240 likes | 465 Views
Security in application integration. Kari Nordström. Topics. Objectives Application integration Enterprise Application Integration – EAI Business-to-Business integration – B2Bi Information security Basic concepts & ideas Network security Segmented networks
E N D
Security in application integration Kari Nordström
Topics • Objectives • Application integration • Enterprise Application Integration – EAI • Business-to-Business integration – B2Bi • Information security • Basic concepts & ideas • Network security • Segmented networks • Security of application integration systems • Results Security in application integration – Kari Nordström
Background and objectives of the thesis • Find out the current level of security in the application integration systems of a certain company • Conduct security reviews with a panel of experts • Make suggestions on improving the security level based on findings • Implement improvements if possible • Supervisor: Docent Timo O. Korhonen Security in application integration – Kari Nordström
Application Integration • Integrating various applications enables information sharing between applications and organisations, not between people (System-to-System connections) • Internal and external integration • EAI & B2Bi • Traditionally integration has dealt with sharing business data and documents • B2Bi is usually used for exchanging business documents • EAI integrates applications to work together, data can be gathered from various sources (applications) before processing Security in application integration – Kari Nordström
Application integration platforms in the company Security in application integration – Kari Nordström
Enterprise Application Integration (1/2) • Integration within a single enterprise • A centralised integration solution • Error handling, monitoring, cost savings over time Security in application integration – Kari Nordström
Enterprise Application Integration (2/2) • Integrating diverse applications requires transformations between formats • Processing and / or enrichment of data is also required in some integrations (defined in the workflow) Security in application integration – Kari Nordström
Business-to-business integration • Integration between separate enterprises (partner integration) • Business data, demand / supply planning … • B2Bi relies on standards, otherwise it would be very cumbersome to connect to other companies, each using their own data formats and processes • Two B2Bi platforms used in the company: • EDI, Electronic Data Interchange • RosettaNet Security in application integration – Kari Nordström
Electronic Data Interchange (1/3) • EDI is the “granddaddy” of all B2Bi systems • Designed to automate exchanging business documents a quicker and cheaper way • Dates back all the way to the 1960’s, in active use since the 1980’s • Two main standards in use • EDIFACT (EDI For Administration, Commerce and Transport) • ANSI X12 Security in application integration – Kari Nordström
VAN-based EDI (2/3) • VAN (Value Added Network) operators used to relay messages • “An electronic post office” Security in application integration – Kari Nordström
Internet EDI (3/3) • EDI-INT has been thought up to eliminate VAN costs to companies • Standards used: • AS1 (SMTP) • AS2 (HTTP) • AS3 (FTP) • The basic idea: sending EDI messages directly to trading partners over the Internet Security in application integration – Kari Nordström
RosettaNet (1/2) • XML-based integration standard • Developed and maintained by the RosettaNet Consortium, a non-profit organisation of more than 500 corporations • Integrations are based on Partner Interface Processes (PIP), which define how data is processed and the sequence of transactions between trading partners • RosettaNet Implementation Framework (RNIF) describes the basic architecture (RNIF 1.1 & 2.0) • Document Type Definition (DTD) describes the format of messages and data Security in application integration – Kari Nordström
RosettaNet (2/2) • RosettaNet aims in integrating the whole supply chain, not just passing business documents • Marketed as more flexible and easier to implement than EDI • Using VANs actually makes EDI more simple than RosettaNet where companies need to implement all connections themselves Security in application integration – Kari Nordström
Information security • Traditional way to model information security: CIA Security in application integration – Kari Nordström
Authentication Making sure the user is who she claims to be Authorisation Giving an authenticated user the right to do something Accounting All operations performed by users are logged Non-repudiation If a user performs a task, she can’t later deny having done so, the system also can’t later deny the user’s action Antivirus protection Protecting computers and network elements against malicious software Cryptography Scrambling information in a way that only the correct recipient can decipher it General security concepts Security in application integration – Kari Nordström
Network security • Host security vs. network security • Systems are protected on the network level by controlling network traffic • More cost-effective than host security • Typical misconception: network security = firewalls • Firewalls are a central part of network security, but there are numerous other things to consider (understanding the network architecture is key) Security in application integration – Kari Nordström
A few key security strategies • Use multiple, diverse layers of security • Give the lowest possible rights to users • Deny everything that’s not explicitly allowed • Use choke points to monitor traffic • “KISS – Keep It Simple, Stupid” • Make users aware of security issues! • The human factor is often the weakest link in security Security in application integration – Kari Nordström
Network segmentation • A new network architecture in the company that divides an internal network into smaller parts called cells • Naturally also affects AI systems • In practice: more firewalls Security in application integration – Kari Nordström
Security requirements for application integration systems • An AI system is central and crucial in any network that has one • Connected to many other systems attacker could gain access to virtually the whole network if e.g. the EAI system is hacked • Availability requirements are very high • Many other systems are dependant on integration systems Security in application integration – Kari Nordström
Results of the security reviews • Risk level is high for all three systems • Security implementations do not match the current requirements • Requirements have changed significantly from the 1990’s • RosettaNet was found more secure than EAI and EDI • Age, standardisation, segmented network • EDI’s problem is the number of unknown factors • VAN operator responsible for most of the implementation • EAI’s biggest problem is the lack of security standards Security in application integration – Kari Nordström
EAI security improvements • User management (no super-users) access control • Certain authentication issues have been addressed • A component was not authenticating connections properly • Client software used (fewer vulnerabilities) • The migration to new architecture will bring major advancements in the security of the system • Border security • Hosts have been hardened Security in application integration – Kari Nordström
B2Bi security improvements • It’s hard to fundamentally change security implementations in standardised systems • User management has been improved vastly in EDI • EDI will also be migrated into new architecture (RosettaNet has already been migrated) • RNIF specifies many security features, such as various forms of encryption, digital certificates and checksums • They just weren’t always used in the company new policy Security in application integration – Kari Nordström
Any questions or comments? If not, thank you! Security in application integration – Kari Nordström