Compliance and Governance Through Complex Entitlement Management



  1. Compliance and Governance Through Complex Entitlement Management
     Geoff Charron, VP ALES
     Noam Bunder, Lead Architect, DataScan Technologies
  2. Agenda
     • Entitlements in the Context of a SOA
     • AquaLogic Enterprise Security (ALES) Overview
     • Implementing Entitlements at DataScan
     © 2006 BEA Systems, Inc.
  3. Business Drivers
     Application security has evolved:
     • Firewalls "keep the bad guys out" at the perimeter
     • Web server security and Web SSO products provide basic access control at the Web tier
     • Application security logic is still hard-wired and embedded in the application behind the Web tier
     Industry trends are driving the need to externalize entitlements from the application:
     • Multiple homegrown and embedded entitlements services
     • Increasing regulatory pressure and privacy concerns
     • Proliferation of applications and increasingly disparate development teams
     • Increasing competitive and time-to-market pressures
     [Diagram: Customers, Partners, Employees and Contractors reaching Web Servers, App Servers, Enterprise Apps and Data Stores]
  4. What are Entitlements?
     Entitlements questions:
     • Who can transfer funds?
     • How much can they transfer?
     • How often can they transfer?
     • Can they delegate those rights?
     Entitlements are the set of privileges that govern what an application user can do.
     Entitlements systems manage those privileges, make the access decisions, and record the results.
  5. Key Challenge: Embedded Decisions
     [Diagram: a Legacy App wired directly to its own Database and User Directory]
     The decision logic typically lives inside the application itself:
         if (Transfer < TransLimit) and (User can Transfer) then
             Allow Access
         else
             Deny Access
         endif
     • Security is embedded in applications, which creates silos
     • Applications are becoming more complex and may be developed by multiple teams (including offshore)
     • Developers spend time coding security logic
     • Inconsistent policies and lack of central management
     • Access decisions may not be audited
  6. Key Challenge: Multiple Security Technologies
     [Diagram: browser clients reaching a Web App, a J2EE App, Web Services, a Legacy App, Mainframes and a Database, each with its own Identity/Policy store, Web SSO, User Directory, User Provisioning and User Profile]
     • Multiple user directories, authentication services, Web SSO services and IAM products
     • How to rapidly and cost-effectively deploy new applications that leverage existing infrastructure?
  7. Agenda (repeated; see slide 2)
  8. BEA AquaLogic in Your IT Enterprise
     [Stack diagram, top to bottom:]
     • User Interaction: AquaLogic User Interaction (Portal, Dashboard, Exceptions/Alerts, Monitoring, Reports; Interaction Management, Content Management, Collaboration, Search, Analytics)
     • Business Process Interaction: AquaLogic BPM Suite (Process Modeling & Automation, Process Monitoring, Process Analysis, Process Optimization, Process Simulation)
     • Operational Service Interaction: AquaLogic Service Bus (Messaging, Service Routing, Transformation, Service Integration) and AquaLogic Service Registry (Service Management, Registry)
     • Shared Data and Business Services: AquaLogic Data Services Platform (Data Access Layer)
     • Spanning every layer: AquaLogic Enterprise Security (Security Services and Fine-Grained Access Control)
     • Back End Systems and Data: Legacy, ERP, CRM, Custom
  9. What is AquaLogic Enterprise Security?
     ALES is an entitlements system that enables the centralized definition of complex application security policy and the runtime enforcement of that policy.
     ALES consists of:
     • An Administrative Application (PAP), reached from a browser client, used to centrally manage security configuration and policy
     • A Policy Decision Point (PDP) that can be centralized (the Entitlements Admin Server, exposed through a Java API and a Web Service) or distributed
     • A distributed PDP, the Security Service Module (SSM), which also acts as the Policy Enforcement Point (PEP)
     [Diagram: XACML 2.0 entitlements policies are pushed from the central PDP/PAP to the SSMs; a PIP supplies attributes; SSMs run as distributed PDPs inside WLS and Tomcat application servers and as PEPs for WLS, WLP, ALDSP, ALSB and the Java SDK, with XACML 2.0 and Web Service interfaces]
 10. Connecting Entitlements to the Application
     A page-flow action that asks ALES for a decision before executing a transfer. The snippet is the slide's excerpt: `req`, `az`, `rr` and `appCtx` are created outside it (the request, the authorization service handle, the protected resource and the application context that carries the context elements).

