Fast Deployment of IAM (‘AAA’) in Certificate – based Contexts
eID and eTrust SiteMinder
Coexistence
Ir. Guy Duray
Business Technologist
© 2005 Computer Associates International, Inc. (CA). All trademarks, trade names, services marks and logos referenced herein belong to their respective companies.
Agenda
CA, EIM & Security
Certificates, PKI & the eID
Challenges of eID implementations
eTrust SiteMinder as an approach for fast deployment
Other Security functions of importance
Q&A
Thank You and further sessions
Management Software @ CA
Enterprise Infrastructure Management
Simplifies Management
Increases Utilization
Real-time & On-Demand
Aligns IT with Business
The Problem is Growing
Partners
Customers
Contractors
Hackers
Malware
Spam
eTrust Security Management
Partners
Customers
Contractors
Hackers
Malware
Spam
eTrust™ Security Management Solutions
Security Management: Who has access to what? What is happening in your environment? How to address it?
Enabled by world-class research team
Integration with Network and Systems management
On-Demand Security Management
Brave New World…
Is this really a dog? Do we know this dog? Who’s backing this dog?
Information Evolution

Paper Based Information              Electronic Information
Signature Recognition                Electronic Signatures
Physical Representation              Disks and Archives ?
Physical Ownership                   Logical Ownership
Legally Supported                    Sometimes
Publicly Entrenched                  Evolving
Supported by Forensic Testing        ?????

ie Socially and Legally Accredited System
Some way to go…
Certificates & PKI are the only technologies able to deliver:
• User Authentication (true~)
• Communications Confidentiality
• Transaction Integrity
• Non-Repudiation
PKI implementations have long (…) stayed at trial stage
PKI has always been perceived as complex … and costly
But
Companies (now) look upon strong authentication differently
Solution providers brought along technologies that really address their client needs
The Solution Suite Pendulum…
Quotes…
GLOBAL - DISTRIBUTED
• Online User Identification
• Online User - Service Profiles
• Instant, scalable User recognition
• Customer Self Management
• Proof of Identity to Others
• Proof of Warrantee to Others
• Proof of Payment to Others
• Users Can Find Each Other
• Business Relationships
• Product and Service Catalogues
• Multiple CA/PKI Regimes
• Virtual Private Groups
Why a PKI and Directory Service
This is a business information system design issue - not a protocol spec!
How Does PKI Work?
[Diagram: a credit card ("A MERRY CAN X PRESS", number 1234 56789 12345, valid 07/96 THRU 06/99, cardholder JOHN SMITH, issuer CREDIT CO PTY LTD, PIN 12345678) used as an analogy for the fields of a certificate]
Certificate fields:
• Issuer Name
• Issuer Key Material
• Subject Name
• Subject Key Material
• Validity Dates
(sometimes with a PIN)
Issuer and Subject Names are Directory System Names
Vulnerabilities in Today’s Apps/RDBMS Architectures
[Diagram: Web Client -> Web Server -> App Servers -> DB Server, and App Client -> DB, with the numbered vulnerabilities below marked on each link and tier]
1. Unauthorized access to transactions
2. Eavesdropping
3. Unauthorized access to app servers
4. Attacks on server availability
5. Unauthorized access to app data
6. Unprotected database
7. Database availability
…
Organisational Application of Directories & PKI
[Diagram: two credit-card style certificates (the "A MERRY CAN X PRESS" card from the PKI slide) exchanged between users: User to User - Digital Proof]
Services Offered:
• Office Automation, Directories and LDAP Servers
• WEB enabled Databases for Service Delivery
• Credit Card authentication
• White, Blue, Green, Yellow Page Services, Document Mgt and Catalogues
• Customer / User Services and Application Environments (VISP-env)
• True Business Services (Digital Signatures, Certificates - Identity and Warrantee services)
Internal Systems -> Customer Facing -> Customer Services and Management
Customer’s Electronic Wallet
Small Scale (Proprietary) integrated with Distributed Large Scale (Standard)
But What Is An Infrastructure?
What is Infrastructure?• It’s roads, power grids, water supply and sewers. Things you need in life but you personally may not want to think about too much.
Secure Transactions : Business Challenges
[Diagram: a certificate holder facing Web Application Servers, Portals, Apps, DBs and OS’es, with a "?" on how the certificate is used by each]
Maximize the added-value of PKI
• Enforce Strong Authentication
• Use Digital Certificates
• Unify the Authentication process around the certificate, independently of the accessed application and independently of the user’s location
Minimize Risks and Costs
• Avoid modifying applications (the hidden face of the PKI Iceberg)
• What did a user do? How do I audit across multiple applications?
Put challenges in the eID Context
Citizen – Enterprises (+++) – Government (+++)
Provide Fast Deployed Authentication services Authorization services Auditability Non Repudiation
Provide exits to workflow (provisional)
Provide Federation
[Diagram: eID client and authentication server components]
CLIENT:
• Smart Card in a Smart Card Reader, accessed through PC/SC
• eID Run Time (Application Client Side), connected to the agent over IPC
• eTrust SiteMinder Agent / eTrust TransactionMinder Agent
AUTHENTICATION SERVER:
• eTrust SM Policy Server & OCSP Responder
• Directory / Certificate Manager (XML, LDAP)
• eTrust Infrastructure
• Other ID (eTrust) Services
The Application Silo Challenge
High security administration costs
Expensive coding and maintenance
Poor user experience
[Diagram: the same person known as J_Doe1211960, A23JJ4, John Doe, John_D, Johnd and a Mobile Phone identity across the silos below]
Application Layer: CRM, ERP, HR, Partner Extranet, SCM, Customer Self-Service, E-Commerce
Security Layer
User Store: SQL 2000, SunONE LDAP, Oracle OID, Oracle RDBMS, Active Directory, Oracle, PKI Cert, LDAP
Operating System
Users: Employees, Partners, Customers
No centralized security enforcement
No standardized security process
No central auditing capability
The Solution
[Diagram: the same application stack, now with eTrust™ SiteMinder® as the single security layer in front of all applications]
Application Layer: CRM, ERP, HR, Partner Extranet, SCM, Customer Self-Service, E-Commerce
Security Layer: eTrust™ SiteMinder®
User Store: SQL 2000, SunONE LDAP, Oracle OID, Oracle RDBMS, Active Directory, Oracle LDAP
Operating System
Users: Employees, Partners, Customers
Reduced administrative costs
Reduced development costs
Single sign-on & sign-off
Faster application deployment
Increased overall system security
Meet regulatory requirements
eTrust™ SiteMinder®
[Diagram: capability wheel]
• Broad Platform Support
• Federation Security Services
• Authorization Management
• Auditing & Reporting
• Authentication Management
• Single Sign-On
• Enterprise Manageability
• Open & Extensible
• High Performance Architecture
eTrust™ SiteMinder® Key Features
• Authentication management & multiple authentication scheme support: levels, fallbacks, chaining of PKI, passwords & more
• Centralized, policy-based authorization management
• Robust federated single sign-on environment: agent & proxy-based, comprehensive SAML platform, Passport, Kerberos
• Extensive integration: directories, application servers, Web servers, RDBMS, & ERP applications
• Proven scalability, reliability, & availability
• Enterprise-class manageability with full auditing & reporting
Product family:
• Provisioning & User Administration: eTrust™ IdentityMinder®, eProvision™
• Access Control & Management: eTrust™ SiteMinder®
• Web Services: eTrust™ TransactionMinder®
eTrust™ SiteMinder®: market-leading access management solution for Web-based applications
SiteMinder in Action
[Diagram: numbered request flow (steps 1 to 7) between the user, a Web Server with Agent, a Secure Proxy Server, a Destination Web Server, the Policy Server and the User & Entitlement Stores]
User & Entitlement Stores: LDAP, RDBMS, Mainframe, NT Domain, PKI
Users: Employees, Partners, Customers
Secured Applications: Customer Service, Supply Chain, Intranet
Policy Server
Key Features
Native Directory Enablement
Single Sign-On for Microsoft Applications, Proxy implementations, Application Servers, OS 390 Applications (ERPs, Groupwares)
Password Management
Authorization Management
Federation
Manageability
High Performance & Availability
Openness
Single Sign-On: Application Server Environment
[Diagram: Users pass through Firewalls to a Web Server and a J2EE Application Server, both controlled by the eTrust™ SiteMinder® Policy Server, which consults the User & Entitlement Stores; behind them sit Web Apps, ERP/CRM, J2EE Apps and Backend Resources]
J2EE Application Server Agents: IBM WebSphere & BEA WebLogic
• Enables SSO across the enterprise, including J2EE application server based applications
• Leverages the eTrust SiteMinder broad range of authentication system support
• Centralized authorization management & audit services
Authentication Management
Broad Support for Authentication Systems
Methods: Passwords, Passwords over SSL, Forms-based, X.509 certificates (full CRL & OCSP support), Smart cards, Two factor tokens, Biometric devices, SAML, Custom methods, Combination of methods
Management: Authentication Levels, Directory chaining, Configured fallbacks to other authentication schemes
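The level-and-fallback behaviour listed above, as an added example (this is not CA's code and not the SiteMinder API): a policy server tries the strongest configured scheme first, falls back to the next scheme when one fails, and still denies when the scheme that succeeded carries a lower protection level than the resource requires. The certificate check covers issuer, validity window and revocation; the password check compares a PBKDF2 hash. The issuer name, serial numbers, the "jdoe" account, the level numbers and the fixed clock are all constructed for the example.

```python
"""Authentication levels with fallback across schemes (added example; not CA code)."""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Optional

# Constructed stand-ins for the stores a policy server would consult.
TRUSTED_ISSUERS = {"CN=Example eID CA"}                   # assumed issuer name
REVOKED_SERIALS = {"0x2a"}                                # constructed CRL/OCSP stand-in
NOW = datetime(2005, 6, 1, 12, 0, tzinfo=timezone.utc)    # fixed clock for the example


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


_SALT = os.urandom(16)
PASSWORD_STORE = {"jdoe": (_SALT, _pbkdf2("correct horse battery staple", _SALT))}


@dataclass(frozen=True)
class Certificate:
    subject: str
    issuer: str
    serial: str
    not_before: datetime
    not_after: datetime


# Constructed certificates: one good, one revoked, one expired.
CERT_OK = Certificate("CN=John Doe", "CN=Example eID CA", "0x11",
                      datetime(2005, 1, 1, tzinfo=timezone.utc),
                      datetime(2010, 1, 1, tzinfo=timezone.utc))
CERT_REVOKED = Certificate("CN=John Doe", "CN=Example eID CA", "0x2a",
                           CERT_OK.not_before, CERT_OK.not_after)
CERT_EXPIRED = Certificate("CN=John Doe", "CN=Example eID CA", "0x12",
                           datetime(2000, 1, 1, tzinfo=timezone.utc),
                           datetime(2004, 1, 1, tzinfo=timezone.utc))


def verify_certificate(creds: dict, now: datetime) -> Optional[str]:
    """Return the subject if issuer, validity window and revocation status all check out."""
    cert = creds.get("certificate")
    if cert is None or cert.issuer not in TRUSTED_ISSUERS:
        return None
    if not cert.not_before <= now <= cert.not_after:
        return None
    if cert.serial in REVOKED_SERIALS:
        return None
    return cert.subject


def verify_password(creds: dict, now: datetime) -> Optional[str]:
    """Return the user name if the password matches the stored PBKDF2 hash (constant-time compare)."""
    user, password = creds.get("username"), creds.get("password")
    if user is None or password is None or user not in PASSWORD_STORE:
        return None
    salt, expected = PASSWORD_STORE[user]
    return user if hmac.compare_digest(_pbkdf2(password, salt), expected) else None


@dataclass(frozen=True)
class Scheme:
    name: str
    level: int                                          # protection level the scheme grants
    verify: Callable[[dict, datetime], Optional[str]]


SCHEMES = (Scheme("x509", 20, verify_certificate), Scheme("password", 5, verify_password))


@dataclass(frozen=True)
class Decision:
    allowed: bool
    scheme: Optional[str]
    subject: Optional[str]
    reason: str


def authenticate(schemes, creds: dict, required_level: int, now: datetime = NOW) -> Decision:
    """Try schemes strongest first; fall back on failure; deny if the level reached is too low."""
    for scheme in sorted(schemes, key=lambda s: -s.level):
        subject = scheme.verify(creds, now)
        if subject is None:
            continue                                    # configured fallback to the next scheme
        if scheme.level >= required_level:
            return Decision(True, scheme.name, subject, "ok")
        # Strongest scheme first, so nothing later can reach the level: a step-up is needed.
        return Decision(False, scheme.name, subject,
                        f"level {scheme.level} below required {required_level}")
    return Decision(False, None, None, "no scheme accepted the credentials")
```

The fixed clock keeps the run reproducible; a deployment passes the current time and consults a live CRL or OCSP responder instead of the REVOKED_SERIALS set, and the level numbers come from the policy that protects each resource.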
Authorization Management: Centralized Policy Management
• Restrict access by user, role, groups, dynamic groups, or exclusions
• Controlled “impersonation” of users by other users
• Fine-grained authorization at the file, page, or object level
• Determine access based on location and time
• Send static, dynamic (SQL queries), or profile attributes in responses
• Redirect users based on type of authentication or authorization failure
• Policies can be global or local
[Diagram: composition of a SiteMinder Policy]
SiteMinder Policy =
  Rule or Rule Group (allows or denies access to a resource)
  + Users or Groups in a Directory (users, groups, exclusions, roles)
  + Response or Response Group (action that occurs when a rule fires)
  + Time, option (when the policy can or cannot fire)
  + IP Address, option (address the policy applies to, e.g. 1.2.3.4)
  + Active Response / eTelligent Rule, optional (expression using contextual data, Web Services; dynamic extension of the policy)
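The policy composition shown in the diagram, rebuilt as a small evaluator (an added example, not CA's code; the Rule, Policy, Request and Decision names, the SM_ header names and the sample policies are constructed): a rule over a resource and action, bound to users or groups with exclusions, optionally restricted to an IP range and a time window, and carrying responses that become headers when the rule fires. Deny rules take precedence over allow rules, and a request no policy binds to is denied.

```python
"""Policy = rule + users/groups/exclusions + time + IP + responses (added example; not CA code)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, time
from fnmatch import fnmatchcase
from typing import Optional


@dataclass(frozen=True)
class Rule:
    resource: str          # glob over the protected path, e.g. "/hr/*"
    actions: frozenset     # HTTP actions the rule covers
    allow: bool = True     # allow rule or deny rule


@dataclass(frozen=True)
class Policy:
    name: str
    rules: tuple
    users: frozenset = frozenset()        # bound subjects
    groups: frozenset = frozenset()       # bound groups
    exclusions: frozenset = frozenset()   # subjects never bound, whatever their groups
    networks: tuple = ()                  # CIDR ranges the policy applies to; empty = any
    hours: Optional[tuple] = None         # (start, end) window; None = any time
    responses: dict = field(default_factory=dict)  # header -> static value or callable(request)


@dataclass(frozen=True)
class Request:
    subject: str
    groups: frozenset
    resource: str
    action: str
    client_ip: str
    at: datetime


@dataclass(frozen=True)
class Decision:
    allowed: bool
    policy: Optional[str]   # policy whose rule fired, if any
    headers: dict           # response attributes handed to the application


def _in_hours(t: time, window: tuple) -> bool:
    start, end = window
    return start <= t < end if start <= end else (t >= start or t < end)  # window may wrap midnight


def _binds(policy: Policy, req: Request) -> bool:
    """User/group/exclusion, IP and time constraints of the policy; all must hold."""
    if req.subject in policy.exclusions:
        return False
    if req.subject not in policy.users and not (req.groups & policy.groups):
        return False
    if policy.networks:
        ip = ipaddress.ip_address(req.client_ip)
        if not any(ip in ipaddress.ip_network(n) for n in policy.networks):
            return False
    return not policy.hours or _in_hours(req.at.time(), policy.hours)


def _fires(policy: Policy, rule: Rule, req: Request) -> bool:
    return req.action in rule.actions and fnmatchcase(req.resource, rule.resource) and _binds(policy, req)


def evaluate(policies, req: Request) -> Decision:
    """A binding deny rule wins outright; else the first binding allow rule fires; else default deny."""
    fired = [(p, r) for p in policies for r in p.rules if _fires(p, r, req)]
    for policy, rule in fired:
        if not rule.allow:
            return Decision(False, policy.name, {})
    if fired:
        policy, _ = fired[0]
        headers = {k: (v(req) if callable(v) else v) for k, v in policy.responses.items()}
        return Decision(True, policy.name, headers)
    return Decision(False, None, {})


# Constructed policies: HR staff may use /hr/* from the office network during office hours;
# contractors are never allowed under /hr/admin/*, and contractor1 is excluded altogether.
HR_POLICY = Policy(
    name="hr-staff",
    rules=(Rule("/hr/*", frozenset({"GET", "POST"})),),
    groups=frozenset({"hr"}),
    exclusions=frozenset({"contractor1"}),
    networks=("10.0.0.0/8",),
    hours=(time(8, 0), time(18, 0)),
    responses={"SM_USER": lambda r: r.subject,                       # profile attribute
               "SM_GROUPS": lambda r: ",".join(sorted(r.groups)),    # dynamic attribute
               "X-App": "hr"},                                       # static attribute
)
ADMIN_DENY = Policy(
    name="no-admin-for-contractors",
    rules=(Rule("/hr/admin/*", frozenset({"GET", "POST", "DELETE"}), allow=False),),
    groups=frozenset({"contractors"}),
)
POLICIES = (HR_POLICY, ADMIN_DENY)

# Constructed requests that exercise each constraint.
OFFICE = Request("jdoe", frozenset({"hr"}), "/hr/payroll", "GET", "10.0.0.5", datetime(2005, 6, 1, 10, 0))
AFTER_HOURS = Request("jdoe", frozenset({"hr"}), "/hr/payroll", "GET", "10.0.0.5", datetime(2005, 6, 1, 22, 0))
OFF_NET = Request("jdoe", frozenset({"hr"}), "/hr/payroll", "GET", "192.0.2.1", datetime(2005, 6, 1, 10, 0))
EXCLUDED = Request("contractor1", frozenset({"hr"}), "/hr/payroll", "GET", "10.0.0.5", datetime(2005, 6, 1, 10, 0))
CONTRACTOR_ADMIN = Request("bob", frozenset({"hr", "contractors"}), "/hr/admin/users", "GET", "10.0.0.9",
                           datetime(2005, 6, 1, 10, 0))
```

The responses dictionary is where the "static, dynamic or profile attributes" of the slide live: a plain string is sent as-is, a callable is evaluated against the request when the rule fires.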
Federated Security Services: SAML Producer with SAML Affiliate Agent (SAA)
[Diagram: the User authenticates at www.SiteMinder.com and gets SSO over the Internet to www.PartnerA.com and www.PartnerB.com, each running an SAA]
• SiteMinder site conducts authentication
• User profile must exist at www.SiteMinder.com
• Light-weight Web plug-in at partners
• Security product/SAML support not required at partners
• Converts SAML attribute assertions into HTTP header variables
• Provides user profile information to Web application
• Synchronized session between sites
• Single sign-on/off
• Centralized auditing & reporting
• Event notification services
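How an affiliate agent turns a SAML attribute assertion into HTTP header variables, as an added example that is not CA's SAA code. The SAML 1.1 assertion is constructed, the SM_ header prefix and the producer/audience names are assumptions, and signature verification is assumed to have happened before this step (it is not implemented here). Besides the attribute mapping it performs the checks a practitioner wants at this point: issuer, validity window, audience, and discarding any inbound header that already uses the agent's prefix so a client cannot present its own SM_ values to the application.

```python
"""SAML attribute assertion -> HTTP header variables, with condition checks (added example; not CA code)."""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"saml": SAML1}
HEADER_PREFIX = "SM_"                 # assumed prefix for headers the agent sets
PRODUCER = "www.SiteMinder.com"       # the SAML producer named on the slide
NOW = datetime(2005, 6, 1, 10, 1, 0, tzinfo=timezone.utc)   # fixed clock for the example
LATER = datetime(2005, 6, 1, 10, 6, 0, tzinfo=timezone.utc)  # after NotOnOrAfter below

# Constructed assertion. A real one carries an XML Signature that is verified before this step.
ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML1}" MajorVersion="1" MinorVersion="1"
    AssertionID="_constructed-1" Issuer="{PRODUCER}" IssueInstant="2005-06-01T10:00:00Z">
  <saml:Conditions NotBefore="2005-06-01T09:58:00Z" NotOnOrAfter="2005-06-01T10:05:00Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>www.PartnerA.com</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Subject><saml:NameIdentifier>jdoe</saml:NameIdentifier></saml:Subject>
    <saml:Attribute AttributeName="email" AttributeNamespace="urn:example:attrs">
      <saml:AttributeValue>jdoe@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="role" AttributeNamespace="urn:example:attrs">
      <saml:AttributeValue>employee</saml:AttributeValue>
      <saml:AttributeValue>manager</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _header_name(attribute: str) -> str:
    # Header names are restricted to [A-Z0-9_] after the prefix so attribute names cannot
    # produce header separators.
    return HEADER_PREFIX + re.sub(r"[^A-Z0-9]", "_", attribute.upper())


def assertion_to_headers(xml_text: str, audience: str, inbound: dict, now: datetime = NOW) -> dict:
    """Validate issuer, validity window and audience, then map attributes onto SM_* headers."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML1}}}Assertion" or root.get("Issuer") != PRODUCER:
        raise ValueError("unexpected element or issuer")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no Conditions")
    if not _ts(cond.get("NotBefore", "")) <= now < _ts(cond.get("NotOnOrAfter", "")):
        raise ValueError("assertion outside its validity window")
    audiences = {a.text for a in cond.findall("saml:AudienceRestrictionCondition/saml:Audience", NS)}
    if audience not in audiences:
        raise ValueError("assertion not intended for this audience")

    # Drop any client-supplied header that uses the agent's prefix before adding our own.
    headers = {k: v for k, v in inbound.items() if not k.upper().startswith(HEADER_PREFIX)}
    statement = root.find("saml:AttributeStatement", NS)
    name_id = statement.find("saml:Subject/saml:NameIdentifier", NS) if statement is not None else None
    if name_id is None or not name_id.text:
        raise ValueError("assertion has no attribute statement with a subject")
    headers[HEADER_PREFIX + "USER"] = name_id.text
    for attr in statement.findall("saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        headers[_header_name(attr.get("AttributeName", ""))] = ",".join(values)   # multi-valued -> CSV
    return headers
```

The application behind the agent then reads SM_USER, SM_EMAIL and SM_ROLE; because the agent strips inbound SM_* headers first, those values are only ever the ones the agent derived from a validated assertion.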
Manageability
Reports: Access, Activity, Intrusions, Audit
Monitor: SNMP, Web based
Central Management of Distributed Agents, Installation, Scripting Interface, Environment Collector
Testing Tool: Connection, Functionality, Troubleshooting, Regression
Security: Confidentiality, mutual authentication, revocation, session cookies, cross site scripting, nothing stored on agents
High Performance Architecture
[Diagram: Web Servers with Web Agents (each with a cache) talking over 128 bit RC4 encryption to two Policy Servers (each with a Policy Cache and a Rules Cache), which use replicated Directory Servers and an Audit Log (ODBC)]
• Automatic fail-over, cluster-to-cluster fail-over
• Agent to Policy Server dynamic load balancing
• Policy Server to directory server load balancing & failover
• 2-level caching in Policy Server & agents
Open & Extensible: Full Java & C SDKs
Use the SiteMinder Agent API to:
• Build custom agents
• Manipulate user entries
Use Policy Server APIs to:
• Integrate authentication schemes
• Include external data in authorization policies
• Define custom event handlers
• Connect to proprietary directories for user authentication & authorization
Broad Platform Support: Leverages Existing Investments
Platforms
• Web Agents: Microsoft IIS, Sun ONE, Apache, HP Apache, Lotus Domino, IBM HTTP, Oracle HTTP, Domino Go
• Policy Server: MS NT/Win 2000/Win2003, Sun Solaris, HP-UX, Red Hat Enterprise Linux
User Directories: Sun Java System Directory Server, NT Domains, Microsoft Active Directory, IBM Directory Server, Novell eDirectory, MS SQL Server, Oracle RDBMS, Siemens DirX, Oracle Internet Directory, Critical Path Directory Server, Lotus Domino LDAP, CA eTrust
Authentication Systems: Passwords, Passwords over SSL, Forms-based, X.509 certificates (full CRL & OCSP support), Smart cards, Two factor tokens, Method Chaining, SAML, Custom methods, Biometric devices, Combination of methods
Other Systems
• Application Servers: BEA WebLogic, IBM WebSphere
• ERP/CRM: Peoplesoft, Siebel, SAP, Oracle
• RADIUS: Network Access Devices, Firewalls, Communication Servers
Securing Web Services: How is this different?
Web Applications: User, through a Web client, interacts directly with the application
Web Services: Local application, acting on behalf of the user, interacts with the Web service application
[Diagram: SiteMinder World: Customer -> Internet -> Application Web Server over HTML/HTTP. TransactionMinder World: Web Service Consumer Application -> Internet -> Web Service Platform over XML/HTTP, FTP, JMS, MQ]
SECURITY POLICY (in both worlds):
• Authentication – Username/Password, X509 cert, Token
• Authorization – Action on URL & Roles, Group or Entitlements
© 2004 Computer Associates International, Inc. (CA). All trademarks, trade names, services marks and logos referenced herein belong to their respective companies.
(not so) Future: eTrust™ Security Management Architecture
Today’s Limitations
Event correlation is limited by event data: it is hard to correlate different user ids across different hosts
Federation is limited by its externalization
Policy decisions are limited by in-silo session data
Customer must deploy multiple policy infrastructures which all use different policy syntax
Sample context management object
[Diagram: one identity (identity, authentication method, execution context: program/application, state information) carried as a User context across an Apache context, a Tomcat context, an MQ context and a CICS context, with DB2 behind them, and Rules, Auditing and so on applied centrally]
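The correlation limitation from the previous slide made concrete, as an added example (not CA's code): the same person appears as John_D, J_Doe1211960, A23JJ4 and JOHND in four silos, the ids the Application Silo slide used. The audit lines, the binding table and the host names are constructed; the binding table plays the role of the user context object above. Once events are rebound to one identity, a check that spans hosts becomes possible, here a simple one that flags an identity seen from two different source addresses within a few minutes.

```python
"""Correlating silo-specific user ids into one identity (added example; not CA code)."""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timezone

# Constructed audit lines from four silos: "<silo> <timestamp> key=value ...".
LOG_LINES = [
    "apache 2005-06-01T10:00:01Z host=web01 user=John_D ip=10.0.0.5 req=GET:/hr/payroll status=200",
    "tomcat 2005-06-01T10:00:02Z host=app01 user=J_Doe1211960 ip=10.0.0.5 action=viewPayroll",
    "mq 2005-06-01T10:00:03Z host=mq01 user=A23JJ4 queue=PAYROLL.REQ",
    "cics 2005-06-01T10:00:04Z host=cics01 user=JOHND tran=PAYR",
    "apache 2005-06-01T10:03:00Z host=web02 user=John_D ip=192.0.2.77 req=GET:/hr/payroll status=200",
    "tomcat 2005-06-01T10:03:05Z host=app01 user=zz99 action=viewPayroll",
]

# The user context: (silo, silo-specific id) -> one identity. Constructed binding table.
IDENTITY_MAP = {
    ("apache", "John_D"): "CN=John Doe,O=Example",
    ("tomcat", "J_Doe1211960"): "CN=John Doe,O=Example",
    ("mq", "A23JJ4"): "CN=John Doe,O=Example",
    ("cics", "JOHND"): "CN=John Doe,O=Example",
}


def parse_line(line: str) -> dict:
    """Split a line into its silo, a timezone-aware timestamp and the key=value fields."""
    silo, ts, *pairs = line.split()
    event = {"silo": silo, "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)}
    event.update(pair.split("=", 1) for pair in pairs)
    return event


def correlate(lines) -> dict:
    """Group events by resolved identity; unresolved ids get their own bucket so nothing is dropped."""
    timeline = defaultdict(list)
    for line in lines:
        event = parse_line(line)
        identity = IDENTITY_MAP.get((event["silo"], event["user"]),
                                    f"UNRESOLVED:{event['silo']}:{event['user']}")
        timeline[identity].append(event)
    for events in timeline.values():
        events.sort(key=lambda e: e["ts"])
    return dict(timeline)


def source_ip_changes(timeline: dict, window_seconds: int = 300) -> list:
    """Flag an identity seen from two source addresses within the window, whatever the hosts."""
    findings = []
    for identity, events in timeline.items():
        with_ip = [e for e in events if "ip" in e]
        for earlier, later in zip(with_ip, with_ip[1:]):
            if earlier["ip"] != later["ip"] and (later["ts"] - earlier["ts"]).total_seconds() <= window_seconds:
                findings.append((identity, earlier["ip"], later["ip"], earlier["host"], later["host"]))
    return findings
```

Without the binding table the Apache and Tomcat events would sit under unrelated ids and the address change would never be visible; the UNRESOLVED bucket keeps ids the table does not know about in view instead of silently discarding them.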
Conclusion
Identity is a prerequisite for securing and managing eID based applications (as any others)
Should externalize security and policy from Web services
Identity binding is done at deployment time, not development time
CA provides an enterprise-wide set of shared Identity and Access Management (IAM) services
Identity lifecycle management
Authentication
Authorization
Audit
Directory
Sessioning / Federation