Compliance and Governance Through Complex Entitlement Management


Transcript of Compliance and Governance Through Complex Entitlement Management

Page 1: Compliance and Governance Through Complex Entitlement Management

Compliance and Governance Through Complex Entitlement Management

Geoff Charron, VP ALES

Noam Bunder, Lead Architect, DataScan Technologies

Page 2

© 2006 BEA Systems, Inc. | 2

Agenda Slide

Entitlements in the Context of a SOA

AquaLogic Enterprise Security (ALES) Overview

Implementing Entitlements at DataScan

Page 3

Business Drivers

Application security has evolved:

• Firewalls “keep the bad guys out” at the perimeter

• Web server security and Web SSO products provide basic access control at the Web tier

• Application security logic is still hard-wired and embedded in the application behind the Web tier

Industry trends are driving the need to externalize entitlements from the application:

• Multiple homegrown and embedded entitlements services

• Increasing regulatory pressure and privacy concerns

• Proliferation of applications and increasingly disparate development teams

• Increasing competitive and time-to-market pressures

[Diagram labels: Customers, Partners, Employees, Contractors; Web Servers; App Servers; Enterprise Apps; Data Stores]

Page 4

What are Entitlements?

Entitlements Questions

Who can transfer funds?

How much can they transfer?

How often can they transfer?

Can they delegate those rights?

Entitlements are the set of privileges that govern what an application user can do

Entitlements systems manage those privileges, the decision process and record the results

Page 5

Key Challenge: Embedded Decisions

• Security is embedded in applications – creates silos

• Applications are becoming more complex and may be developed by multiple teams (including offshore)

• Developers spend time coding security logic

• Inconsistent policies and lack of central management

• Access decisions may not be audited

Embedded decision logic, as shown on the slide:

    If (Transfer < TransLimit)
       and (User can Transfer) then
        Allow Access
    else
        Deny Access
    endif

[Diagram labels: Database; User Directory; Legacy App]

Page 6

Key Challenge: Multiple Security Technologies

[Diagram labels: Identity/Policy; Legacy App; User Directory; WebApp; User Provisioning; Web SSO; Mainframes; Browser; J2EE App; Database; Web Services; Web App; Web Services; Identity/Policy; User Profile]

• Multiple user directories, authentication services, Web SSO services, IAM products

• How to rapidly and cost-effectively deploy new applications that leverage existing infrastructure?


Page 8

BEA AquaLogic in Your IT Enterprise

[Diagram labels: AquaLogic User Interaction: User Interaction; Interaction Management, Collaboration, Search, Content Management, Analytics; Portal, Reports, Monitoring, Exceptions/Alerts, Dashboard. AquaLogic BPM Suite: Process Modeling & Simulation, Process Automation, Process Monitoring, Process Analysis, Process Optimization. AquaLogic Service Bus: Messaging; Service Integration, Routing, Transformation. AquaLogic Service Registry: Operational Service Management, Service Registry. AquaLogic Data Services Platform: Data Access Layer; Shared Data and Business Services. Back End Systems and Data: Legacy, ERP, CRM, Custom. AquaLogic Enterprise Security: Security Services and Fine-Grained Access Control. Business Service.]

Page 9

What is AquaLogic Enterprise Security?

ALES is an Entitlements system that enables the centralized definition of complex application security policy and the runtime enforcement of that policy.

ALES consists of:

• An Administrative Application (PAP)

• A Policy Decision Point (PDP) that can be centralized or distributed

• A Distributed PDP (SSM) is a Policy Enforcement Point (PEP)

The Administration Application is used to centrally manage security configuration and policy.

[Diagram labels: Policies; Client; Browser; App Server with SSM (Distributed PDP; PEPs for WLS, WLP, ALDSP, ALSB, Java SDK, Web Service, XACML 2.0, WLS, Tomcat); Entitlements Server (Central PDP); Admin Server (PAP; Java API, Web Service); XACML 2.0; Policy; Entitlements; PIP]

Page 10

Connecting Entitlements to the Application

    public Forward processTransfer(TransferBean transferBean) throws Exception
    {
        // Identity of the caller, taken from the current request
        AuthenticIdentity ai = getAuthenticIdentityFromRequest(req);
        // The action being requested: a TRANSFER
        RuntimeAction ra = new RuntimeAction(ACTION.TRANSFER, "SIMPLE_ACTION");
        // Application context handed to the policy: the transfer amount
        AppContextElement q3 = new SimpleContextElement("amount", transferBean.getAmount());
        AppContextElement collectorElement =
            SimpleResponseContextCollector.makeContextElement();
        // Ask the entitlements service for the decision. req, rr (the resource),
        // az (the authorization service) and appCtx (the context holding q3 and
        // collectorElement) are set up in code not shown on the slide.
        AccessResult ar = az.isAccessAllowed(ai, rr, ra, appCtx);
        if (ar.isAllowed()) {
            executeTransfer(transferBean);
            ....
        }
    }

Note that code can easily be encapsulated
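The same externalized transfer check written out as an added example in Python (not the presentation's code and not the ALES SDK): the application only asks a policy decision point, the limits from the "Who can transfer, how much, how often" questions live in the policy, and every decision is recorded whether allowed or denied. The roles, rule names and limits are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable

@dataclass(frozen=True)
class Request:
    user: str
    roles: frozenset
    action: str      # e.g. "TRANSFER", like ACTION.TRANSFER on the slide
    context: dict    # application context, like the "amount" element

@dataclass(frozen=True)
class Rule:
    name: str
    action: str
    roles: frozenset                    # applies if the user holds any of these
    condition: Callable[[dict], bool]   # evaluated against the request context
    effect: str                         # "Permit" or "Deny"

class PolicyDecisionPoint:
    """Holds the policy outside the application and records every decision."""
    def __init__(self, rules):
        self.rules = list(rules)
        self.audit_log = []   # every decision is recorded, allowed or denied

    def is_access_allowed(self, req):
        decision, matched = "Deny", "default-deny"   # deny unless a rule permits
        for rule in self.rules:                      # first applicable rule wins
            if rule.action == req.action and rule.roles & req.roles and rule.condition(req.context):
                decision, matched = rule.effect, rule.name
                break
        self.audit_log.append((req.user, req.action, dict(req.context), matched, decision))
        return decision == "Permit"

# Constructed sample policy (hypothetical roles and limits): the transfer
# limits live here, so changing them does not touch the application code.
TRANSFER_POLICY = [
    Rule("daily-cap", "TRANSFER", frozenset({"teller", "manager"}),
         lambda c: c["transfers_today"] >= 20, "Deny"),
    Rule("teller-limit", "TRANSFER", frozenset({"teller"}),
         lambda c: c["amount"] <= 10_000, "Permit"),
    Rule("manager-limit", "TRANSFER", frozenset({"manager"}),
         lambda c: c["amount"] <= 100_000, "Permit"),
]

def process_transfer(pdp, user, roles, amount, transfers_today):
    """Application side: no limits coded here, only the externalized check."""
    req = Request(user, frozenset(roles), "TRANSFER",
                  {"amount": amount, "transfers_today": transfers_today})
    return "executed" if pdp.is_access_allowed(req) else "denied"
```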

Page 11

Key ALES Benefits

Enhanced Security and Compliance

• Finer control over the protection of application resources

• Enhanced audit tracking

Increased IT Efficiency

• Remove security logic from the application

• Free developers up to focus on value-added business logic

Better Business Agility

• Change Entitlements without modifying the application

• Implement changing regulatory and corporate policies faster

Page 12

DataScan Technologies LLC – All Rights Reserved

12

Agenda Slide

1. DataScan Company Overview

2. Compliance Requirements at DataScan

3. DataScan BEA Implementation

4. Development Operational Lifecycle

5. Best Practices

6. Questions & Answers

Page 13

About DataScan Technologies

DataScan Technologies is a global leader in wholesale floorplan accounting and risk management systems and services.

Founded in 1989

Located in Alpharetta, Georgia

Over 45 of the most prominent banks and captives

Operating in 15 countries

Currently manages over $45 billion in outstanding collateral

DataScan Technologies Corporate Headquarters

Page 14

Partial Client List

BMW Financial

World Omni Financial Corp.

California Federal Bank

Hibernia National Bank

GE Capital

Yale/Hyster

Bank One

Citizens Bank

JP Morgan Chase Bank

Key Bank

M & T Bank

PNC Bank

Wachovia

Regions Bank

Provident Bank

BB&T

Zions Bank

Huntington Bank

VW Credit, Inc.

Nissan/Renault-Mexico

New South Federal

Comerica Bank

SunTrust Bank

National City Bank

US Bank

Toro Credit Corp

PACCAR

Manheim (MAFS)

ScotiaBank

CitiCapital

CIT Group

Toyota Financial Services

Hyundai Motor Finance

Mitsubishi Motors Credit

Banknorth

Page 15

Wholesale Management System

Wholesale Management System (WMS): A wholesale finance and accounting system built specifically for the wholesale floorplan industry.

Dealer Access System (DAS): Allows dealerships to have Internet access to key information in the system.

Collateral Management System (CMS): An automated floorplan data collection and risk management system utilizing touch screen technology.

Nationwide Audit Services (NAS): A turnkey audit inspection service featuring a professional staff utilizing CMS.

Page 16

Risk Management

Step 1

Step 2: Auditor and Kit

Step 3: Workflow Engine and E-mail Notification

Step 4

Step 5: Risk Managers


Page 18

Business Drivers

Mission critical application for banking and automotive industry managing over $45 billion in assets

• Time to market

• Buy vs. Build

• Time/resources required for implementation and policy changes << Key

• Performance impact

• Security compliance

SAS70 Type 2

GLBA/SoX

BITS/CC-MSR

ISO 27001

BRMMI/PriSM

Page 19

Challenges

Require a new Security Platform for replacement of legacy-based ASP financial services system with global existing install base

Legacy system has embedded, customer-specific security logic

High maintenance required for security policy changes

Annual corporate audits (internal, SAS70 Type 2)

Bi-annual customer security open-house

Unscheduled customer ethical hacks

Rapidly evolving financial industry security requirements (BITS, ISO 27001)

Page 20

Compliance Overview

Sarbanes-Oxley Regulations

• Requires internal controls or rules in place to ensure integrity of financial information

• Section 404 – Internal controls

Gramm-Leach-Bliley Act (GLBA)

• SEC 501 is centered around the administrative, physical, and technical safeguards over non-public customer information

BITS

• Common Criteria Master Security Requirements

• Security for the security system

ISO 27001

• IT Systems Management and Governance

BRMMI/PrISM

• Upcoming Business Resiliency Maturity Model

• Over 750 practices merging COBIT, BS7799/ISO17799, ITIL, ISF, NIST 800 series, SEI BOK, DRII

Page 21

Compliance-Based Design

Prioritize design around “required” BITS topics

Consolidate past ethical hacks and audits

Time boxed delivery, focus on good design

Balance delivery priorities with risk analysis

Security Compliance Road Map

• Policies

• Processes

• Controls

• Audits/Monitoring

Page 22

ALES Compliance Mapping

Compliance based requirements and design

Transparent security implementation

Standards support

• SAML

• XACML


Page 24

SOA Based Implementation

Page 25

ALES Implementation

Architecture Overview

• Plain Java, Leverage BEA

Page 26

ALES Deployment

Operational Overview

1. Cluster

2. JVM

3. Managed Server

4. Sessions

5. ALES SSM

6. Connection Pools

7. EAR Deployment

8. Security Policy Administration

9. Portal Desktop Administration


Page 28

Development Team Composition

BEA Professional Services

• Initial Proof of Concept

• Assistance with design

• Working construction road map

Development Team

• Back End and Front End teams

• Security team

• Continuous builds to QA

• Authentication only

• Portal based security

Page 29

Operational Lifecycle

Security Development Team

• Specialized, with contractors

IT Administration

• Security administrators (2-3)

• Dedicated with back-up

Documentation and Checklists

• Packaged deployment

Page 30

Operational Environments

Distinct Environments

• Development, QA Smoke Testing and Functional Testing “Live”, Customer Beta/UAT, Support, Production and Disaster Recovery

Utilizing Virtualization

Growth and Performance

• Current production list includes four major financial institutions

• Rolling out to all customers over the next two years

• Utilizing virtualization

2 x 4-way dual-core 64-bit RedHat Linux AS 4.0, 32Gb RAM, XEN environments

800+ users daily; CPU load not exceeding 3%

Risk Managers, Bank Users, Dealerships


Page 32

Why BEA?

BEA Selection Criteria

• Track record and solution completeness

• Product suitability

    Architecture

    Road Map

• Support

Key Factors

• Provides an elegant means to extract Security Logic from the application

• Disconnected design provides high performance and resiliency

• Provides flexible configuration with minimal maintenance and operational resiliency

Page 33

Kick Off

Step by Step – Key Success Factors

• Proposed Project

    Project plan called for a three month implementation for pilot target

• Gain Sponsorship

    Demonstrate value: Prototype and POC

    Leverage existing platform

• Establish Goals and Value Proposition

    Capitalize on performance

    Create gurus: Early mastery and battle scars

Page 34

Best Practices

Partner with BEA Professional Services, leverage BEA Support (Hotline, Website) and BEA Educational Services classes

Train IT first! System administration is key

Build a workable environment (workstation/server)

Integrate prototypes into plan

Focus on what works, take risks where they are manageable

Integrate BEA with other departments early (IT, Support, etc.)

Page 35

Looking Forward

Customer and Regulation Driven

• SAML Implementation

• Refinement of standards and compliance

• Full security-visibility throughout architectural stack


Page 37

Thank You!

Questions?