         public Forward processTransfer(TransferBean transferBean) throws Exception {
             // Who: the authenticated caller, taken from the HTTP request
             AuthenticIdentity ai = getAuthenticIdentityFromRequest(req);
             // What: the action being attempted on the protected resource rr
             RuntimeAction ra = new RuntimeAction(ACTION.TRANSFER, "SIMPLE_ACTION");
             // Context the policy can reason over: the amount being transferred
             AppContextElement q3 = new SimpleContextElement("amount", transferBean.getAmount());
             // Collector for any response context returned alongside the decision
             AppContextElement collectorElement = SimpleResponseContextCollector.makeContextElement();
             // The decision itself: no policy logic in the application, only the question
             AccessResult ar = az.isAccessAllowed(ai, rr, ra, appCtx);
             if (ar.isAllowed()) {
                 executeTransfer(transferBean);
                 ....
             }
             // deny path elided on the slide
         }

     Note that this code can easily be encapsulated.
 11. Key ALES Benefits
     • Better Business Agility: change entitlements without modifying the application; implement changing regulatory and corporate policies faster
     • Enhanced Security and Compliance: finer control over the protection of application resources; enhanced audit tracking
     • Increased IT Efficiency: remove security logic from the application; free developers up to focus on value-added business logic
 12. Agenda
     1 DataScan Company Overview
     2 Compliance Requirements at DataScan
     3 DataScan BEA Implementation
     4 Development Operational Lifecycle
     5 Best Practices
     6 Questions & Answers
     DataScan Technologies LLC – All Rights Reserved
 13. About DataScan Technologies
     DataScan Technologies is a global leader in wholesale floorplan accounting and risk management systems and services.
     • Founded in 1989
     • Corporate headquarters in Alpharetta, Georgia
     • Over 45 of the most prominent banks and captives
     • Operating in 15 countries
     • Currently manages over $45 billion in outstanding collateral
 14. Partial Client List
     BMW Financial, Comerica Bank, World Omni Financial Corp., SunTrust Bank, California Federal Bank, National City Bank, Hibernia National Bank, US Bank, GE Capital, Toro Credit Corp, Yale/Hyster, PACCAR, Bank One, Manheim (MAFS), Citizens Bank, ScotiaBank, JP Morgan Chase Bank, CitiCapital, Key Bank, CIT Group, M & T Bank, Toyota Financial Services, PNC Bank, Hyundai Motor Finance, Wachovia, Mitsubishi Motors Credit, Regions Bank, Banknorth, Provident Bank, BB&T, Zions Bank, Huntington Bank, VW Credit, Inc., Nissan/Renault-Mexico, New South Federal
 15. Wholesale Management System
     • Wholesale Management System (WMS): a wholesale finance and accounting system built specifically for the wholesale floorplan industry
     • Dealer Access System (DAS): allows dealerships to have Internet access to key information in the system
     • Collateral Management System (CMS): an automated floorplan data collection and risk management system utilizing touch-screen technology
     • Nationwide Audit Services (NAS): a turnkey audit inspection service featuring a professional staff utilizing CMS
 16. Risk Management
     [Diagram: a five-step cycle between Risk Managers and the Auditor and Kit, driven by the Workflow Engine and E-mail Notification]
 17. Agenda (repeated; see slide 12)
 18. Business Drivers
     Mission-critical application for the banking and automotive industry, managing over $45 billion in assets
     • Time to market
     • Buy vs. build
     • Time and resources required for implementation and policy changes (the key driver)
     • Performance impact
     • Security compliance: SAS 70 Type II, GLBA/SOX, BITS/CC-MSR, ISO 27001, BRMMI/PriSM
 19. Challenges
     • A new security platform was required to replace a legacy ASP financial services system with an existing global install base
     • The legacy system has embedded, customer-specific security logic
     • High maintenance required for security policy changes
     • Annual corporate audits (internal, SAS 70 Type II)
     • Bi-annual customer security open house
     • Unscheduled customer ethical hacks
