Deltek Insight 2012: Technical Insight: Costpoint 7.0 Advanced Security

Join this session for a deep dive into the Costpoint security options. We will explain the seven user-level authentication options, including active directory and single sign-on. We will also review the fine-grain authorization options and review the security options for Costpoint Web services. Advanced Level.

  • I’m going to very briefly describe the Costpoint Architecture to you, particularly for those who aren’t familiar with the product to give them some basic understanding. 
    1. Technical Insight: Costpoint 7 Advanced Security
       Dmitri Tyles, Director of Java EE Framework Development, Deltek
       Session GC-49
    2. Agenda
       Authentication
         • Authentication use cases
         • Seven user-level authentication options
         • Authentication for web services
       Authorization
         • User and user group rights
         • Module and application level security
         • Result set level security
         • Process and report level security
         • Reporting archive security
       Copyright © 2012 Deltek, Inc.
    3. Key Takeaways
       Understanding authentication and authorization methods available in Deltek Costpoint Web
    4. Authentication
    5. Authentication
    6. Authentication: Supported Security Use Cases
       • In-house users
         - Members of corporate Active Directory
         - Always logged in to the corporate LAN
       • Consultants
         - Members of corporate Active Directory
         - May or may not be logged in to the corporate LAN
       • Remote office users
         - Not registered in a corporate Active Directory
         - Not logged in to a corporate LAN
    7. User-Level Authentication Options
       • Costpoint Database
       • Active Directory
       • Single Sign-On
       • Single Sign-On or Active Directory
       • Windows Domain and Active Directory
       • Windows Domain and Costpoint Database
       • Certificate Single Sign-On
    8. User-Level Authentication Options: Costpoint Database
       • Technical implementation
         - User ID and password are stored in a Costpoint database
         - Oracle or SQL Server database user accounts are not used
         - Password is stored in a hashed form (SHA-1) with the user ID used as a salt
         - A challenge-response algorithm with a server-side generated nonce is used for authentication
         - User credentials combined with the nonce are passed from the client in an encrypted form (AES)
       • User perspective
         - A user must enter user ID and password on the login screen
         - This method can be used for all three security use cases
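The following added example (illustrative code, not Costpoint's implementation) walks through the challenge-response exchange described on this slide: the server stores a SHA-1 hash salted with the user ID, issues a nonce, and checks a client proof bound to that nonce, rejecting replays and expired challenges. The HMAC-SHA1 proof construction, the nonce lifetime and the single-use nonce table are this example's assumptions; the slide names neither the exact proof construction nor how the AES transport key is handled, so the AES layer is not modelled.

```python
import hashlib
import hmac
import os
import time

NONCE_TTL_SECONDS = 60   # assumed validity window for an issued challenge


def password_hash(user_id: str, password: str) -> bytes:
    """Stored value per the slide: SHA-1 of the password with the user ID as salt.
    The salt is not random, so equal user ID + password pairs hash identically."""
    return hashlib.sha1(user_id.encode() + password.encode()).digest()


def client_proof(user_id: str, password: str, nonce: bytes) -> bytes:
    """Client side (step 2): derive the same hash and bind it to the server nonce.
    HMAC-SHA1 is this example's choice of binding; the slide does not name one."""
    return hmac.new(password_hash(user_id, password), nonce, hashlib.sha1).digest()


class ChallengeResponseServer:
    def __init__(self):
        self.users = {}      # user_id -> stored password hash
        self.pending = {}    # nonce -> (user_id, issue time)

    def register(self, user_id: str, password: str) -> None:
        self.users[user_id] = password_hash(user_id, password)

    def challenge(self, user_id: str) -> bytes:
        """Step 1: issue a fresh random nonce for exactly one logon attempt."""
        nonce = os.urandom(16)
        self.pending[nonce] = (user_id, time.time())
        return nonce

    def verify(self, user_id: str, nonce: bytes, proof: bytes) -> bool:
        """Step 3: the nonce must be pending, unexpired and bound to this user.
        It is consumed on every attempt, so a captured proof cannot be replayed."""
        entry = self.pending.pop(nonce, None)
        if entry is None or entry[0] != user_id:
            return False
        if time.time() - entry[1] > NONCE_TTL_SECONDS:
            return False
        stored = self.users.get(user_id)
        if stored is None:
            return False
        expected = hmac.new(stored, nonce, hashlib.sha1).digest()
        return hmac.compare_digest(expected, proof)   # constant-time comparison
```

Because the salt is the user ID rather than a random per-user value, the same user ID and password produce the same stored hash on every installation; a random salt and a deliberately slow password hash are the usual hardening beyond what the slide describes.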
    9. User-Level Authentication Options: Active Directory
       • Technical implementation
         - User ID is stored in both Active Directory and the Costpoint database
         - Costpoint user ID can be mapped to a different Active Directory user ID
         - Password is stored only in Active Directory
       • User perspective
         - A user must enter user ID and password on the logon screen
         - Either the Costpoint or the Active Directory user ID can be used to log on to Costpoint
         - This method can be used for either the “in-house users” or the “consultants” use case
       • Note: Costpoint 7 makes the setup of this option easier and also improves performance for authenticating a user against large and/or multi-domain Active Directory configurations
       • For more information, please attend GC-52: Technical Insight: Costpoint 7.0 Configuration
    10. User-Level Authentication Options: Single Sign-On
        • Technical implementation
          - User ID is stored in both Active Directory and the Costpoint database
          - Costpoint user ID can be mapped to a different Active Directory user ID
          - Password is stored only in Active Directory
        • User perspective
          - A user does not need to enter user ID and password on the logon screen
          - This method can be used only for the “in-house users” use case
    11. User-Level Authentication Options: Single Sign-On or Active Directory
        • Technical implementation
          - User ID is stored in both Active Directory and the Costpoint database
          - Costpoint user ID can be mapped to a different Active Directory user ID
          - Password is stored only in Active Directory
        • User perspective
          - A user is allowed to log on using either the Active Directory or the Single Sign-On method
          - The Single Sign-On method requires a user to be logged on to the LAN
          - This method is intended for the “consultants” use case
          - Users can still log on using the Active Directory method while traveling or at a customer site
    12. User-Level Authentication Options: Windows Domain and Active Directory
        • Technical implementation
          - User ID is stored in both Active Directory and the Costpoint database
          - Costpoint user ID can be mapped to a different Active Directory user ID
          - Password is stored only in Active Directory
        • User perspective
          - The following two conditions must be met for a successful logon:
            - A user must enter user ID and password on the logon screen
            - A user must be logged on to the LAN
          - This method can be used only for the “in-house users” use case
    13. User-Level Authentication Options: Windows Domain and Costpoint Database
        • Technical implementation
          - User ID and password are stored in a Costpoint database
          - The same rules for password storage and transmission apply as for the Costpoint Database authentication method
        • User perspective
          - The following two conditions must be met for a successful logon:
            - A user must enter user ID and password on the logon screen
            - A user must be logged on to the LAN
          - This method can be used only for the “in-house users” use case
    14. User-Level Authentication Options: Certificate Single Sign-On
        • Technical implementation
          - User ID and certificate ID are stored in a Costpoint database
          - The certificate user ID may be different from the Costpoint user ID
          - Upon establishing a two-way SSL connection, the Costpoint user ID is determined through the certificate user ID
        • User perspective
          - A user does not need to enter user ID and password on the logon screen
          - A user must have a certificate installed in the browser
          - This method can be used for all three security use cases
    15. Authentication: Authentication for Web Services
        • Implementation is based on the Username Token and SAML profiles from the WS-Security specification
        • Each Costpoint user account must be explicitly enabled to be used with web services
        • Use of SSL with web services
          - Design-time option in Integration Console
          - We recommend SSL except for testing
        • A hot fix was released to add support for AD authentication for web services
        • Detailed information on this topic can be found in session GC-50: Extending Costpoint: Web Services Integration
    16. Authentication (cont’d): Login and Password Control Policies
        • Password complexity (corporate settings)
          - Minimum length / require number / special character / mixed case
          - Password “black list”: user ID, employee ID, password, etc.
        • Password aging/control
          - Password life (corporate)
          - Disable inactive users period (corporate)
          - Deactivation date (user)
          - Last login date (user)
          - Force password change (user)
          - Re-use of passwords (company)
        • Account locking after N unsuccessful attempts
          - WebLogic feature: the account is locked for X minutes after N unsuccessful attempts within Y minutes (configuration console)
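Added example (illustrative code, not Deltek's implementation) of the controls listed on this slide: a complexity and black-list check, a re-use check against password history, and a lockout tracker that locks an account for X minutes after N failures within Y minutes, as the WebLogic feature is described. The default numbers and the SHA-256 hashing of the history are assumptions.

```python
import hashlib
import re
from collections import deque

def history_hash(password: str) -> str:
    """How this example records old passwords for the re-use check (assumed)."""
    return hashlib.sha256(password.encode()).hexdigest()

def policy_violations(password, user_id, employee_id, history, min_length=8):
    """Return the complexity, black-list and re-use rules the candidate breaks."""
    problems = []
    if len(password) < min_length:
        problems.append("too short")
    if not re.search(r"\d", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        problems.append("not mixed case")
    for banned in (user_id, employee_id, "password"):   # the slide's black list
        if banned and banned.lower() in password.lower():
            problems.append(f"contains black-listed value {banned!r}")
    if history_hash(password) in history:
        problems.append("previously used")
    return problems

class LockoutTracker:
    """Lock the account for lock_minutes after max_failures within window_minutes."""
    def __init__(self, max_failures=5, window_minutes=10, lock_minutes=30):
        self.max_failures = max_failures
        self.window, self.lock = window_minutes * 60, lock_minutes * 60
        self.failures = {}       # user_id -> deque of failure timestamps (epoch s)
        self.locked_until = {}   # user_id -> epoch seconds at which the lock expires

    def is_locked(self, user_id, now):
        return self.locked_until.get(user_id, 0) > now

    def record_failure(self, user_id, now):
        """Count a failed logon at time `now`; returns True when it triggers a lock."""
        q = self.failures.setdefault(user_id, deque())
        q.append(now)
        while q and now - q[0] > self.window:   # forget attempts older than Y minutes
            q.popleft()
        if len(q) >= self.max_failures:
            self.locked_until[user_id] = now + self.lock
            q.clear()
            return True
        return False
```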
    17. Authorization
    18. Authorization: User and User Group Rights
        • A user may belong to more than one user group
          - Though there is one corporate list of users and user groups, a user may belong to a user group in selected companies or all companies
        • User and user group rights are cumulative
          - They are combined at run-time to determine effective user rights for a selected company
    19. Authorization: Module and Application Level Security
        • Full, Read-Only, and Deny rights
        • User and user group rights are combined according to two rules:
          - Deny always takes precedence
          - Full and Read-Only rights are cumulative
        • User rights do not act as overwrite rights for user group rights
        • Application rights overwrite module rights
        • Module and application rights for users and user groups can be granted at a company level or for all companies
    20. Authorization: Result Set Level Security
        • Costpoint Web has a more granular security model than client/server
        • Access to each result set (screen/table) inside an application can be controlled separately
        • Result set level rights overwrite module and application rights
          - In the absence of explicit result set level rights, module/application level rights are used to determine result set rights
        • Select/Insert/Update/Delete rights can be turned on and off for each result set
        • Result set rights for users and user groups can be granted at a company level or for all companies
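The rules on slides 18 to 20 combine into one resolver; the added example below (this example's own data model, not Costpoint's schema or code) computes effective result-set rights for a user in one company: user and group grants accumulate, Deny wins, application grants override module grants, and explicit result-set flags override both, falling back to Full = SIUD and Read-Only = Select. Accumulating explicit result-set flags across the user and the groups by union is an assumption.

```python
ALL = "*"                  # company value meaning "all companies"
SIUD = frozenset("SIUD")   # Select/Insert/Update/Delete

def combine(levels):
    """Combine user and group rights at one scope: Deny always wins,
    otherwise Full and Read-Only accumulate (Full covers Read-Only)."""
    if not levels:
        return None
    if "Deny" in levels:
        return "Deny"
    return "Full" if "Full" in levels else "Read-Only"

class Grants:
    def __init__(self):
        self.scoped = []        # (principal, company, module-or-app name, right)
        self.result_sets = []   # (principal, company, result set, SIUD flags)

    def grant(self, principal, company, scope, right):
        self.scoped.append((principal, company, scope, right))

    def grant_result_set(self, principal, company, result_set, flags):
        self.result_sets.append((principal, company, result_set, frozenset(flags)))

    def _applies(self, entry, principals, company):
        return entry[0] in principals and entry[1] in (company, ALL)

    def module_app_right(self, principals, company, module, app):
        """Application-level grants override module-level grants (slide 19)."""
        for scope in (app, module):
            levels = [e[3] for e in self.scoped
                      if self._applies(e, principals, company) and e[2] == scope]
            if levels:
                return combine(levels)
        return None

    def result_set_rights(self, user, groups, company, module, app, result_set):
        """Explicit result-set flags override module/application rights; without
        them, Full maps to SIUD and Read-Only to Select only (slide 20)."""
        principals = {user, *groups}
        explicit = [e[3] for e in self.result_sets
                    if self._applies(e, principals, company) and e[2] == result_set]
        if explicit:
            return frozenset().union(*explicit)   # assumed: explicit flags accumulate
        right = self.module_app_right(principals, company, module, app)
        return {"Full": SIUD, "Read-Only": frozenset("S")}.get(right, frozenset())
```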
    21. Authorization: Process and Report Level Security
        • Costpoint Web has a more granular security model than client/server
        • Access to each process or report inside an application can be controlled separately
          - In the absence of process or report level rights, result set level rights are used to determine whether a user can execute a process or report
        • Deny/Execute rights can be turned on or off for each process or report
        • Process or report rights for users and user groups can be granted at a company level or for all companies
    22. Authorization: Reporting Archive Security
        • Can control who can view or manage archived reports
        • Access rights for archived reports can be managed at the following levels:
          - Report group: user-defined collection of reports (such as Post Bills and Print Bills)
          - Single report type: all archived reports for Print Bills
          - Single archived report
          - Specific instance of an archived report (such as a Print Bills report printed by user Joe on 01/10/2009)
        • Organizational security and labor suppression are analyzed to determine whether a user can view an archived report
    23. Authorization (cont’d)
    24. Authentication and Authorization: Application Vulnerability Assessment (AVA)
        • Performed by Cybertrust for Costpoint 5.x, 6.x, and 7.0
        • No major security issues discovered
        • Uniform application development methodology enforced by a common metadata-driven framework
          - Not necessary to review every single application to assess vulnerabilities of the product
        • Ongoing relationship with Verizon/Cybertrust
          - Plan to do AVAs for each major release
    25. Authorization: Segregation of Duties (SOD)
        • Segregation of Duties added in 6.0
        • Clients define the list of conflicting rights based on their policies
        • Configuration options
          - Enforce SOD rules by preventing a user from having conflicting privileges, or
          - Report on SOD violations without limiting user privileges
        • SOD analysis covers both C/S and Web user rights
        • Get more details and try it out at Costpoint demo stands
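Added example (not Costpoint's code) of the two SOD configuration modes on this slide: a client-defined conflict list applied either to block a grant that would create a conflict (enforce) or to list existing violations without limiting privileges (report), evaluated over the union of a user's C/S and Web rights. The right names and the conflict pairs are constructed for the example.

```python
CONFLICTS = [   # constructed sample policy: these right pairs may not coexist
    ("ENTER_VENDOR", "APPROVE_VENDOR_PAYMENT"),
    ("POST_BILLS", "APPROVE_CASH_RECEIPTS"),
]

def effective_rights(cs_rights, web_rights):
    """SOD analysis covers both client/server and Web rights, so combine them."""
    return set(cs_rights) | set(web_rights)

def conflicts_in(rights):
    """Conflicting pairs whose both members are present in the rights set."""
    rights = set(rights)
    return [p for p in CONFLICTS if p[0] in rights and p[1] in rights]

def request_grant(current, new_right, mode="enforce"):
    """Apply a grant under the SOD policy. Returns (rights, new violations, applied).
    enforce: refuse a grant that would create a conflict.
    report:  apply it and hand back the violations it creates for review."""
    proposed = set(current) | {new_right}
    created = [p for p in conflicts_in(proposed) if p not in conflicts_in(current)]
    if mode == "enforce" and created:
        return set(current), created, False
    return proposed, created, True

def sod_report(rights_by_user):
    """Report mode across all users: {user: violations} for users that have any.
    rights_by_user maps user -> (client/server rights, Web rights)."""
    report = {}
    for user, (cs, web) in rights_by_user.items():
        found = conflicts_in(effective_rights(cs, web))
        if found:
            report[user] = found
    return report
```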
    26. Conclusion
    27. Conclusion
        • Costpoint 7 offers seven user-level authentication options
        • Two Single Sign-On options are supported
        • Costpoint 7 offers fine-grained screen component/function authorization policies
    28. Questions and Answers
    29. Learn More
        • See Deltek Costpoint in the Solutions Pavilion
        • Attend additional sessions on Deltek Costpoint for more in-depth information:
          - GC-44: Technical Insight: Costpoint 7.0
          - GC-45: Looking Ahead at Deltek Costpoint Technology
          - GC-46: Extending Costpoint 7: Content Management
          - GC-48: Extending Costpoint 7: Extensibility Services
          - GC-50: Extending Costpoint: Web Services Integration
          - GC-52: Technical Insight: Costpoint 7.0 Configuration
          - GC-322: Costpoint 7 - The User Experience
    30. Thank You!