Web Security Infrastructure Study
For a Multinational Life Insurance Company
Topics: Current State, Concerns, Recommendations
Presentation by Kankan Roy
Present Web Security Infrastructure
The security is built on the following components and their replication for high availability:
• Cisco 11503LB load balancer
• AmberPoint plug-in (for transparent redirection)
• ISA 2004 for NAT, firewall, and isolation of the internal network
• XML firewall (XS40), Web Service Gateway (XI50)
• External Active Directory with a trust relationship to the internal AD, granting security principals from the external domain access to resources in the internal Windows forest
Present Web Related Infrastructure
• IIS 6, Windows 2003
• ASP.NET
• Windows and Web Services
• DataPower used as XML gateway for web services
• Oracle and Oracle RAC databases
• Web applications, each with its own security deployment
• Data warehouse and data mart: SQL Server 2000
• Services from 3rd parties are provided through web redirection to external web sites; they access data stores and files via adapters, and hold a “Foreign Security Principal” trust to access internal Windows servers
Security Concerns
• Possible indirect access to internal Windows resources
• Possible indirect access by 3rd party partners to internal resources
• Possible direct access to secured web sites and databases by authenticated but unauthorized users
• No auditing or access logging of end-user access or of the information accessed
• Security is not decoupled from business logic
• Protected object space is not defined, nor centrally managed
• Access control is not dynamically enforced
• Authorization can be bypassed, since it is implemented in a deployment script and there is no security governance policy
• Authentication is implemented, authorization and access control are partially implemented, and auditing is not implemented at all
• There is no governance policy for creating or modifying objects that need protection
• Lack of documentation of the Access Control Policy (ACLP) for objects
• No explicit SSO implementation
DIRECT ACCESS TO SECURITY ZONE BY BUSINESS SERVICE PROVIDERS
External AD Based Security Implementation
External AD is used for authentication, implemented in the security configuration layer (each web application’s web.config file). Given below is a snippet from a web application site:
Future Web Security Roadmap
• The web must play an active role as a vehicle for business expansion
• The focus of web applications shall no longer be policy centered (type, line of business, or policy administration)
• The future web shall have a user focus (type, role and self-service) where policy operations are intuitive, implicit and automated
• User operations shall be serviced by Business Services, Management Services, Administration Services and Request Services
• Implementation shall require security guidelines for information access control to private user information
• Security policy must be explicit and decoupled from service code
• Security assertion should be made before service invocation
• Service-level audit and access records should be available to pinpoint responsibility in the event of a security breach
• Users should be able to manage their own profile, access, account, associates and policies without customer service assistance; self-enrollment for new users
• Business should be decoupled from infrastructure
• Infrastructure should be interoperable and distributed, open and accommodating of emerging technology
• Centralized policy administration system to manage all lines of business
• The user access device can be any: desktop/laptop browser, mobile, hand-held, voice-activated or cellular device
• Sarbanes-Oxley Act 2002 - http://www.soxlaw.com/index.htm
Abstract Model for Role Based Access Control (RBAC)
The current AD based RBAC identifies web directories as the only target, using web.config
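The two slides above describe the present state: authentication against the external AD and authorization expressed only as directory-level rules in each application's web.config, with no documented inventory of those rules. The script below is an added illustration (not the deck's snippet, and not the company's configuration) that parses a constructed web.config, lists the rules that apply to each web directory, and flags directories whose effective rule is open to everyone. Domain and group names in the sample are placeholders.

```python
"""Inventory the URL-authorization rules an ASP.NET web.config applies to web
directories, and flag locations whose effective rule opens them to everyone.
Added illustration; the sample config below is constructed, not the deck's."""
import xml.etree.ElementTree as ET

# Constructed sample web.config: Windows (AD) authentication, anonymous users
# denied at the root, and per-directory <location> overrides naming AD groups.
# Domain and group names are placeholders.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <authentication mode="Windows" />
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
  <location path="claims">
    <system.web>
      <authorization>
        <allow roles="EXTDOM\\ClaimsAgents" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
  <location path="admin">
    <system.web>
      <authorization>
        <allow roles="EXTDOM\\WebAdmins, CORP\\SecOps" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
  <location path="reports">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
"""


def _child(node, tag):
    """First direct child with the given tag (tags such as system.web contain a dot)."""
    for c in node:
        if c.tag == tag:
            return c
    return None


def _rules(system_web):
    """(verb, kind, principals) for each <allow>/<deny> under <authorization>."""
    auth = _child(system_web, "authorization")
    if auth is None:
        return []
    rules = []
    for rule in auth:
        kind = "roles" if rule.get("roles") is not None else "users"
        who = rule.get(kind, "")
        rules.append((rule.tag, kind, [p.strip() for p in who.split(",") if p.strip()]))
    return rules


def authentication_mode(config_xml):
    """The <authentication mode> at the root, e.g. 'Windows' for AD-backed sites."""
    sw = _child(ET.fromstring(config_xml), "system.web")
    auth = _child(sw, "authentication") if sw is not None else None
    return auth.get("mode") if auth is not None else None


def inventory(config_xml):
    """Map each protected path ('/' for the root rules) to its rule list."""
    root = ET.fromstring(config_xml)
    result = {}
    sw = _child(root, "system.web")
    if sw is not None:
        result["/"] = _rules(sw)
    for loc in root.iter("location"):
        sw = _child(loc, "system.web")
        if sw is not None:
            result["/" + loc.get("path", "").strip("/")] = _rules(sw)
    return result


def findings(config_xml):
    """ASP.NET places a directory's rules ahead of its parents' and stops at the
    first match, so <allow users="*"/> in a <location> wins over a root deny."""
    issues = []
    for path, rules in inventory(config_xml).items():
        if any(v == "allow" and "*" in p for v, _, p in rules):
            issues.append((path, "open-to-all"))
        elif not any(v == "deny" for v, _, _ in rules):
            issues.append((path, "no-explicit-deny"))
    return issues


if __name__ == "__main__":
    for path, rules in inventory(SAMPLE_WEB_CONFIG).items():
        print(path, rules)
    print(findings(SAMPLE_WEB_CONFIG))
```

Run against a real site's web.config this produces the directory-to-group mapping the deck says is undocumented; the `findings` list is the part worth reviewing first, because a `<location>` that allows `*` overrides the root `deny users="?"`.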
Protected Object Space Needing Access Permission
• Web sites
• Web services
• Partner services
• Provider services or web sites
• Applications
• Programs
• Policies
• Users
• Consumers
• Producers
• Transactions
• Statements
• Queues
• Infrastructure
• Hierarchy of objects based on ownership relation
• Private information encapsulated in objects
Access Control Enforcement Points
• Reverse proxy single sign-on
• Federated SSO for 3rd party service providers
• Single point authentication and authorization system for all user devices: mobile, handheld, phone, desktop, messaging device
• B2B service
• Messaging service
• Proxy services to business services
• Web service security
• Enterprise Service Bus
• Gateway ESB
• Application invocation
• Information security for the view generation service
• Information security for the data object access service
Protected Object Space is a Centrally Managed Database
• Object definitions
• Access control list policies for objects
• Associated object policies: privacy, auditing, access time/accessor log, etc.
• Associated authorization rule (for an external/internal rules engine to the Access Manager) that asserts access to the protected object
• Pre- or post-processing/filtration/transformation requirements for inbound/outbound messages
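The three slides above (protected object space, enforcement points, and the centrally managed database of object definitions, ACL policies and associated policies) describe a policy decision point that every enforcement point consults before invoking a service. The following is an added example, not the deck's design and not any product's API: a small protected object space in which objects form an ownership hierarchy, a child inherits its ancestors' ACL, associated policies (an internal-only zone, owner-only access for customers) are evaluated at request time, and every decision is written to an audit record. The `Subject` type stands in for the session credential the access manager builds at login; object names, roles and subjects are constructed.

```python
"""A centrally managed protected object space acting as policy decision point:
object definitions, ACL policies inherited down an ownership hierarchy,
associated policies (zone, owner-only access) and an audit record for every
decision. Added illustration, not the deck's design; names are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional


@dataclass
class ProtectedObject:
    name: str
    parent: Optional[str] = None      # ownership hierarchy; a child inherits its ancestors' ACL
    owner: Optional[str] = None       # business owner, e.g. the customer a policy belongs to
    acl: dict = field(default_factory=dict)       # role -> set of permitted actions
    policies: dict = field(default_factory=dict)  # e.g. {"zone": "internal"}, {"owner_only_for": {...}}


@dataclass
class Subject:
    """Stands in for the session credential the access manager builds at login."""
    id: str
    roles: frozenset
    zone: str                         # "internal" or "external": which registry authenticated the user


class ProtectedObjectSpace:
    def __init__(self):
        self.objects = {}
        self.audit_log = []

    def define(self, obj):
        """Governance hook: objects are registered here, not in a deployment script."""
        if obj.parent is not None and obj.parent not in self.objects:
            raise ValueError(f"parent {obj.parent!r} must be defined before {obj.name!r}")
        self.objects[obj.name] = obj

    def chain(self, name):
        """The object and its ancestors, child first."""
        out = []
        while name is not None:
            obj = self.objects[name]
            out.append(obj)
            name = obj.parent
        return out

    def effective(self, name):
        """Merge ACL, policies and owner root-first so a child can override an ancestor."""
        acl, policies, owner = {}, {}, None
        for obj in reversed(self.chain(name)):
            for role, actions in obj.acl.items():
                acl[role] = set(actions)
            policies.update(obj.policies)
            if obj.owner is not None:
                owner = obj.owner
        return acl, policies, owner

    def decide(self, subject, action, name):
        """Policy decision, evaluated at request time and always audited."""
        allowed, reason = self._evaluate(subject, action, name)
        self.audit_log.append({
            "at": datetime.now(timezone.utc).isoformat(),
            "subject": subject.id, "zone": subject.zone,
            "action": action, "object": name,
            "allowed": allowed, "reason": reason,
        })
        return allowed, reason

    def _evaluate(self, subject, action, name):
        if name not in self.objects:
            return False, "undefined-object"       # nothing outside the object space is reachable
        acl, policies, owner = self.effective(name)
        if policies.get("zone") == "internal" and subject.zone != "internal":
            return False, "external-subject-internal-zone"   # no trust for external principals
        if not any(action in acl.get(role, ()) for role in subject.roles):
            return False, "no-matching-acl-entry"
        restricted = set(policies.get("owner_only_for", ()))
        if restricted and subject.roles <= restricted and subject.id != owner:
            return False, "not-owner"               # privacy: customers see only their own objects
        return True, "allowed"


def build_sample_space():
    """Constructed object space: a root, a policies branch, one policy, an internal DB."""
    space = ProtectedObjectSpace()
    space.define(ProtectedObject("/", acl={"admin": {"read", "write", "manage"}}))
    space.define(ProtectedObject("/policies", parent="/",
                                 acl={"agent": {"read", "write"}, "customer": {"read"}},
                                 policies={"owner_only_for": {"customer"}}))
    space.define(ProtectedObject("/policies/P-1001", parent="/policies", owner="cust42"))
    space.define(ProtectedObject("/internal/claims-db", parent="/",
                                 acl={"claims-service": {"read", "write"}},
                                 policies={"zone": "internal"}))
    return space


def run_demo():
    """Decision reasons for a set of constructed requests, plus the audit trail."""
    space = build_sample_space()
    agent = Subject("agent07", frozenset({"agent"}), "internal")
    cust42 = Subject("cust42", frozenset({"customer"}), "external")
    cust99 = Subject("cust99", frozenset({"customer"}), "external")
    partner = Subject("partner-svc", frozenset({"claims-service"}), "external")
    requests = [
        (agent, "read", "/policies/P-1001"),
        (cust42, "read", "/policies/P-1001"),
        (cust99, "read", "/policies/P-1001"),
        (cust42, "write", "/policies/P-1001"),
        (partner, "read", "/internal/claims-db"),
        (agent, "read", "/unregistered"),
    ]
    results = [space.decide(s, a, o)[1] for s, a, o in requests]
    return results, space.audit_log
```

The order of checks in `_evaluate` is the point: the zone rule denies an external principal before any ACL is consulted, which is how the later "no trust for external users/applications to internal resources" requirement is enforced centrally rather than per adapter, and the audit entry is written whether the answer is allow or deny.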
Authentication Mechanism
The device interface for the authentication mechanism can be any that matches the user's device (form, interactive voice/phone, text message). The Web Security Server uses the Access Manager User Registry to create an Access Manager user credential, which is used for the duration of the session.
Adapting/Migrating (Multiple) ADS User Registry For Access management
Authentication and Federation
• The authorization manager should be able to authenticate a user from any kind of communication device and create a session for the user irrespective of the device
• The external authentication manager should be able to recognize the user credential when the user is redirected to the external site and create a session there, and vice versa
• External users/applications may not be granted trust to access internal resources such as databases via any kind of adapter or web service
ESB Functionalities
• Routing
• Mediation
• Confidentiality
• Protocol transformation
• Logging, auditing, authorization
• Enforcement of access control
• Flow management
• Throttling: queue length, number of simultaneous flows
• Correlation of inbound flows to outbound flows
• Proxy for virtualization and versioning
• Notification
• Alerting
• Activity monitoring and aggregate reporting via dashboard
Transitioning: Present to Future [Concern: Data Synchronization During Transition]
• The reverse proxy server should act as gateway to the old and new implementations, transparently to any user
• The operational data store must remain in sync during the transition; an active-active data sharing/replication bridge should be in place
• All DB access for the new implementation may be channeled through the ESB, so that data replication from new to old can be incorporated easily and securely
High Availability, Zero Downtime
• Physical replication of the total infrastructure (active-passive failover)
• RAID: replication of storage
• Cloud space and grid storage: virtual storage, Internet-hosted application
• RAC DBMS
• Web clusters
• Replication of critical databases and directories/registries
• Queue clusters
• End point virtualization, versioning and governance using registry and repository