Security for Web Information Systems: Towards Compromise-Resilient Architectures
Web Information Systems Engineering (WISE)
confidential
Introduction
• Security services play an important role in assuring the reliability and integrity of any information system
• The dynamic, distributed nature of Web Information Systems also introduces multiple points of potential security compromise
• Compromise resilience is as important as compromise resistance
Basic Model
[Diagram: Agent, Resource, Data]
Model:
• Agents access Web information resources
• Resources provide services and process data
Security Services
[Diagram: Agent, Resource, Data]
• Authentication: Who are you?
• Authorization: What can you do?
• Data protection: How is the data secured?
Authentication Approaches: Who are you?
[Diagram: Agent, Resource, Data, Authentication Authority]
• Agents, resources exchange claims of identity
• Authentication authority issues credentials, helps validate claims
• Agents and resources have authentication credentials associated with their identities
Authorization Approaches: What can you do?
[Diagram: Agent, Resource, Data, Authorization Authority]
• Authorization authority supports policy decisions
• Resources enforce policy
Data Protection Approaches: How is the data secured?
[Diagram: Agent, Resource, Data, Key Authority]
• Stored data is encrypted
• Key authority manages keys
  -- which also need access control!
• Agents, resources exchange data through a secure channel
Typical Security Architecture
[Diagram: Agent, Resource, Data, Authentication Authority, Key Authority, Authorization Authority]
• Authorities support agents, resources in establishing security
Potential Security Compromises
[Diagram: Agent, Resource, Data, Authentication Authority, Key Authority, Authorization Authority; an attack marked on every component]
• Compromises happen. What’s the impact?
• Replicated, mobile nature of system introduces multiple points of compromise
Authentication Compromises
[Diagram: architecture with attack marked]
• Agent can be impersonated to resource

Authentication Compromises
[Diagram: architecture with attack marked]
• Resource can be impersonated to agent

Authentication Compromises
[Diagram: architecture with attack on the Authentication Authority marked]
• Anyone can be impersonated!
• Attack the authority, and/or its administrators
Authorization Compromises
[Diagram: architecture with attack on the Authorization Authority marked]
• Anyone can be authorized!
• Attack the authority, and/or its administrators
Data Protection Compromises
[Diagram: architecture with attack on the Key Authority marked]
• Any key can be recovered!
• But data remains secure unless encrypted data also compromised

Data Protection Compromises
[Diagram: architecture with attack on the stored Data marked]
• Any encrypted data can be recovered!
• But data remains secure unless keys also compromised
Compromise Resilience
[Diagram: architecture with an attack marked on every component]
• How do you mitigate the risk?
• Resilience vs. resistance
Authentication Compromise Resilience
[Diagram: Agent, Resource, Data, Authentication Authority, Home Agent]
• Agent’s credentials should be short-lived and context-specific
• Home agent supports agent in obtaining them
• Resource’s credentials can be similarly strengthened

Authentication Compromise Resilience
[Diagram: Agent, Resource, Data, Authentication Authority, Home Agent, Master Authentication Authority]
• Authentication authority’s credentials and validation data should be short-lived
• Master authority manages distribution of data and credentials

Authentication Compromise Resilience
[Diagram: Agent, Resource, Data, Authentication Authority, Home Agent, Master Authentication Authority]
• Multi-administrator and multi-authority approaches can also help
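As an added illustration of the short-lived, context-specific credentials on these slides (example code, not from the talk): a hypothetical home agent issues an HMAC-signed credential bound to one agent, one resource and a short validity window, and the resource checks integrity, audience and freshness before accepting it. The shared issuer key, the 300-second lifetime and the claim names are assumptions.

```python
import base64
import binascii
import hashlib
import hmac
import json

# Constructed issuer key shared by the home agent and the resource (assumption:
# a real deployment would distribute and rotate it, e.g. via the master authority).
HOME_AGENT_KEY = b"example-home-agent-key"
TTL_SECONDS = 300  # short-lived: a stolen credential is only useful for minutes


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_credential(agent_id, resource_id, now, key=HOME_AGENT_KEY):
    """Home agent issues a credential for one agent, bound to one resource
    (the context) and valid only for [now, now + TTL_SECONDS)."""
    claims = {"sub": agent_id, "aud": resource_id, "iat": now, "exp": now + TTL_SECONDS}
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(tag)


def validate_credential(token, resource_id, now, key=HOME_AGENT_KEY):
    """Resource checks integrity, audience and freshness; returns the agent id or None."""
    try:
        body_b64, tag_b64 = token.split(".")
        body, tag = _unb64(body_b64), _unb64(tag_b64)
    except (ValueError, binascii.Error):
        return None  # malformed token
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None  # forged or tampered
    claims = json.loads(body)
    if claims.get("aud") != resource_id:
        return None  # context-specific: a credential for another resource is useless here
    if not claims.get("iat", 0) <= now < claims.get("exp", 0):
        return None  # short-lived: outside the validity window
    return claims["sub"]
```

A credential captured from the agent therefore buys an attacker at most one resource for at most TTL_SECONDS, which is the whole point of the slide.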
Authorization Compromise Resilience
[Diagram: Agent, Resource, Data, Authorization Authority, Master Authorization Authority]
• Authorization authority’s credentials should be short-lived
• Multi-administrator or multi-authority approaches also help
Data Protection Compromise Resilience
[Diagram: Agent, Resource, Data, four Key Authorities]
• Secret sharing reduces impact of compromise of one key authority
• Trusted execution protects keys in field

Data Protection Compromise Resilience
[Diagram: Agent, Resource, Data, four Key Authorities]
• Proactive secret sharing maintains resilience by updating shares periodically
• Distributed cryptography uses keys in split form
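As an added illustration of the secret sharing and proactive refresh on these two slides (example code, not from the talk): a Shamir threshold split of a data key across four hypothetical key authorities, any three of which can reconstruct it, plus a proactive refresh that re-randomizes every share without changing the key, so shares captured in different refresh periods cannot be combined. The field prime, the 3-of-4 parameters and the centrally generated refresh polynomial are assumptions.

```python
import secrets

# Field prime for the share arithmetic (assumption: the Mersenne prime 2^127 - 1
# keeps the example simple; any prime larger than the secret works).
P = (1 << 127) - 1


def _eval_poly(coeffs, x):
    """Evaluate a polynomial (constant term first) at x, modulo P."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % P
    return result


def split_secret(secret, threshold, n):
    """Shamir split: n shares (x, y) with x = 1..n as the key-authority ids.
    Any `threshold` shares determine the secret; fewer reveal nothing about it."""
    coeffs = [secret % P] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def reconstruct(shares):
    """Lagrange interpolation at x = 0 over the given shares (needs `threshold` of them)."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def refresh_shares(shares, threshold):
    """Proactive refresh: add to every share the value of a fresh random polynomial
    whose constant term is 0. The secret is unchanged, but a share from before the
    refresh cannot be combined with shares from after it, so an attacker must
    compromise `threshold` authorities within one period. Simplification: one
    zero polynomial is generated here; in a real protocol each authority
    contributes its own and the sum plays this role."""
    zero_coeffs = [0] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    return [(x, (y + _eval_poly(zero_coeffs, x)) % P) for x, y in shares]
```

Reconstruction is shown for clarity; the distributed cryptography on the second slide would instead use the shares directly, without ever reassembling the key at one place.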
A Resilient Security Architecture: Anticipating compromise mitigates risk
[Diagram: Agent, Resource, Data, Resilience Manager, four Key Authorities, Authentication Authority, Authorization Authority, Home Agent, Master Authentication Authority, Master Authorization Authority]
Observations
• Countermeasures such as short-lived, context-specific credentials and secret sharing limit the impact of security compromises
• The distributed nature of Web Information Systems facilitates such countermeasures
• New components are easily introduced into the architecture
• Web Information Systems can lead the industry in compromise resilience
Conclusion: Two Questions
• What do you call an attacker who compromises a Web Information System?
  Answer: a WISE-Cracker
• What do you call a Web Information System that is resilient against such compromise?
  Answer: a Web Information System Engineered with Resilience = WISER