
The Lanka Gate Initiative

Published in: Travel

  1. The LANKA GATE Initiative - Security Aspects
  2. Contents
      • Trends in user centric identities
      • Lanka Gate Architecture
      • Sri Lanka Country Portal
      • Identity as a Service
      • Securing Sri Lanka Country Portal
      • Securing Backend Services
      • Other security aspects
      • Thoughts, Suggestions & Discussion
  3. Trends in user centric identities
      • User in the middle of the identity transaction
      • Governed by Seven Laws of Identity
      • OpenID/Information Cards
  4. Trends in user centric identities - OpenID
      • Decentralized Single Sign On +
      • Single profile across different domains +
      • Easy profile maintenance +
      • Authenticates once at the OpenID Provider +
      • Phishing ???
      • Different user experience
      • Requires HTTPS + user education
  5. Trends in user centric identities – Information Cards
      • Phishing resistant authentication +
      • Based on WS-* standards +
      • Highly cryptographic solution +
      • Authenticates only at the Identity Provider +
      • Single user profile
      • Different user experience
  6. Trends in user centric identities
      It’s NOT OpenID vs. Information Cards, but – OpenID with Information Cards
  7. Contents
      • Trends in user centric identities
      • Lanka Gate Architecture
      • Sri Lanka Country Portal
      • Identity as a Service
      • Securing Sri Lanka Country Portal
      • Securing Backend Services
      • Other security aspects
      • Thoughts, Suggestions & Discussion
  8. Lanka Gate Architecture
  9. Contents
      • Trends in user centric identities
      • Lanka Gate Architecture
      • Sri Lanka Country Portal
      • Identity as a Service
      • Securing Sri Lanka Country Portal
      • Securing Backend Services
      • Other security aspects
      • Thoughts, Suggestions & Discussion
  10. Sri Lanka Country Portal
      • Provides access to backend services through portlets [a single eService, several eServices from a specific project or transactional / mashup combination of eServices across several projects]
      • Users log in to the country portal and authorized functionality will be available.
      • How authentication takes place ???
      • How authorization takes place ???
  11. Contents
      • Trends in user centric identities
      • Lanka Gate Architecture
      • Sri Lanka Country Portal
      • Identity as a Service
      • Securing Sri Lanka Country Portal
      • Securing Backend Services
      • Other security aspects
      • Thoughts, Suggestions & Discussion
  12. Identity as a Service
      • Integrates identity services into application development
      • Decouples identity related logic from individual application business logic
      • User, identity related data externalized from the applications themselves
      • Breaks identity silos
  13. Identity as a Service
      [Diagram: Identity Management Service, User Store]
  14. Contents
      • Trends in user centric identities
      • Lanka Gate Architecture
      • Securing Sri Lanka Country Portal
      • Identity as a Service
      • Securing Sri Lanka Country Portal
      • Securing Backend Services
      • Other security aspects
      • Thoughts, Suggestions & Discussion
  15. Securing Sri Lanka Country Portal - Authentication
      [Diagram: Identity Provider [WSO2 Identity Solution], Identity Management Service, IdMRealm, Country Portal, User Store]
  16. Securing Sri Lanka Country Portal - Authentication
      [Diagram: Identity Provider [WSO2 Identity Solution], Identity Management Service, IdMRealm, Country Portal, User Store; connections labelled WS-Security and HTTPS; White/black listing OPs]
  17. Securing Sri Lanka Country Portal - Authentication
      [Diagram: Identity Provider [WSO2 Identity Solution]; labels: Username/password, Self-issued InfoCard, Client certificate]
  18. Securing Sri Lanka Country Portal - Authorization
      [Diagram: Country Portal containing the Driving License Management Portlet, Passport management Portlet and EPF/ETF Management Portlet]
  19. Securing Sri Lanka Country Portal - Authorization
      [Diagram: Country Portal]
      • Driving License Management Portlet: Request Driving License, Track Status
      • Passport management Portlet: Request Passport, Track Status
      • EPF/ETF Management Portlet: View EPF/ETF, Claim EPF/ETF
  20. Securing Sri Lanka Country Portal - Authorization
      [Diagram: Country Portal]
      • Driving License Management Portlet: Request Driving License, Track Status
      • Passport management Portlet: Issue Passport, Reject Passport Requests, List Pending Requests
      • EPF/ETF Management Portlet: View EPF/ETF, Claim EPF/ETF
  21. Securing Sri Lanka Country Portal - Authorization
      [Diagram: Country Portal]
      • Driving License Management Portlet: Issue Driving License, List Pending Requests
      • Passport management Portlet: Request Passport, Track Status
      • EPF/ETF Management Portlet: View EPF/ETF, Claim EPF/ETF
  22. Securing Sri Lanka Country Portal - Authorization
      [Diagram: Country Portal]
      • Driving License Management Portlet: Request Driving License, Track Status
      • Passport management Portlet: Request Passport, Track Status
      • EPF/ETF Management Portlet: List Pending Claims
  23. Securing Sri Lanka Country Portal - Authorization
      • Authorization logic should be handled by the corresponding service(s) – behind the portlet. [or maybe by the LIX]
      [Diagram: getPortlet(user) called on each of the Driving License Management Service, Passport Management Service and EPF/ETF Management Service]
  24. Securing Sri Lanka Country Portal – Summary
      • User store will be managed centrally through Identity Management Service
      • Country Portal will use OpenIDs for authentication with a white-listed OpenID Provider
      • Once a user is authenticated, his authorized functionality will be decided by evaluating authorization logic at the corresponding backend service.
  25. Securing Sri Lanka Country Portal – Handling Authorization
      • Each backend service needs to evaluate user rights.
      • Application specific authorization handling / standard based authorization handling.
      • Standard based authorization with XACML
  26. Securing Sri Lanka Country Portal – Authorization with XACML
      • Defining policies
      • “Passport service administrators can list all the pending passport requests”
      [Diagram: Policy Administration Point/PAP [WSO2 Identity Solution], Define, Policy Store [WSO2 Registry]]
  27. Securing Sri Lanka Country Portal – Authorization with XACML
      • Evaluating policies
      [Diagram: Request, WS-Security, Identity Management Service, Policy Information Point/PIP [WSO2 Identity Solution], Policy Decision Point/PDP [WSO2 Identity Solution], Policy Retrieval Point/PRP [WSO2 Identity Solution], Policy Store [WSO2 Registry]]
  28. Contents
      • Trends in user centric identities
      • Lanka Gate Architecture
      • Securing Sri Lanka Country Portal
      • Identity as a Service
      • Securing Sri Lanka Country Portal
      • Securing Backend Services
      • Other security aspects
      • Thoughts, Suggestions & Discussion
  29. Securing Backend Services
      [Diagram: Lanka Interoperability Exchange; WS-Security label on each of the EPF/ETF Management Service, Passport Management Service and Driving License Management Service]
  30. Contents
      • Trends in user centric identities
      • Lanka Gate Architecture
      • Securing Sri Lanka Country Portal
      • Identity as a Service
      • Securing Sri Lanka Country Portal
      • Securing Backend Services
      • Other security aspects
      • Thoughts, Suggestions & Discussion
  31. Other security aspects
      • Auditing
        – Every authentication and authorization decision has to generate an audit event
        – Identity Management Service / PDP
        – Secure logging – audit trails should preserve integrity
        – XDAS - OpenXDAS
  32. Contents
      • Trends in user centric identities
      • Lanka Gate Architecture
      • Securing Sri Lanka Country Portal
      • Identity as a Service
      • Securing Sri Lanka Country Portal
      • Securing Backend Services
      • Other security aspects
      • Thoughts, Suggestions & Discussion
  33. Thoughts, Suggestions & Discussion… - Thank You!
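
Slides 16 and 24 have the Country Portal accept OpenID logins only from white-listed OpenID Providers reached over HTTPS. The following is an added sketch of that check, not code from the deck or from WSO2 Identity Solution; the allowlisted host `idp.portal.example`, the function names and the use of the OpenID 2.0 `openid.op_endpoint` field are assumptions.

```python
from urllib.parse import urlsplit

# Assumed allowlist: (host, port) pairs of OpenID Providers the portal trusts.
ALLOWED_OPS = {("idp.portal.example", 443)}


def op_endpoint_allowed(endpoint: str, allowed=ALLOWED_OPS) -> bool:
    """Return True only if the OP endpoint is HTTPS and exactly allowlisted."""
    try:
        parts = urlsplit(endpoint.strip())
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https":
        return False  # plain HTTP would expose the login exchange
    if parts.username is not None or parts.password is not None:
        return False  # "trusted-host@other-host" style URLs
    host = (parts.hostname or "").rstrip(".").lower()
    # Exact match on host and port: no suffix or substring matching.
    return (host, port or 443) in allowed


def assertion_from_allowed_op(params: dict) -> bool:
    """Check the OP named in an OpenID 2.0 positive assertion.

    The assertion's signature still has to be verified separately.
    """
    if params.get("openid.mode") != "id_res":
        return False
    return op_endpoint_allowed(params.get("openid.op_endpoint", ""))
```

The same check belongs at both ends of the flow: on the endpoint discovered from the user's identifier before redirecting, and on the endpoint named in the returned assertion.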
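
Slides 26, 27 and 31 combine two requirements: the backend service asks a PDP whether, for example, a passport service administrator may list pending passport requests, and every decision produces an audit event whose trail preserves integrity. The following added example (not from the deck, and a simplified stand-in rather than XACML or OpenXDAS) shows both; the user names, attribute names, rule format and demo key are constructed.

```python
import hashlib
import hmac
import json

# Constructed stand-ins: PIP attribute store and one rule for the slide-26 policy.
PIP_ROLES = {"nimal": {"passport-admin"}, "kamala": {"citizen"}}
POLICY = [{"role": "passport-admin", "resource": "passport-requests",
           "action": "list-pending", "effect": "Permit"}]


def pdp_decide(user, resource, action):
    """First matching rule wins; unmatched requests are denied.

    (A real XACML PDP returns NotApplicable here and the PEP denies.)
    """
    roles = PIP_ROLES.get(user, set())  # attribute lookup, the PIP's job
    for rule in POLICY:                 # a PRP would fetch these from the store
        if (rule["role"] in roles and rule["resource"] == resource
                and rule["action"] == action):
            return rule["effect"]
    return "Deny"


class AuditTrail:
    """Append-only log; each record's MAC also covers the previous MAC."""

    def __init__(self, key: bytes):
        self._key, self.records = key, []

    def _mac(self, prev, event):
        body = prev + json.dumps(event, sort_keys=True)
        return hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()

    def append(self, event):
        prev = self.records[-1]["mac"] if self.records else ""
        self.records.append({"event": event, "mac": self._mac(prev, event)})

    def verify(self):
        prev = ""
        for rec in self.records:
            expected = self._mac(prev, rec["event"])
            if not hmac.compare_digest(rec["mac"], expected):
                return False  # edited, reordered or removed record
            prev = rec["mac"]
        return True


def authorize(trail, user, resource, action):
    """Enforcement point: ask the PDP, audit the decision, then act on it."""
    decision = pdp_decide(user, resource, action)
    trail.append({"user": user, "resource": resource,
                  "action": action, "decision": decision})
    return decision == "Permit"
```

The chain detects edits, reordering and removal of earlier records, but not truncation of the tail; storing the latest MAC outside the log covers that case.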
