Transcript
Page 1: IBM Security Architecture

Integrated Security Architecture

James Andoniadis, IBM Canada

IBM Software Group, © 2004 IBM Corporation

Page 2: IBM Security Architecture

IBM Software Group | Tivoli software

CEO View: Increased Collaboration Brings Rewards

Page 3: IBM Security Architecture

Layers of security

Perimeter Defense: keep out the unwanted with firewalls, anti-virus, intrusion detection, etc.

Control Layer:
• Which users can come in?
• What can users see and do?
• Are user preferences supported?
• Can user privacy be protected?

Assurance Layer:
• Can I comply with regulations?
• Can I deliver audit reports?
• Am I at risk?
• Can I respond to security events?

Page 4: IBM Security Architecture

Pre SOA Security: Enforcement & Decision Points

[Diagram; labels recovered from the slide: Access Enforcement Functionality (AEF); Access Decision Functionality (ADF); Reverse Proxy Server (HTTP); .Net / 3rd Party Apps; Portal Server; Application Server; J2EE Container; J2EE Apps; Business Processes; Web Servers; CICS/IMS...; Data Stores; Security Decision Services; Other Security Decision Services; ADF Proxy; Audit Infrastructure.]

Page 5: IBM Security Architecture

Directory Management View

[Diagram; labels recovered from the slide: Web Access Control; Network Access Control; Customer; Employee; Transactional Web Presentation; Informational Web Presentation; Certificate Status Responder; External Directory; Transactional Web Integration; External SMTP Gateway; Internal SMTP Gateway; Network Dispatcher; Delegated User Management; Internal ePortal, LDAP-enabled apps; Single Sign On; Application Access Control; Network Authentication & Authorization; Internal Directory; LOB Applications; Databases; Application Directory; Network Operating Systems; Identity Management; Certificate Authority; Web Single Sign On; Messaging; CRM/ERP (PeopleSoft); Meta-Directory / LDAP Directory; Proxy; External ePortal.]

Page 6: IBM Security Architecture

Identity and Access Management Portfolio

[Diagram; labels recovered from the slide:]
• ITIM: Provisioning – policies, workflow, password self-service, audit trails
• ITFIM: Federated Identity – Web Services Security
• ITAM: Web Access Management – SSO, authentication, authorization
• ITDI: Directory Integration
• ITDS: Directory Server
• TAM for ESSO
• Enterprise Directory – personal info, credentials, entitlements
• Portal presentation, personalization; Web applications
• Other labels: Apps/Email, UNIX/Linux, NOS, Databases & Applications, MF/Midrange, Identity Stores, HR, CRM, Partners, Security Mgmt Objects

Page 7: IBM Security Architecture

Operational Deployment Pattern - Security Zones

[Diagram; labels recovered from the slide:]
• Zones: Internet (Uncontrolled); Internet DMZ (Controlled); Intranet (Controlled); Server Production Zone (restricted); Management (secured); protocol firewall; domain firewall
• Components: Web Browser (HTTP/S) for Customers, Employees, Business Partners and Employees/Contractors; Load Balancer; Reverse Proxy (WebSEAL); WebSphere Portal (WPS); Access Policy Server (ITAM); Directory Server (ITDS); Federated Identity Mgmt (ITFIM); Identity Management, Meta Directory, Directory Sync; Internal Directories: MS AD, Enterprise LDAP, BP DB Table; Enterprise External Web Applications; Collaboration Services (Lotus); Content Management
• Operational Security Tools: Host IDS, Network IDS; Auditing scanners; weak password crackers; AntiVirus; Vulnerability scanners (host, network, web); Intrusion prevention; Tripwire; Audit/logging, event correlation; ...

Page 8: IBM Security Architecture

Governments as Identity Providers

“TRUST provides ACCESS”

The United States is an “Identity Provider” because it issues a Passport as proof of identification: the USA vouches for its citizens.

[Diagram: three Identity Providers (USA, Germany, China), each with its own Users.]

Page 9: IBM Security Architecture

Roles: Identity Provider and Service Provider

Identity Provider (the “vouching” party in the transaction):
1. Issues network / login credentials
2. Handles user administration / ID management
3. Authenticates the user
4. “Vouches” for the user’s identity

Service Provider (the “validation” party in the transaction):
• Controls access to services
• A third-party user has access to services for the duration of the federation
• Only manages the user attributes relevant to the SP

Mutual TRUST between Identity Provider and Service Provider.

Page 10: IBM Security Architecture


Federated Identity Standards

Page 11: IBM Security Architecture


Agenda

Enterprise Security Architecture – MASS Intro

Identity, Access, and Federated Identity Management

SOA Security

Page 12: IBM Security Architecture

[Diagram: SOA layered view; labels recovered from the slide: consumers (Custom Application, Packaged Application, Outlook, SAP); business processes (process choreography); services (definitions; atomic and composite); service components; operational systems / supporting middleware (OO Application, ISV, Custom Apps, Platform, MQ, DB2, Unix, OS/390); Service Consumer; Service Provider; layers numbered 1 to 5.]

SOA Security Encompasses all Aspects of Security:
• Identity
• Authentication
• Authorization
• Confidentiality, Integrity
• Availability
• Auditing & Compliance
• Administration and Policy Management

Also labelled: SCA, Portlet, WSRP, B2B, Other

Page 13: IBM Security Architecture

Message-based Security: End-to-End Security

Message-based security does not rely on a secure transport:
• the message itself is encrypted: message privacy
• the message itself is signed: message integrity
• the message contains the user identity: proof of origin

[Diagram: a SOAP Message carried over two HTTPS hops, each labelled Connection Integrity/Privacy, with a “?” between them.]

Page 14: IBM Security Architecture

Web Service Security Specifications Roadmap

[Diagram; specification labels recovered from the slide: WSS – SOAP Security; Security Policy; Secure Conversation; Trust; Federation; Privacy; Authorization; SOAP Messaging.]

Page 15: IBM Security Architecture

SOAP Message Security: Extensions to Header

The SOAP Header allows for extensions.

The OASIS standard “WS-Security: SOAP Message Security”:
• defines XML for Tokens, Signatures and Encryption
• defines how these elements are included in the SOAP Header

[Diagram: SOAP Envelope containing a Header, which carries a Security Element (Security Token, Signature, Encrypted Data), and a Body holding the <application data>.]
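As an added example (not from the slides or any IBM product), the header layout described above in standard-library Python: the token and an integrity proof travel inside the SOAP Header, so the receiver checks origin and integrity from the message alone, with no reliance on HTTPS between hops. The namespace URIs are the SOAP 1.1 and OASIS WSS 1.0 ones; SHARED_KEY and the HMAC-based Signature element are assumptions that stand in for a real ds:Signature (XML Signature with canonicalization) and for key management.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Namespaces from SOAP 1.1 and the OASIS WS-Security 1.0 specification.
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")
for prefix, uri in (("soapenv", SOAP), ("wsse", WSSE), ("wsu", WSU)):
    ET.register_namespace(prefix, uri)

# Assumed shared secret between requester and receiver (constructed for
# this example; real WS-Security uses XML Signature with X.509 keys).
SHARED_KEY = b"example-shared-key"


def _proof(user, body):
    """Integrity proof bound to both the asserted identity and the Body.
    Stand-in for ds:Signature; no XML canonicalization is performed."""
    data = user.encode() + ET.tostring(body)
    mac = hmac.new(SHARED_KEY, data, hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def build_envelope(user, body_xml):
    """Sender: wrap application data in a SOAP Envelope whose Header carries
    a wsse:Security element with a UsernameToken and the proof."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP}}}Header")
    # wsu:Id is what a real ds:Reference URI="#Body" would point at.
    body = ET.SubElement(env, f"{{{SOAP}}}Body", {f"{{{WSU}}}Id": "Body"})
    body.append(ET.fromstring(body_xml))
    sec = ET.SubElement(header, f"{{{WSSE}}}Security")
    tok = ET.SubElement(sec, f"{{{WSSE}}}UsernameToken")
    ET.SubElement(tok, f"{{{WSSE}}}Username").text = user
    ET.SubElement(sec, "Signature").text = _proof(user, body)
    return ET.tostring(env)


def verify_envelope(raw):
    """Receiver: check the proof using only what the message carries.
    Returns (ok, username); username is None unless the proof holds."""
    env = ET.fromstring(raw)
    body = env.find(f"{{{SOAP}}}Body")
    sec = env.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security")
    if body is None or sec is None:
        return False, None
    user = sec.findtext(f"{{{WSSE}}}UsernameToken/{{{WSSE}}}Username")
    sig = sec.findtext("Signature")
    if user is None or sig is None:
        return False, None
    ok = hmac.compare_digest(sig, _proof(user, body))
    return ok, (user if ok else None)
```

An intermediary that terminates HTTPS can read or alter the Body, but the receiver's check fails on any change to the Body or to the asserted Username, which is the property the transport-only hops on the previous slide cannot give.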

Page 16: IBM Security Architecture

Security Drill Down

[Diagram; labels recovered from the slide, in layer order:]
• Edge Security (Transport Layer): Transport Layer Security; SSL/TLS Termination (Reverse Proxy, XML FW/GW)
• 1st Layer Message Security: Signature Validation / Origin Authentication; Message Level Decryption (ESB, SES incl Trust Client)
• 2nd Layer Message Security: Requestor Identification & Authentication & Mapping; Element Level Decryption (ESB, SES incl Trust Client)
• Application Security: Authorization with ESB asserted identifier (Apps, SES incl Trust Client)
• Nth Layer Message Security: Requestor Identification & Authentication & Mapping; Message Level Encryption (ESB, SES incl Trust Client)
• Security Decision Services (Trust Services): Security Policy; Security Token Service; Key Store, Management; Authorization

Page 17: IBM Security Architecture

Moving to SOA – Accommodate Web Services

[Diagram; labels recovered from the slide: Gateway (SOAP); SES; Reverse Proxy Server (HTTP); .Net/3rd Party Apps; Portal Server; Application Server; J2EE Container; J2EE Apps; Business Processes; Web Servers; CICS/IMS...; Data Stores; Security Decision Services; MSFT Security Decision Services; SDS Proxy; Audit Infrastructure.]

Page 18: IBM Security Architecture

Moving to SOA – Accommodate Web Services

[Diagram; same components as Page 17 (Gateway (SOAP); SES; Reverse Proxy Server (HTTP); .Net/3rd Party Apps; Portal Server; Application Server; J2EE Container; J2EE Apps; Business Processes; Web Servers; CICS/IMS...; Data Stores; Security Decision Services; MSFT Security Decision Services; SDS Proxy; Audit Infrastructure), with the security functions labelled:]
• Transport Layer Confidentiality, Integrity (HTTP)
• User Interaction Based I&A Enforcement
• Identification & Authentication Decisions
• Token Based Authentication Enforcement
• Identity Mapping
• Message Layer Confidentiality, Integrity

Page 19: IBM Security Architecture

Moving to SOA, Adding the ESB… (Mandatory Scary Picture)

[Diagram; labels recovered from the slide: ESB; Gateway (SOAP); Reverse Proxy Server; Portal Server; Application Server; J2EE Container; J2EE Apps; Business Processes; Web Servers; .Net/3rd Party Apps; CICS/IMS...; Data Stores; SES (HTTP); Audit Infrastructure; Security Decision Services; MSFT Security Decision Services; SDS Proxy; Common Auditing & Reporting Service.]

Products labelled on the slide: Tivoli Federated Identity Manager (TFIM); Tivoli Access Manager (TAM); H/W: DataPower XS40; S/W: WebSphere Web Services Gateway; S/W: Tivoli Access Manager Reverse Proxy/Web PI; Tivoli Directory Server; WebSphere Enterprise Service Bus; DataPower XI50.

Page 20: IBM Security Architecture


Further Reading

On Demand Operating Environment: Security Considerations in an Extended Enterprise http://publib-b.boulder.ibm.com/abstracts/redp3928.html?Open

Web Services Security Standards, Tutorials, Papers http://www.ibm.com/developerworks/views/webservices/standards.jsp

http://www.ibm.com/developerworks/views/webservices/tutorials.jsp

http://webservices.xml.com/

WebSphere Security Fundamentals / WAS 6.0 Security Handbook http://www.redbooks.ibm.com/redpieces/abstracts/redp3944.html?Open

http://www.redbooks.ibm.com/redpieces/abstracts/sg246316.html?Open

IBM Tivoli Product Home Page http://www.ibm.com/software/tivoli/solutions/security/

Page 21: IBM Security Architecture

Summary

• End-to-end security integration is complex
• Web Services and SOA security are emerging areas: moving from session level security to message level security
• Identity Management incorporates several security services, but other security services need to be integrated as well: Audit and Event Management, Compliance and Assurance, etc.
• Security technology is one part; process, policy and people are the others, and often harder to change
• The only constant is change, but evolve around the fundamentals: establish separation of application and security management
• Use of open standards will help with integration of past and future technologies

Page 22: IBM Security Architecture


Questions?

Page 23: IBM Security Architecture

Security 101 Definitions

• Authentication – identify who you are: userid/password, PKI certificates, Kerberos, tokens, biometrics
• Authorization – what you can access: Access Enforcement Function / Access Decision Function; roles, groups, entitlements
• Administration – applying security policy to resource protection: directories, administration interfaces, delegation, self-service
• Audit – logging security successes / failures: basis of monitoring, accountability/non-repudiation, investigation, forensics
• Assurance – security integrity and compliance to policy: monitoring (Intrusion Detection, AntiVirus, Compliance), vulnerability testing
• Asset Protection – data confidentiality, integrity, data privacy
• Availability – backup/recovery, disaster recovery, high availability/redundancy

Page 24: IBM Security Architecture


Agenda

Enterprise Security Architecture – MASS Intro

Identity, Access, and Federated Identity Management

SOA Security

Page 25: IBM Security Architecture


MASS – Processes for a Security Management Architecture

Page 26: IBM Security Architecture

Access Control Subsystem

Purpose: Enforce security policies by gating access to, and execution of, processes and services within a computing solution via identification, authentication, and authorization processes, along with security mechanisms that use credentials and attributes.

Functions:
• Access control monitoring and enforcement: Policy Enforcement Point / Policy Decision Point / Policy Administration Point
• Identification and authentication mechanisms, including verification of secrets, cryptography (encryption and signing), and single-use versus multiple-use authentication mechanisms
• Authorization mechanisms, to include attributes, privileges, and permissions
• Enforcement mechanisms, including failure handling, bypass prevention, banners, timing and timeout, event capture, and decision and logging components

Sample Technologies: RACF, platform/application security, web access control

Page 27: IBM Security Architecture

Identity and Credential Subsystem

Purpose: Generate, distribute, and manage the data objects that convey identity and permissions across networks and among the platforms, the processes, and the security subsystems within a computing solution.

Functions:
• Single-use versus multiple-use mechanisms, either cryptographic or non-cryptographic
• Generation and verification of secrets
• Identities and credentials to be used in access control: identification, authentication, and access control for the purpose of user-subject binding
• Credentials to be used for purposes of identity in legally binding transactions
• Timing and duration of identification and authentication
• Lifecycle of credentials
• Anonymity and pseudonymity mechanisms

Sample Technologies: Tokens (PKI, Kerberos, SAML), user registries (LDAP, AD, RACF, …), administration consoles, session management

Page 28: IBM Security Architecture

Information Flow Control Subsystem

Purpose: Enforce security policies by gating the flow of information within a computing solution, affecting the visibility of information within a computing solution, and ensuring the integrity of information flowing within a computing solution.

Functions:
• Flow permission or prevention
• Flow monitoring and enforcement
• Transfer services and environments: open or trusted channel, open or trusted path, media conversions, manual transfer, and import to or export between domains
• Encryption
• Storage mechanisms: cryptography and hardware security modules

Sample Technologies: Firewalls, VPNs, SSL

Page 29: IBM Security Architecture

Security Audit Subsystem

Purpose: Provide proof of compliance to the security policy.

Functions:
• Collection of security audit data, including capture of the appropriate data, trusted transfer of audit data, and synchronization of chronologies
• Protection of security audit data, including use of time stamps, signing events, and storage integrity to prevent loss of data
• Analysis of security audit data, including review, anomaly detection, violation analysis, and attack analysis using simple heuristics or complex heuristics
• Alarms for loss thresholds, warning conditions, and critical events

Sample Technologies: syslog, application/platform access logs
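As an added illustration of the protection functions listed above (time stamps, signing events, storage integrity), not part of the slides: a tamper-evident audit trail in standard-library Python, where each record is time-stamped, HMAC-signed and hash-chained to its predecessor, and a verifier re-walks the chain to detect edited, deleted or reordered records. AUDIT_KEY and the record layout are assumptions made for this example.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Assumed collector key (constructed for this example; in practice it is
# held by the audit service or an HSM, never by the audited application).
AUDIT_KEY = b"example-audit-signing-key"
GENESIS = "0" * 64  # chain anchor before the first record


def _canon(rec):
    """Deterministic serialisation of the signed fields (all but 'mac')."""
    signed = {k: v for k, v in rec.items() if k != "mac"}
    return json.dumps(signed, sort_keys=True, separators=(",", ":")).encode()


def _mac(rec):
    return hmac.new(AUDIT_KEY, _canon(rec), hashlib.sha256).hexdigest()


def _link(rec):
    """Hash that the next record carries in its 'prev' field."""
    return hashlib.sha256(_canon(rec) + rec["mac"].encode()).hexdigest()


class AuditLog:
    """Append-only trail: every record has a sequence number, a time stamp,
    the link hash of its predecessor and an HMAC over all of those."""

    def __init__(self):
        self.records = []
        self.head = GENESIS  # forward this out of band after each append

    def append(self, event, ts=None):
        rec = {"seq": len(self.records),
               "ts": ts or datetime.now(timezone.utc).isoformat(),
               "prev": self.head, "event": event}
        rec["mac"] = _mac(rec)
        self.head = _link(rec)
        self.records.append(rec)
        return rec


def verify(records, head=None):
    """Re-walk the chain as a reviewer would and report the first problem.
    'head' is the last link hash obtained from a trusted copy; without it,
    deletion at the tail of the log cannot be detected."""
    prev, last_ts = GENESIS, ""
    for i, rec in enumerate(records):
        if rec.get("seq") != i or rec.get("prev") != prev:
            return False, f"gap or reorder before record {i}"
        if not hmac.compare_digest(_mac(rec), rec.get("mac", "")):
            return False, f"record {i} modified"
        if rec["ts"] < last_ts:
            return False, f"record {i} time stamp goes backwards"
        last_ts, prev = rec["ts"], _link(rec)
    if head is not None and prev != head:
        return False, "records missing at the tail"
    return True, f"{len(records)} records intact"
```

The chain catches changes inside the stored log, but only a copy of the latest head held elsewhere (the slide's trusted transfer of audit data) exposes truncation of the most recent records.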

Page 30: IBM Security Architecture

Solution Integrity Subsystem

Purpose: Address the requirement for reliable and correct operation of a computing solution in support of meeting the legal and technical standard for its processes.

Functions:
• Physical protection for data objects, such as cryptographic keys, and physical components, such as cabling, hardware, and so on
• Continued operations including fault tolerance, failure recovery, and self-testing
• Storage mechanisms: cryptography and hardware security modules
• Accurate time source for time measurement and time stamps
• Alarms and actions when physical or passive attack is detected

Sample Technologies:
• Systems Management solutions: performance, availability, disaster recovery, storage management
• Operational Security tools: Host and Network Intrusion Detection Sensors (Snort), Event Correlation tools, Host security monitoring/enforcement tools (Tripwire, TAMOS), Host/Network Vulnerability Monitors/Scanners (Nessus), Anti-Virus software

Page 31: IBM Security Architecture

On Demand Security Architecture (Logical)

[Diagram; labels recovered from the slide:]
• On Demand Solutions
• On Demand Infrastructure – Services and Components: Network Security Solutions (VPNs, firewalls, intrusion detection systems); OS, application, network component logging and security events logging; event management; archiving; business continuity
• On Demand Security Infrastructure
• Other labels: Policy Management (authorization, privacy, federation, etc.); Identity Management; Key Management; Intrusion Defense; Anti-Virus Management; Audit & Non-Repudiation; Assurance; Authorization; Identity Federation; Credential Exchange; Secure Networks and Operating Systems; Secure Logging; Trust Model; Bindings Security and Secure Conversation (transport, protocol, message security); Security Policy Expression; Privacy Policy; Virtual Org Policies; Mapping Rules; Service/End-point Policy