Layers of security
Perimeter Defense: keep out the unwanted with
- Firewalls
- Anti-Virus
- Intrusion Detection, etc.
Control Layer
- Which users can come in?
- What can users see and do?
- Are user preferences supported?
- Can user privacy be protected?
Assurance Layer
- Can I comply with regulations?
- Can I deliver audit reports?
- Am I at risk?
- Can I respond to security events?
[Figure: application security architecture. HTTP traffic passes a reverse proxy server to a portal server, application server (business processes), web servers and J2EE apps in a J2EE container; each tier is fronted by an AEF that consults Security Decision Services through an ADF proxy, with CICS, IMS and other data stores behind them; all tiers report to an audit infrastructure with its own data store.]
[Figure: enterprise identity and access infrastructure. Customers reach an external ePortal through network access control and a network dispatcher, with web access control, web single sign-on, informational and transactional web presentation, a certificate authority and external/internal SMTP gateways; employees use an LDAP directory proxy, the internal ePortal and LDAP-enabled apps, CRM/ERP (PeopleSoft) and LOB applications; identity management with delegated user management and a meta-directory synchronises the external and internal directories, application directories, databases and messaging.]
[Figure: IBM Tivoli identity and access management product map. Network authentication & authorization, application access control and single sign-on draw on identity stores (CRM, partners, HR) that ITDI directory integration consolidates into an ITDS enterprise directory holding personal info, credentials and entitlements. ITAM provides web access management (SSO, authentication, authorization); ITFIM provides federated identity and web services security; ITIM provides provisioning, policies, workflow, password self-service, audit trails and security management objects. Targets: portal presentation and personalization, databases & applications, UNIX/Linux, MF/midrange, TAM for ESSO; populations: employees, contractors, customers, business partners.]
[Figure: DMZ web architecture. Web browsers on the Internet (uncontrolled) pass a load balancer and the protocol firewall into the Internet DMZ (controlled), where a reverse proxy (WebSEAL) fronts the enterprise's external web applications over HTTP/S; the domain firewall separates the intranet (controlled), which hosts WebSphere Portal (WPS), content management, collaboration services (Lotus) and the internal directories.]
Internal Directories:
- MS AD
- Enterprise LDAP
- BP DB Table
Operational Security Tools:
- Host IDS, Network IDS
- AntiVirus
- Tripwire
- Auditing scanners
- Vulnerability scanners (host, network, web)
- Audit/logging, event correlation
[Figure: federated identity. Identity providers in Germany, the USA and China hold mutual trust with a service provider; trust provides access. Steps shown: 3. the identity provider authenticates the user; 4. the identity provider vouches for the user's identity to the service provider.]
Agenda
- Enterprise Security Architecture MASS Intro
- Identity, Access, and Federated Identity Management
- SOA Security
[Figure: SOA security reference model. Layers: 1 operational systems (packaged applications such as SAP and Outlook, application platforms on Unix and OS/390, custom and OO applications, supporting middleware MQ and DB2); 2 service components; 3 services, atomic and composite, with their definitions; 4 business processes and process choreography; 5 consumers (SCA, Portlet, WSRP, B2B, other). SOA security spans identity, authentication, authorization, confidentiality, integrity and availability, with auditing & compliance and administration and policy management as cross-cutting concerns.]
[Figure: web services security stack. Connection integrity/privacy via HTTPS at the transport layer; SOAP message security above it, comprising secure conversation, federation, authorization, security policy, trust and privacy.]
SOAP Messaging Security Element
- Header: Security Token, Security Element, Signature
- Body: <application data>, Encrypted Data
[Figure: SOA security enforcement points. Edge security (transport layer) at a reverse proxy with SSL/TLS termination; an XML firewall/gateway performing signature validation and origin authentication; the ESB with an SES (incl. trust client) in front of each application, which performs application security (authorization with the ESB-asserted identifier). Supporting services: security policy, security token service, key store and management, authorization.]
[Figure: application security architecture with SES enforcement. HTTP traffic passes a reverse proxy server to the portal server, application server (business processes), web servers, J2EE apps in a J2EE container and a gateway, each with its own SES; SOAP calls flow between the tiers; the SESs consult Security Decision Services through an SDS proxy (with MSFT, CICS, IMS and other data stores) and report to the audit infrastructure with its own data store.]
[Figure: variant of the previous architecture with the ESB in the centre. The reverse proxy server, portal server and application server (business processes) exchange HTTP and SOAP with the ESB, which connects through SES to the gateway, .Net/3rd-party apps, J2EE apps in a J2EE container and web servers; Security Decision Services (MSFT, CICS, IMS, data stores) are reached through the SDS proxy, and the audit infrastructure keeps its own data store.]
Further Reading
- On Demand Operating Environment: Security Considerations in an Extended Enterprise
  http://publib-b.boulder.ibm.com/abstracts/redp3928.html?Open
- http://www.redbooks.ibm.com/redpieces/abstracts/sg246316.html?Open
Summary
- End-to-end security integration is complex
- Web Services and SOA security are emerging areas
- Moving from session-level security to message-level security
Questions?
Asset Protection
- Data confidentiality, integrity, data privacy
- Availability: backup/recovery, disaster recovery, high availability/redundancy
Encryption
Storage mechanisms: cryptography and hardware security modules
Sample Technologies: firewalls, VPNs, SSL
Functions:
- Collection of security audit data, including capture of the appropriate data, trusted transfer of audit data, and synchronization of chronologies
- Protection of security audit data, including use of time stamps, signing events, and storage integrity to prevent loss of data
- Analysis of security audit data, including review, anomaly detection, violation analysis, and attack analysis using simple or complex heuristics
- Alarms for loss thresholds, warning conditions, and critical events
Sample Technologies: syslog, application/platform access logs
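As an added example (not from the slides), the protection and alarm functions above in Python: each audit record carries a UTC time stamp and an HMAC over its contents chained to the previous record's MAC, so modification, reordering or deletion of interior records is detected, and a loss-threshold alarm fires when a user's failed logins reach a limit. The key, event layout and threshold are constructed for illustration.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed example key. In a real deployment the audit signing key is held in a key store / HSM.
AUDIT_KEY = b"constructed-example-key-not-for-production"
GENESIS = "0" * 64  # chain anchor for the first record


def _mac(key, body):
    """HMAC-SHA256 over a canonical JSON encoding of the record body."""
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def append_event(log, event, key=AUDIT_KEY, ts=None):
    """Append an event stamped with UTC time and chained to the previous record's MAC."""
    ts = ts or datetime.now(timezone.utc).isoformat()
    prev = log[-1]["mac"] if log else GENESIS
    body = {"ts": ts, "event": event, "prev": prev}
    record = dict(body, mac=_mac(key, body))
    log.append(record)
    return record


def verify_chain(log, key=AUDIT_KEY):
    """Recompute every MAC and prev-link. Returns (True, None) or (False, first bad index).

    Catches modification, reordering and deletion of interior records. Truncation of
    the tail is only caught if the latest MAC is also kept somewhere trusted."""
    prev = GENESIS
    for i, rec in enumerate(log):
        body = {k: v for k, v in rec.items() if k != "mac"}
        if body.get("prev") != prev:
            return False, i
        if not hmac.compare_digest(_mac(key, body), rec.get("mac", "")):
            return False, i
        prev = rec["mac"]
    return True, None


def failed_login_alarms(log, threshold=3):
    """Raise one alarm per user whose failed logins reach the threshold (loss-threshold alarm)."""
    counts, alarms = {}, []
    for rec in log:
        ev = rec["event"]
        if ev.get("type") == "login" and ev.get("result") == "fail":
            counts[ev["user"]] = counts.get(ev["user"], 0) + 1
            if counts[ev["user"]] == threshold:
                alarms.append(ev["user"])
    return alarms
```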
[Figure: security services map. Intrusion defense; anti-virus management; authorization (service/endpoint policy mapping rules, virtual org policies); assurance (privacy policy, secure logging); key management; identity federation (trust model); identity management (credential exchange); network security solutions (VPNs, firewalls, intrusion detection systems).]