Integrated Security Architecture
James Andoniadis, IBM Canada
IBM Software Group
© 2004 IBM Corporation
IBM Software Group | Tivoli software
CEO View: Increased Collaboration Brings Rewards
Layers of security

Perimeter Defense: keep out the unwanted with
• Firewalls
• Anti-Virus
• Intrusion Detection, etc.

Control Layer
• Which users can come in?
• What can users see and do?
• Are user preferences supported?
• Can user privacy be protected?

Assurance Layer
• Can I comply with regulations?
• Can I deliver audit reports?
• Am I at risk?
• Can I respond to security events?
Pre SOA Security: Enforcement & Decision Points

[Diagram, reduced to its labels] Access Enforcement Functionality (AEF) is placed at each tier: the HTTP Reverse Proxy Server, the Portal Server, the Application Server (Business Processes), the Web Servers and the J2EE Container (J2EE Apps). Access Decision Functionality (ADF), with its own Data Store, answers the AEFs; an ADF Proxy fronts the other Security Decision Services (for .Net / 3rd Party Apps, and for CICS, IMS, ...), each with its own Data Store. An Audit Infrastructure with its Data Store is shown alongside.
Directory Management View

[Diagram, reduced to its labels] Components shown:
• Network Operating Systems
• Certificate Status Responder
• Customer Network Access Control
• External SMTP Gateway
• Application Directory
• Internal SMTP Gateway
• LOB Applications
• Employee LDAP Directory Proxy
• External ePortal
• Network Dispatcher
• Delegated User Management
• Identity Management
• External Directory
• Databases
• Meta-Directory
• Internal Directory
• Messaging
• Transactional Web Integration
• Web Access Control
• Web Single Sign On
• Informational Web Presentation
• Certificate Authority
• Internal ePortal, LDAP-enabled apps
• Transactional Web Presentation
• CRM/ERP (PeopleSoft)
• Network Authentication & Authorization
• Application Access Control
• Single Sign On
Identity and Access Management Portfolio

[Diagram, reduced to its labels]
• Identity Stores: Apps/Email, NOS, CRM, Partners, HR, UNIX/Linux, Databases & Applications, MF/Midrange
• ITDI: Directory Integration
• ITDS: Directory Server
• Enterprise Directory: personal info, credentials, entitlements
• ITAM: Web Access Management (SSO, authentication, authorization)
• ITFIM: Federated Identity, Web Services Security
• ITIM: Provisioning (policies, workflow, password self-service, audit trails)
• TAM for ESSO
• Security Mgmt Objects
• Portal: presentation, personalization
Operational Deployment Pattern - Security Zones

[Diagram, reduced to its labels]
• Zones, from outside in: Internet (Uncontrolled) | protocol firewall | Internet DMZ (Controlled) | domain firewall | Server Production Zone (restricted); Intranet (Controlled); Management (secured)
• Users: Employees, Contractors, Customers, Business Partners, arriving by Web Browser over HTTP/S via the Internet and a Load Balancer
• Reverse Proxy (WebSEAL), shown twice, in front of WebSphere Portal (WPS), Content Management, Collaboration Services (Lotus) and Enterprise External Web Applications
• Management (secured): Access Policy Server (ITAM), Directory Server (ITDS), Federated Identity Mgmt (ITFIM), Identity Management / MetaDirectory / Directory Sync
• Internal Directories: MS AD, Enterprise LDAP, BP DB Table
• Operational Security Tools: Host IDS, Network IDS, AntiVirus, Tripwire, auditing scanners, vulnerability scanners (host, network, web), audit/logging and event correlation, weak password crackers, intrusion prevention, ...
Governments as Identity Providers

[Diagram, reduced to its labels] Germany, the USA and China are each shown as an Identity Provider for their own Users: "TRUST provides ACCESS".
The United States is an "Identity Provider" because it issues a Passport as proof of identification; the USA vouches for its citizens.
Roles: Identity Provider and Service Provider

Identity Provider: the "vouching" party in the transaction
1. Issues network / login credentials
2. Handles user administration / ID management
3. Authenticates the user
4. "Vouches" for the user's identity

Service Provider: the "validation" party in the transaction
• Controls access to services
• The third-party user has access to services for the duration of the federation
• Only manages the user attributes relevant to the SP

Mutual TRUST between the two parties.
Federated Identity Standards
Agenda
• Enterprise Security Architecture – MASS Intro
• Identity, Access, and Federated Identity Management
• SOA Security
SOA Security Encompasses all Aspects of Security

[Diagram, reduced to its labels] The SOA layers, bottom to top:
1. Operational systems: packaged applications (SAP, Outlook), application platforms (Unix, OS/390), custom and OO applications (custom apps), supporting middleware (MQ, DB2), ISV software
2. Service components (Service Provider)
3. Services (definitions): atomic and composite
4. Business processes: process choreography
5. Service consumers (Service Consumer): SCA, Portlet, WSRP, B2B, Other

SOA Security spans all of these layers:
• Identity
• Authentication
• Authorization
• Confidentiality, Integrity
• Availability
• Auditing & Compliance
• Administration and Policy Management
Message-based Security: End-to-End Security

[Diagram, reduced to its labels] A SOAP message crosses two HTTPS hops; each hop provides connection integrity/privacy only for itself, and between the hops the protection is marked "?". The message must carry its own security end to end:
• Message-based security does not rely on secure transport
• message itself is encrypted → message privacy
• message itself is signed → message integrity
• message contains user identity → proof of origin
Web Service Security Specifications Roadmap

[Diagram, reduced to its labels] A stack built on SOAP Messaging, with WSS – SOAP Security above it, and Secure Conversation, Federation, Authorization, Security Policy, Trust and Privacy layered on top.
SOAP Message Security: Extensions to Header

[Diagram, reduced to its labels] Envelope → Header → Security Element (Security Token, Signature); Envelope → Body → <application data> carried as Encrypted Data.
• SOAP Header allows for extensions
• OASIS standard "WS-Security: SOAP Message Security"
  • defines XML for Tokens, Signatures and Encryption
  • defines how these elements are included in the SOAP Header
Security Drill Down

[Diagram, reduced to its labels] Security is applied in successive layers along the request path, each with an SES (incl. Trust Client):
• Edge Security (Transport Layer): Reverse Proxy, SSL/TLS termination
• 1st Layer Message Security: XML FW/GW
• 2nd Layer Message Security: ESB
• Nth Layer Message Security: Apps, with Application Security (authorization with ESB-asserted identifier)
Functions shown across these layers: signature validation / origin authentication; requestor identification & authentication & mapping (at more than one layer); message-level decryption; element-level decryption; message-level encryption; transport layer security.
Security Decision Services (Trust Services) backing them: Security Policy, Security Token Service, Key Store and Management, Authorization.
Moving to SOA – Accommodate Web Services

[Diagram, reduced to its labels] The pre-SOA picture with web services added: the AEF at each tier (HTTP Reverse Proxy Server, Portal Server, Application Server / Business Processes, Web Servers, J2EE Container / J2EE Apps) becomes an SES; the ADF becomes Security Decision Services (SDS) with its Data Store; an SDS Proxy fronts the other Security Decision Services (MSFT for .Net / 3rd Party Apps; CICS, IMS, ...) with their Data Stores; a Gateway with its own SES carries SOAP traffic alongside HTTP. The Audit Infrastructure and its Data Store remain.
Moving to SOA, Adding the ESB… (Mandatory Scary Picture)

[Diagram, reduced to its labels] The same components (Portal Server, Application Server / Business Processes, HTTP Reverse Proxy Server, Gateway, Web Servers, J2EE Container / J2EE Apps, .Net / 3rd Party Apps with MSFT Security Decision Services, CICS, IMS, ..., SDS Proxy, Data Stores, Security Decision Services, Audit Infrastructure), now connected through an ESB over HTTP and SOAP, with an SES at each tier and at the ESB itself.
Further Reading
• On Demand Operating Environment: Security Considerations in an Extended Enterprise
  • http://publib-b.boulder.ibm.com/abstracts/redp3928.html?Open
• Web Services Security Standards, Tutorials, Papers
  • http://www.ibm.com/developerworks/views/webservices/standards.jsp
  • http://www.ibm.com/developerworks/views/webservices/tutorials.jsp
  • http://webservices.xml.com/
• WebSphere Security Fundamentals / WAS 6.0 Security Handbook
  • http://www.redbooks.ibm.com/redpieces/abstracts/redp3944.html?Open
  • http://www.redbooks.ibm.com/redpieces/abstracts/sg246316.html?Open
• IBM Tivoli Product Home Page
  • http://www.ibm.com/software/tivoli/solutions/security/
Summary
• End-to-end security integration is complex
• Web Services and SOA security are emerging areas
  • Moving from session-level security to message-level security
• Identity Management incorporates several security services, but other security services need to be integrated as well
  • Audit and Event Management, Compliance and Assurance
  • Etc.
• Security technology is one part; process, policy and people are the others, and often harder to change
• The only constant is change, but evolve around the fundamentals
  • Establish separation of application and security management
  • Use of open standards will help with integration of past and future technologies
Questions?
Security 101 Definitions
• Authentication – identify who you are
  • Userid/password, PKI certificates, Kerberos, tokens, biometrics
• Authorization – what you can access
  • Access Enforcement Function / Access Decision Function
  • Roles, groups, entitlements
• Administration – applying security policy to resource protection
  • Directories, administration interfaces, delegation, self-service
• Audit – logging security successes / failures
  • Basis of monitoring, accountability/non-repudiation, investigation, forensics
• Assurance – security integrity and compliance to policy
  • Monitoring (Intrusion Detection, AntiVirus, Compliance), vulnerability testing
• Asset Protection
  • Data confidentiality, integrity, data privacy
• Availability
  • Backup/recovery, disaster recovery, high availability/redundancy
Agenda
• Enterprise Security Architecture – MASS Intro
• Identity, Access, and Federated Identity Management
• SOA Security
MASS – Processes for a Security Management Architecture
Access Control Subsystem
Purpose:
• Enforce security policies by gating access to, and execution of, processes and services within a computing solution via identification, authentication, and authorization processes, along with security mechanisms that use credentials and attributes.
Functions:
• Access control monitoring and enforcement: Policy Enforcement Point / Policy Decision Point / Policy Administration Point
• Identification and authentication mechanisms, including verification of secrets, cryptography (encryption and signing), and single-use versus multiple-use authentication mechanisms
• Authorization mechanisms, to include attributes, privileges, and permissions
• Enforcement mechanisms, including failure handling, bypass prevention, banners, timing and timeout, event capture, and decision and logging components
Sample Technologies:
• RACF, platform/application security, web access control
Identity and Credential Subsystem
Purpose:
• Generate, distribute, and manage the data objects that convey identity and permissions across networks and among the platforms, the processes, and the security subsystems within a computing solution.
Functions:
• Single-use versus multiple-use mechanisms, either cryptographic or non-cryptographic
• Generation and verification of secrets
• Identities and credentials to be used in access control: identification, authentication, and access control for the purpose of user-subject binding
• Credentials to be used for purposes of identity in legally binding transactions
• Timing and duration of identification and authentication
• Lifecycle of credentials
• Anonymity and pseudonymity mechanisms
Sample Technologies:
• Tokens (PKI, Kerberos, SAML), user registries (LDAP, AD, RACF, …), administration consoles, session management
Information Flow Control Subsystem
Purpose:
• Enforce security policies by gating the flow of information within a computing solution, affecting the visibility of information within a computing solution, and ensuring the integrity of information flowing within a computing solution.
Functions:
• Flow permission or prevention
• Flow monitoring and enforcement
• Transfer services and environments: open or trusted channel, open or trusted path, media conversions, manual transfer, and import to or export between domains
• Encryption
• Storage mechanisms: cryptography and hardware security modules
Sample Technologies:
• Firewalls, VPNs, SSL
Security Audit Subsystem
Purpose:
• Provide proof of compliance to the security policy.
Functions:
• Collection of security audit data, including capture of the appropriate data, trusted transfer of audit data, and synchronization of chronologies
• Protection of security audit data, including use of time stamps, signing events, and storage integrity to prevent loss of data
• Analysis of security audit data, including review, anomaly detection, violation analysis, and attack analysis using simple or complex heuristics
• Alarms for loss thresholds, warning conditions, and critical events
Sample Technologies:
• syslog, application/platform access logs
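The "protection of security audit data" function above (time stamps, signed events, storage integrity) can be made concrete with a hash-chained, HMAC-signed record format. This Python example is added here and is not from the deck or any IBM product; the key and the syslog-style events are constructed sample values, and the design choice of chaining each record to the previous MAC is an assumption about how one would implement the function.

```python
import datetime, hashlib, hmac, json

GENESIS = "0" * 64   # chain anchor for the first record

def canon(rec: dict) -> bytes:
    # Canonical encoding so signer and verifier MAC exactly the same bytes.
    return json.dumps(rec, sort_keys=True, separators=(",", ":")).encode()

def append_event(key: bytes, log: list, event: str, ts: str = None) -> dict:
    """Collector side: time-stamp, number and chain the event, then HMAC the record."""
    ts = ts or datetime.datetime.now(datetime.timezone.utc).isoformat()
    prev = log[-1]["mac"] if log else GENESIS
    rec = {"seq": len(log), "ts": ts, "prev": prev, "event": event}
    rec["mac"] = hmac.new(key, canon(rec), hashlib.sha256).hexdigest()
    log.append(rec)
    return rec

def verify_log(key: bytes, log: list, expected_len: int = None) -> str:
    """Reviewer side: return 'ok' or a description of where the chain first breaks."""
    prev = GENESIS
    for i, rec in enumerate(log):
        body = {k: v for k, v in rec.items() if k != "mac"}
        if rec.get("seq") != i or rec.get("prev") != prev:
            return f"chain break at {i}"        # record removed, reordered or inserted
        mac = hmac.new(key, canon(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, rec.get("mac", "")):
            return f"bad mac at {i}"            # event text or time stamp edited
        prev = rec["mac"]
    # The chain alone cannot see records dropped from the tail: compare against a
    # record count (or the last MAC) kept on a separate trusted store.
    if expected_len is not None and len(log) != expected_len:
        return f"truncated to {len(log)} of {expected_len}"
    return "ok"

# Constructed sample events in syslog style (not taken from any real system).
SAMPLE_EVENTS = [
    "sshd[812]: Accepted publickey for ops from 10.0.0.5 port 51022",
    "sudo: ops : TTY=pts/0 ; COMMAND=/usr/sbin/useradd svc-backup",
    "sshd[813]: Failed password for root from 10.0.0.9 port 40210",
]

def demo(key: bytes = b"constructed-demo-key") -> list:
    log = []
    for n, ev in enumerate(SAMPLE_EVENTS):
        append_event(key, log, ev, ts=f"2004-06-01T12:00:0{n}+00:00")
    return log
```

The MAC key must live with the audit collector, not on the hosts producing the events, or a compromised host could re-sign its own history.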
Solution Integrity Subsystem
Purpose:
• Address the requirement for reliable and correct operation of a computing solution in support of meeting the legal and technical standard for its processes
Functions:
• Physical protection for data objects, such as cryptographic keys, and physical components, such as cabling, hardware, and so on
• Continued operations including fault tolerance, failure recovery, and self-testing
• Storage mechanisms: cryptography and hardware security modules
• Accurate time source for time measurement and time stamps
• Alarms and actions when a physical or passive attack is detected
Sample Technologies:
• Systems Management solutions: performance, availability, disaster recovery, storage management
• Operational Security tools: host and network intrusion detection sensors (Snort), event correlation tools, host security monitoring/enforcement tools (Tripwire, TAMOS), host/network vulnerability monitors/scanners (Nessus), anti-virus software
On Demand Security Architecture (Logical)

[Diagram, reduced to its labels] Layers, top to bottom:
• On Demand Solutions
• On Demand Infrastructure – Services and Components
• On Demand Security Infrastructure
• On Demand Infrastructure – OS, application, network component logging and security events logging; event management; archiving; business continuity
Services and components shown: Policy Management (authorization, privacy, federation, etc.); Authorization; Service/Endpoint Policy Mapping Rules; Virtual Org Policies; Assurance; Audit & Non-Repudiation; Privacy Policy; Security Policy Expression; Bindings Security and Secure Conversation (transport, protocol, message security); Secure Logging; Key Management; Identity Federation; Trust Model; Identity Management; Credential Exchange; Intrusion Defense; Anti-Virus Management; Network Security Solutions (VPNs, firewalls, intrusion detection systems); Secure Networks and Operating Systems.