Security in application integration Kari Nordström.

Security in application integration

Kari Nordström

09.08.2005

Security in application integration – Kari Nordström2

TopicsTopics

Objectives Application integration

– Enterprise Application Integration – EAI– Business-to-Business integration – B2Bi

Information security– Basic concepts & ideas– Network security– Segmented networks– Security of application integration systems

Results

09.08.2005


Background and objectives of the thesisBackground and objectives of the thesis

Find out the current level of security in the application integration systems of a certain company

– Conduct security reviews with a panel of experts

Make suggestions on improving the security level based on findings

Implement improvements if possible

Supervisor: Docent Timo O. Korhonen

09.08.2005


Application IntegrationApplication Integration

Integrating various applications enables information sharing between applications and organisations, not between people (System-to-System connections)

Internal and external integration– EAI & B2Bi

Traditionally integration has dealt with sharing business data and documents

– B2Bi is usually used for exchanging business documents– EAI integrates applications to work together, data can be

gathered from various sources (applications) before processing

09.08.2005


Application integration platforms in the companyApplication integration platforms in the company

Company

EAI

EDI

RosettaNetInternet

VAN

VAN

ERP

Application

Application

Application

Application

Application

Application

EDI partner

RN partner

EDI partner

EDI partner

EDI partner

RN partner

RN partner

RN partner

RN partner

RN partner

RN partner

09.08.2005


Enterprise Application Integration (1/2)Enterprise Application Integration (1/2)

Integration within a single enterprise A centralised integration solution

– Error handling, monitoring, cost savings over time

ad hoc

application

application

application

application

application

application

application

application

application

application

application

application

application

application

application

application

application

application

EAIplatform

Data-base

Data-base

Data-base

Data-base

Data-base

Data-base

EAI

09.08.2005


Enterprise Application Integration (2/2)Enterprise Application Integration (2/2)

Integrating diverse applications requires transformations between formats

Processing and / or enrichment of data is also required in some integrations (defined in the workflow)

EAI platform

application A application BWorkflowadapter adapter

A's format Canonical format B's format

09.08.2005


Business-to-business integrationBusiness-to-business integration

Integration between separate enterprises (partner integration)

– Business data, demand / supply planning …

B2Bi relies on standards, otherwise it would be very cumbersome to connect to other companies, each using their own data formats and processes

Two B2Bi platforms used in the company:– EDI, Electronic Data Interchange– RosettaNet

09.08.2005


Electronic Data Interchange (1/3)Electronic Data Interchange (1/3)

EDI is the “granddaddy” of all B2Bi systems– Designed to automate exchanging business documents a

quicker and cheaper way

Dates back all the way to the 1960’s, in active use since the 1980’s

Two main standards in use– EDIFACT (EDI For Administration, Commerce and Transport)– ANSI X12

09.08.2005


VAN-based EDI (2/3)VAN-based EDI (2/3)

VAN (Value Added Network) operators used to relay messages

– “An electronic post office”

Company

ERP system

VAN

Application X

Trading partner

ERP system Application Y

Company'smailbox

Tradingpartner'smailbox

VAN operator'sprocessing systemEDI system

Translator

EDI system

Translator

09.08.2005


Internet EDI (3/3)Internet EDI (3/3)

EDI-INT has been thought up to eliminate VAN costs to companies

Standards used:– AS1 (SMTP)– AS2 (HTTP)– AS3 (FTP)

The basic idea: sending EDI messages directly to trading partners over the Internet

Company A Company B

HTTP server

AS2compliant

server

Translator

ERP system

HTTP server

ERP system

The Internet

AS2compliant

server

Translator

09.08.2005


RosettaNet (1/2)RosettaNet (1/2)

XML-based integration standard– Developed and maintained by the RosettaNet Consortium, a

non-profit organisation of more than 500 corporations

Integrations are based on Partner Interface Processes (PIP), which define how data is processed and the sequence of transactions between trading partners

RosettaNet Implementation Framework (RNIF) describes the basic architecture (RNIF 1.1 & 2.0)

Document Type Definition (DTD) describes the format of messages and data

09.08.2005


RosettaNet (2/2)RosettaNet (2/2)

RosettaNet aims in integrating the whole supply chain, not just passing business documents

Marketed as more flexible and easier to implement than EDI

– Using VANs actually makes EDI more simple than RosettaNet where companies need to implement all connections themselves

09.08.2005


Information securityInformation security

Traditional way to model information security: CIA

CIA

Confidentiality

Integrity Availability

09.08.2005


General security conceptsGeneral security concepts

Authentication– Making sure the user is who

she claims to be Authorisation

– Giving an authenticated user the right to do something

Accounting– All operations performed by

users are logged

Non-repudiation– If a user performs a task, she

can’t later deny having done so, the system also can’t later deny the user’s action

Antivirus protection– Protecting computers and

network elements against malicious software

Cryptography– Scrambling information in a

way that only the correct recipient can decipher it

09.08.2005


Network securityNetwork security

Host security vs. network security Systems are protected on the network level by

controlling network traffic– More cost-effective than host security

Typical misconception: network security = firewalls– Firewalls are a central part of network security, but there are

numerous other things to consider (understanding the network architecture is key)

09.08.2005


A few key security strategiesA few key security strategies

Use multiple, diverse layers of security Give the lowest possible rights to users Deny everything that’s not explicitly allowed Use choke points to monitor traffic “KISS – Keep It Simple, Stupid”

Make users aware of security issues!– The human factor is often the weakest link in security

09.08.2005


Network segmentationNetwork segmentation

A new network architecture in the company that divides an internal network into smaller parts called cells

Naturally also affects AI systems

In practice: more firewalls GRE

tunnel

Access Network

BackboneBackbone

Access Network

FirewallFirewallFirewallFirewallFirewallFirewall

Cell Cell Cell Cell Cell Cell

IntranetInternet

Extranet

Firewall Firewall Firewall Firewall Firewall Firewall

FirewallFirewallFirewallFirewall Firewall Firewall




GREtunnel

09.08.2005


Security requirements for application integration systemsSecurity requirements for application integration systems

An AI system is central and crucial in any network that has one

Connected to many other systems attacker could gain access to virtually the whole network if e.g. the EAI system is hacked

Availability requirements are very high– Many other systems are dependant on integration systems

09.08.2005


Results of the security reviewsResults of the security reviews

Risk level is high for all three systems Security implementations do not match the current

requirements– Requirements have changed significantly from the 1990’s

RosettaNet was found more secure than EAI and EDI– Age, standardisation, segmented network

EDI’s problem is the number of unknown factors– VAN operator responsible for most of the implementation

EAI’s biggest problem is the lack of security standards

09.08.2005


EAI security improvementsEAI security improvements

User management (no super-users) access control Certain authentication issues have been addressed

– A component was not authenticating connections properly

Client software used (fewer vulnerabilities) The migration to new architecture will bring major

advancements in the security of the system– Border security

Hosts have been hardened

09.08.2005


B2Bi security improvementsB2Bi security improvements

It’s hard to fundamentally change security implementations in standardised systems

User management has been improved vastly in EDI EDI will also be migrated into new architecture

(RosettaNet has already been migrated) RNIF specifies many security features, such as various

forms of encryption, digital certificates and checksums– They just weren’t always used in the company new policy

09.08.2005


Any questions or comments?Any questions or comments?

If not, thank you!

Security in application integration Kari Nordström.

Documents

Transcript of Security in application integration Kari Nordström.