and execution of, processes and services within a computing solution via identification, authentication, and authorization processes, along with security mechanisms that use credentials and attributes.
Functions:
• Access control monitoring and enforcement: Policy Enforcement Point / Policy Decision Point / Policy Administration Point
• Identification and authentication mechanisms, including verification of secrets, cryptography (encryption and signing), and single-use versus multiple-use authentication mechanisms
• Authorization mechanisms, to include attributes, privileges, and permissions
• Enforcement mechanisms, including failure handling, bypass prevention, banners, timing and timeout, event capture, and decision and logging components
Sample Technologies:
• RACF, platform/application security, web access control
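The PEP/PDP/PAP split and the enforcement requirements listed above (failure handling, bypass prevention, event capture, decision logging), as an added example that is not part of the original deck or of any IBM product. The policy store (roles, entitlements, one resource-classification rule) and the user names are constructed for the example; the point it shows is that the enforcement point fails closed on missing authentication and on any decision-point error, and records every decision.

```python
from typing import Dict, List, Set, Tuple

# Policy Administration Point output: a constructed policy store.
# Role entitlements plus one attribute rule on the resource.
POLICY = {
    "user_roles": {"alice": {"teller"}, "bob": {"manager"}},
    "role_permissions": {
        "teller": {"account:read"},
        "manager": {"account:read", "account:approve"},
    },
    "restricted_roles": {"manager"},  # only these roles may touch restricted resources
}

Decision = Tuple[str, str]  # ("PERMIT" | "DENY", reason)


class PolicyDecisionPoint:
    """ADF / PDP: answers 'may subject perform action on resource?' from policy alone."""

    def __init__(self, policy: dict):
        self.policy = policy

    def decide(self, subject: str, action: str, resource: Dict[str, str]) -> Decision:
        roles: Set[str] = self.policy["user_roles"].get(subject, set())
        perms: Set[str] = set()
        for role in roles:
            perms |= self.policy["role_permissions"].get(role, set())
        if action not in perms:
            return ("DENY", f"{subject} holds no entitlement for {action}")
        if resource.get("classification") == "restricted" and not (roles & self.policy["restricted_roles"]):
            return ("DENY", "resource is restricted to privileged roles")
        return ("PERMIT", "entitlement and resource attributes satisfied")


class PolicyEnforcementPoint:
    """AEF / PEP: the gate in front of the service. Fails closed and logs every decision."""

    def __init__(self, pdp: PolicyDecisionPoint):
        self.pdp = pdp
        self.audit: List[dict] = []  # event capture; a real PEP hands this to the audit subsystem

    def enforce(self, subject: str, authenticated: bool, action: str, resource) -> bool:
        if not authenticated:
            decision: Decision = ("DENY", "subject not authenticated")
        else:
            try:
                decision = self.pdp.decide(subject, action, resource)
            except Exception as exc:  # a failing decision point must never become an implicit permit
                decision = ("DENY", f"decision point error: {exc!r}")
        resource_id = resource.get("id") if isinstance(resource, dict) else None
        self.audit.append({"subject": subject, "action": action, "resource": resource_id,
                           "decision": decision[0], "reason": decision[1]})
        return decision[0] == "PERMIT"


def demo() -> List[bool]:
    """Six constructed requests; the returned list is the sequence of enforcement outcomes."""
    pep = PolicyEnforcementPoint(PolicyDecisionPoint(POLICY))
    public = {"id": "acct-1", "classification": "public"}
    restricted = {"id": "acct-9", "classification": "restricted"}
    return [
        pep.enforce("alice", True, "account:read", public),
        pep.enforce("alice", True, "account:approve", public),
        pep.enforce("bob", True, "account:approve", restricted),
        pep.enforce("alice", True, "account:read", restricted),
        pep.enforce("bob", False, "account:read", public),
        pep.enforce("mallory", True, "account:read", public),
    ]
```

Keeping the decision logic in the PDP and the gating in the PEP is the separation of application and security management the summary slide asks for: the service calls `enforce` and never reasons about roles itself.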
Identity and Credential Subsystem
Purpose:
• Generate, distribute, and manage the data objects that convey identity and permissions across networks and among the platforms, the processes, and the security subsystems within a computing solution.
Functions:
• Single-use versus multiple-use mechanisms, either cryptographic or non-cryptographic
• Generation and verification of secrets
• Identities and credentials to be used in access control: identification, authentication, and access control for the purpose of user-subject binding
• Credentials to be used for purposes of identity in legally binding transactions
• Timing and duration of identification and authentication
• Lifecycle of credentials
• Anonymity and pseudonymity mechanisms
Sample Technologies:
• Tokens (PKI, Kerberos, SAML), User registries (LDAP, AD, RACF, …), Administration consoles, Session management
Information Flow Control Subsystem
Purpose:
• Enforce security policies by gating the flow of information within a computing solution, affecting the visibility of information within a computing solution, and ensuring the integrity of information flowing within a computing solution.
Functions:
• Flow permission or prevention
• Flow monitoring and enforcement
• Transfer services and environments: open or trusted channel, open or trusted path, media conversions, manual transfer, and import to or export between domains
• Encryption
• Storage mechanisms: cryptography and hardware security modules
Sample Technologies:
• Firewalls, VPNs, SSL
Security Audit Subsystem
Purpose:
• Provide proof of compliance with the security policy.
Functions:
• Collection of security audit data, including capture of the appropriate data, trusted transfer of audit data, and synchronization of chronologies
• Protection of security audit data, including use of time stamps, signing events, and storage integrity to prevent loss of data
• Analysis of security audit data, including review, anomaly detection, violation analysis, and attack analysis using simple or complex heuristics
• Alarms for loss thresholds, warning conditions, and critical events
Sample Technologies:
• syslog, application/platform access logs
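The protection and analysis functions above (time stamps, signed events, storage integrity, alarms on thresholds), as an added example that is not part of the original deck: an append-only audit trail where each record's authentication tag covers the previous tag, so an edited, deleted or reordered record is detected at verification time, plus a simple heuristic that raises an alarm on repeated failed logins. The HMAC key, the record layout and the sample events are constructed for this example.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Tuple

GENESIS = "0" * 64  # tag that the first record chains to


def compute_tag(key: bytes, prev_tag: str, entry: dict) -> str:
    """HMAC over (previous tag || canonical JSON of the record)."""
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_tag.encode() + payload, hashlib.sha256).hexdigest()


class AuditLog:
    """Append-only audit trail; records are never modified after being written."""

    def __init__(self, key: bytes):
        self.key = key
        self.records: List[dict] = []

    def record(self, ts: int, event: str, outcome: str, **fields) -> str:
        entry = {"seq": len(self.records), "ts": ts, "event": event, "outcome": outcome, **fields}
        prev = self.records[-1]["tag"] if self.records else GENESIS
        tag = compute_tag(self.key, prev, entry)
        self.records.append({"entry": entry, "tag": tag})
        return tag


def verify_chain(records: List[dict], key: bytes) -> Tuple[bool, int]:
    """Return (ok, index of the first bad record or -1).
    Catches edits, deletions and reordering; truncation of the tail needs the latest
    tag to be anchored elsewhere (for example in a signed daily summary)."""
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec["entry"].get("seq") != i:
            return False, i  # a record was removed or reordered before this point
        if not hmac.compare_digest(compute_tag(key, prev, rec["entry"]), rec["tag"]):
            return False, i  # the record content no longer matches its tag
        prev = rec["tag"]
    return True, -1


def failed_login_alarms(records: List[dict], window: int, threshold: int) -> List[dict]:
    """Simple heuristic: threshold or more failed logins for one user within window seconds."""
    by_user: Dict[str, List[int]] = {}
    for rec in records:
        e = rec["entry"]
        if e["event"] == "login" and e["outcome"] == "failure":
            by_user.setdefault(e.get("user"), []).append(e["ts"])
    alarms = []
    for user, times in by_user.items():
        times.sort()
        for i in range(len(times)):
            j = i + threshold - 1
            if j < len(times) and times[j] - times[i] <= window:
                alarms.append({"user": user, "first": times[i], "last": times[j], "count": threshold})
                break  # one alarm per user is enough for this example
    return alarms


def demo() -> AuditLog:
    """Constructed sample events: three failed logins for one user, then an unrelated success."""
    log = AuditLog(b"constructed-demo-key")
    log.record(1000, "login", "failure", user="alice", src="10.0.0.5")
    log.record(1010, "login", "failure", user="alice", src="10.0.0.5")
    log.record(1020, "login", "failure", user="alice", src="10.0.0.5")
    log.record(1100, "login", "success", user="bob", src="10.0.0.7")
    return log
```

The key used for the tags must live outside the host that writes the log (in the HSM or key store the Solution Integrity subsystem provides), otherwise whoever can alter the records can also recompute their tags.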
Solution Integrity Subsystem
Purpose:
• Address the requirement for reliable and correct operation of a computing solution in support of meeting the legal and technical standard for its processes.
Functions:
• Physical protection for data objects, such as cryptographic keys, and physical components, such as cabling, hardware, and so on
• Continued operations, including fault tolerance, failure recovery, and self-testing
• Storage mechanisms: cryptography and hardware security modules
• Accurate time source for time measurement and time stamps
• Alarms and actions when a physical or passive attack is detected
Sample Technologies:
• Systems Management solutions: performance, availability, disaster recovery, storage management
• Operational Security tools: Host and Network Intrusion Detection Sensors (Snort), Event Correlation tools, Host security monitoring/enforcement tools (Tripwire, TAMOS), Host/Network Vulnerability Monitors/Scanners (Nessus), Anti-Virus software