Rakuten Tech Conf 2015 Yet Another Security Talk
Page 1
© 2015 PayPal Inc. All rights reserved. Confidential and proprietary.
Yet Another Security Talk
JUNICHI OKAMURA @ Rakuten Technology Conference 2015, Nov. 21 2015
Page 2
Who am I?
Junichi Okamura
PayPal Integration Manager/Evangelist
Scala/Ruby/Node.js/Python/../Mobile/../ppt
ROCK/BEER/WINE/JOJO/API (& meetup) lover
@[email protected]
Page 3
What I want to talk about today
Data Security with the keyword, “Delegation”
Page 4
What is “Delegation”?
From Printer to RealPrinter
By Wikipedia
Page 5
Today’s definition by me
Let an expert who has core value provide it instead of me
By Wikipedia
Page 6
In case of service
Printer (delegator) = Service provider
RealPrinter (delegated) = Feature expert
(Diagram labels: Provider, Expert, Printer)
Page 7
Drill down in real service
(Diagram: Chat, Account and Payment, each split into Provider and Expert)
Page 8
Actual situation
(Diagram: Chat is Provider + Expert in one; Account and Payment are each split into Provider and Expert)
Core value = Expert
Page 9
Ideal “Delegation”
Focus on your core value as expert, with other ones delegated
Page 10
Take a look at security features
(Diagram: Chat is Provider + Expert in one; Account and Payment are each split into Provider and Expert)
Page 11
Case 1: Account handling in delegation
(Diagram: the ID/Password goes only to the Expert (Account), the Security Core, which exposes an OAuth API; each of the three Providers receives a Token and performs Authorize against it)
Page 12
If not in delegation…
(Diagram: each of the three Provider + Expert (Account) services is its own Security Core and holds the ID/Password itself)
Page 13
Case 2: Payment handling in delegation
(Diagram: the Credit Card goes only to the Expert (Payment), the Security Core, which exposes a Vault API; each of the three Providers holds only an ID and issues Charge through it)
Page 14
If not in delegation…
(Diagram: each of the three Provider + Expert (Payment) services is its own Security Core and holds the Credit Card itself)
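The two delegation cases above (Case 1, account handling behind an OAuth-style token; Case 2, payment handling behind a vault/tokenization API) modelled in code, as an added example that is not part of the talk and not PayPal's own API. A toy Expert is the only place the ID/Password and the card number live; each Provider stores only opaque references that are bound to it. The names Expert, Provider, vault_card, authorize, who_is and charge, the PBKDF2 parameters and all sample values are constructed for this illustration.

```python
"""Toy model of security delegation: an 'Expert' holds the key data, the
'Providers' hold only opaque references. Added example; all values constructed."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

PBKDF2_ITERATIONS = 100_000  # constructed parameter for the toy password store


@dataclass
class Expert:
    """The delegated party (Security Core): the only place raw secrets live."""
    _cards: dict = field(default_factory=dict, repr=False)   # card token -> PAN
    _users: dict = field(default_factory=dict, repr=False)   # user -> (salt, hash)
    _grants: dict = field(default_factory=dict, repr=False)  # account token -> (user, provider)

    # Case 2: Vault API / tokenization
    def vault_card(self, pan: str) -> str:
        """Store the PAN and return a random token that encodes nothing about it."""
        token = "card_" + secrets.token_urlsafe(16)
        self._cards[token] = pan
        return token

    def charge(self, token: str, amount: int) -> str:
        """The charge happens inside the expert; only the last four digits leave it."""
        pan = self._cards.get(token)
        if pan is None:
            raise PermissionError("unknown card token")
        return f"charged {amount} to ****{pan[-4:]}"

    # Case 1: OAuth-style account delegation
    def register(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        self._users[user] = (salt, digest)

    def authorize(self, user: str, password: str, provider: str) -> str:
        """The user authenticates to the expert only; the provider gets a bound token."""
        salt, digest = self._users[user]
        check = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        if not hmac.compare_digest(check, digest):
            raise PermissionError("bad credentials")
        token = "acc_" + secrets.token_urlsafe(16)
        self._grants[token] = (user, provider)
        return token

    def who_is(self, token: str, provider: str) -> str:
        """Resolve a token, but only for the provider it was issued to."""
        grant = self._grants.get(token)
        if grant is None or grant[1] != provider:
            raise PermissionError("token not valid for this provider")
        return grant[0]


@dataclass
class Provider:
    """The delegating service: stores only references it cannot use elsewhere."""
    name: str
    expert: Expert
    card_tokens: dict = field(default_factory=dict)  # user -> card token
    sessions: dict = field(default_factory=dict)     # user -> account token

    def login(self, user: str, password: str) -> None:
        self.sessions[user] = self.expert.authorize(user, password, self.name)

    def save_card(self, user: str, pan: str) -> None:
        self.card_tokens[user] = self.expert.vault_card(pan)

    def pay(self, user: str, amount: int) -> str:
        who = self.expert.who_is(self.sessions[user], self.name)
        return self.expert.charge(self.card_tokens[who], amount)

    def stored_state(self) -> str:
        """Everything a breach of this provider's own database would yield."""
        return repr((self.card_tokens, self.sessions))


def demo() -> dict:
    """Constructed scenario: two shops delegate account and payment to one expert."""
    password, pan = "correct horse battery staple", "4111111111111111"  # constructed
    expert = Expert()
    expert.register("alice", password)
    shop_a, shop_b = Provider("shop-a", expert), Provider("shop-b", expert)
    shop_a.login("alice", password)
    shop_a.save_card("alice", pan)
    receipt = shop_a.pay("alice", 1200)

    state = shop_a.stored_state()
    leaked = pan in state or password in state   # does the provider hold the key data?
    try:                                         # can shop_b use shop_a's account token?
        expert.who_is(shop_a.sessions["alice"], shop_b.name)
        replayable = True
    except PermissionError:
        replayable = False
    try:                                         # does the expert refuse a wrong password?
        expert.authorize("alice", "wrong", shop_b.name)
        wrong_password_rejected = False
    except PermissionError:
        wrong_password_rejected = True
    return {"receipt": receipt, "leaked": leaked,
            "replayable": replayable, "wrong_password_rejected": wrong_password_rejected}
```

Running demo() exercises the two properties the next slides call "reliable and not duplicated": the provider's stored state contains neither the card number nor the password, so a breach of one shop exposes only references that are useless without the expert, and a token issued to shop-a is refused when shop-b presents it. The no-delegation variants on pages 12 and 14 correspond to every shop running its own Expert and holding the raw values itself.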
Page 15
Under delegation
Users: You only have to give your key data to a reliable expert
Providers: You can focus on your core data as a reliable expert
Page 16
That is…
Reliable and not duplicated!
By Wikipedia
Page 17
Out of delegation
Users: You have to give your key data to each unreliable expert
Providers: You need to care about non-core data as an unreliable expert
Page 18
That is…
By Wikipedia
Unreliable and Duplicated!
Page 19
What are successful delegation cases?
Account: OAuth and OpenID
Payment: Vault and Tokenization
Encryption: SSL and certificates
…
Page 20
What is not successful?
Identification: Physical address and health
Banking: Account number and passphrase
Storage: Not vendor-locked and user-chosen
…
Page 21
Why not successful?
These are difficult to standardize, are strongly tied to the business, and have no open/general frameworks
BUT NOT IMPOSSIBLE! WE CAN TRY!
Page 22
So it is 2015 in JP,
Page 23
Government starts “MY NUMBER”
(Social Security and Tax Number System)
Page 24
They are going to be a privacy expert
Page 25
Do you have a good idea about security design
as a software engineer?
Page 26
How do you think of your data security?
Page 27
Thank you
JUNICHI OKAMURA @ Rakuten Technology Conference 2015, Nov. 21 2015