Architecture V2.0
IT Security / Global IT, Telefonica
29.09.2014
Index
01 Objectives and Core Principles
02 Security Framework
03 IT Security Architecture
04 Conclusions
01 Objectives and Core Principles

Rationale
o Design of a security baseline that identifies the technologies and best practices to meet the security requirements, aligned with the business requirements.
o The goal is to provide confidentiality, integrity, availability, accountability and assurance to IT systems.
DISCOVER, DISRUPT, DELIVER
Common Standards
The architecture is designed to support the principal frameworks for IT Governance and Compliance.
02 IT Security Reference Architecture
Applying IT Security Processes to IT Assets, consistent with Business Requirements

Business Requirements: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance.

IT Assets to secure: Information, Workplace, Applications.

IT SECURITY FRAMEWORK (*)
o Map of secured IT assets and security systems, defined by the combination of IT Assets and IT Security Processes. Technological mapping per system and OB, aligned with the strategic plan.
o Functional description of the security components of the high priority security systems. Focus on some systems based on the maturity level and the strategic plan.
o Description of the design patterns and scenarios where the functional components of the security systems are used.

Security systems: Governance; Identity management & Access Control; Incident & Vulnerability Management.
Security Systems in the Functional IT Security Architecture

Governance: GRC; Security Compliance & Dashboard; Security Knowledge Base.
Identity management & Access Control: Identity Management; Authentication & Authorization; Privileged Users Security.
Incident & Vulnerability Management: Vulnerability management; Security logs monitoring; Incident Management; Early warning.
IT Security Architecture Priorities
To develop the architecture further, for systems analysis and selection and for the elaboration of detailed use cases, we identify the following priorities:
IT Security Architecture Priorities

Database Protection
  Objective: improve the database security.
  o Facilitate audit of sensitive data and critical transactions.

Security Logs Monitoring
  Objective: centralized log management.
  o Aggregation of data from many sources.
  Objective: turn data into useful information.
  o Correlation using common attributes and linking events.
  o Automated analysis of events and timely reporting.
  Objective: real-time alerting.
  Objective: long-term storage of historical data.
  o Compliance requirements and forensic analysis.

Vulnerability Management
  Objective: discover and properly analyse the system vulnerabilities.
  o Improve the system performance and reliability.
  o Reduce incidents, decreasing the time spent in this kind of process.
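As an added example that is not part of the original deck, the aggregation, correlation and alerting steps listed under Security Logs Monitoring, run over two constructed log sources: a syslog-style authentication log and a CSV firewall log. Events from both sources are normalized, linked by the common attribute src_ip, and a rule raises an alert when repeated failures precede a success; all log formats, field names and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs from two sources (not real data).
AUTH_LOG = """\
2014-09-29T08:00:01 sshd[1201]: Failed password for alice from 10.1.2.3 port 51000
2014-09-29T08:00:04 sshd[1201]: Failed password for alice from 10.1.2.3 port 51001
2014-09-29T08:00:09 sshd[1201]: Failed password for alice from 10.1.2.3 port 51002
2014-09-29T08:00:15 sshd[1201]: Accepted password for alice from 10.1.2.3 port 51003
2014-09-29T08:30:00 sshd[1201]: Failed password for bob from 10.9.9.9 port 40000
"""
FW_LOG = """\
2014-09-29 07:59:58,10.1.2.3,172.16.0.5,22,ALLOW
2014-09-29 08:00:14,10.1.2.3,172.16.0.5,22,ALLOW
2014-09-29 08:29:59,10.9.9.9,172.16.0.5,22,ALLOW
"""

AUTH_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)")

def parse_auth(text):
    """Normalize authentication log lines into events with common attributes."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue  # unparsable lines are skipped, not fatal
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "source": "auth",
            "src_ip": m["ip"],
            "user": m["user"],
            "outcome": "success" if m["outcome"] == "Accepted" else "failure",
        })
    return events

def parse_firewall(text):
    """Normalize CSV firewall lines: timestamp,src,dst,port,action."""
    events = []
    for line in text.splitlines():
        parts = line.split(",")
        if len(parts) != 5:
            continue
        ts, src, dst, port, action = parts
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "source": "firewall", "src_ip": src, "dst_ip": dst,
            "dst_port": int(port), "action": action,
        })
    return events

def aggregate(*sources):
    """Merge events from all sources into one time-ordered stream."""
    return sorted((e for s in sources for e in s), key=lambda e: e["ts"])

def correlate_bruteforce(events, threshold=3, window=timedelta(minutes=5)):
    """Alert when `threshold` failures precede a success from one src_ip within
    `window`; link the firewall events of that src_ip in the same window."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["src_ip"]].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        auth = [e for e in evs if e["source"] == "auth"]
        for i, e in enumerate(auth):
            if e["outcome"] != "success":
                continue
            start = e["ts"] - window
            fails = [f for f in auth[:i]
                     if f["outcome"] == "failure" and f["ts"] >= start]
            if len(fails) >= threshold:
                linked = [x for x in evs if x["source"] == "firewall"
                          and start <= x["ts"] <= e["ts"]]
                alerts.append({"rule": "bruteforce_then_success", "src_ip": ip,
                               "user": e["user"], "failures": len(fails),
                               "success_at": e["ts"].isoformat(),
                               "linked_firewall_events": len(linked)})
    return alerts

def run_sample():
    events = aggregate(parse_auth(AUTH_LOG), parse_firewall(FW_LOG))
    return correlate_bruteforce(events)
```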
Security Systems in the IT Security Architecture

Governance | Identity management & Access Control | Vulnerability & Incident Management
Other components: DLP, IRM, SSLDC, PKI.

The identified components in the architecture will be further detailed for solution identification and detailed reference design patterns / use cases.
Sourcing strategy

Demand Strategy
o Demand is not aggregated globally except for Do-It-Once deployments (TGT).
o Select single solutions where:
  - System operation is performed in consolidated DCs.
  - FS projects with homogeneous providers.

Contract Strategy
o Local RFPs on a reduced number of solutions, for synergies in knowledge sharing and capability reuse.
o Negotiate and buy directly from manufacturers or from certified local integrators.
o Corrective and evolutive support and maintenance is critical and shall be included in the corresponding RFPs.
Market Solutions – short list

Identity management & Access Control
  Identity Mgmt: ORACLE, CA, IBM
  Authn & Authz: ORACLE, CA, IBM
Vulnerability & Incident Management
  Vulnerability management: HP
  Security logs monitoring: RSA
Other components: DLP, IRM, SSLDC, PKI.
03 IT Security Functional Architecture
Components in the IT Security Architecture

Identity Management & Access Control
  Identity Management: Identity Administration; Directory Services (Virtualization, Synchronization); Service Provisioning.
  Authentication & Authorization Management: Authentication (Federation, User Authentication, Single Sign-On).
3.1 IDENTITY MANAGEMENT & ACCESS CONTROL
Identity Management (3.1)

A. Identity Governance: Define and manage roles and automate critical identity-based controls, managing the role lifecycle and providing key identity governance capabilities including auditing, reporting, attestation, certification, and analytics.

B. Identity Provisioning: Automates the process of adding, updating, and deleting user accounts from applications and directories, improving regulatory compliance by providing granular reports that attest to who has access to what resources.

C. Virtual Directory Service: Central user repository for Identity Management, providing a scalable, secure, high-performance LDAP data store.

[Diagram: trusted sources (Active Directory, SAP, HHRR and other sources not loaded in the Identity Management platform) are read through the Virtual Directory Service and Connectors (R/W); the Identity Management platform comprises User Reconciliation, Role Mining, User Certification/Review, Role Lifecycle Management, Approval Workflow, IAM Engine, Event Engine, Repository (Rules/Policy/Roles), Risk Management, Audit DB, Self Service and Reporting, with User Manager, Application Owner/IT and Business User as actors.]
Identity Management (3.1), continued

1. CERTIFICATION & ATTESTATION
o Ensuring compliance with Access Control Policies, reporting Identity & Access data to the responsible user.
o Updating target systems based on the results of the certification process.

2. ROLE MINING
o Creation, administration and versioning of roles.
o Role information is synchronized with Role Lifecycle Management, which defines the rules and conditions that determine whether a user may or may not belong to a certain role.

3. RISK MANAGEMENT
o Compliance & Risk report of gaps, security exceptions and anomalous activity.

4. REPORTING
o Detect violations of the defined roles and conditions.

AUDIT DB
o Provides a historical record of the operations that occur in the Identity Management platform.
Identity Management (3.1), continued

7. CONNECTORS
o Adapters deployed for each endpoint (Directories, Databases, OSs, Systems, Applications).

8. IAM ENGINE
o Configuration of access control policies using the users and roles information.
o Password Management.
o Self Service options for users.
o Customization and extensibility.

9. RECONCILIATION
o Detecting local changes and attempting to eliminate them.
o Alerting security administrators when such changes are detected.
o Reporting inconsistencies in the systems.
o Detecting changes in the authorized source and releasing them to applications.
Identity Management (3.1), continued

10. VIRTUAL DIRECTORY
o Directories strategically placed for geographic local distribution.
o Redundant directories for fault tolerance and scalability.
o Identity information located in more than one identity store (employee databases).
[Diagram: Oracle Identity Management solution map; callouts: DIP, Repository, Workflow DB, Connectors (R/W), ADF, BPEL, SOA Suite, Oracle Directory Services, Access Policies, Oracle BI Publisher.]

... and flexible enterprise identity management system that automatically manages users' access privileges within ...

ORACLE DIRECTORY SERVICES
Oracle Directory is an LDAP service that ...
... Access Provisioning, which defines rules and conditions for access.
o Establishment of mechanisms for risk reporting and security compliance, for identifying gaps, security exceptions and anomalous activity.

2. CERTIFICATION ENGINE
o Attestation enables users designated as reviewers to be notified of reports they must review. These reports describe provisioned resources of other users. A reviewer can attest to the accuracy of the entitlements by providing a response. The attestation action, along with the response the reviewer provides, any associated comments, and an audit view of the data that the reviewer views and attests to, is tracked and audited to provide a complete trail of accountability.
3. BUSINESS PROCESS EXECUTION LANGUAGE (SOA SUITE BPEL)
o Oracle SOA transforms complex application integration into agile and re-usable service-based connectivity to speed time to market, respond faster to business requirements, and lower costs.

4. ORACLE APPLICATION DEVELOPMENT FRAMEWORK (ADF)
o Oracle ADF is an end-to-end Java EE framework that simplifies application development by providing out-of-the-box infrastructure services and a visual and declarative development experience.
6. ORACLE BI PUBLISHER
o Oracle BI Publisher is Oracle's enterprise reporting solution and provides a single reporting environment to author, manage, and deliver all of your reports and business documents.

7. ACCESS POLICIES
o Access policies are a list of user groups and the resources with which users in the group are to be provisioned or deprovisioned.
o Oracle Virtual Directory (OVD) provides identity aggregation and transformation. It unifies identity data across heterogeneous data sources without consolidating, and re-uses identity data without copying.

8. ORACLE DIRECTORY INTEGRATION PLATFORM (DIP)
o The Oracle Directory Integration Platform enables you to synchronize Oracle Internet Directory data with other data sources. You save time and resources by using Oracle Internet Directory as the central repository for different LDAP-enabled applications and connected directories. Synchronization can be one-way or two-way.
CA IDENTITYMINDER
Delivers a unified solution for user provisioning and user management that manages users' identities throughout their entire lifecycle, providing them ...

[Diagram: CA IdentityMinder solution map; callouts: Connectors (R/W), Event Engine, Role Lifecycle Management, Approval Workflow, Policy Xpress, WorkPoint Workflow, IAM Engine, Repository (Rules/Policy/Roles), Risk Management, CA Audit DB, IDM APP, Self Service, IAM Report Server.]
o Designed for role analysts and technical auditors, these tools provide a complete environment for development and maintenance of the role and compliance model.
3. POLICY XPRESS
o Creates complex business logic or policies without the need to develop custom code.

4. IDENTITY MANAGER APPLICATION (IDM APP)
o This standards-based J2EE application serves as the user interface and business logic layer. It includes the web user interface, delegated administration framework and workflow, policy evaluation, audit and reporting services.
o The CA IdentityMinder Provisioning Manager manages the Provisioning Server through a graphical interface. This is used for administrative tasks such as managing Provisioning Server options. In some cases, you may also use the Provisioning Manager to manage certain endpoint attributes, which you cannot manage in the CA IdentityMinder User Console.

7. WORKPOINT WORKFLOW
o These components enable you to place a CA IdentityMinder task under workflow control, and to modify existing workflow process definitions or create new definitions.
... connect to databases that store information required to support CA IdentityMinder functionality. These include global users, which associate users in the Provisioning Directory with accounts on endpoints such as Microsoft Exchange, Active Directory, and SAP.

9. CA AUDIT DB
o Provides a historical record of operations that occur in a CA IdentityMinder environment.

10. IAM REPORT SERVER
o CA IdentityMinder provides reports that you can use to monitor the status of a CA IdentityMinder environment. To use the reports provided with CA IdentityMinder, you install the IAM Report Server, which is included with CA IdentityMinder.
IBM SECURITY IDENTITY AND ACCESS ASSURANCE
This solution helps provide efficient and ... preconfigured set of five IBM software products helps administer, protect and monitor user access to online applications and data.

[Diagram: IBM solution map; callouts: IBM Security Identity Manager (ISIM), User Certification/Review and Attestation, Provisioning Engine, Connectors (R/W), IBM Directory Services, Directory Integrator, Repository (Rules/Policy/Roles), Risk Management, Audit DB, Self Service, Cognos reporting.]
IBM SECURITY IDENTITY MANAGER (ISIM)
... security by reducing the risk of identity fraud. It automates the creation, modification, recertification and termination of user privileges and supports policy-based password management throughout the user lifecycle.

2. IBM COGNOS ACTIVE REPORT
o IBM Cognos Active Report provides an interactive analytics experience in a self-contained Cognos Business Intelligence application for browsing and exploring data offline.
... Directory Server provides a trusted identity data infrastructure for authentication.

4. IBM SECURITY DIRECTORY INTEGRATOR
o It helps you build an authoritative data infrastructure by integrating data from directories, databases, collaborative systems, applications and other data sources.
Identity Management – Use case
Description
• Changes in the HR repository, which acts as trusted source, are propagated to the Identity Management system through a connector.
• The changes are committed to the internal Identity Management repository and, depending on the internal rules, provisioning events are triggered.
• Through specific connectors, accounts are created, modified, disabled or deleted in the end repositories.
• User attributes such as organization unit and position are used to create policy rules and to automate the creation of the accounts in the systems.

[Diagram: Trusted Source (HR) → Connector → Identity Provisioning (Repository, Workflow Engine) → Connectors → App1 … App N repositories and Users.]
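As an added example that is not part of the original deck, the HR-driven provisioning flow described above in Python: an HR record arrives through the connector, is committed to the internal repository, and access policies keyed on organization unit and position (each a user group mapped to the target systems it is provisioned in, as the Access Policies callout defines them) decide which accounts to create, update or disable. Policy names, org units and target system names are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List

@dataclass(frozen=True)
class HRRecord:
    """One record from the trusted source (HR), as delivered by its connector."""
    employee_id: str
    name: str
    org_unit: str
    position: str
    active: bool          # False once HR marks the person as terminated

@dataclass(frozen=True)
class AccessPolicy:
    """A user group (a rule over HR attributes) and the target systems in which
    its members are provisioned; accounts of non-members are deprovisioned."""
    name: str
    applies_to: Callable[[HRRecord], bool]
    resources: FrozenSet[str]

# Constructed policies keyed on organisation unit and position (assumptions).
POLICIES = [
    AccessPolicy("all-employees", lambda r: True, frozenset({"AD", "Mail"})),
    AccessPolicy("finance-erp", lambda r: r.org_unit == "Finance", frozenset({"SAP"})),
    AccessPolicy("it-admins",
                 lambda r: r.org_unit == "IT" and r.position.startswith("Admin"),
                 frozenset({"Ticketing", "Monitoring"})),
]

@dataclass(frozen=True)
class ProvisioningTask:
    """Work item handed to the connector of one target system."""
    employee_id: str
    target: str
    action: str           # "create", "update" or "disable"

class ProvisioningEngine:
    def __init__(self, policies: List[AccessPolicy]):
        self.policies = policies
        # Internal IdM repository: employee_id -> last HR record and active accounts.
        self.repository: Dict[str, dict] = {}

    def desired_accounts(self, rec: HRRecord) -> FrozenSet[str]:
        """Resources the policies grant to this record; none once terminated."""
        if not rec.active:
            return frozenset()
        return frozenset().union(*(p.resources for p in self.policies if p.applies_to(rec)))

    def on_hr_event(self, rec: HRRecord) -> List[ProvisioningTask]:
        """Commit the HR change to the repository and return the provisioning
        tasks it triggers (accounts to create, update or disable)."""
        entry = self.repository.get(rec.employee_id)
        current = entry["accounts"] if entry else frozenset()
        previous = entry["record"] if entry else None
        desired = self.desired_accounts(rec)
        tasks = []
        for target in sorted(desired - current):
            tasks.append(ProvisioningTask(rec.employee_id, target, "create"))
        for target in sorted(current - desired):
            tasks.append(ProvisioningTask(rec.employee_id, target, "disable"))
        # Attribute changes (name, unit, position) must reach the accounts that stay.
        if previous is not None and previous != rec:
            for target in sorted(desired & current):
                tasks.append(ProvisioningTask(rec.employee_id, target, "update"))
        self.repository[rec.employee_id] = {"record": rec, "accounts": desired}
        return tasks
```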
Identity Management – Use case
Description
• If there is a repository with external user information, a synchronization process similar to the employee scenario can be deployed.
• In most cases, a workflow is deployed in the Identity Management system. A person in the organization, responsible for the external user, must register him, and default accounts are generated in the target systems.
• User managers must periodically review the list of their external users and disable the accounts that no longer need access to the organization's systems.

[Diagram: External user repository → Connector → Identity Provisioning (Repository, Workflow Engine) → Connectors → App1 … App N repositories and Users.]
Identity Management – Use case: Reconciliation
Objective / Description
• Reconciliation is the process of comparing and synchronizing account information between the target repository and the identity management system.
• Changes that did not originate in the identity management system are detected on the target repository. This happens typically when an administrator makes a change on the target system directly.
• Depending on the connector technology, changes are detected in real time or at scheduled times.
• In the identity management system, events are triggered when these changes are detected. These events can be used either only to update the account information stored in the internal identity management repository, or also to create provisioning tasks in the same or in other target systems.

[Diagram: Users and App1 … App N repositories → Connectors → Reconciliation Engine → Identity Provisioning (Repository, Workflow Engine); steps 1–4.]
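As an added example that is not part of the original deck, the reconciliation use case above and the Reconciliation component bullets (detect local changes, alert security administrators, report inconsistencies) in Python: a connector snapshot of one target is compared with what the IdM repository expects, and each detected event either updates the internal repository or produces a provisioning task that eliminates the unmanaged change, with an alert for security-relevant ones. Account data, attribute names and the set of security attributes are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Any, Dict, List, Tuple

@dataclass(frozen=True)
class ReconEvent:
    """A difference detected between the IdM repository and a target repository."""
    target: str
    account: str
    kind: str                 # "orphan", "missing" or "drift"
    attribute: str = ""       # set for "drift"
    expected: Any = None      # value held in the IdM repository
    observed: Any = None      # value read from the target through the connector

# Attributes whose unmanaged change is a security event, not a data update (assumption).
SECURITY_ATTRIBUTES = {"groups", "enabled"}

def detect_changes(idm_accounts: Dict[str, dict], snapshot: Dict[str, dict],
                   target: str) -> List[ReconEvent]:
    """Compare the accounts the IdM expects on `target` with the connector's snapshot."""
    events = []
    for account, observed in snapshot.items():
        expected = idm_accounts.get(account)
        if expected is None:
            events.append(ReconEvent(target, account, "orphan", observed=observed))
            continue
        for attr in sorted(set(expected) | set(observed)):
            if expected.get(attr) != observed.get(attr):
                events.append(ReconEvent(target, account, "drift", attr,
                                         expected.get(attr), observed.get(attr)))
    for account, expected in idm_accounts.items():
        if account not in snapshot:
            events.append(ReconEvent(target, account, "missing", expected=expected))
    return events

def plan_actions(events: List[ReconEvent], idm_accounts: Dict[str, dict]) -> List[Tuple[str, Any]]:
    """Turn events into actions: 'update_repository' (accept the local change into
    the IdM repository), 'task' (provisioning work that eliminates it) or 'alert'."""
    actions = []
    for e in events:
        if e.kind == "orphan":
            # An account nobody provisioned: alert and disable it on the target.
            actions += [("alert", e), ("task", {"target": e.target, "account": e.account,
                                                 "op": "disable"})]
        elif e.kind == "missing":
            actions.append(("task", {"target": e.target, "account": e.account,
                                     "op": "create", "attributes": e.expected}))
        elif e.attribute in SECURITY_ATTRIBUTES:
            # Revert the target to the authorized value and raise an alert.
            actions += [("alert", e), ("task", {"target": e.target, "account": e.account,
                                                 "op": "set", "attribute": e.attribute,
                                                 "value": e.expected})]
        else:
            idm_accounts[e.account][e.attribute] = e.observed
            actions.append(("update_repository", e))
    return actions

# Constructed sample: IdM view of target "AD" and the snapshot pulled by its connector.
IDM_ACCOUNTS = {
    "alice": {"groups": ["staff"], "phone": "1001", "enabled": True},
    "bob": {"groups": ["staff", "finance"], "phone": "1002", "enabled": True},
}
AD_SNAPSHOT = {
    "alice": {"groups": ["staff", "Domain Admins"], "phone": "1003", "enabled": True},
    "svc_backup": {"groups": ["Domain Admins"], "enabled": True},
}

def run_sample():
    idm = {k: dict(v) for k, v in IDM_ACCOUNTS.items()}
    events = detect_changes(idm, AD_SNAPSHOT, "AD")
    return events, plan_actions(events, idm), idm
```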
Identity Management – Use case
Objective: Describe the process of request and approval for managing users and permissions.
Description
• The actors in this scenario are the requester, the organizational user manager and the target application owner. Delegation can be implemented for each of these roles in the workflow.
• Based on the attributes and roles of the requester, only a subset of operations can be selected. To guarantee separation of duties, role constraints must be enforced.
• The user manager approves the request and several provisioning workflows are created, depending on the target applications involved.
• Once the owner of the target application has approved the request, the operation is executed through the connector.
• All approvals can be explicit or implicit. Requests can also be generated automatically when some event is triggered, such as a reconciliation event.
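As an added example that is not part of the original deck, the request and approval process above in Python: the requester's kind limits the operations it may select, separation-of-duties constraints are enforced at submission, the user manager's approval spawns one provisioning workflow per target application, and each workflow runs through its connector once the application owner approves (implicitly for roles the owner has pre-approved), with delegation for approvers. Role names, targets, owners and the SoD matrix are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed IdM configuration (assumptions): roles and their target application,
# separation-of-duties conflicts, application owners and roles approved implicitly.
ROLE_TARGET = {"ap-clerk": "SAP", "ap-approver": "SAP", "sap-reporting": "SAP",
               "crm-user": "CRM", "crm-admin": "CRM"}
SOD_CONFLICTS = {frozenset({"ap-clerk", "ap-approver"})}
APP_OWNER = {"SAP": "owner-sap", "CRM": "owner-crm"}
IMPLICIT_OWNER_APPROVAL = {"crm-user"}
OPERATIONS_BY_REQUESTER = {"manager": {"grant", "revoke"}, "employee": {"grant"}}

@dataclass
class ProvisionWorkflow:
    target: str
    roles: List[str]
    owner: str
    approved_by: Optional[str] = None

@dataclass
class AccessRequest:
    request_id: int
    subject: str
    operation: str
    roles: List[str]
    manager: str
    manager_approved_by: Optional[str] = None
    workflows: List[ProvisionWorkflow] = field(default_factory=list)
    executed: List[dict] = field(default_factory=list)   # connector operations done

    @property
    def status(self) -> str:
        if self.manager_approved_by is None:
            return "awaiting manager"
        if any(w.approved_by is None for w in self.workflows):
            return "awaiting application owners"
        return "completed"

class RequestWorkflow:
    def __init__(self, user_roles: Dict[str, Set[str]], managers: Dict[str, str],
                 delegations: Optional[Dict[str, str]] = None):
        self.user_roles = user_roles          # IdM repository: user -> roles held
        self.managers = managers              # user -> organizational manager
        self.delegations = delegations or {}  # approver -> delegate acting for them
        self.requests: Dict[int, AccessRequest] = {}

    def submit(self, requester: str, subject: str, operation: str, roles: List[str]) -> AccessRequest:
        kind = "manager" if requester in self.managers.values() else "employee"
        if operation not in OPERATIONS_BY_REQUESTER[kind]:
            raise PermissionError(f"{requester} ({kind}) may not request '{operation}'")
        if kind == "employee" and requester != subject:
            raise PermissionError("employees may only request for themselves")
        if operation == "grant":
            held = set(self.user_roles.get(subject, set())) | set(roles)
            for pair in SOD_CONFLICTS:
                if pair <= held:
                    raise ValueError(f"separation of duties: {sorted(pair)} cannot be combined")
        req = AccessRequest(len(self.requests) + 1, subject, operation, list(roles),
                            self.managers[subject])
        self.requests[req.request_id] = req
        return req

    def _acts_for(self, approver: str, actor: str) -> bool:
        return actor == approver or self.delegations.get(approver) == actor

    def manager_approve(self, request_id: int, actor: str) -> AccessRequest:
        req = self.requests[request_id]
        if not self._acts_for(req.manager, actor):
            raise PermissionError(f"{actor} is not the manager of {req.subject}")
        req.manager_approved_by = actor
        # One provisioning workflow per target application involved in the request.
        for target in sorted({ROLE_TARGET[r] for r in req.roles}):
            wf = ProvisionWorkflow(target, [r for r in req.roles if ROLE_TARGET[r] == target],
                                   APP_OWNER[target])
            req.workflows.append(wf)
            if all(r in IMPLICIT_OWNER_APPROVAL for r in wf.roles):
                self._execute(req, wf, approved_by="implicit")
        return req

    def owner_approve(self, request_id: int, target: str, actor: str) -> AccessRequest:
        req = self.requests[request_id]
        wf = next(w for w in req.workflows if w.target == target)
        if not self._acts_for(wf.owner, actor):
            raise PermissionError(f"{actor} is not the owner of {target}")
        self._execute(req, wf, approved_by=actor)
        return req

    def _execute(self, req: AccessRequest, wf: ProvisionWorkflow, approved_by: str) -> None:
        """Owner approval obtained: run the operation through the target's connector."""
        wf.approved_by = approved_by
        roles = self.user_roles.setdefault(req.subject, set())
        for role in wf.roles:
            (roles.add if req.operation == "grant" else roles.discard)(role)
            req.executed.append({"connector": f"{wf.target}-connector", "op": req.operation,
                                 "subject": req.subject, "role": role})
```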
Identity Management – Use case: Attestation
Objective / Description
• Attestation is an ongoing process where managers and designated approvers review who has access to what, to confirm that each user/role has access only to the resources necessary to perform their job function.
• With the Governance module, reviewers have a 360º view of users, roles and permissions and can recertify them.
• A compliance dashboard is also presented, and it is possible to remediate problems with conflicting roles.

[Diagram: Governance (Attestation, Reviewer) and Identity Provisioning (Repository, Workflow Engine) → Connectors → App1 … App N repositories.]
Identity Management – Use case
Objective: Describe the different scenarios for application integration in the Identity Management solution.
Description
• The ideal scenario is when the application can use an existing corporate user repository that is already integrated in the identity management solution. The application user roles are mapped to attributes or objects in the repository, typically user groups.
• If the application has its own user repository, the identity management platform needs a connector to perform the provisioning and reconciliation of users. If no standard connector is available, the application must expose an API providing the required functions to manage the users. A web service is the preferred solution.
• A mix of the previous scenarios is frequent: the application delegates authentication and coarse-grained authorization to the external repository, but needs additional user information in its internal repository.

[Diagram: Identity Provisioning (Repository, Workflow Engine) → Custom Connector → Application API → App User Repository; Standard Connector → App User Repository.]
Identity Management – Use case
Objective: Describe the different scenarios for application integration in the Identity Management solution (continued).
Description
• Sometimes it is not possible to develop a custom connector, or the development cost is high. In this case only the workflow is integrated in the IdM.
• Administrators can manage the users in the application repository, but the request and the approvals are made through the IdM.
• When the request has been approved, a task is generated for the administrator. After the task is completed, the administrator marks it as finished in the IdM.
• As there is no connector, a periodic manual reconciliation is needed to check whether users have been modified directly in the application repository.

[Diagram: User → Self Service Request → Approval (App owner) → Task generation → Admin → App1 … App N repositories.]
Authentication & Authorization Management (3.1)

[Diagram: End user → web agent (PEP) → Authentication Service (LDAP, Smart Card, others) with SSO token generation; Authorization with remote/centralized PDP, PIP, PAP, PRP, attribute store, coarse-grained and fine-grained policies & rules, and security services managed by SEC ADMIN; External Security Domain (federation).]
AUTHENTICATION SERVICE
1. The user attempts to access an internal protected resource.
2. The Web Agent checks for the presence of a security token.
5. If the user's password needs to be reset or changed, the authentication server redirects the user to a self-service management interface.
7. APP SERVER or LEGACY APP
o Access to protected resources when both authentication and authorization are successful. The App Server can alternatively validate the token itself based on a digital signature.

PEP
o Intercepts the user's access request to a ...
9. PIP
o PDPs may require additional information, such as user attributes, in order to make access decisions. The policy information point (PIP) provides this sort of information.
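As an added example that is not part of the original deck, the PEP / PDP / PIP / PAP arrangement described in this section in Python: the web agent (PEP) verifies the SSO token and asks the PDP, the PDP evaluates the policies & rules that SEC ADMIN authored in the PAP, and the PIP supplies the user attributes those rules need; coarse-grained policies decide by resource, a fine-grained one by request attributes. The HMAC-signed token stands in for the digitally signed token; the attribute store, key and policies are constructed assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, List, Optional

# Constructed attribute store behind the PIP and a shared key for the SSO token.
ATTRIBUTE_STORE = {
    "alice": {"groups": {"employees", "finance", "ap-approver"}, "department": "Finance"},
    "bob": {"groups": {"contractors"}, "department": "External"},
}
SSO_KEY = b"constructed-demo-key"

def issue_sso_token(user: str) -> str:
    """What the authentication service emits after a successful login."""
    sig = hmac.new(SSO_KEY, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}.{sig}"

def validate_sso_token(token: str) -> Optional[str]:
    """Return the subject if the token's signature verifies, else None."""
    user, _, sig = token.partition(".")
    expected = hmac.new(SSO_KEY, user.encode(), hashlib.sha256).hexdigest()
    return user if user and hmac.compare_digest(sig, expected) else None

class PolicyInformationPoint:
    """Supplies the subject attributes the PDP needs (backed by the attribute store)."""
    def __init__(self, store: dict):
        self.store = store
    def attributes(self, subject: str) -> dict:
        return self.store.get(subject, {"groups": set()})

@dataclass(frozen=True)
class Policy:
    name: str
    granularity: str        # "coarse" (resource-level) or "fine" (request attributes)
    resource_prefix: str
    effect: str             # "permit" or "deny"
    condition: Callable[[dict, dict], bool]   # (subject attributes, request) -> bool

class PolicyAdministrationPoint:
    """Where SEC ADMIN authors policies & rules; the PDP reads them from here."""
    def __init__(self):
        self.policies: List[Policy] = []
    def add(self, policy: Policy) -> None:
        self.policies.append(policy)
    def applicable(self, resource: str) -> List[Policy]:
        return [p for p in self.policies if resource.startswith(p.resource_prefix)]

class PolicyDecisionPoint:
    def __init__(self, pap: PolicyAdministrationPoint, pip: PolicyInformationPoint):
        self.pap, self.pip = pap, pip
    def decide(self, subject: str, request: dict) -> str:
        attrs = self.pip.attributes(subject)
        effects = {p.effect for p in self.pap.applicable(request["resource"])
                   if p.condition(attrs, request)}
        if "deny" in effects:
            return "deny"                      # deny-overrides combining
        return "permit" if "permit" in effects else "deny"   # default deny

class PolicyEnforcementPoint:
    """Web agent in front of the application: checks the token, then asks the PDP."""
    def __init__(self, pdp: PolicyDecisionPoint):
        self.pdp = pdp
    def handle(self, request: dict) -> int:
        subject = validate_sso_token(request.get("token", ""))
        if subject is None:
            return 302     # no valid token: redirect to the authentication service
        return 200 if self.pdp.decide(subject, request) == "permit" else 403

def build_sample_pep() -> PolicyEnforcementPoint:
    pap = PolicyAdministrationPoint()
    pap.add(Policy("intranet-employees", "coarse", "/intranet/", "permit",
                   lambda a, r: "employees" in a["groups"]))
    pap.add(Policy("finance-area", "coarse", "/finance/", "permit",
                   lambda a, r: a.get("department") == "Finance"))
    # Fine-grained: approving a payment needs the approver role and an amount limit.
    pap.add(Policy("payment-approval", "fine", "/finance/payments", "deny",
                   lambda a, r: r.get("action") == "approve" and
                   ("ap-approver" not in a["groups"] or r.get("amount", 0) > 10000)))
    return PolicyEnforcementPoint(PolicyDecisionPoint(pap, PolicyInformationPoint(ATTRIBUTE_STORE)))
```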
12. FEDERATION IDENTITY PROVIDER
o The user request is forwarded to the local federation identity provider in order to generate a SAML assertion that is trusted by the remote service provider.
IdM & Access Vulnerability &
OAM
Web IDENTITY ACCESS
DIRECTORY SERVICES
WEBGATE
Server MANAGEMENT
END USER
A
B A C
ORACLE ACCESS MANAGER
PIP
Fine ––OES
Fine Grained
OES
Grained Coarse
Coarse –– Grained
Grained
OES PAP
Console Policies &
& Rules
Repository
Policies
RepositoryRules Policies
Policies &
& Rules
Rules
SEC ADMIN
50
(1) OAM WEBGATES:
o A web server plug-in access client analogous to Sun OpenSSO Enterprise Policy Agent. WebGate intercepts HTTP requests for Web resources and forwards them to the Access Server for authentication and authorization.
[Diagram: Oracle AM Suite, callouts 1 and 2 – OAM WebGate on the web server, OAM Access Server as authentication service (LDAP, smart card, others), SSO token generation, external domain authentication, security admin]
(4) OES SM:
o Standards-based, policy-driven security solution that provides real-time fine-grained authorization in applications.
[Diagram: Oracle AM Suite, callouts 4, 5 and 6, steps A, B, C – end user, OAM WebGate, OAM Access Server as authentication service (LDAP, smart card, others), SSO token generation, external domain authentication, OES as PIP and fine-grained / coarse-grained policy engine, OES console and policy repository as PAP, security admin]
(7) AM IDENTITY FEDERATION:
o Oracle Identity Federation (OIF) is a complete, enterprise-level solution for secure identity information exchange
[Diagram: Oracle AM Suite, callout 7, step C (external domain) – end user, OAM WebGate, OAM Access Server as authentication service (LDAP, smart card, others), SSO token generation, external domain authentication, OES SM as centralized PDP with remote security services, attribute store, PRP and PIP, fine-grained / coarse-grained policies & rules, OES console and policy repository as PAP, security admin]
CA SITEMINDER
CA SiteMinder provides a shared authentication service that can be leveraged across all web-based resources and applications. By centralizing this service, CA SiteMinder offers unparalleled control over what type of authentication method/credential is used to protect a web resource, and how that authentication scheme is deployed and managed.
[Diagram: CA SiteMinder (SM) mapped onto the authorization architecture, steps A, B, C – end user, web server with SM agent, directory services, identity and access management, CA SiteMinder Federation, authentication service (LDAP, smart card, others), SSO token generation, external domain authentication, report and audit, security admin]
(2) SECURE PROXY SERVER:
o The secure proxy server is an optional standalone server component that provides a proxy-based PEP for CA SiteMinder access control on web applications and resources. This component provides a network gateway for the enterprise and supports multiple session schemes that do not rely on traditional cookie-based technology. In addition, it can also support mobile devices, identity federation, and REST-based web services.
[Diagram: CA SiteMinder, callout 2 – web server with SM agent, directory services, identity and access management, Policy Server as centralized PDP with remote security services, attribute store and PRP, PIP (*Axiomatics), fine-grained / coarse-grained policies & rules, Admin User Interface as PAP, Reverse Query, security admin]
REPORT DATABASE:
o Stores snapshot data, which reflects the current state of objects in CA Identity Manager at the time the snapshot is taken. You can generate reports from this information to view the relationship between objects, such as users and roles.
[Diagram: CA SiteMinder – web server with SM agent, directory services, identity and access management, Policy Server as centralized PDP with remote security services, attribute store and PRP, PIP (*Axiomatics), fine-grained / coarse-grained policies & rules, Admin User Interface as PAP, Reverse Query, security admin]
(5, 6) ADMIN USER INTERFACE:
o CA SiteMinder is managed by an application-based user interface that provides a centralized Policy Administration Point (PAP); one instance of the Admin UI server can connect to and manage multiple Policy Servers and agents. This interface also supports both restricted delegation for fine-grained control and unlimited delegation to simplify security policy administration.
[Diagram: CA SiteMinder, callouts 5 and 6 – web server with SM agent, directory services, identity and access management, Policy Server as centralized PDP with remote security services, attribute store and PRP, PIP (*Axiomatics), fine-grained / coarse-grained policies & rules, Admin User Interface as PAP, Reverse Query, security admin]
(7) *PARTNER AXIOMATICS:
o Axiomatics offers a technology platform
[Diagram: CA SiteMinder, callout 7 – SM agent, SSO token generation, external domain authentication, report and audit, PIP (*Axiomatics), fine-grained / coarse-grained policies & rules, Admin User Interface as PAP, Reverse Query, security admin]
(8) CA SITE MINDER FEDERATION:
o CA SiteMinder can support identity federation, such that user identity
[Diagram: CA SiteMinder, callout 8, step C (CA SiteMinder Federation) – end user, SM agent, SSO token generation, external domain authentication, report and audit, Policy Server as centralized PDP with remote security services, attribute store and PRP, PIP (*Axiomatics), fine-grained / coarse-grained policies & rules, Admin User Interface as PAP, Reverse Query, security admin]
[Diagram: IBM Security Access Manager for Web mapped onto the authorization architecture – end user, steps A and C, security admin]
Authentication & Authorization – Use case
Describe the Single Sign-On process with a Web Access Management platform that relies on an agent for authentication and authorization
Description
• Web Access Management (WAM) is the name commonly used for the identity management platform that controls access to web resources. One common scenario is the use of agents or plugins in the web server.
• The agent acts as a PEP (Policy Enforcement Point). If the user is not authenticated, he is redirected to the Access Management Server. After the user is successfully authenticated, he is sent back to the web resource he was trying to access.
• Until the session expires, the user can access resources protected by the WAM platform without authenticating again.
• Depending on the policy, the user is granted access to the URL he is trying to access. This is usually called coarse-grained access control because once the user has been granted access to the URL, the Web Access Management platform does not limit specific operations.
[Diagram: (1) web browser → web server with web agent / plugin; (2) Access Management Server with coarse-grained policies & rules; (3) corporate user repository]
Authentication & Authorization – Use case
Describe the Single Sign-On process with a Web Access Management platform that relies on a reverse proxy configuration
Description
• In this scenario no plugins are used and a reverse proxy architecture is deployed.
• All the web browser requests go through the Access Management Server, which performs the authentication and the authorization of the user.
• The Access Management Server, which acts as a reverse proxy, is usually placed in the DMZ.
• Sometimes mixed architectures can be deployed. The reverse proxy is mandatory when no agent is available for a particular web server technology.
[Diagram: Access Management Server (reverse proxy) with coarse-grained policies & rules and corporate user repository]
Authentication & Authorization – Use case
Describe the fine-grained access control scenario vs the coarse-grained access control
Description
• With Web Access Management solutions the URL-based perimeter authorization (coarse-grained) is externalized, but the core application-side authorization is often handled by custom application code.
• The fine-grained access control restricts the operations that a user can make on a resource based on his attributes (ABAC) or his role (RBAC).
• The externalization of the authorization requires very low latency because a single web access to a single page can generate multiple authorization requests.
• Changes can be made in real time without deploying a new version of the application if changes in the authorization policy must be applied.
• The XACML protocol is used to evaluate access requests according to the rules defined in policies.
[Diagram: application → XACML request → policy server with fine-grained policies & rules → Grant / Deny]
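An added example (not from the deck) contrasting the two styles just described: a coarse-grained URL check as a web agent performs it, beside a small XACML-style PDP that evaluates per-operation ABAC/RBAC rules; the policies, attribute names and the simplified request format are constructed for illustration.

```python
"""Coarse-grained (URL) vs. fine-grained (XACML-style) authorization.

Added example, not from the deck: a tiny policy decision point (PDP) that
evaluates a request built from subject, resource, action and environment
attributes against rules with a deny-overrides combining algorithm. It keeps
the XACML vocabulary (Permit/Deny/NotApplicable) but is not an XACML engine;
all policies and attribute names below are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"

# Coarse-grained: the web agent only sees the URL and the user's groups.
COARSE_POLICY: Dict[str, Set[str]] = {   # URL prefix -> groups allowed in
    "/hr/": {"hr-staff", "hr-managers"},
    "/finance/": {"finance"},
}


def coarse_grained_check(url: str, groups: Set[str]) -> str:
    """Decide for the whole URL; nothing below URL granularity is visible."""
    for prefix, allowed in COARSE_POLICY.items():
        if url.startswith(prefix):
            return PERMIT if groups & allowed else DENY
    return NOT_APPLICABLE


# Fine-grained: a PDP that looks at the operation and the attributes.
@dataclass
class Rule:
    effect: str                           # PERMIT or DENY
    condition: Callable[[Dict], bool]     # evaluated on the request


@dataclass
class Policy:
    resource_type: str
    actions: Set[str]
    rules: List[Rule] = field(default_factory=list)

    def matches(self, req: Dict) -> bool:
        return (req["resource"]["type"] == self.resource_type
                and req["action"] in self.actions)


def evaluate(policies: List[Policy], req: Dict) -> str:
    """Deny-overrides: a matching Deny rule wins; else Permit if any rule permits."""
    decision = NOT_APPLICABLE
    for pol in policies:
        if not pol.matches(req):
            continue
        for rule in pol.rules:
            if rule.condition(req):
                if rule.effect == DENY:
                    return DENY
                decision = PERMIT
    return decision          # the PEP treats anything but Permit as a denial


# Constructed policy set for salary records served under /hr/.
SALARY_POLICIES = [
    Policy("salary-record", {"read", "update"}, [
        # RBAC: managers may read and update any record.
        Rule(PERMIT, lambda r: "hr-managers" in r["subject"]["roles"]),
        # ABAC: staff may read only the record they own.
        Rule(PERMIT, lambda r: "hr-staff" in r["subject"]["roles"]
             and r["action"] == "read"
             and r["resource"]["owner"] == r["subject"]["id"]),
        # Environment attribute: no updates outside business hours.
        Rule(DENY, lambda r: r["action"] == "update"
             and not 8 <= r["environment"]["hour"] < 19),
    ]),
]


def decide(subject_id: str, roles: Set[str], action: str, owner: str, hour: int) -> str:
    """Build a XACML-like request for a salary record and ask the PDP."""
    req = {
        "subject": {"id": subject_id, "roles": roles},
        "resource": {"type": "salary-record", "owner": owner},
        "action": action,
        "environment": {"hour": hour},
    }
    return evaluate(SALARY_POLICIES, req)


if __name__ == "__main__":
    # Both users pass the coarse URL check for /hr/ ...
    print(coarse_grained_check("/hr/salary/bob", {"hr-staff"}))   # Permit
    # ... but only the PDP can see that alice may not read bob's record.
    print(decide("alice", {"hr-staff"}, "read", "bob", 10))       # NotApplicable
    print(decide("alice", {"hr-staff"}, "read", "alice", 10))     # Permit
    print(decide("carol", {"hr-managers"}, "update", "bob", 22))  # Deny
```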
Authentication & Authorization – Use case
Describe the Single Sign-On process when users are in different repositories and a Virtual Directory is used
Description
• Web Access Management solutions usually can authenticate users residing in an LDAP directory server.
• Virtual Directories create an integrated view of multiple data sources without changing their structure. This structure is accessible with the LDAP protocol and enables Web Access platforms to use multiple repositories natively without developing special connectors.
• Sometimes the repositories are also LDAP but contain different types of users, such as employees or external users.
[Diagram: (1) web browser → web server with web agent / plugin; (2) Access Management Server with coarse-grained policies & rules; (3) Virtual Directory in front of several user repositories]
Authentication & Authorization – Use case
Description
• Identity federation enables users of one domain to securely access data or systems of another domain seamlessly, and without the need for completely redundant user administration.
• In this scenario, a Federated Identity Provider (IP) authenticates the user and generates a token (asserts the identity) that is trusted by the service provider (SP). Information on the user attributes can also be shared.
• The flow is similar to the Web SSO use case but in this case the users belong to a different domain than the service they are trying to access.
• There are some standards to support identity federation such as SAML, OAuth and OpenID.
[Diagram: Domain 1 – Federated Identity Provider with user repository; Domain 2 – Service Provider, web server with web agent / plugin, web browser; steps 1, 2, 3]
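The token exchange in this scenario, as an added example that is not part of the deck: domain 1's identity provider issues an assertion and domain 2's service provider validates it before starting a session; the assertion layout, the HMAC stand-in for the XML signature, the entity IDs and the keys are all constructed.

```python
"""Service-provider (SP) checks on a federated identity assertion.

Added example, not from the deck. The assertion is a constructed dict that
stands in for a SAML assertion, and its signature is an HMAC under a key
shared by IdP and SP, standing in for the XML signature an SP verifies with
the IdP's certificate. The checks are the ones the SP must make before it
starts a session: trusted issuer, intact signature, intended audience,
validity window, and one-time use of the assertion ID.
"""
import hashlib
import hmac
import json
from typing import Dict, Set, Tuple

# Constructed trust configuration: issuer entity ID -> verification key.
TRUSTED_IDPS: Dict[str, bytes] = {
    "https://idp.domain1.example/saml": b"constructed-domain1-key",
}
SP_ENTITY_ID = "https://sp.domain2.example/saml"


def _canonical(assertion: Dict) -> bytes:
    """Stable byte form of the signed fields (stand-in for XML canonicalisation)."""
    body = {k: v for k, v in assertion.items() if k != "signature"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def issue_assertion(issuer: str, subject: str, audience: str, not_before: int,
                    not_on_or_after: int, assertion_id: str,
                    attributes: Dict[str, str]) -> Dict:
    """IdP side (domain 1): assert the identity, add attributes, sign."""
    assertion = {
        "id": assertion_id, "issuer": issuer, "subject": subject,
        "audience": audience, "not_before": not_before,
        "not_on_or_after": not_on_or_after, "attributes": attributes,
    }
    key = TRUSTED_IDPS[issuer]   # a real IdP would sign with its private key
    assertion["signature"] = hmac.new(key, _canonical(assertion),
                                      hashlib.sha256).hexdigest()
    return assertion


class ServiceProvider:
    """SP side (domain 2): start a session only for assertions it can trust."""

    def __init__(self, entity_id: str = SP_ENTITY_ID):
        self.entity_id = entity_id
        self.seen_ids: Set[str] = set()   # replay protection

    def validate(self, assertion: Dict, now: int) -> Tuple[bool, str]:
        key = TRUSTED_IDPS.get(assertion.get("issuer", ""))
        if key is None:
            return False, "untrusted issuer"
        expected = hmac.new(key, _canonical(assertion), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, assertion.get("signature", "")):
            return False, "bad signature"
        if assertion["audience"] != self.entity_id:
            return False, "audience mismatch"
        if not assertion["not_before"] <= now < assertion["not_on_or_after"]:
            return False, "outside validity window"
        if assertion["id"] in self.seen_ids:
            return False, "replayed assertion"
        self.seen_ids.add(assertion["id"])
        return True, "session for " + assertion["subject"]
```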
Regulates and audits access to the critical servers consistently across platforms:
o requirements - reporting server access policies.
o Enables authentication of UNIX and Linux privileged users from an external repository.
o Hardens the operating system, which reduces external security risks and facilitates operating environment reliability.
o Integrates out of the box with an auditing infrastructure that produces in-depth, regulation-specific reports.
1. Provides secure storage and access to privileged user passwords.
2. Harden the operating system and enforce segregation of duties.
3. Allows UNIX and Linux users to authenticate using an external repository.
4. Agents integrate natively with the operating system to enforce and audit the granular policies.
[Diagram: privileged user security – (1) Shared Account Manager, (2) Authorization Mng. with fine-grained access controls and fine-grained policies & rules, (3) Authentication Mng. with external authentication module, (4) agents on the systems; directory services, external parties, applications, system administrators, security administrators, SIEM]
Regulates and audits access to the critical servers consistently across platforms:
(1) SHARED ACCOUNT MANAGER:
accounts with shared password management.
(2) FINE GRAIN ACCESS CONTROL:
o Fine-grained access controls include the core elements of CA ControlMinder, which are used to harden the operating system and enforce segregation of duties.
(3) UNAB UNIX AUTHENTICATION BROKER:
o UNIX Authentication Bridge (UNAB) allows UNIX and Linux® users to authenticate using their Active Directory credentials.
(4) CONTROLMINDER OS AGENT:
[Diagram: CA ControlMinder mapped onto the privileged user security architecture – (1) CA ControlMinder Shared Account Manager, (2) CA ControlMinder Fine Grain Access Control, (3) CA ControlMinder UNAB Unix Authentication Broker as external authentication module, (4) agents; directory services, external parties, applications, system administrators, security administrators, SIEM]
Privileged user security – Use case
Describe the process of managing in a secure way the password of privileged accounts in the systems
Description
• The necessity to share privileged accounts among many users makes it difficult to hold people accountable for privileged activity.
• With a shared password management platform it is possible to mitigate both internal and external risk by controlling how users access shared privileged accounts.
• Without needing agents in the platform it is possible to check out and check in passwords for privileged users.
• The user authenticates to the shared password manager platform using his personal login and password and then, based on his role, he can check out the password for an account. No agent is needed to perform this operation, which basically consists of setting a new password for the account.
• When users no longer need the password, they make a check-in and the password is changed for a random one so nobody can use it.
[Diagram: user → login → Shared Password Manager (check-in / check-out password; authn & authz against corporate user repository) → password change on target system]
Privileged user security – Use case
Describe the process of managing in a secure way the password of privileged accounts in the systems using a jump host
Description
• In this scenario the Shared Password Manager does not give the newly generated password to the user. Instead, the user is logged in automatically to the target system.
• This prevents “over-the-shoulder” password theft and speeds up the process for the password requester.
• The session can be recorded so all the actions made with the privileged account can be tracked and logged.
[Diagram: user → Shared Password Manager (check-in / check-out; authn & authz against corporate user repository) → target system]
Privileged user security – Use case
Describe the process of managing in a secure way the password of privileged accounts for applications
Description
• This scenario resolves the problems of having service account passwords hard-coded in scripts or in configuration files.
• A shared account agent can be used inside a script to replace hard-coded passwords with passwords that can be checked out.
[Diagram: script with shared account agent → check-out → Shared Password Manager (authn & authz against corporate user repository) → password change → login to target system]
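As an added example (not the deck's or any vendor's code) covering both the check-out/check-in use case and the application-script case: a minimal shared password manager that sets a fresh random password on check-out, rotates it again on check-in, and attributes every step to the personal login; the users, the role policy and the TargetSystem stub are constructed.

```python
"""Check-out / check-in of a shared privileged account password.

Added example, not from the deck: an in-memory stand-in for the shared
password manager. The caller authenticates with a personal login (a
constructed user table), the manager sets a fresh random password on the
target system and hands it out, and on check-in rotates it again so the
value the user saw is dead. Every step is attributed to the personal user
in the audit trail. TargetSystem is a constructed stub for the managed host;
a script would call check_out() the same way instead of embedding a password.
"""
import secrets
import string
from typing import Dict, List, Optional

ALPHABET = string.ascii_letters + string.digits


class TargetSystem:
    """Stub for a managed host: only exposes 'set password for account'."""

    def __init__(self, name: str):
        self.name = name
        self.passwords: Dict[str, str] = {}

    def set_password(self, account: str, new_password: str) -> None:
        self.passwords[account] = new_password


class SharedPasswordManager:
    def __init__(self, users: Dict[str, Dict], targets: Dict[str, TargetSystem]):
        self.users = users          # constructed: login -> {"password", "roles"}
        self.targets = targets      # target name -> TargetSystem
        self.checked_out: Dict[tuple, str] = {}   # (target, account) -> login
        self.audit: List[str] = []
        # Constructed role policy: which roles may check out which accounts.
        self.policy = {("db01", "oracle"): {"dba"}, ("web01", "root"): {"sysadmin"}}

    def _authn(self, login: str, password: str) -> Optional[Dict]:
        user = self.users.get(login)
        if user and secrets.compare_digest(user["password"], password):
            return user
        self.audit.append(f"AUTHN_FAIL login={login}")
        return None

    def _rotate(self, target: str, account: str) -> str:
        new_pw = "".join(secrets.choice(ALPHABET) for _ in range(24))
        self.targets[target].set_password(account, new_pw)
        return new_pw

    def check_out(self, login: str, password: str, target: str, account: str) -> Optional[str]:
        """Return a fresh password for the privileged account, or None if refused."""
        user = self._authn(login, password)
        if user is None:
            return None
        if not user["roles"] & self.policy.get((target, account), set()):
            self.audit.append(f"AUTHZ_DENY login={login} target={target} account={account}")
            return None
        if (target, account) in self.checked_out:
            self.audit.append(f"BUSY login={login} target={target} account={account} "
                              f"holder={self.checked_out[(target, account)]}")
            return None
        new_pw = self._rotate(target, account)
        self.checked_out[(target, account)] = login
        self.audit.append(f"CHECKOUT login={login} target={target} account={account}")
        return new_pw

    def check_in(self, login: str, target: str, account: str) -> bool:
        """Rotate again so the handed-out password can no longer be used."""
        if self.checked_out.get((target, account)) != login:
            self.audit.append(f"CHECKIN_REJECT login={login} target={target} account={account}")
            return False
        self._rotate(target, account)
        del self.checked_out[(target, account)]
        self.audit.append(f"CHECKIN login={login} target={target} account={account}")
        return True


def demo() -> Dict:
    """Worked run: a sysadmin checks out root on web01, a DBA is refused, check-in."""
    users = {"bob": {"password": "bob-pw", "roles": {"sysadmin"}},
             "dan": {"password": "dan-pw", "roles": {"dba"}}}
    web01 = TargetSystem("web01")
    spm = SharedPasswordManager(users, {"web01": web01, "db01": TargetSystem("db01")})
    pw = spm.check_out("bob", "bob-pw", "web01", "root")
    usable_during = web01.passwords["root"] == pw
    denied = spm.check_out("dan", "dan-pw", "web01", "root")   # wrong role
    returned = spm.check_in("bob", "web01", "root")
    usable_after = web01.passwords["root"] == pw               # rotated away
    return {"got_password": pw is not None, "usable_during": usable_during,
            "dba_denied": denied is None, "checked_in": returned,
            "usable_after": usable_after, "audit": spm.audit}
```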
Privileged user security – Use case
Description
• To enforce fine-grained access control in server hosts, an agent is deployed in the target systems.
• This agent enforces the policy and restricts what can be done using a privileged account.
• Users should log in to the target machine with their personal account and, depending on their role, can escalate privileges to another account to execute specific actions.
• All actions are audited and referenced to the user that originally logged in to the target machine.
• Users in the target systems are provisioned with the Identity Management Platform.
[Diagram: Identity Management Platform → provision → target system]
Privileged user security – Use case
Describe the process of fine-grained access control in target systems that use an external user repository
Description
• This scenario is very similar to the previous one, but in this case the target systems do not use an internal user store.
• Typically an existing corporate LDAP / Active Directory is used to authenticate the users.
• This simplifies the provisioning task because no new target systems must be managed.
[Diagram: Identity Management Platform → provision → corporate user repository, used by the target system]
3.2 Data Base Protection
1. DB firewall: inspection of SQL commands; blocks commands that are not permitted by firewall rules. Eliminates malicious access (e.g. SQL injection or any clients that attempt commands that have not been previously approved).
2. Access Control:
o Limits operations based on the user's role and rules.
o Limits access to columns and rows based on user and data classification rules and policies.
o Limits DBA access to realms, or portions of the database, in order to support the principle of least privilege.
3. Access Control leverages:
o Identity Management and
o Authentication mechanisms (single factor - user id and password, or multi-factor - tokens and/or certificates).
4. Data Encryption features:
o Persisted Data Encryption.
o Online historical archives & backup media encryption, in order to (data retention requirements, end-to-end data protection).
5. Centralized and remote audit policy management: consolidation of audit data into a secure repository which includes audit policies, access control, audit alerts, and reports. Auditing features:
o Logging of transactions.
o Logging of administrative operations.
o Audit data is transmitted to a secure centralized store where reports can be run and alerts triggered.
6. Track and manage database configuration, compare it to pre-defined configuration based on configuration and patch levels, and provide compliance metrics.
7. Enabling testing of applications, data are extracted from production databases and loaded into staging areas. The database management system includes a masking component in order to transpose actual values into false values while maintaining rules of integrity.
[Diagram: Database Platform – (1) DB Firewall, (2) Access Control (roles, rules, data classification, realm partitioning), (3) Authentication (single factor, multi-factor) with directory services, (4) Persisted Data Encryption and Backup Encryption, (5) Audit Server with audit policies, alerts & reports, audit trail, auditing systems and audit database, (6) Configuration & Vulnerability Manager, (7) Data Masking into a staging database; admin user]
(1) DATABASE FIREWALL: SecureSphere
(2) DATABASE USERRIGHT
(3) *PARTNER VORMETRIC:
database compliance through automated processes, audit analysis, and customizable reports
[Diagram: SecureSphere and Vormetric mapped onto the Database Platform – SecureSphere Management, Vormetric persisted data encryption and backup encryption (3), Audit Server with audit policies and auditing systems (4)]
(5) SECURESPHERE MANAGEMENT:
o The MX Management Server unifies the administration, logging, and reporting of multiple SecureSphere gateways. SecureSphere Operations Manager goes one step further, allowing you to centrally manage up to 50 MX Management Servers.
(6) DATABASE ASSESSMENT:
o SecureSphere solves this by quickly identifying sensitive data, database vulnerabilities and misconfigurations so that you can prioritize and mitigate them. Database Assessment helps you stay out of the headlines by ensuring that database protection conforms to regulations, best practices, and a company’s internal standards.
(7) *PARTNER INFORMATICA:
o It helps your IT organization manage access to your most sensitive data. Informatica Persistent Data Masking shields confidential data—such as credit card numbers, addresses, and phone numbers—from unintended exposure by creating realistic, de-identified data internally or externally.
[Diagram: SecureSphere mapped onto the Database Platform – Database Firewall, Database Activity Monitor, Database UserRight Management, Database Assessment (6), SecureSphere Management (5), directory services, single / multi-factor authentication, data classification, realm partitioning, Vormetric persisted data and backup encryption, Audit Server with audit policies, alerts & reports, audit trail, auditing systems and audit database, Configuration & Vulnerability Manager, Informatica Persistent Data Masking into the staging database (7); admin user]
(1) DataBase firewall:
o A SQL grammar analysis engine that inspects SQL statements going to the database and determines with high accuracy whether to allow, log, alert, substitute, or block the SQL. Oracle Database Firewall supports white list, black list, and exception list based policies.
o Policies can be enforced based upon attributes, including SQL category, time of day, application, user, and IP address.
o Database Firewall events are logged to the Audit Vault Server, enabling reports to span information observed on the network alongside audit data.
(2) Database Vault:
o Implement preventive controls on privileged user access to application data.
o Control database access with multifactor policies that are based on built-in factors such as time of day, IP address, application name, and authentication method.
(3) Oracle Advanced Security Option (ASO) delivers encryption and data redaction capabilities, vital to protecting sensitive application data. ASO is composed of Transparent Data Encryption (TDE) and Data Redaction, which help prevent unauthorized access to sensitive information at the application layer, in the operating system, on backup media, and within database exports.
(4) Audit Vault:
o Consolidates audit data and logs generated by databases, operating systems, directories, file systems, and custom sources into a secure centralized repository.
o Information from the network is combined with detailed audit information for easy compliance reporting and alerting.
o The Audit Vault is the central, highly scalable and secure repository that stores the consolidated audit data as well as event logs generated by the Database Firewall.
o The Audit Vault is the central platform for reporting, alerting, and policy management.
[Diagram: Oracle mapped onto the Database Platform – (1) Oracle Database Firewall, (2) Database Vault for access control (roles, rules, data classification, realm partitioning) with directory services and single / multi-factor authentication, (3) Oracle Advanced Security Option (TDE, ASO) for persisted data and backup encryption, (4) Audit Vault Server with audit policies, alerts & reports, audit trail, auditing systems and audit database, Configuration & Vulnerability Manager, Data Masking & Subsetting into the staging database, Oracle Key Vault; admin user]
(5) DataMasking and Subsetting:
o Oracle Data Masking and Subsetting enables entire copies or subsets of application data to be extracted from the database, obfuscated, and shared with partners inside and outside of the business.
o The integrity of the database is preserved, assuring the continuity of the applications.
o Uses a template library and format rules, consistently maintaining referential integrity for applications.
(6) Oracle Key Vault:
o Centralizes keys in a secure and robust key management platform.
o Manages key lifecycle stages including creation, rotation, and expiration.
o Audits all access to keys and key lifecycle changes.
o It is optimized for managing Oracle Advanced Security Transparent Data Encryption (TDE) master keys.
[Diagram: Oracle mapped onto the Database Platform – Database Firewall, Database Vault, directory services, single / multi-factor authentication, data classification, realm partitioning, Oracle Advanced Security Option (TDE, ASO) for persisted data and backup encryption, Audit Vault Server with audit policies, alerts & reports, audit trail, auditing systems and audit database, Configuration & Vulnerability Manager, (5) Data Masking & Subsetting into the staging database, (6) Oracle Key Vault; admin user]
Data Base Security – Use cases
Data Base Firewall & Monitoring
• Monitoring of all the privileged activities, schema changes, creation and modification of accounts, roles and privileges.
• Monitoring of security exceptions such as failed logins and SQL errors, and data modification monitoring.
• Monitors database activity in real time and analyzes database traffic, looking for attacks at the protocol and OS level, as well as unauthorized SQL activity.
• A baseline of all user activity is established. When users perform unexpected queries or violate access policies, it alerts or blocks the access.
• It can be deployed in the network inline as a transparent bridge or sniffing only (monitor mode), or in the host with an agent.
[Diagram: network deployments – SQL traffic through a transparent bridge (inline) or sniffing only, in front of the database server host; host deployment – database protection agent on the server host]
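An added example, not from the deck or any product, of the allow-list DB firewall described under Data Base Protection (commands not previously approved are blocked, or only alerted on in monitor mode) and in this use case: statements are reduced to normalised fingerprints and matched against a baseline; the baseline statements and application names are constructed.

```python
"""SQL firewall: allow-list of approved statement shapes.

Added example, not from the deck: statements are reduced to a fingerprint
(literals replaced, comments dropped, whitespace and case normalised) so the
approved list matches a statement's grammar rather than its exact text.
Anything not on the list is blocked (inline bridge) or alerted (monitor
mode). The baseline below is constructed, as a learning phase would build it.
"""
import re
from dataclasses import dataclass
from typing import Dict, Set

_STRING = re.compile(r"'(?:[^']|'')*'")      # SQL string literal, '' escapes a quote
_NUMBER = re.compile(r"\b\d+(?:\.\d+)?\b")
_SPACE = re.compile(r"\s+")
_COMMENT = re.compile(r"--[^\n]*|/\*.*?\*/", re.S)


def fingerprint(sql: str) -> str:
    """Normalise a statement so approved shapes match regardless of literal values."""
    sql = _COMMENT.sub(" ", sql)
    sql = _STRING.sub("?", sql)
    sql = _NUMBER.sub("?", sql)
    return _SPACE.sub(" ", sql).strip().rstrip(";").lower()


@dataclass
class Decision:
    action: str      # "allow", "block" or "alert"
    reason: str


class SqlFirewall:
    def __init__(self, approved: Dict[str, Set[str]], mode: str = "block"):
        # approved: application name -> fingerprints learned during the baseline
        self.approved = approved
        self.mode = mode   # "block" for inline deployment, "alert" for monitor only

    def inspect(self, app: str, sql: str) -> Decision:
        fp = fingerprint(sql)
        if fp in self.approved.get(app, set()):
            return Decision("allow", "approved statement")
        # A comparison of two literals surviving normalisation (a tautology) or a
        # UNION the application never issues points at injected SQL rather than
        # at a new application feature; the reason helps the analyst triage.
        reason = "statement not in baseline"
        if re.search(r"\bor \? ?= ?\?", fp) or " union " in f" {fp} ":
            reason = "statement not in baseline; injection pattern"
        return Decision(self.mode, reason)


# Constructed baseline: what the order application normally sends.
BASELINE: Dict[str, Set[str]] = {
    "orders-app": {
        fingerprint("SELECT id, total FROM orders WHERE customer_id = 42"),
        fingerprint("UPDATE orders SET status = 'shipped' WHERE id = 7"),
    }
}
```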
Data Base Security – Use cases
• This prevents attackers from gaining access to sensitive information directly in physical storage.
• This is required for compliance when critical information is stored in the data base.
• It can be deployed in the network inline as a transparent bridge or sniffing only, or in the host with an agent.
Data redaction
• Data redaction is the modification on the fly of sensitive data in database query results prior to display by applications, so that unauthorized users cannot view the sensitive data.
• Data Redaction reduces exposure of sensitive information and helps prevent exploitation of application flaws that may disclose sensitive data in application pages.
Data masking
• With data masking, production data can be safely used for development, testing, or sharing with external development partners.
• Sensitive data is transformed while maintaining referential integrity and replaced with realistic values.
• Helps comply with data privacy regulations such as SOX and PCI.
Data Base Security – Use cases
[Diagram: Data Redaction – the value 555-346-786-667 held in the data file is displayed to a restricted user as &&%!hfgc%&%& (restricted user vs. OS user); Data Masking – the development data base holds the masked value 111-222-3333-444 for the developer]
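An added example (not from the deck) reproducing the slide's two cases for a constructed account number: on-the-fly redaction of query results for a restricted user, and deterministic, format-preserving masking for a development copy that keeps referential integrity between two tables; the masking key and the rows are constructed.

```python
"""Data redaction (on the fly, per user) vs. data masking (for a copy).

Added example, not from the deck. Redaction rewrites the query result for a
restricted user while the stored value is untouched; masking produces a
realistic, format-preserving replacement for a development copy, and does so
deterministically (keyed HMAC) so the same source value maps to the same
masked value in every table, which is what keeps referential integrity.
"""
import hashlib
import hmac
from typing import Dict, List

MASKING_KEY = b"constructed-masking-key"   # would live in a key vault

ROWS: List[Dict] = [   # constructed production table
    {"customer": "ana", "account_no": "555-346-786-667"},
    {"customer": "ben", "account_no": "555-111-222-333"},
]
TRANSFERS: List[Dict] = [   # second table referencing the same numbers
    {"from_account": "555-346-786-667", "amount": 120},
    {"from_account": "555-111-222-333", "amount": 80},
]
SENSITIVE_COLUMNS = {"account_no", "from_account"}


def redact(value: str) -> str:
    """Full redaction: same shape, no information left (cf. the slide's &&%!hfgc%&%&)."""
    return "".join("-" if ch == "-" else "*" for ch in value)


def query(rows: List[Dict], user_is_restricted: bool) -> List[Dict]:
    """Result-set rewrite a redaction policy applies before the application sees data."""
    if not user_is_restricted:
        return rows
    return [{k: redact(v) if k in SENSITIVE_COLUMNS else v for k, v in r.items()}
            for r in rows]


def mask(value: str) -> str:
    """Format-preserving and deterministic: digits replaced, dashes and length kept."""
    digest = hmac.new(MASKING_KEY, value.encode(), hashlib.sha256).hexdigest()
    digits = iter(str(int(digest, 16)))    # a long, key-dependent digit stream
    return "".join(next(digits) if ch.isdigit() else ch for ch in value)


def masked_copy(rows: List[Dict]) -> List[Dict]:
    """Build the staging / development copy: every sensitive column masked."""
    return [{k: mask(v) if k in SENSITIVE_COLUMNS else v for k, v in r.items()}
            for r in rows]


def referential_integrity_holds(customers: List[Dict], transfers: List[Dict]) -> bool:
    """Every transfer still joins to a customer row after masking."""
    accounts = {r["account_no"] for r in customers}
    return all(t["from_account"] in accounts for t in transfers)
```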
3.3 Security Logs Monitoring
A. Data Sources: IT Assets that generate Audit Events, hosted or not by Application Servers.
B. Audit Manager / SIEM: Core component to aggregate, normalize and monitor security events across a
[Diagram: (A) data sources – applications, platform, security, infrastructure – feeding audit control; (B) Audit Manager (audit data loader, event collector, audit records, search, report generator) and SIEM; consumers: IT Security, Information Security & Fraud, Audit, Intervention]
1. Audit events are stored in a common database (Audit Records), in order to:
2. An audit data loading component supports transformation and loading of events from files into the audit database.
3. All events or a filtered subset of events can be forwarded to the Information Manager and stored in the Data Base.
4. Correlation Rules describe the logic that is applied to an event or set of events to detect possible security concerns.
5. Security reporting and analysis: generation of reports customized for different consumers.
[Diagram: data sources (applications, platform, security, infrastructure) → audit control → (B) Audit Manager with audit data loader (2), audit records (1), event collector (3), search engine and report generator (5); SIEM with event correlation (4), incidents and dashboard; consumers: IT Security, Information Security & Fraud, Audit, Intervention, security administrators, Security Operation (SOC)]
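An added example, not from the deck, of one correlation rule of the kind item 4 describes, run over constructed events already normalised by the collector: an incident is raised when repeated failed logins from one source address are followed by a successful login from the same source within the window.

```python
"""A SIEM correlation rule run over constructed, normalised events.

Added example, not from the deck: events are already normalised into dicts
(what the audit data loader / event collector produce). The rule is the
classic brute-force-then-success pattern: N or more failed logins from one
source within a sliding window, followed by a successful login from that
source, raises an incident. All event values are constructed.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Optional

EVENTS: List[Dict] = [   # constructed; ts = seconds since epoch
    {"ts": 100, "src": "10.0.0.5", "user": "jsmith", "outcome": "failure"},
    {"ts": 110, "src": "10.0.0.5", "user": "jsmith", "outcome": "failure"},
    {"ts": 115, "src": "10.0.0.9", "user": "mlee", "outcome": "success"},
    {"ts": 120, "src": "10.0.0.5", "user": "admin", "outcome": "failure"},
    {"ts": 130, "src": "10.0.0.5", "user": "admin", "outcome": "failure"},
    {"ts": 131, "src": "10.0.0.5", "user": "admin", "outcome": "success"},
    {"ts": 900, "src": "10.0.0.7", "user": "mlee", "outcome": "failure"},
    {"ts": 910, "src": "10.0.0.7", "user": "mlee", "outcome": "success"},
]


class BruteForceRule:
    """Stateful rule: sliding window of failure timestamps per source address."""

    def __init__(self, threshold: int = 4, window_s: int = 300):
        self.threshold = threshold
        self.window_s = window_s
        self.failures: Dict[str, Deque[int]] = defaultdict(deque)

    def apply(self, event: Dict) -> Optional[Dict]:
        """Return an incident dict when the pattern completes, else None."""
        window = self.failures[event["src"]]
        # Expire failures that fell out of the window.
        while window and event["ts"] - window[0] > self.window_s:
            window.popleft()
        if event["outcome"] == "failure":
            window.append(event["ts"])
            return None
        if len(window) >= self.threshold:
            incident = {
                "rule": "brute-force-then-success",
                "src": event["src"],
                "user": event["user"],
                "failures": len(window),
                "ts": event["ts"],
                # Priority is an attribute the dashboard and SOC sort on.
                "priority": "high" if event["user"] == "admin" else "medium",
            }
            window.clear()
            return incident
        return None


def correlate(events: List[Dict], rule: BruteForceRule) -> List[Dict]:
    """Run events in time order through the rule and collect the incidents."""
    return [inc for ev in sorted(events, key=lambda e: e["ts"])
            if (inc := rule.apply(ev)) is not None]
```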
(1) ARCSIGHT SMARTCONNECTORS (AGENTS):
o SmartConnectors, hosted individually, or as part of an ArcSight Connector Appliance, are the interface to the objects on the network that generate correlation-relevant data on the network.
o Intelligently collect, pre-process and manage the transmission of event data to ensure high performance and complete information processing.
(2) ARCSIGHT MANAGER:
o This component drives ArcSight´s analyses, workflow and services. The ArcSight Manager is portable across a wide variety of operating systems and hardware platforms, and intelligently correlates output from a wide variety of security and security-relevant systems.
o The Manager evaluates and tags the events with network and actor modeling information, and priority levels.
(3) CORR ENGINE STORAGE:
o Events are stored in the CORR-Engine’s event retention period, where correlation operations take place, then copied daily into archives for long-term storage.
o The CORR-Engine consists of event storage and archiving, and system storage.
[Diagram: ArcSight mapped onto the security logs monitoring architecture – (A) data sources (applications, platform, security, infrastructure, SOA services) → audit control → (1) ArcSight SmartConnectors → (2) ArcSight Manager and (3) CORR Engine storage (audit data loader, event collector, audit records, search, report generator, event correlation); ArcSight Web, ArcSight Console, ArcSight Command Center (incidents, dashboard); consumers: IT Security, Information Security & Fraud, Audit, Intervention, security administrators, Security Operation (SOC)]
ESM – Enterprise Security Management
(4) CORR ENGINE:
o The Correlation Optimized Retention and Retrieval (CORR) Engine is a proprietary data storage and retrieval framework that receives and processes events at high rates, and performs high-speed searches.
(5) ARCSIGHT CONSOLE:
o ArcSight Console is designed specifically for security analysts, and provides the utmost in flexibility for intuitive administration, rich graphical views and in-depth investigation capabilities.
ARCSIGHT WEB:
o ArcSight Web brings role-relevant security situational
[Diagram: (A) data sources (applications, platform, security, infrastructure, SOA services, legacy systems) → audit control → ArcSight SmartConnectors → (B) Audit Manager / SIEM with audit data loader and report generator, ArcSight Web; IT Security]
[Diagram: ArcSight component overview – data sources → (1) SmartConnector, Connector Appliance, Flex Connector, Forwarding Connector → ArcSight Logger and (2) ArcSight Manager with active memory, CORR Engine and archive; user interfaces: ArcSight Console, ArcSight Web, ArcSight Command Center; NCM/TRM, ArcSight Compliance; consumers: IT Security, Information Security & Fraud, Audit, Intervention, incidents, security administrators]
DISCOVER, DISRUPT, DELIVER
IdM & Access Vulnerability &
DATA SOURCES
88
DISCOVER, DISRUPT, DELIVER
IdM & Access Vulnerability &
DATA SOURCES
89
DISCOVER, DISRUPT, DELIVER
ARCSIGHT NCM/TRM (OPTIONAL):
o ArcSight Network Configuration Manager and Threat Response Manager (NCM/TRM) is an appliance that builds and maintains a detailed understanding of your network's topology, enabling you to centrally manage your network infrastructure and respond instantly, even automatically, to incidents as they occur.
ARCSIGHT COMPLIANCE (OPTIONAL):
o The HP Compliance Insight Packages provide a suite of content that delivers log review and security monitoring, based on security compliance and audit best practices.
[Slide 90 figure: the same ArcSight deployment diagram, with NCM/TRM (7) and ArcSight Compliance (8) highlighted.]
RSA - SECURITY ANALYTICS
WAREHOUSE:
o Hadoop (distributed file system, scalable and portable) based distributed computing system which collects, manages, and enables advanced analytics and reporting on longer-term sets of various security data. The Warehouse can be made up of 3 or more nodes depending on the organization's analytic and resiliency requirements.
ARCHIVER:
o Indexes and compresses log data and sends it to archiving storage. The archiving storage is then optimized for long-term data retention through compression, forensic analysis, and compliance reporting.
DECODER:
o Captures, parses, and reconstructs all network traffic from Layers 2-7 or log and event data.
[Slide 91 figure: (A) Data Sources (Applications, Platform, Infrastructure, SOA Services, Legacy Systems) feeding (B) RSA Security Analytics; Warehouse (1) and Archiver (2) are highlighted against the platform's Audit Data Loader, Report Generator, Event Collector, Audit Records Storage, Search, Dashboard and Correlation; components Decoder, Concentrator, Archiver/Warehouse, Analytic Server/Broker, Event Stream Analysis Engine. Users: IT Security, Information Security & Fraud, Audit, Intervention, Security Administrators.]
RSA - SECURITY ANALYTICS
CONCENTRATOR:
o Indexes metadata extracted from network or log data and makes it available for enterprise-wide querying and real-time analytics while also facilitating reporting and alerting.
EVENT STREAM ANALYSIS ENGINE:
o Processes large volumes of disparate event data and brings meaning through correlation to the events flowing through your enterprise.
ANALYTIC SERVER/BROKER:
o Hosts the web server for reporting, investigation, administration, and other aspects of the analyst's interface. Bridges the multiple real-time data stores held in the various decoder/concentrator pairs throughout the infrastructure. Also enables reporting on data held in the Warehouse and in archived storage.
[Slide 92 figure: the same RSA Security Analytics mapping, with Concentrator (3), Event Stream Analysis Engine (4) and Analytic Server/Broker (5) highlighted. Users: IT Security, Information Security & Fraud, Audit, Intervention, Security Administrators, Incidents.]
[Slides 93-94 figure: RSA Security Analytics log architecture. Data Sources feed Log Collectors (1); Packet Decoder and Log Decoder (2); Concentrator (3); Broker; Security Analytics Server (Unified Dashboard, Administration, Investigation, Live, Reporting & Alerting); Archiver; Warehouse (DAC); IPDB; Event Stream Analysis (ESA, 5); Malware Analysis (6). Users: Security Administrators, IT Security, Information Security & Fraud, Audit, Intervention, Incidents.]
SECURITY ANALYTICS SERVER:
o The web server for reporting, investigation, administration, and other aspects of the analyst's interface. Also enables reporting on data held in the Warehouse.
ADMINISTRATION:
o Is the user interface for administering and monitoring appliances, devices, and services. When configured, appliances, devices, and services are available to other Security Analytics modules.
[Slide 95 figure: the same log architecture diagram, now including a Virtual Log Collector, with items 7, 8 (Security Analytics Server) and 10 (Administration) highlighted.]
WAREHOUSE:
o The Warehouse module is the user interface for searching and querying Warehouse devices.
[Slide 96 figure: the same log architecture diagram, with items 11, 12 and 13 (Warehouse) highlighted.]
[Slide 97 figure: the same log architecture diagram, with item 14 (Reporting & Alerting) highlighted.]
Critical capabilities
• Event correlation establishes relationships among messages or events that are generated by devices, systems or applications, based on characteristics such as the source, target, protocol or event type.
• A security event console should provide the real-time presentation of security incidents and events.
• This is important for threat management and for user activity monitoring.
Threat Intelligence
• Integration with data feeds to identify the latest threats, such as botnet and C&C communication detection and IP, URL and domain reputation data.
• Threat intelligence can be used for triage, incident response and threat assessment, increasing the success rate of early breach detection, and as context for enriching alerts and other monitoring data.
Behavior profiling
• Recognition of suspicious behavior and advanced threats by using a learning phase that builds profiles of normal activity for various event categories, such as network flows, user activity and server access.
• The platform analyzes the massive volume of log, flow and machine data generated every second against a baseline to discover anomalies in real time.
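The three capabilities above (correlation, threat-intelligence enrichment, baseline profiling) as an added worked example; this is illustrative code written for this page, not part of the deck or of any of the SIEM products it describes. It assumes a toy whitespace-separated event format, a constructed reputation feed keyed by destination IP, and per-user daily login counts as the profile learned in the training phase.

```python
"""Added example (not from the deck): event correlation, threat-intel enrichment and
baseline-based behaviour profiling run over constructed log lines.

Assumptions: a toy whitespace-separated record format; a hypothetical threat-intel
feed keyed by IP; per-user daily-login history as the learned baseline.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed events (not real traffic): ts src dst proto event user
SAMPLE_EVENTS = [
    "2014-09-29T10:00:01 10.1.1.5 10.2.2.9 tcp login_failure alice",
    "2014-09-29T10:00:03 10.1.1.5 10.2.2.9 tcp login_failure alice",
    "2014-09-29T10:00:05 10.1.1.5 10.2.2.9 tcp login_failure alice",
    "2014-09-29T10:00:07 10.1.1.5 10.2.2.9 tcp login_success alice",
    "2014-09-29T10:01:00 10.1.1.7 203.0.113.50 tcp outbound_connect svc_web",
    "2014-09-29T10:02:00 10.1.1.8 10.2.2.9 tcp login_success bob",
]
# Constructed reputation feed (TEST-NET-3 address, not a real indicator)
THREAT_INTEL = {"203.0.113.50": "botnet-c2"}
# Constructed baseline learned in a previous phase: daily login counts per user
LOGIN_HISTORY = {"alice": [3, 4, 3, 4, 3, 4, 3, 4, 3, 4], "bob": [5, 5, 5, 5]}

def parse(line):
    ts, src, dst, proto, event, user = line.split()
    return {"ts": ts, "src": src, "dst": dst, "proto": proto, "event": event, "user": user}

def correlate_bruteforce(events, threshold=3):
    """Correlation rule: >= threshold login failures followed by a success,
    keyed on (source, user). State is reset on each success."""
    failures = defaultdict(int)
    alerts = []
    for e in events:
        key = (e["src"], e["user"])
        if e["event"] == "login_failure":
            failures[key] += 1
        elif e["event"] == "login_success":
            if failures[key] >= threshold:
                alerts.append({"rule": "bruteforce_then_success", "src": e["src"],
                               "user": e["user"], "failures": failures[key]})
            failures[key] = 0
    return alerts

def enrich_with_threat_intel(events, feed):
    """Tag any event whose destination matches the reputation feed."""
    return [{"rule": "threat_intel_match", "src": e["src"], "dst": e["dst"], "tag": feed[e["dst"]]}
            for e in events if e["dst"] in feed]

def baseline_anomalies(history, today, z_threshold=3.0):
    """Flag users whose count today is more than z_threshold standard deviations above
    their learned mean. A floor on sigma avoids flagging tiny absolute changes."""
    anomalies = []
    for user, count in today.items():
        samples = history.get(user, [])
        if len(samples) < 2:
            continue  # still in the learning phase: no profile to compare against
        mu, sigma = mean(samples), max(pstdev(samples), 1.0)
        z = (count - mu) / sigma
        if z > z_threshold:
            anomalies.append({"rule": "behaviour_anomaly", "user": user, "today": count,
                              "baseline_mean": mu, "z": round(z, 2)})
    return anomalies

def run_pipeline(lines=SAMPLE_EVENTS, feed=THREAT_INTEL):
    events = [parse(line) for line in lines]
    return correlate_bruteforce(events) + enrich_with_threat_intel(events, feed)

if __name__ == "__main__":
    for alert in run_pipeline() + baseline_anomalies(LOGIN_HISTORY, {"alice": 12, "bob": 6}):
        print(alert)
```

The correlation rule keeps state per (source, user) rather than per source alone, so a shared NAT address does not merge unrelated users; the profiler deliberately stays silent for users without a learned baseline, which is the behaviour a console should surface as "learning" rather than "normal".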
• This capability establishes user and data context, and enables data access and activity monitoring.
• Functions include integration with IAM infrastructure to obtain user context and the inclusion of user context in correlation, analytics and reporting.
• The data access monitoring includes databases, File Integrity Monitoring and also integration with DLP functions.
Application Monitoring
• Integration with packaged applications, and an interface that allows customers to define log formats of unsupported event sources, and the inclusion of application and user context.
• The application log information can be enriched with WAF, web server, middleware and database logs.
Analytics
• Security event analytics are composed of dashboard views, reports and ad hoc query functions to support the investigation of user activity and resource access in order to identify a threat, a breach or the misuse of access rights.
• Big Data enables various capabilities, for instance forensics and the analysis of long-term historical trends. By collecting data on a large scale and analyzing historical trends, you would be able to identify when an attack started and what steps the attacker took to get hold of your systems.
• Compliance oriented deployments are simplified when the SIEM technology includes predefined and modifiable reports for user activity, resource access and model reports for specific regulations.
• Reporting capabilities should include predefined reports, as well as the ability to define ad hoc reports or use third-party reporting tools.
• Log management has become part of the standard of due care for many regulations, but it is important to define the security controls for access, deletion and modification of logs, and also the retention period of logs.
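The last point above (controls on modification and deletion of logs, plus a retention period) as an added worked example, written for this page and not taken from the deck or from any SIEM product: records are stored as a keyed hash chain so that any edit, deletion or reordering is detectable, and expiry is only ever applied from the head of the chain with a stored checkpoint. The key, the records and the retention window are constructed placeholders.

```python
"""Added example (not from the deck): tamper-evident log records and a retention purge.

Each stored record carries an HMAC-SHA256 over the previous link and its own content, so
editing, deleting or reordering any record breaks the chain at that point. The key is a
placeholder held by the log-management system, not by the systems that write logs;
the records are constructed."""
import hashlib, hmac, json
from datetime import datetime, timedelta

ARCHIVE_KEY = b"placeholder-archive-key"  # assumption: separate from any log producer's access
GENESIS = "0" * 64

SAMPLE_RECORDS = [  # constructed audit records
    {"ts": "2014-08-01T09:00:00", "user": "alice", "action": "read", "object": "/finance/q3.xlsx"},
    {"ts": "2014-09-20T11:30:00", "user": "bob", "action": "delete", "object": "/hr/payroll.csv"},
    {"ts": "2014-09-29T08:15:00", "user": "alice", "action": "modify", "object": "/finance/q3.xlsx"},
]

def _link_hash(prev_hash, record):
    payload = prev_hash.encode() + json.dumps(record, sort_keys=True).encode()
    return hmac.new(ARCHIVE_KEY, payload, hashlib.sha256).hexdigest()

def build_chain(records, checkpoint=GENESIS):
    """Append-only store: each link commits to the previous link's hash."""
    chain, prev = [], checkpoint
    for rec in records:
        h = _link_hash(prev, rec)
        chain.append({"record": dict(rec), "prev": prev, "hash": h})
        prev = h
    return chain

def verify_chain(chain, checkpoint=GENESIS):
    """Return (True, None) or (False, index of the first broken link)."""
    prev = checkpoint
    for i, link in enumerate(chain):
        if link["prev"] != prev or not hmac.compare_digest(link["hash"], _link_hash(prev, link["record"])):
            return False, i
        prev = link["hash"]
    return True, None

def purge_expired(chain, now, retention_days):
    """Retention control: only records older than the retention period, and only from the
    head of the chain, may be removed. Returns (remaining_chain, checkpoint) where the
    checkpoint is the last purged hash, which must be stored so the remainder stays verifiable."""
    cutoff = now - timedelta(days=retention_days)
    i = 0
    while i < len(chain) and datetime.fromisoformat(chain[i]["record"]["ts"]) < cutoff:
        i += 1
    return chain[i:], (chain[i - 1]["hash"] if i else GENESIS)

def demo():
    intact = build_chain(SAMPLE_RECORDS)
    edited = build_chain(SAMPLE_RECORDS)
    edited[1]["record"]["user"] = "carol"          # unauthorised modification
    deleted = build_chain(SAMPLE_RECORDS)
    del deleted[1]                                 # unauthorised deletion
    remaining, checkpoint = purge_expired(intact, datetime(2014, 9, 29, 12, 0), retention_days=30)
    return (verify_chain(intact), verify_chain(edited), verify_chain(deleted),
            len(remaining), verify_chain(remaining, checkpoint))

if __name__ == "__main__":
    print(demo())
```

Using an HMAC rather than a plain hash means a party who can rewrite the store but does not hold the key cannot recompute a consistent chain; the separation of that key from log producers is the access control the slide asks for, and the checkpoint is what makes a retention purge distinguishable from a deletion.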
[Figure: security analytics flow. Servers and external data feed the SIEM; results are produced by (1) Enhance Existing Security Systems With Canned Analytics, (2) Combine Data and Correlate Activity Using Custom or Ad Hoc Analytics, and (3) External Cyberthreat and Fraud Intelligence.]
[Slide 104 figure: SOA main components. External Service Consumers reach the API Gateway (1), which fronts the Enterprise Service Bus (2); the ESB connects Service Providers in the Corporate Application Environment (3) and Internal Consumers; the Identity Repository (4) backs access control.]
1 API Gateway: Gateway to expose, secure and manage any backend application, infrastructure or network system as an API.
2 Enterprise Service Bus: Software model used for designing and implementing communication between mutually interacting software applications in a service-oriented architecture.
3 Corporate Application Environment: Applications in J2EE or others.
4 Identity Repository: Repository to enforce the access control with authentication and authorization mechanisms.
Security in Service Oriented Architecture 3.4
Main Components
[Slide 105 figure: the SOA component diagram divided into zones. Untrusted Zone / Internet: External Service Consumers. DMZ: API Gateway (5). Trusted Zone / Internal Network: ESB (6), Service Providers in the Corporate Application Environment (7), Internal Consumers and the Identity Repository. Security is enforced at each zone boundary.]
5 Security in API Gateway: Security mechanisms MUST be implemented in the API Gateway to protect internal services from external accesses.
6 Security in Enterprise Service Bus: Security mechanisms MUST be implemented in the integration ESB but can be less restrictive.
7 Security in Corporate Application Environment: Security mechanisms CAN be implemented depending on the service.
Security in Service Oriented Architecture 3.4
Mapping with security products
[Slide 106 figure: product mapping onto the zoned SOA diagram. Untrusted Zone / Internet: External Service Consumers. DMZ: API Gateways (a) from IBM (DataPower), Axway or Oracle. Trusted Zone / Internal Network: Oracle Service Bus (OSB) with Oracle Web Services Manager (OWSM) (b), also enabled at the Service Provider endpoints in the Corporate Application Environment; Internal Consumers; Identity Management.]
a API Gateways from IBM, Axway or Oracle placed in the DMZ to protect services from 3rd party consumers.
b Oracle Web Services Manager (OWSM) is part of the Oracle SOA suite. It is a runtime that can be enabled in the Oracle Service Bus (OSB) and in the endpoints.
Security in Service Oriented Architecture – Use case
Protect a service published in the Oracle Service Bus without making changes either in the internal client or in the web service
Description
• The OWSM agent runtime must be deployed in the client and in the server (OSB).
• With a WS-Security Username token policy, a user and password are required to access the service.
• The OWSM Agent in the client modifies the SOAP message to insert the user name and password in the request.
• The OWSM Agent in the OSB validates the username and password and checks the authorization against the IdM infrastructure.
• Other authentication mechanisms can be used, such as X509 certificates, SAML and Kerberos.
[Slide 107 figure: Internal Consumer (OWSM Agent) sends a WS-Security request to the OSB (OWSM Agent), which forwards it to the Web Service; the OSB agent checks credentials against the Identity Repository.]
Security in Service Oriented Architecture – Use case
Prevent the web service from being accessed from a source other than the OSB
Description
• The OWSM agent runtime is also deployed in the web server where the service is running.
• An alternative would be to restrict the communication at network level so that only the OSB is able to connect to the end service.
• The OWSM agent in the OSB can do a credentials mapping. After a successful invocation from the internal consumer, the OSB can find matching credentials to authenticate to the Web Service.
• It is possible to require different authentication mechanisms at OSB and Web service level (i.e. require an X509 certificate at OSB layer and a Username token in the web service).
[Slide 108 figure: Internal Consumer (OWSM Agent) → WS-Security → OSB (OWSM Agent) → WS-Security → Web Service (OWSM Agent); a rogue consumer trying to reach the Web Service directly is rejected; the Identity Repository backs both checks.]
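The two use cases above (Username token inserted by the client agent and validated by the bus agent; credential mapping by the bus before calling the backend) as one added worked example. This is illustrative code written for this page, not OWSM or OSB code: the identity store, the credential map, the SOAP body and the clock skew limit are constructed placeholders, and the digest follows the WS-Security UsernameToken Profile 1.0 (Base64 of SHA-1 over nonce, created and password).

```python
"""Added example (not from the deck and not OWSM code): WS-Security UsernameToken
exchange. A client-side agent inserts a PasswordDigest token into the SOAP header;
a bus-side agent validates it (digest, freshness, replay) against an identity store,
then maps the caller to the credential the bus itself uses towards the backend.
Identity store, credential map and SOAP body are constructed."""
import base64, hashlib, hmac, os
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PW_DIGEST = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
B64 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
for prefix, uri in (("soapenv", SOAP), ("wsse", WSSE), ("wsu", WSU)):
    ET.register_namespace(prefix, uri)
FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed request body; the actual service operation is irrelevant to the token handling
SAMPLE_REQUEST = (f'<soapenv:Envelope xmlns:soapenv="{SOAP}"><soapenv:Body>'
                  '<getBalance><account>123</account></getBalance></soapenv:Body></soapenv:Envelope>')

def password_digest(nonce, created, password):
    """UsernameToken Profile 1.0: Base64(SHA-1(nonce + created + password))."""
    return base64.b64encode(hashlib.sha1(nonce + created.encode() + password.encode()).digest()).decode()

def add_username_token(envelope_xml, username, password, nonce=None, created=None):
    """Client agent: add wsse:Security/UsernameToken to the header without touching the body."""
    nonce = nonce or os.urandom(16)
    created = created or datetime.now(timezone.utc).strftime(FMT)
    root = ET.fromstring(envelope_xml)
    header = root.find(f"{{{SOAP}}}Header")
    if header is None:
        header = ET.Element(f"{{{SOAP}}}Header")
        root.insert(0, header)
    tok = ET.SubElement(ET.SubElement(header, f"{{{WSSE}}}Security"), f"{{{WSSE}}}UsernameToken")
    ET.SubElement(tok, f"{{{WSSE}}}Username").text = username
    ET.SubElement(tok, f"{{{WSSE}}}Password", Type=PW_DIGEST).text = password_digest(nonce, created, password)
    ET.SubElement(tok, f"{{{WSSE}}}Nonce", EncodingType=B64).text = base64.b64encode(nonce).decode()
    ET.SubElement(tok, f"{{{WSU}}}Created").text = created
    return ET.tostring(root, encoding="unicode")

class BusAgent:
    """Bus-side agent: validates the token and performs credential mapping."""
    def __init__(self, identity_store, credential_map, max_skew=timedelta(minutes=5)):
        self.identity_store = identity_store  # {username: password}; stands in for the IdM repository
        self.credential_map = credential_map  # {username: (service_user, service_password)}
        self.max_skew = max_skew
        self.seen_nonces = set()              # replay cache; a real agent expires entries after max_skew

    def validate(self, envelope_xml, now=None):
        now = now or datetime.now(timezone.utc)
        tok = ET.fromstring(envelope_xml).find(f".//{{{WSSE}}}UsernameToken")
        if tok is None:
            return False, "no UsernameToken"
        user, digest = tok.findtext(f"{{{WSSE}}}Username"), tok.findtext(f"{{{WSSE}}}Password")
        nonce_b64, created = tok.findtext(f"{{{WSSE}}}Nonce"), tok.findtext(f"{{{WSU}}}Created")
        if None in (user, digest, nonce_b64, created):
            return False, "incomplete token"
        created_at = datetime.strptime(created, FMT).replace(tzinfo=timezone.utc)
        if abs(now - created_at) > self.max_skew:
            return False, "stale token"
        if nonce_b64 in self.seen_nonces:
            return False, "replayed nonce"
        password = self.identity_store.get(user)
        expected = password_digest(base64.b64decode(nonce_b64), created, password or "")
        if password is None or not hmac.compare_digest(digest, expected):
            return False, "bad credentials"
        self.seen_nonces.add(nonce_b64)
        return True, user

    def map_credentials(self, user):
        """After a successful call from the internal consumer, pick the credential the bus
        presents to the backend; the consumer's own secret never leaves the bus."""
        return self.credential_map.get(user)

def demo(now=datetime(2014, 9, 29, 10, 0, tzinfo=timezone.utc)):
    agent = BusAgent({"app_consumer": "s3cret"}, {"app_consumer": ("osb_svc", "osb-placeholder")})
    signed = add_username_token(SAMPLE_REQUEST, "app_consumer", "s3cret", b"\x01" * 16, now.strftime(FMT))
    first = agent.validate(signed, now)
    replay = agent.validate(signed, now)
    stale = agent.validate(signed, now + timedelta(hours=1))
    forged = add_username_token(SAMPLE_REQUEST, "app_consumer", "guess", b"\x02" * 16, now.strftime(FMT))
    return first, replay, stale, agent.validate(forged, now), agent.map_credentials("app_consumer")
```

The freshness and nonce checks are what make the digest form of the token worth using over the plaintext form: without them a captured header can be resent indefinitely even though the password itself is never on the wire. The backend credential returned by `map_credentials` is the one the second use case describes, so the web service only ever has to trust the bus's identity, not every internal consumer's.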
Security in Service Oriented Architecture – Use case
Protect the access to an internal service that must be accessed from an external 3rd party
Description
[Slide 109 figure: External Consumer → REST/OAuth 2.0 → API Gateway → WS-Security → OSB → WS-Security → Web Service (OWSM Agent); the Identity Repository backs the checks.]
Security in Service Oriented Architecture – Use case
Propagation to the end service of the identity of the consumer that initiates the transaction
Description
• In cases where the Web service requires the identity of the user that initiated the transaction, a SAML token should be used.
• Users authenticate in the Web application using their login/password.
• The Web Access Management plugin that acts as a Policy Enforcement Point (PEP) controls the access to the web application.
• When access has been granted to the application, the OWSM Agent can generate a SAML token to invoke the service in the OSB. The SAML token identifies the original user that was authenticated.
• The OSB invokes the web service including the SAML token in the message.
[Figure: Browser → user credentials → Web Server (WAM PEP, OWSM Agent) → SAML → OSB (OWSM Agent) → SAML → Web Service (OWSM Agent); Identity Repository.]
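The identity propagation described above as an added worked example, written for this page and not OWSM code: the web-tier agent issues a minimal SAML 2.0 assertion naming the authenticated user, and the backend service validates issuer, validity window and audience before trusting the NameID. One simplification is labelled in the code: the assertion is authenticated with an HMAC over its serialized form in place of the XML-Signature with an X.509 key that real deployments use, and the issuer and audience URNs are placeholders.

```python
"""Added example (not from the deck, not OWSM code): minimal SAML 2.0 assertion carrying
the authenticated user's identity from the web tier to the backend service, plus its
validation. Simplification: the assertion is authenticated with an HMAC over its serialized
form instead of XML-Signature with X.509; issuer key and URNs are placeholders."""
import hashlib, hmac
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml", SAML)
ISSUER_KEY = b"placeholder-shared-key"   # assumption: shared by the issuing agent and the backend
FMT = "%Y-%m-%dT%H:%M:%SZ"

def _ts(dt):
    return dt.strftime(FMT)

def issue_assertion(user, issuer, audience, now, lifetime=timedelta(minutes=5)):
    """Web-tier agent: after the WAM PEP has granted access, assert who the user is."""
    a = ET.Element(f"{{{SAML}}}Assertion", Version="2.0",
                   ID="_" + hashlib.sha1(f"{user}{_ts(now)}".encode()).hexdigest(), IssueInstant=_ts(now))
    ET.SubElement(a, f"{{{SAML}}}Issuer").text = issuer
    subj = ET.SubElement(a, f"{{{SAML}}}Subject")
    ET.SubElement(subj, f"{{{SAML}}}NameID",
                  Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified").text = user
    cond = ET.SubElement(a, f"{{{SAML}}}Conditions", NotBefore=_ts(now), NotOnOrAfter=_ts(now + lifetime))
    ET.SubElement(ET.SubElement(cond, f"{{{SAML}}}AudienceRestriction"), f"{{{SAML}}}Audience").text = audience
    ET.SubElement(a, f"{{{SAML}}}AuthnStatement", AuthnInstant=_ts(now))
    xml = ET.tostring(a, encoding="unicode")
    tag = hmac.new(ISSUER_KEY, xml.encode(), hashlib.sha256).hexdigest()  # stand-in for XML-DSig
    return xml, tag

def validate_assertion(xml, tag, expected_issuer, expected_audience, now):
    """Backend service: check integrity, issuer, validity window and audience, then return the NameID."""
    if not hmac.compare_digest(tag, hmac.new(ISSUER_KEY, xml.encode(), hashlib.sha256).hexdigest()):
        return None, "bad signature"
    a = ET.fromstring(xml)
    if a.findtext(f"{{{SAML}}}Issuer") != expected_issuer:
        return None, "unexpected issuer"
    cond = a.find(f"{{{SAML}}}Conditions")
    not_before = datetime.strptime(cond.get("NotBefore"), FMT).replace(tzinfo=timezone.utc)
    not_on_or_after = datetime.strptime(cond.get("NotOnOrAfter"), FMT).replace(tzinfo=timezone.utc)
    if not (not_before <= now < not_on_or_after):
        return None, "outside validity window"
    audiences = [e.text for e in cond.iter(f"{{{SAML}}}Audience")]
    if expected_audience not in audiences:
        return None, "audience mismatch"
    return a.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID"), "ok"

def demo():
    now = datetime(2014, 9, 29, 10, 0, tzinfo=timezone.utc)
    issuer, audience = "urn:example:web-tier", "urn:example:backend-service"  # placeholders
    xml, tag = issue_assertion("alice", issuer, audience, now)
    return (validate_assertion(xml, tag, issuer, audience, now + timedelta(minutes=1)),
            validate_assertion(xml, tag, issuer, audience, now + timedelta(minutes=10)),
            validate_assertion(xml.replace("alice", "bob"), tag, issuer, audience, now),
            validate_assertion(xml, tag, issuer, "urn:example:other-service", now))

if __name__ == "__main__":
    print(demo())
```

The audience restriction is the check most often skipped in practice: without it a token minted for one backend can be replayed to any other service that trusts the same issuer, which defeats the point of propagating the original user rather than the bus identity.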
Protection of the message content end to end: from external consumer to the backend service
Description
[Slide 111 figure: External Consumer → XML-Signature / XML-Encryption → API Gateway → XML-Signature / XML-Encryption → OSB (OWSM Agent) → XML-Signature / XML-Encryption → Web Service (OWSM Agent); Identity Repository.]
Security in Service Oriented Architecture – Use case
Description
• When accessing external services, the security requirements depend on the 3rd party.
• Using the API Gateway, these requirements can be met while offering a homogeneous access mechanism on the internal side.
• On the internal side, a WS-Security authentication policy based on Username token can be applied to control which internal services can contact external services.
• The API Gateway has access to the credentials needed to connect to the remote service.
• After the API Gateway has authenticated the request, it applies a security policy to comply with the 3rd party security requirements.
[Slide 112 figure: Identity Repository; the rest of the diagram is not recoverable from the text.]
4
Conclusions
o Evolve further the Security Architecture to:
  - Align with IT Global Architecture Blueprint.
  - Extend with Telefonica Operational context.
  - Apply to specific environments / scenarios (e.g. Full Stack).
o Apply the Security Architecture to:
  - Check its applicability based on the criticality of the services / information supported by IT systems.
  - Self-assess and derive a Gap Analysis by matching current security capabilities with reference to the security architecture.