
IBM Software Group

Integrated Security Architecture


James Andoniadis
IBM Canada

2004 IBM Corporation

IBM Software Group | Tivoli software

CEO View: Increased Collaboration Brings Rewards


Layers of security

Perimeter Defense
Keep out the unwanted with firewalls, anti-virus, intrusion detection, etc.

Control Layer
Which users can come in?
What can users see and do?
Are user preferences supported?
Can user privacy be protected?

Assurance Layer
Can I comply with regulations?
Can I deliver audit reports?
Am I at risk?
Can I respond to security events?


Pre SOA Security: Enforcement & Decision Points

[Diagram: where Access Enforcement Functionality (AEF) and Access Decision Functionality (ADF) sit in a pre-SOA web architecture]
- AEF at the reverse proxy server (HTTP), the web servers, the application server / business processes and the J2EE container hosting J2EE apps; a portal server sits behind the proxy
- ADF: security decision services with their data store; other security decision services with their own data store for .Net / 3rd-party apps; an ADF proxy in front of the security decision services used by CICS, IMS, ...
- Audit infrastructure with its own data store


Directory Management View

[Diagram: directory-related components of a customer environment and the consumers that depend on them]
- Directories: internal directory, external directory, application directory, meta-directory, LDAP directory proxy, databases
- Identity and certificates: identity management, delegated user management, certificate authority, certificate status responder
- Access: network authentication & authorization, network access control, web access control, web single sign-on, application access control, single sign-on
- Web tier: network dispatcher, external ePortal, internal ePortal and LDAP-enabled apps, informational web presentation, transactional web presentation, transactional web integration
- Messaging: external SMTP gateway, internal SMTP gateway, messaging
- Consumers: customer, employee, network operating systems, LOB applications, CRM/ERP (PeopleSoft)


Identity and Access Management Portfolio

[Diagram: Tivoli identity and access products arranged around the enterprise directory]
- Identity stores: apps/email, NOS, CRM, partners, HR
- ITDS (Directory Server) and ITDI (Directory Integration) for the enterprise directory: personal info, credentials, entitlements
- ITAM: web access management (SSO, authentication, authorization); TAM for ESSO
- ITFIM: federated identity, web services security
- ITIM: provisioning, policies, workflow, password self-service, audit trails
- Managed targets: security management objects, UNIX/Linux, databases & applications, MF/midrange, portal (presentation, personalization)


Operational Deployment Pattern - Security Zones

[Diagram: security zones separated by a protocol firewall and a domain firewall]
- Zones: Internet (uncontrolled), Internet DMZ (controlled), Server Production Zone (restricted), Management (secured), Intranet (controlled)
- Internet side: web browsers of customers, employees and business partners over HTTP/S; load balancer
- DMZ / production: two reverse proxies (WebSEAL), enterprise external web applications, WebSphere Portal (WPS), content management, collaboration services (Lotus)
- Management (secured): access policy server (ITAM), directory server (ITDS), federated identity management (ITFIM), identity management, meta-directory, directory sync
- Intranet: employees and contractors with web browsers; internal directories: MS AD, enterprise LDAP, BP DB table
- Operational security tools: host IDS, network IDS, anti-virus, Tripwire, auditing scanners, vulnerability scanners (host, network, web), audit/logging and event correlation, weak password crackers, intrusion prevention, ...


Governments as Identity Providers

[Diagram: Germany, the USA and China each act as identity provider for their own users; TRUST provides ACCESS]
The United States is an Identity Provider because it issues a Passport as proof of identification.
USA vouches for its citizens.


Roles: Identity Provider and Service Provider

Identity Provider (vouching party in transaction):
1. Issues network / login credentials
2. Handles user administration / ID management
3. Authenticates user
4. Vouches for the user's identity

Service Provider (validation party in transaction):
Service Provider controls access to services
Third-party user has access to services for the duration of the federation
Only manages user attributes relevant to SP

The two roles are linked by mutual TRUST.


Federated Identity Standards


Agenda
Enterprise Security Architecture: MASS Intro
Identity, Access, and Federated Identity Management
SOA Security


SOA Security Encompasses all Aspects of Security

[Diagram: the five SOA layers with security cutting across all of them]
5. Service consumers: SCA, portlet, WSRP, B2B, other
4. Business processes: process choreography
3. Services (definitions): atomic and composite
2. Service components
1. Operational systems: packaged applications (SAP, Outlook), custom applications, OO application, ISV, application platform (Unix, OS/390), supporting middleware (MQ, DB2)
SOA security across all layers: identity, authentication, authorization, confidentiality, integrity, availability; auditing & compliance; administration and policy management


Message-based Security : End-to-End Security

[Diagram: a SOAP message crossing two hops, each hop protected only by connection integrity/privacy (HTTPS)]
Message-based security does not rely on secure transport:
- message itself is encrypted: message privacy
- message itself is signed: message integrity
- message contains user identity: proof of origin


Web Service Security Specifications Roadmap

[Diagram: the web services security specification stack, bottom to top]
- SOAP Messaging
- WSS: SOAP Security
- Security Policy, Trust, Privacy
- Secure Conversation, Federation, Authorization


SOAP Message Security: Extensions to Header

[Diagram: a SOAP Envelope whose Header carries a Security element (security token, signature) and whose Body holds the <application data>, optionally as encrypted data]
SOAP Header allows for extensions
OASIS standard WS-Security: SOAP Message Security
- defines XML for tokens, signatures and encryption
- defines how these elements are included in SOAP Header
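The "message contains user identity" point and the security token in the header, as an added Python example that is not from the slides or from IBM: a SOAP envelope carrying a WS-Security UsernameToken in the PasswordDigest form defined by the OASIS UsernameToken Profile 1.0, and the provider-side checks (digest, timestamp window, nonce replay) that make the token usable as proof of origin. Signature and encryption of the message are left out; the user registry, password, nonce and clock are constructed.

```python
import base64, hashlib, hmac, xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
# Namespaces and the PasswordDigest type URI from the OASIS WS-Security 1.0 specifications.
NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/",
      "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
      "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"}
DIGEST = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"

def password_digest(nonce: bytes, created: str, password: str) -> str:
    # UsernameToken Profile 1.0: Password_Digest = Base64(SHA-1(nonce + created + password))
    return base64.b64encode(hashlib.sha1(nonce + created.encode() + password.encode()).digest()).decode()

def build_envelope(user, password, body_xml, created, nonce):
    """Consumer side: the identity token rides in the wsse:Security header, not in the transport."""
    return (f'<soap:Envelope xmlns:soap="{NS["soap"]}"><soap:Header><wsse:Security xmlns:wsse="{NS["wsse"]}"'
            f' xmlns:wsu="{NS["wsu"]}"><wsse:UsernameToken><wsse:Username>{user}</wsse:Username>'
            f'<wsse:Password Type="{DIGEST}">{password_digest(nonce, created, password)}</wsse:Password>'
            f'<wsse:Nonce>{base64.b64encode(nonce).decode()}</wsse:Nonce><wsu:Created>{created}</wsu:Created>'
            f'</wsse:UsernameToken></wsse:Security></soap:Header><soap:Body>{body_xml}</soap:Body></soap:Envelope>')

def verify_envelope(xml_text, lookup_password, seen_nonces, now, max_skew=timedelta(minutes=5)):
    """Provider side (gateway/SES role): authenticate from the header alone (use defusedxml in production)."""
    token = ET.fromstring(xml_text).find("soap:Header/wsse:Security/wsse:UsernameToken", NS)
    if token is None:
        return False, "no UsernameToken"
    user = token.findtext("wsse:Username", namespaces=NS)
    pw, nonce_el = token.find("wsse:Password", NS), token.find("wsse:Nonce", NS)
    created = token.findtext("wsu:Created", namespaces=NS)
    if pw is None or pw.get("Type") != DIGEST or nonce_el is None or created is None:
        return False, "token incomplete or clear-text password"   # PasswordText is refused outright
    created_dt = datetime.strptime(created, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    if abs(now - created_dt) > max_skew:
        return False, "stale timestamp"                           # bounds the replay window
    nonce = base64.b64decode(nonce_el.text)
    if nonce in seen_nonces:
        return False, "replayed nonce"                            # same token seen inside the window
    expected = lookup_password(user)
    if expected is None or not hmac.compare_digest(password_digest(nonce, created, expected), pw.text or ""):
        return False, "bad digest"                                # unknown user or wrong password
    seen_nonces.add(nonce)
    return True, user

def demo():
    """Constructed round trip: a valid message, the same message replayed, and a stale copy."""
    now = datetime(2004, 9, 1, 12, 0, 0, tzinfo=timezone.utc)
    created, nonce = now.strftime("%Y-%m-%dT%H:%M:%SZ"), b"\x01\x02\x03\x04\x05\x06\x07\x08"
    registry, seen = {"alice": "constructed-demo-password"}, set()   # registry stands in for LDAP
    env = build_envelope("alice", registry["alice"], "<getBalance/>", created, nonce)
    return (verify_envelope(env, registry.get, seen, now), verify_envelope(env, registry.get, seen, now),
            verify_envelope(env, registry.get, set(), now + timedelta(hours=1)))
```

The nonce cache only needs to remember nonces for the length of the timestamp window, which is why the two checks belong together.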


Security Drill Down

[Diagram: security functions by tier, from the edge inwards]
- Edge security (transport layer): reverse proxy; SSL/TLS termination; transport layer security
- XML firewall/gateway and ESB, each with an SES (incl. trust client): 1st, 2nd ... Nth layer message security; signature validation / origin authentication; requestor identification & authentication & mapping; message level encryption and decryption; element level decryption
- Apps with an SES (incl. trust client): application security (authorization with ESB-asserted identifier)
- Security decision services (trust services): security policy, security token service, key store and management, authorization


Moving to SOA: Accommodate Web Services

[Diagram: the pre-SOA picture with an SES at each enforcement point and Security Decision Services (SDS) for decisions; HTTP on the browser side, SOAP between the service tiers]
- SES at the reverse proxy server (HTTP), the web servers, the application server / business processes, the J2EE container hosting J2EE apps, and a gateway; a portal server sits behind the proxy
- Security decision services with their data store; MSFT security decision services with their own data store for .Net / 3rd-party apps; an SDS proxy in front of the security decision services used by CICS, IMS, ...
- Audit infrastructure with its own data store



Moving to SOA, Adding the ESB
(Mandatory Scary Picture)

[Diagram: the previous picture with an Enterprise Service Bus (ESB) in the middle; an SES sits at the reverse proxy server / gateway, the web servers, the J2EE container, the ESB itself and in front of the SDS proxy; HTTP from the browser side, SOAP across the ESB]
- Portal server, application server / business processes, J2EE apps in the J2EE container, web servers
- .Net / 3rd-party apps with MSFT security decision services and data store; CICS, IMS, ... behind an SDS proxy to the security decision services and data store
- Security decision services and audit infrastructure with its own data store


Further Reading
On Demand Operating Environment: Security Considerations in an Extended Enterprise
http://publib-b.boulder.ibm.com/abstracts/redp3928.html?Open

Web Services Security Standards, Tutorials, Papers
http://www.ibm.com/developerworks/views/webservices/standards.jsp
http://www.ibm.com/developerworks/views/webservices/tutorials.jsp
http://webservices.xml.com/

WebSphere Security Fundamentals / WAS 6.0 Security Handbook
http://www.redbooks.ibm.com/redpieces/abstracts/redp3944.html?Open
http://www.redbooks.ibm.com/redpieces/abstracts/sg246316.html?Open

IBM Tivoli Product Home Page
http://www.ibm.com/software/tivoli/solutions/security/


Summary
End-to-end security integration is complex
Web services and SOA security are emerging areas
- Moving from session level security to message level security
Identity management incorporates several security services, but other security services need to be integrated as well
- Audit and event management, compliance and assurance
- Etc.
Security technology is one part; process, policy and people are the others, and often harder to change
Only constant is change, but evolve around the fundamentals
- Establish separation of application and security management
- Use of open standards will help with integration of past and future technologies


Questions?


Security 101 Definitions

Authentication - Identify who you are
Userid/password, PKI certificates, Kerberos, Tokens, Biometrics

Authorization - What you can access
Access Enforcement Function / Access Decision Function
Roles, Groups, Entitlements

Administration - Applying security policy to resource protection
Directories, administration interfaces, delegation, self-service

Audit - Logging security successes / failures
Basis of monitoring, accountability/non-repudiation, investigation, forensics

Assurance - Security integrity and compliance to policy
Monitoring (Intrusion Detection, AntiVirus, Compliance), Vulnerability Testing

Asset Protection
Data Confidentiality, Integrity, Data Privacy

Availability
Backup/recovery, disaster recovery, high availability/redundancy


Agenda
Enterprise Security Architecture: MASS Intro
Identity, Access, and Federated Identity Management
SOA Security


MASS Processes for a Security Management Architecture


Access Control Subsystem

Purpose:
Enforce security policies by gating access to, and execution of, processes and services within a computing solution via identification, authentication, and authorization processes, along with security mechanisms that use credentials and attributes.

Functions:
Access control monitoring and enforcement: Policy Enforcement Point / Policy Decision Point / Policy Administration Point
Identification and authentication mechanisms, including verification of secrets, cryptography (encryption and signing), and single-use versus multiple-use authentication mechanisms
Authorization mechanisms, to include attributes, privileges, and permissions
Enforcement mechanisms, including failure handling, bypass prevention, banners, timing and timeout, event capture, and decision and logging components

Sample Technologies:
RACF, platform/application security, web access control
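A minimal implementation of the PEP / PDP / PAP split listed above, with default deny, fail-closed handling of a decision-service outage, and event capture for every decision; this is an added Python illustration, not IBM code. The rules, the subject and the resource names are constructed.

```python
class PolicyAdministrationPoint:
    """PAP: where security administrators manage policy, separately from application code."""
    def __init__(self):
        self.rules = []                        # (role, resource prefix, set of actions)
    def grant(self, role, resource_prefix, actions):
        self.rules.append((role, resource_prefix, set(actions)))

class PolicyDecisionPoint:
    """PDP / Access Decision Function: answers Permit or Deny and never touches the resource."""
    def __init__(self, pap):
        self.pap = pap
    def decide(self, subject, resource, action):
        for role, prefix, actions in self.pap.rules:
            if role in subject["roles"] and resource.startswith(prefix) and action in actions:
                return "Permit", f"rule role={role} prefix={prefix}"
        return "Deny", "no matching rule"      # default deny: anything unmatched is refused

class PolicyEnforcementPoint:
    """PEP / Access Enforcement Function: the only route to the handler; fails closed and logs."""
    def __init__(self, pdp, audit_log):
        self.pdp, self.audit_log = pdp, audit_log
    def invoke(self, subject, resource, action, handler):
        try:
            decision, reason = self.pdp.decide(subject, resource, action)
        except Exception as exc:               # failure handling: a broken PDP must not become a bypass
            decision, reason = "Deny", f"pdp failure: {exc}"
        self.audit_log.append({"subject": subject["id"], "resource": resource, "action": action,
                               "decision": decision, "reason": reason})   # event capture, every time
        if decision != "Permit":
            raise PermissionError(f"{subject['id']} may not {action} {resource}: {reason}")
        return handler()                       # the protected function runs only after a Permit

def demo():
    """Constructed scenario: a permitted read, a denied export, and a request while the PDP is down."""
    pap = PolicyAdministrationPoint()
    pap.grant("teller", "/accounts/", ["read"])
    audit, outcomes = [], []
    pep = PolicyEnforcementPoint(PolicyDecisionPoint(pap), audit)
    teller = {"id": "bob", "roles": ["teller"]}
    outcomes.append(pep.invoke(teller, "/accounts/123", "read", lambda: "balance=100"))
    for pdp in (pep.pdp, None):                # None stands in for an unreachable decision service
        pep.pdp = pdp
        try:
            outcomes.append(pep.invoke(teller, "/accounts/123", "export", lambda: "never runs"))
        except PermissionError:
            outcomes.append("denied")
    return outcomes, audit
```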


Identity and Credential Subsystem


Purpose:
Generate, distribute, and manage the data objects that convey identity and
permissions across networks and among the platforms, the processes, and the
security subsystems within a computing solution.
Functions:
Single-use versus multiple-use mechanisms, either cryptographic or noncryptographic
Generation and verification of secrets
Identities and credentials to be used in access control: identification,
authentication, and access control for the purpose of user-subject binding
Credentials to be used for purposes of identity in legally binding transactions
Timing and duration of identification and authentication
Lifecycle of credentials
Anonymity and pseudonymity mechanisms
Sample Technologies:
Tokens (PKI, Kerberos, SAML), user registries (LDAP, AD, RACF), administration consoles, session management


Information Flow Control Subsystem

Purpose:
Enforce security policies by gating the flow of information within a computing solution, affecting the visibility of information within a computing solution, and ensuring the integrity of information flowing within a computing solution.

Functions:
Flow permission or prevention
Flow monitoring and enforcement
Transfer services and environments: open or trusted channel, open or trusted path, media conversions, manual transfer, and import to or export between domains
Encryption
Storage mechanisms: cryptography and hardware security modules

Sample Technologies:
Firewalls, VPNs, SSL


Security Audit Subsystem


Purpose:
Provide proof of compliance to the security policy.

Functions:
Collection of security audit data, including capture of the appropriate
data, trusted transfer of audit data, and synchronization of
chronologies
Protection of security audit data, including use of time stamps, signing
events, and storage integrity to prevent loss of data
Analysis of security audit data, including review, anomaly detection,
violation analysis, and attack analysis using simple heuristics or
complex heuristics
Alarms for loss thresholds, warning conditions, and critical events
Sample Technologies:
syslog, application/platform access logs
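One way to implement the "signing events" and "storage integrity" functions above: every audit record is time-stamped, numbered and bound to its predecessor by an HMAC, so an edit, a deletion or a reordering breaks the chain, and an out-of-band anchor catches truncation of the tail. Added Python example, not from the slides; the key, the clock and the events are constructed.

```python
import hashlib, hmac, json
from datetime import datetime, timezone

def _mac(key: bytes, prev_mac: str, body_json: str) -> str:
    # Each MAC covers the previous MAC, so a change anywhere breaks every later link.
    return hmac.new(key, prev_mac.encode() + body_json.encode(), hashlib.sha256).hexdigest()

class SignedAuditLog:
    """Collection side: time-stamp, number and chain every event before it is stored."""
    GENESIS = "0" * 64                      # previous-MAC value for the first record

    def __init__(self, key: bytes, clock):
        self.key, self.clock, self.entries = key, clock, []

    def record(self, event: dict) -> str:
        prev = self.entries[-1]["mac"] if self.entries else self.GENESIS
        body = dict(event, seq=len(self.entries), ts=self.clock().isoformat())
        body_json = json.dumps(body, sort_keys=True)      # canonical form, so verification re-derives it
        self.entries.append({"body": body_json, "mac": _mac(self.key, prev, body_json)})
        return self.entries[-1]["mac"]                    # caller should anchor this elsewhere

def verify_chain(key: bytes, entries: list, anchor: str = None):
    """Analysis side: returns (ok, index of the first bad record or None)."""
    prev = SignedAuditLog.GENESIS
    for i, e in enumerate(entries):
        if json.loads(e["body"]).get("seq") != i or not hmac.compare_digest(_mac(key, prev, e["body"]), e["mac"]):
            return False, i                               # edited, deleted or reordered record
        prev = e["mac"]
    if anchor is not None and not hmac.compare_digest(prev, anchor):
        return False, len(entries)                        # tail truncated: the chain alone cannot see this
    return True, None

def demo():
    """Constructed events, then an edit, a deletion and a truncation applied to copies of the log."""
    key = b"constructed-demo-key"           # would come from the key store, not the source tree
    log = SignedAuditLog(key, lambda: datetime(2004, 9, 1, 12, 0, tzinfo=timezone.utc))
    for ev in ({"user": "bob", "action": "read", "decision": "Permit"},
               {"user": "eve", "action": "export", "decision": "Deny"},
               {"user": "bob", "action": "logout", "decision": "Permit"}):
        anchor = log.record(ev)
    edited = [dict(e) for e in log.entries]
    edited[1]["body"] = edited[1]["body"].replace('"Deny"', '"Permit"')
    deleted = log.entries[:1] + log.entries[2:]
    truncated = log.entries[:2]
    return (verify_chain(key, log.entries, anchor), verify_chain(key, edited),
            verify_chain(key, deleted), verify_chain(key, truncated, anchor))
```

The chain key must be held by the audit subsystem, not by the systems being audited; otherwise a compromised host can rewrite its own history and re-seal it.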


Solution Integrity Subsystem

Purpose:
Address the requirement for reliable and correct operation of a computing solution in support of meeting the legal and technical standard for its processes.

Functions:
Physical protection for data objects, such as cryptographic keys, and physical components, such as cabling, hardware, and so on
Continued operations including fault tolerance, failure recovery, and self-testing
Storage mechanisms: cryptography and hardware security modules
Accurate time source for time measurement and time stamps
Alarms and actions when physical or passive attack is detected

Sample Technologies:
Systems Management solutions - performance, availability, disaster recovery, storage management
Operational Security tools: Host and Network Intrusion Detection Sensors (Snort), Event Correlation tools, Host security monitoring/enforcement tools (Tripwire, TAMOS), Host/Network Vulnerability Monitors/Scanners (Nessus), Anti-Virus software


On Demand Security Architecture (Logical)

[Diagram: logical layering, top to bottom]
- On Demand Solutions
- On Demand Infrastructure Services and Components: policy management (authorization, privacy, federation, etc.); intrusion defense; anti-virus management; authorization; service/endpoint policy; mapping rules; virtual org policies; assurance; audit & non-repudiation; privacy policy; security policy expression; bindings security and secure conversation (transport, protocol, message security); secure logging; key management; identity federation; trust model; identity management; credential exchange
- Network security solutions (VPNs, firewalls, intrusion detection systems)
- Secure networks and operating systems
- On Demand Security Infrastructure: OS, application, network component logging and security events logging; event management; archiving; business continuity