     • Rapidly evolving financial industry security requirements (BITS, ISO 27001)
 20. Compliance Overview
     • Sarbanes-Oxley (SOX)
       - Requires internal controls or rules to be in place to ensure the integrity of financial information
       - Section 404: internal controls
     • Gramm-Leach-Bliley Act (GLBA)
       - Section 501 centers on the administrative, physical and technical safeguards over non-public customer information
     • BITS
       - Common Criteria Master Security Requirements
       - Security for the security system
     • ISO 27001
       - IT systems management and governance
     • BRMMI/PriSM
       - Upcoming Business Resiliency Maturity Model
       - Over 750 practices merging COBIT, BS 7799/ISO 17799, ITIL, ISF, the NIST 800 series, the SEI BOK and DRII
 21. Compliance-Based Design
     • Prioritize design around "required" BITS topics
     • Consolidate past ethical hacks and audits
     • Time-boxed delivery, focus on good design
     • Balance delivery priorities with risk analysis
     • Security Compliance Road Map: policies, processes, controls, audits/monitoring
 22. ALES Compliance Mapping
     • Compliance-based requirements and design
     • Transparent security implementation
     • Standards support: SAML, XACML
 23. Agenda (repeated; see slide 12)
 24. SOA-Based Implementation
     [Architecture diagram only]
 25. ALES Implementation
     Architecture overview: plain Java, leveraging BEA
 26. ALES Deployment
     Operational overview, in order:
     1. Cluster
     2. JVM
     3. Managed Server
     4. Sessions
     5. ALES SSM
     6. Connection Pools
     7. EAR Deployment
     8. Security Policy Administration
     9. Portal Desktop Administration
 27. Agenda (repeated; see slide 12)
 28. Development Team Composition
     • BEA Professional Services: initial proof of concept; assistance with design; working construction road map
     • Development Team: back-end and front-end teams; security team; continuous builds to QA; authentication only; portal-based security
 29. Operational Lifecycle
     • Security Development Team: specialized, with contractors
     • IT Administration: security administrators (2-3), dedicated with back-up
     • Documentation and Checklists: packaged deployment
 30. Operational Environments
     • Distinct environments: Development, QA Smoke Testing and Functional Testing ("Live"), Customer Beta/UAT, Support, Production and Disaster Recovery
     • Utilizing virtualization
     • Growth and performance
       - Current production list includes four major financial institutions
       - Rolling out to all customers over the next two years
       - Virtualized on 2 x 4-way dual-core 64-bit Red Hat Enterprise Linux AS 4.0 hosts with 32 GB RAM, running Xen
       - 800+ daily users (risk managers, bank users, dealerships), with CPU load not exceeding 3%
 31. Agenda (repeated; see slide 12)
 32. Why BEA?
     • BEA selection criteria: track record and solution completeness; product suitability (architecture, road map); support
     • Key factors
       - Provides an elegant means to extract security logic from the application
       - Disconnected design provides high performance and resiliency
       - Provides flexible configuration with minimal maintenance and operational resiliency
 33. Kick Off
     Step by step: key success factors
     • Proposed project: the project plan called for a three-month implementation for the pilot target
     • Gain sponsorship: demonstrate value with a prototype and POC; leverage the existing platform
     • Establish goals and value proposition: capitalize on performance; create gurus through early mastery and battle scars
 34. Best Practices
     • Partner with BEA Professional Services; leverage BEA Support (hotline, website) and BEA Educational Services classes
     • Train IT first! System administration is key
     • Build a workable environment (workstation/server)
     • Integrate prototypes into the plan
     • Focus on what works; take risks where they are manageable
     • Integrate BEA with other departments early (IT, Support, etc.)
 35. Looking Forward
     Customer- and regulation-driven:
     • SAML implementation
     • Refinement of standards and compliance
     • Full security visibility throughout the architectural stack
 36. Agenda (repeated; see slide 12)
 37. Thank You! Questions?
