ClearAvenue, LLC
Case studies on Authentication, Authorization and Audit in SOA Environments
Dr. Srini Kankanahalli
2
ClearAvenue, LLC
Headquartered in Columbia, Maryland
Focused on Systems Integration, Data Management, Information Security, Storage Networking, and Custom Software Development
Premier IBM Business Partner
CMMI Maturity Level 3
clearAvenue, LLC is an 8(a) certified, minority- and women-owned Small Disadvantaged Business
3
Authentication, Authorization, and Audit – The Challenge
Identity and Access Management is a major challenge for all federal agencies
A multitude of applications, legacy as well as state-of-the-art systems, poses additional challenges
Federal laws and federal contracting regulations add further complexity
Comprehensive end-to-end audits across multiple systems pose a significant challenge
4
Layers of Security
Perimeter Defense: keep out unwanted traffic with firewalls, anti-virus, intrusion detection, etc.
Control Layer: Which users can come in? What can users see and do? Are user preferences supported? Can user privacy be protected?
Assurance Layer: Can I comply with regulations? Can I deliver audit reports? Am I at risk? Can I respond to security events?
5
SOA Security Encompasses All Solution Layers
(Diagram: the SOA solution stack between service consumer and service provider, shown as layers: consumers (custom and packaged applications, Outlook, SAP, ISV and OO applications); business processes (process choreography); services (definitions, atomic and composite); service components; operational systems; platform and supporting middleware (MQ, DB2, Unix, OS/390). Access channels shown: SCA, Portlet, WSRP, B2B, Other.)
(SOA security concerns spanning every layer: Identity; Authentication; Authorization and Privacy; Auditing; Confidentiality, Integrity and Availability; Compliance; Administration and Policy Management.)
6
Identity Management – the basis of comprehensive security
(Diagram: Identity Management Functions applied across User Groups (FoH, BoH, Contractors, Customers) and Systems: Provisioning, De-provisioning, User self service, User profile management)
7
User Provisioning and De-provisioning
User provisioning across multiple enterprise systems poses significant challenges
User de-provisioning is a greater challenge
Role-based access and role management add to the complexity
Role engineering encompasses very little "engineering" and a lot of "politics"
8
Implementing Role-based Access Control
Successfully implemented RBAC with role-based provisioning to legacy as well as state-of-the-art systems
A Role is a set of entitlements that has a "Business Context"
Roles are not "cast in stone," but are derived through a "trial and error" process
Role Re-factoring has to be kept in mind during the design and implementation of any RBAC system
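The points on these two slides (roles as entitlement sets with a business context, de-provisioning across every system at once, and role re-factoring) as an added example; this is illustration code, not ClearAvenue's implementation, and the role names, system names and `split_role` check are assumptions made here:

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# An entitlement is a (system, permission) pair, e.g. ("Siebel", "read_case").
Entitlement = Tuple[str, str]

@dataclass
class RbacModel:
    # Role name -> entitlements it grants; the name carries the business context.
    roles: Dict[str, Set[Entitlement]] = field(default_factory=dict)
    # User id -> the roles assigned to that user.
    assignments: Dict[str, Set[str]] = field(default_factory=dict)
    # Append-only audit trail, one record per change.
    audit: List[str] = field(default_factory=list)

    def define_role(self, role: str, entitlements: Set[Entitlement]) -> None:
        self.roles[role] = set(entitlements)
        self.audit.append(f"define_role {role} {sorted(entitlements)}")

    def provision(self, user: str, role: str) -> None:
        if role not in self.roles:
            raise KeyError(f"unknown role {role}")
        self.assignments.setdefault(user, set()).add(role)
        self.audit.append(f"provision {user} {role}")

    def deprovision(self, user: str) -> Set[str]:
        # Drop every role at once, so access in all downstream systems goes together.
        removed = self.assignments.pop(user, set())
        self.audit.append(f"deprovision {user} {sorted(removed)}")
        return removed

    def effective(self, user: str) -> Set[Entitlement]:
        # A user's access is the union of the entitlements of all assigned roles.
        return set().union(*(self.roles[r] for r in self.assignments.get(user, set())))

    def split_role(self, old: str, parts: Dict[str, Set[Entitlement]]) -> None:
        # Role re-factoring: replace `old` with the roles in `parts`. Refuse unless
        # the parts cover exactly the old entitlements, so no user's access changes.
        combined = set().union(*parts.values())
        if combined != self.roles[old]:
            raise ValueError(f"refactoring changes entitlements: {sorted(combined ^ self.roles[old])}")
        for name, ents in parts.items():
            self.define_role(name, ents)
        for user, roles in self.assignments.items():
            if old in roles:
                roles.remove(old)
                roles.update(parts)
                self.audit.append(f"reassign {user} {old}->{sorted(parts)}")
        del self.roles[old]
```

The `split_role` guard is the check a practitioner wants when re-factoring roles in production: every user keeps exactly the entitlements they had before, and the audit trail records who was reassigned.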
9
Role-based Access to Legacy and Modernized Systems
10
Legacy systems integration – Siebel
11
Federated Identity Management – Challenge
In many situations, one federal agency has to communicate with and access data from another agency
This problem also may exist between multiple subdivisions of the same agency or organization
The solution involves building and propagating trust across boundaries using industry standards
Audits across agencies or subdivisions pose additional challenges
12
Federated Identity Management Across Multiple Organizations
(Diagram: Organization A and Organization B linked via SAML)
13
Federation Entities
14
SOA Federated Identity Management
(Diagram: Web Service, Internet, LDAP, WebSphere ND and TFIM, with SAML exchanges between the parties)
15
Multi-Factor Authentication
There are multiple federal and commercial mandates for strong and multi-factor authentication
16
Multi-factor, certificate-based authentication architecture using IBM Tivoli Federated Identity Manager
17
Conclusions
We have implemented complex security patterns in multiple federal agencies
Security is multi-faceted and hence has to be carefully architected and implemented correctly
The availability of multiple point products adds to the integration complexity
Authentication, Authorization, Audit and Identity Management are all intertwined and have to be planned and implemented correctly to ensure that the "Attack Surface" of an organization is minimized