Choosing the Best Business Intelligence Security Model for Your App

Choosing the Best Security Model for Your App Steve Morecraft

Upload: logi-analytics

Post on 06-Jan-2017


TRANSCRIPT

Page 1: Choosing the Best Business Intelligence Security Model for Your App

Choosing the Best Security Model for Your App

Steve Morecraft

Page 2: Choosing the Best Business Intelligence Security Model for Your App

#Logi16

ABOUT ME

Steve Morecraft
Technical Manager for Europe, Middle East and Africa, Logi

Claim to fame: Went to school with Oscar-winning actor Colin Firth

Page 3: Choosing the Best Business Intelligence Security Model for Your App

WHAT WE ARE GOING TO LEARN TODAY

1. Categorize the various security needs we experience in the field and learn how to select the best approach for your application
2. Learn how to implement a solution that meets requirements
3. Hear and see detail from John Fuller of Ironclad Technology Services on two implementations that meet specific needs

Page 4: Choosing the Best Business Intelligence Security Model for Your App

SECURITY NEEDS

Understanding Your Requirements

Page 5: Choosing the Best Business Intelligence Security Model for Your App

The Core Three A’s of Security

• Authentication – determine the user’s identity
• Authorization – assign roles to the user to allow implementation of rights in the application
• Auditing or Accounting – keeping track of what happens when an application is used

Page 6: Choosing the Best Business Intelligence Security Model for Your App

Four Broad Authentication Requirement Categories

In order of simplicity of needs we experience:
• Standalone
• Integrated Authentication and Centralized SSO
• Federated Single Sign-On
• Embedded

Page 7: Choosing the Best Business Intelligence Security Model for Your App

Standalone Authentication

Page 8: Choosing the Best Business Intelligence Security Model for Your App

Standalone Authentication

• What is it? Logi Info Server manages its own user credentials
• Why Would I Use It?
  – When integration with other systems is not required, but the Logi application needs to include user authentication, authorization and auditing
• Considerations:
  – Multiple user names and passwords for different systems
  – Source of user credentials, assigned roles and rights typically stored in a relational database or directory service
  – Normally prompt user for credentials
  – Roles and rights to be adopted by the authenticated user are controlled in Logi Info

Page 9: Choosing the Best Business Intelligence Security Model for Your App

Integrated Authentication & Centralized SSO

Page 10: Choosing the Best Business Intelligence Security Model for Your App

Integrated Authentication & Centralized SSO

• What is it? Logi Info Server is integrated into an existing infrastructure so user management and authentication can be carried out in the same way as for current systems.
• Why Would I Use It?
  – For an internal use case using, for example, Integrated Windows Authentication and Active Directory group membership for roles
• Considerations:
  – All user administration can be carried out using standard networking tools
  – Authorization roles can be defined in the infrastructure and used to implement rights in the Logi application

Page 11: Choosing the Best Business Intelligence Security Model for Your App

Federated Single Sign-On

Page 12: Choosing the Best Business Intelligence Security Model for Your App

Federated Single Sign-On

• What is it?
  – Users can access multiple systems and resources following a single login to an identity provider
• Why Would I Use It?
  – Scenario where Single Sign-On has been deployed in an enterprise or to support a product
  – Examples: PingOne, Windows Identity Foundation
• Considerations:
  – The Logi system will likely need to be included as a target resource, which will require configuration and some customization
  – Roles and rights can be defined inside or outside the SSO system

Page 13: Choosing the Best Business Intelligence Security Model for Your App

Embedded Authentication

Example: Embedded Security

Trusted

Page 14: Choosing the Best Business Intelligence Security Model for Your App

Embedded Authentication

• What is it? Logi Info is contained within a web application or portal, using the user identity and roles that have been assigned in the hosting application
• Why Would I Use It?
  – Embed dashboards, reports and analytics into a commercial or internal web application
  – Allows for control over the application experience
• Considerations:
  – Re-uses the hosting web application’s own user and rights management system
  – Requires some work upfront to set it up
  – Authorization roles and rights can be defined in the hosting web application and implemented in Logi

Page 15: Choosing the Best Business Intelligence Security Model for Your App

Auditing

• Audit Trail
  – Mostly for security assurance
  – Can provide usage confirmation
• Usage Data
  – Can be used to build metrics
  – Data can be used for performance tuning

Page 16: Choosing the Best Business Intelligence Security Model for Your App

Our Recommendation

How Logi Tackles Each Security Model

Page 17: Choosing the Best Business Intelligence Security Model for Your App

IMPLEMENTATION OF SECURITY

• Logi Info Security Element allows:
  – Authentication sources
  – Authorization through separate User Roles and User Rights
• Logi Info Event Logging Element allows processes to record:
  – Authenticate User, Build Report, RunSP, RunSQL
  – Can also run processes to record other user activities

Page 18: Choosing the Best Business Intelligence Security Model for Your App

STANDALONE SECURITY

Use Logi Standard Security Mode

• Present the user with a login form based on the Logi sample
• Can use server-side code behind the login form or just collect credentials
• Authenticate using a data layer such as a stored procedure, web service, plugin, etc.
• Resolve roles and rights using data layer queries
• Samples on DevNet
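The data-layer steps listed on this slide (authenticate, then resolve roles and rights, with each attempt recorded for auditing), as an added example that is not Logi or DevNet sample code. The schema, table names, sample users and the PBKDF2 iteration count are assumptions made for illustration; SQLite stands in for the relational database.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 200_000        # PBKDF2 work factor (assumed value)
_DUMMY_SALT = b"\0" * 16    # used when the user name is unknown

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def build_demo_db():
    """Constructed sample data; every table and column name is hypothetical."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users(username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB, enabled INTEGER);
        CREATE TABLE user_roles(username TEXT, role TEXT);
        CREATE TABLE role_rights(role TEXT, right_id TEXT);
        CREATE TABLE audit_log(ts TEXT DEFAULT CURRENT_TIMESTAMP, username TEXT, event TEXT);
    """)
    for name, pw, enabled in [("alice", "correct horse", 1), ("bob", "hunter2", 0)]:
        salt = os.urandom(16)
        db.execute("INSERT INTO users VALUES (?,?,?,?)",
                   (name, salt, hash_password(pw, salt), enabled))
    db.executemany("INSERT INTO user_roles VALUES (?,?)", [("alice", "Analyst"), ("bob", "Admin")])
    db.executemany("INSERT INTO role_rights VALUES (?,?)",
                   [("Analyst", "ViewSales"), ("Analyst", "ExportPdf"), ("Admin", "ManageUsers")])
    return db

def authenticate(db, username, password):
    """Return (roles, rights) for valid credentials, else None; every attempt is audited."""
    row = db.execute("SELECT salt, pw_hash, enabled FROM users WHERE username = ?",
                     (username,)).fetchone()
    salt, stored, enabled = row if row else (_DUMMY_SALT, b"", 0)
    # Hash even for unknown users so response time does not reveal which names exist.
    ok = hmac.compare_digest(hash_password(password, salt), stored) and bool(enabled)
    db.execute("INSERT INTO audit_log(username, event) VALUES (?,?)",
               (username, "LoginOK" if ok else "LoginFailed"))
    if not ok:
        return None
    roles = [r[0] for r in db.execute(
        "SELECT role FROM user_roles WHERE username = ? ORDER BY role", (username,))]
    rights = [r[0] for r in db.execute(
        "SELECT DISTINCT rr.right_id FROM user_roles ur JOIN role_rights rr ON rr.role = ur.role "
        "WHERE ur.username = ? ORDER BY rr.right_id", (username,))]
    return roles, rights
```

All queries bind the user name as a parameter, so text typed into the login form is never concatenated into SQL, and rights are derived from roles in the data layer rather than supplied by the client.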

Page 19: Choosing the Best Business Intelligence Security Model for Your App

INTEGRATED SECURITY AND CENTRALIZED SSO

Configure the web application server to authenticate using the same settings as other web applications in the infrastructure

• Configure web application to authenticate users
• For example, Windows Authentication
• Use AuthNT security mode for Logi Info
• Get user’s roles from directory service such as Active Directory
• Resolve user’s rights from roles

Page 20: Choosing the Best Business Intelligence Security Model for Your App

FEDERATED SINGLE SIGN-ON

Two main alternatives

• Configure the Logi application to use the SSO system natively
  - Use AuthSession security mode
  - Include SSO libraries in project, use SSO functions in custom login page to extract user name and other important security data to set session variables
  - Or implement by Plugin
• Use embedded security SecureKey from a web application already SSO enabled

Page 21: Choosing the Best Business Intelligence Security Model for Your App

EMBEDDED SECURITY

Logi SecureKey provides the best approach in the majority of scenarios, especially if the hosting system is on a different machine or different platform

• Pass parameters securely from hosting server as session variables
• Can pass user name, roles, and rights directly from application session
• Integrated fully with embedded reports API
• Fully documented with sample code on DevNet

Page 22: Choosing the Best Business Intelligence Security Model for Your App

USING LOGI

John Fuller, Ironclad Technology Services

Page 23: Choosing the Best Business Intelligence Security Model for Your App

ABOUT ME

John Fuller
Business Intelligence Developer
IRONCLAD TECHNOLOGY SERVICES

Page 24: Choosing the Best Business Intelligence Security Model for Your App

CORPORATE SNAPSHOT

Quick Facts
• Founded in January 2008
• Consulting/Professional services for Government CFOs, CIOs, Supply Chain Managers, and other Senior Decision Makers
• Offices in Virginia Beach, VA (HQ), Tampa, FL, and Arlington, VA
• 150+ employees in 17 states and overseas
• TS facility clearance, 91% cleared workforce
• Leveraging the Logi Analytics platform over the past 4 years to build applications for Government customers

Core Competencies
• Big Data & Business Analytics
• Software Development
• Supply Chain/Logistics
• Information Assurance
• Enterprise Resource Planning (ERP)
• Enterprise IT Support
• Intelligence Support

Page 25: Choosing the Best Business Intelligence Security Model for Your App

IRONCLAD APPLICATION

Two Examples
1. Standalone Security
2. Single Sign-On

Page 26: Choosing the Best Business Intelligence Security Model for Your App

1. SECURITY REQUIREMENTS

• User level authentication
  - Standard username and password login
• User level authorization on both a screen level and individual element level
  - Roles and rights defined for each user
• User auditability for user input screens
  - Track user activity on a transaction level for reporting and auditability

Page 27: Choosing the Best Business Intelligence Security Model for Your App

1. SECURITY SOLUTION: AUTHENTICATION

• Utilize Logi’s Standard security option
  – Use the Logi-supplied logon page or apply simple HTML code modifications to customize the logon page
  – Write a simple database stored procedure to authenticate the user and determine rights/roles based on a user table

Page 28: Choosing the Best Business Intelligence Security Model for Your App

1. SECURITY SOLUTION: AUTHORIZATION

• Use the roles and rights retrieved from the Standard security child elements coupled with the database stored procedure to easily control authorization throughout the application
• Use the Security Right ID attribute to control user authorization
  - Applicable to entire Logi reports
  - Applicable to specific elements on any given report
• Individual records in data table elements can also be restricted by including the UserRoles~ and UserRights~ tokens within the SQL queries feeding the reports

Page 29: Choosing the Best Business Intelligence Security Model for Your App

1. SECURITY SOLUTION: AUDITABILITY

• Use the @Function.UserName~ token coupled with Logi Processes and database user stored procedures to track user activity

Page 30: Choosing the Best Business Intelligence Security Model for Your App

2. SECURITY REQUIREMENTS - SSO

• User level authentication
  - DoD Common Access Card (CAC) login
• User level authorization on both a screen level and individual element level
  - Roles and rights defined for each user
• User auditability for user input screens
  - Track user activity on a transaction level for reporting and auditability

Page 31: Choosing the Best Business Intelligence Security Model for Your App

2. SECURITY REQUIREMENTS - SSO

• Export functionality, file management and security for user-generated files
  – Populate and retain Adobe .pdf and MS Excel templates with user input data

Page 32: Choosing the Best Business Intelligence Security Model for Your App

2. SECURITY SOLUTION SSO

• Authentication
  – Build, configure and deploy a custom CAC-enabled login process to feed into Logi’s AuthSession security option
• Authorization
  – Use the roles and rights retrieved from the AuthSession security child elements coupled with a database stored procedure to easily control authorization throughout the application

Page 33: Choosing the Best Business Intelligence Security Model for Your App

2. SECURITY SOLUTION SSO

• Auditability
  – Use the @Function.UserName~ token coupled with Logi Processes and database user stored procedures to track user activity

Page 34: Choosing the Best Business Intelligence Security Model for Your App

2. SECURITY SOLUTION SSO

• File Management and Security
  – Build a file management system with built-in Logi elements coupled with database code
  – The custom CAC-enabled login process along with the AuthSession Logi security option secures the entire Logi application, including user-generated files not associated with the Logi software

Page 35: Choosing the Best Business Intelligence Security Model for Your App

SSO EXAMPLE – HOW IT WORKS

Page 36: Choosing the Best Business Intelligence Security Model for Your App

IRONCLAD: LESSONS LEARNED

The built-in Logi security options are easy to use and provide a very high level of control

The Standard security option requires very little configuration and can be used for securing applications that do not generate new files within the application

Page 37: Choosing the Best Business Intelligence Security Model for Your App

IRONCLAD: LESSONS LEARNED

Custom-built Single Sign-On processes securing the entire application folder can be plugged into Logi applications using the AuthSession option.

This approach is best used for applications that provide the functionality for users to generate new files. The custom security layer secures the entire application while Logi handles the authentication through its built-in elements.

Page 38: Choosing the Best Business Intelligence Security Model for Your App

Extensible Solution

The Logi Info product provides a flexible and extensible means of meeting your application’s security needs

Page 39: Choosing the Best Business Intelligence Security Model for Your App

Questions?

Contact our Professional Services team, Expert On-Demand or your Logi Analytics Partner.