Integrated Security Architecture
Post on 30-Dec-2015
IBM Software Group
© 2004 IBM Corporation
Integrated Security Architecture
James Andoniadis
IBM Canada
IBM Software Group | Tivoli software
CEO View: Increased Collaboration Brings Rewards
Layers of security
Perimeter Defense: keep out unwanted with
• Firewalls
• Anti-Virus
• Intrusion Detection, etc.
Control Layer
• Which users can come in?
• What can users see and do?
• Are user preferences supported?
• Can user privacy be protected?
Assurance Layer
• Can I comply with regulations?
• Can I deliver audit reports?
• Am I at risk?
• Can I respond to security events?
Pre SOA Security: Enforcement & Decision Points
[Diagram: Access Enforcement Functionality (AEF) points sit in front of the Reverse Proxy Server, Portal Server, Application Server (J2EE Container and J2EE Apps), .Net / 3rd Party Apps, Business Processes, Web Servers and the back-end Data Stores (CICS, IMS, ...). Each AEF calls Access Decision Functionality (ADF): the Security Decision Services, with Other Security Decision Services reached through an ADF Proxy. Enforcement and decisions feed a shared Audit Infrastructure; front-end traffic is HTTP.]
Directory Management View
[Diagram: on the external side, Customers and Employees reach Transactional and Informational Web Presentation through Network Access Control and Web Access Control, supported by an External Directory, Certificate Status Responder, External and Internal SMTP Gateways, Network Dispatcher, Proxy and an External ePortal. On the internal side, Single Sign On, Application Access Control, Network Authentication & Authorization, Delegated User Management, Web Single Sign On, Identity Management, a Certificate Authority, Messaging, CRM/ERP (PeopleSoft), LOB Applications, Databases, Network Operating Systems, an Internal ePortal and LDAP-enabled apps are all backed by an Internal Directory, an Application Directory and a Meta-Directory/LDAP Directory, with Transactional Web Integration in between.]
Identity and Access Management Portfolio
[Diagram: the Tivoli products mapped onto the enterprise landscape of Apps/Email, UNIX/Linux, NOS, Databases & Applications, MF/Midrange, Identity Stores, HR/CRM/Partners, Web Applications, Portal Presentation and Personalization, and Collaboration Services (Lotus).]
• ITIM: Provisioning (policies, workflow, password self-service, audit trails) of the Security Management Objects
• Enterprise Directory (personal info, credentials, entitlements)
• ITFIM: Federated Identity and Web Services Security
• ITAM: Web Access Management (SSO, authentication, authorization)
• ITDI: Directory Integration
• ITDS: Directory Server
• TAM for ESSO
Operational Deployment Pattern - Security Zones
[Diagram: zones separated by a protocol firewall and a domain firewall. Internet (Uncontrolled): customers, employees and business partners with web browsers over HTTP/S. Internet DMZ (Controlled): Load Balancer, Reverse Proxy (WebSEAL), Enterprise External Web Applications. Intranet (Controlled): employees and contractors through a Reverse Proxy (WebSEAL). Server Production Zone (restricted): WebSphere Portal (WPS), Access Policy Server (ITAM), Federated Identity Mgmt (ITFIM), Directory Server (ITDS), Content Management. Management (secured): Identity Management, Meta-Directory, Directory Sync and the internal directories (MS AD, Enterprise LDAP, BP DB table).]
Operational Security Tools:
• Host IDS, Network IDS
• Auditing scanners, weak password crackers
• AntiVirus
• Vulnerability scanners (host, network, web)
• Intrusion prevention
• Tripwire
• Audit/logging, event correlation
• ...
Governments as Identity Providers
“TRUST provides ACCESS”
The United States is an “Identity Provider” because it issues a Passport as proof of identification: the USA vouches for its citizens.
[Diagram: Germany, the USA and China each act as Identity Provider for their own users.]
Roles: Identity Provider and Service Provider
Identity Provider (the “vouching” party in the transaction):
1. Issues network / login credentials
2. Handles user administration / ID management
3. Authenticates the user
4. “Vouches” for the user’s identity
Service Provider (the “validation” party in the transaction):
• Controls access to services
• Third-party user has access to services for the duration of the federation
• Only manages user attributes relevant to the SP
Mutual TRUST between Identity Provider and Service Provider
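The vouch/validate exchange above, and the passport analogy of the previous slide, as an added Python example that is not part of the original presentation: an identity provider issues a signed, time-limited assertion, and the service provider checks issuer trust, signature, audience and expiry before keeping only the attributes it needs. Real federations use SAML or WS-Federation assertions with XML signatures; the HMAC over a JSON assertion and the shared key per trusted IdP are assumptions standing in for those.

```python
import hashlib
import hmac
import json

# Constructed trust configuration (assumption): the SP trusts exactly these
# identity providers, each sharing a distinct key with the SP.
SP_TRUSTED_IDPS = {
    "idp.example-usa": b"usa-constructed-key",
    "idp.example-germany": b"germany-constructed-key",
}
SP_AUDIENCE = "sp.example-service"


def idp_issue_assertion(issuer, key, subject, attrs, now, ttl=300):
    """Identity Provider side: after authenticating the user (out of scope
    here), vouch for the identity with a signed, time-limited assertion."""
    claims = {"iss": issuer, "sub": subject, "aud": SP_AUDIENCE,
              "exp": now + ttl, "attrs": attrs}
    payload = json.dumps(claims, sort_keys=True).encode()
    signature = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": signature}


def sp_validate_assertion(assertion, now):
    """Service Provider side: the validating party. Returns the attributes the
    SP keeps, or None when the assertion must not grant access."""
    claims = json.loads(assertion["payload"])
    key = SP_TRUSTED_IDPS.get(claims.get("iss"))
    if key is None:
        return None  # unknown issuer: no trust relationship, so no access
    expected = hmac.new(key, assertion["payload"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["sig"]):
        return None  # forged or altered assertion
    if claims.get("aud") != SP_AUDIENCE:
        return None  # issued for a different service provider
    if claims.get("exp", 0) <= now:
        return None  # the federation session has ended
    # Keep only the attributes relevant to this SP; the IdP still owns the
    # rest of the user's identity and its administration.
    return {"subject": claims["sub"], "role": claims["attrs"].get("role")}
```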
Federated Identity Standards
Agenda
Enterprise Security Architecture – MASS Intro
Identity, Access, and Federated Identity Management
SOA Security
SOA Security Encompasses all Aspects of Security
[Diagram: the SOA reference layers, numbered 1 to 5 from the top: consumers (custom and packaged applications, Outlook, SAP, OO and ISV applications); business processes / process choreography; services (definitions), atomic and composite; service components; operational systems and supporting middleware (MQ, DB2, Unix, OS/390). Service Consumer and Service Provider roles are shown on either side.]
SOA Security spans, across SCA, Portlet, WSRP, B2B and other bindings:
• Identity
• Authentication
• Authorization
• Confidentiality, Integrity
• Availability
• Auditing & Compliance
• Administration and Policy Management
Message-based Security: End-to-End Security
Message-based security does not rely on a secure transport:
• the message itself is encrypted (message privacy)
• the message itself is signed (message integrity)
• the message contains the user identity (proof of origin)
[Diagram: a SOAP message crossing two HTTPS hops; each connection provides integrity/privacy only for its own hop, and the point between the two hops is marked with a question mark.]
Web Service Security Specifications Roadmap
[Diagram: the specification stack, bottom to top]
• SOAP Messaging
• WSS – SOAP Security
• Security Policy, Secure Conversation, Trust
• Federation, Privacy, Authorization
SOAP Message Security: Extensions to Header
• The SOAP Header allows for extensions
• The OASIS standard “WS-Security: SOAP Message Security” defines XML for Tokens, Signatures and Encryption, and defines how these elements are included in the SOAP Header
[Diagram: a SOAP Envelope containing a Header, which carries a Security Element (Security Token, Signature, Encrypted Data), and a Body with the application data.]
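The Security element described above, and the message-based security slide before it, as an added Python example that is not code from the presentation or from OASIS: the Header carries a UsernameToken and a signature bound to the canonicalised Body, so a change made at an intermediary sitting between two HTTPS hops is detected by the final service even though each hop was encrypted. The element names follow WS-Security, but the HMAC with a shared key and the plain Signature element are simplifications assumed here in place of XML Signature with X.509 keys.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
NS = {"soap": SOAP, "wsse": WSSE}
ET.register_namespace("soap", SOAP)
ET.register_namespace("wsse", WSSE)

# Constructed key shared by requester and final service (assumption); a real
# deployment would use an X.509 key pair and XML Signature instead.
SHARED_KEY = b"constructed-demo-key"


def _signed_bytes(username, body):
    """Canonicalise the Body (as XML-DSig does before digesting) and bind it to
    the identity token, so neither can be altered independently in transit."""
    canonical = ET.canonicalize(ET.tostring(body, encoding="unicode"), strip_text=True)
    return username.encode() + b"\n" + canonical.encode()


def build_envelope(username, body_xml):
    """Requester side: Envelope whose Header carries a wsse:Security element
    with a Security Token (UsernameToken) and a Signature over the Body."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    security = ET.SubElement(ET.SubElement(env, f"{{{SOAP}}}Header"), f"{{{WSSE}}}Security")
    token = ET.SubElement(security, f"{{{WSSE}}}UsernameToken")
    ET.SubElement(token, f"{{{WSSE}}}Username").text = username
    body = ET.SubElement(env, f"{{{SOAP}}}Body")
    body.append(ET.fromstring(body_xml))
    mac = hmac.new(SHARED_KEY, _signed_bytes(username, body), hashlib.sha256).digest()
    # Stand-in for ds:Signature: the HMAC over token identity + canonical Body.
    ET.SubElement(security, "Signature").text = base64.b64encode(mac).decode()
    return ET.tostring(env, encoding="unicode")


def verify_envelope(xml_text):
    """Final service side: returns the authenticated username, or None if the
    token or Body was changed anywhere along the path (for example at an
    intermediary that terminated one HTTPS hop and re-encrypted the next)."""
    env = ET.fromstring(xml_text)
    security = env.find("soap:Header/wsse:Security", NS)
    username = security.findtext("wsse:UsernameToken/wsse:Username", namespaces=NS)
    claimed = base64.b64decode(security.findtext("Signature"))
    body = env.find("soap:Body", NS)
    expected = hmac.new(SHARED_KEY, _signed_bytes(username, body), hashlib.sha256).digest()
    return username if hmac.compare_digest(claimed, expected) else None
```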
Security Drill Down
• Edge Security (Transport Layer), at the Reverse Proxy / XML firewall or gateway: SSL/TLS termination
• 1st Layer Message Security, at the ESB (SES incl. Trust Client): signature validation / origin authentication, message-level decryption
• 2nd Layer Message Security, at the ESB (SES incl. Trust Client): requestor identification & authentication & mapping, element-level decryption
• Nth Layer Message Security, at the ESB (SES incl. Trust Client): requestor identification & authentication & mapping, message-level encryption
• Application Security, at the Apps (SES incl. Trust Client): authorization with the ESB-asserted identifier
Security Decision Services (Trust Services) backing every layer: Security Policy, Security Token Service, Key Store and Management, Authorization
Moving to SOA – Accommodate Web Services
[Diagram: the pre-SOA picture with a SOAP Gateway added beside the Reverse Proxy Server, and the AEF points replaced by SES points at the Gateway, Reverse Proxy Server, Portal Server, Application Server (J2EE Container / J2EE Apps), .Net / 3rd Party Apps, Business Processes, Web Servers and Data Stores (CICS, IMS, ...). The SES points call the Security Decision Services, with MSFT Security Decision Services reached through an SDS Proxy, and all feed the Audit Infrastructure. HTTP traffic enters through the Reverse Proxy, SOAP through the Gateway.]
Responsibilities annotated on the picture:
• Transport layer confidentiality and integrity (on the HTTP and the SOAP legs)
• User-interaction based I&A enforcement (HTTP)
• Identification & authentication decisions
• Token based authentication enforcement (SOAP)
• Identity mapping
• Message layer confidentiality and integrity
Moving to SOA, Adding the ESB…(Mandatory Scary Picture)
[Diagram: the previous picture with an Enterprise Service Bus (ESB) inserted between the SOAP Gateway / Reverse Proxy Server and the Portal Server, Application Server (J2EE Container / J2EE Apps), Business Processes, Web Servers, .Net / 3rd Party Apps and Data Stores (CICS, IMS, ...). SES points on each hop call the Security Decision Services (MSFT Security Decision Services through an SDS Proxy) and the Common Auditing & Reporting Service. Product mapping shown: Security Decision Services = Tivoli Federated Identity Manager (TFIM) and Tivoli Access Manager (TAM); SOAP Gateway = DataPower XS40 (H/W) or WebSphere Web Services Gateway (S/W); Reverse Proxy / Web PI = Tivoli Access Manager (S/W); directory = Tivoli Directory Server; ESB = WebSphere Enterprise Service Bus or DataPower XI50; SES points = TFIM and TAM.]
Further Reading
• On Demand Operating Environment: Security Considerations in an Extended Enterprise: http://publib-b.boulder.ibm.com/abstracts/redp3928.html?Open
• Web Services Security Standards, Tutorials, Papers: http://www.ibm.com/developerworks/views/webservices/standards.jsp, http://www.ibm.com/developerworks/views/webservices/tutorials.jsp, http://webservices.xml.com/
• WebSphere Security Fundamentals / WAS 6.0 Security Handbook: http://www.redbooks.ibm.com/redpieces/abstracts/redp3944.html?Open, http://www.redbooks.ibm.com/redpieces/abstracts/sg246316.html?Open
• IBM Tivoli Product Home Page: http://www.ibm.com/software/tivoli/solutions/security/
Summary
• End-to-end security integration is complex
• Web Services and SOA security are emerging areas: moving from session level security to message level security
• Identity Management incorporates several security services, but other security services need to be integrated as well: Audit and Event Management, Compliance and Assurance, etc.
• Security technology is one part; process, policy and people are the others, and often harder to change
• The only constant is change, but evolve around the fundamentals: establish separation of application and security management
• Use of open standards will help with integration of past and future technologies
Questions?
Security 101 Definitions
• Authentication – identify who you are: userid/password, PKI certificates, Kerberos, tokens, biometrics
• Authorization – what you can access: Access Enforcement Function / Access Decision Function; roles, groups, entitlements
• Administration – applying security policy to resource protection: directories, administration interfaces, delegation, self-service
• Audit – logging security successes / failures: basis of monitoring, accountability/non-repudiation, investigation, forensics
• Assurance – security integrity and compliance to policy: monitoring (Intrusion Detection, AntiVirus, Compliance), vulnerability testing
• Asset Protection – data confidentiality, integrity, data privacy
• Availability – backup/recovery, disaster recovery, high availability/redundancy
Agenda
Enterprise Security Architecture – MASS Intro
Identity, Access, and Federated Identity Management
SOA Security
MASS – Processes for a Security Management Architecture
Access Control Subsystem
Purpose: Enforce security policies by gating access to, and execution of, processes and services within a computing solution via identification, authentication, and authorization processes, along with security mechanisms that use credentials and attributes.
Functions:
• Access control monitoring and enforcement: Policy Enforcement Point / Policy Decision Point / Policy Administration Point
• Identification and authentication mechanisms, including verification of secrets, cryptography (encryption and signing), and single-use versus multiple-use authentication mechanisms
• Authorization mechanisms, to include attributes, privileges, and permissions
• Enforcement mechanisms, including failure handling, bypass prevention, banners, timing and timeout, event capture, and decision and logging components
Sample Technologies: RACF, platform/application security, web access control
Identity and Credential Subsystem
Purpose: Generate, distribute, and manage the data objects that convey identity and permissions across networks and among the platforms, the processes, and the security subsystems within a computing solution.
Functions:
• Single-use versus multiple-use mechanisms, either cryptographic or non-cryptographic
• Generation and verification of secrets
• Identities and credentials to be used in access control: identification, authentication, and access control for the purpose of user-subject binding
• Credentials to be used for purposes of identity in legally binding transactions
• Timing and duration of identification and authentication
• Lifecycle of credentials
• Anonymity and pseudonymity mechanisms
Sample Technologies: Tokens (PKI, Kerberos, SAML), user registries (LDAP, AD, RACF, ...), administration consoles, session management
Information Flow Control Subsystem
Purpose: Enforce security policies by gating the flow of information within a computing solution, affecting the visibility of information within a computing solution, and ensuring the integrity of information flowing within a computing solution.
Functions:
• Flow permission or prevention
• Flow monitoring and enforcement
• Transfer services and environments: open or trusted channel, open or trusted path, media conversions, manual transfer, and import to or export between domains
• Encryption
• Storage mechanisms: cryptography and hardware security modules
Sample Technologies: Firewalls, VPNs, SSL
Security Audit Subsystem
Purpose: Provide proof of compliance to the security policy.
Functions:
• Collection of security audit data, including capture of the appropriate data, trusted transfer of audit data, and synchronization of chronologies
• Protection of security audit data, including use of time stamps, signing events, and storage integrity to prevent loss of data
• Analysis of security audit data, including review, anomaly detection, violation analysis, and attack analysis using simple or complex heuristics
• Alarms for loss thresholds, warning conditions, and critical events
Sample Technologies: syslog, application/platform access logs
Solution Integrity Subsystem
Purpose: Address the requirement for reliable and correct operation of a computing solution in support of meeting the legal and technical standard for its processes.
Functions:
• Physical protection for data objects, such as cryptographic keys, and physical components, such as cabling, hardware, and so on
• Continued operations including fault tolerance, failure recovery, and self-testing
• Storage mechanisms: cryptography and hardware security modules
• Accurate time source for time measurement and time stamps
• Alarms and actions when physical or passive attack is detected
Sample Technologies: Systems Management solutions (performance, availability, disaster recovery, storage management); Operational Security tools: Host and Network Intrusion Detection Sensors (Snort), Event Correlation tools, Host security monitoring/enforcement tools (Tripwire, TAMOS), Host/Network Vulnerability Monitors/Scanners (Nessus), Anti-Virus software
On Demand Security Architecture (Logical)
[Diagram: On Demand Solutions run on the On Demand Infrastructure (services and components), which provides Network Security Solutions (VPNs, firewalls, intrusion detection systems) and OS, application and network component logging, security event logging, event management, archiving and business continuity. The On Demand Security Infrastructure between them comprises Policy Management (authorization, privacy, federation, etc.), Identity Management, Key Management, Intrusion Defense, Anti-Virus Management, Audit & Non-Repudiation, Assurance, Authorization, Identity Federation, Credential Exchange, Secure Networks and Operating Systems, Secure Logging and a Trust Model; Bindings Security and Secure Conversation (transport, protocol, message security); and policy expression: Security Policy Expression, Privacy Policy, Virtual Org Policies, Mapping Rules, Service/End-point Policy.]