The Lanka Gate Initiative

Published in: Travel


  1. The LANKA GATE Initiative - Security Aspects
  2. Contents
     • Trends in user centric identities
     • Lanka Gate Architecture
     • Sri Lanka Country Portal
     • Identity as a Service
     • Securing Sri Lanka Country Portal
     • Securing Backend Services
     • Other security aspects
     • Thoughts, Suggestions & Discussion
  3. Trends in user centric identities
     • User in the middle of the identity transaction
     • Governed by the Seven Laws of Identity
     • OpenID / Information Cards
  4. Trends in user centric identities - OpenID
     • Decentralized Single Sign On (+)
     • Single profile across different domains (+)
     • Easy profile maintenance (+)
     • Authenticates once at the OpenID Provider (+)
     • Phishing ???
     • Different user experience
     • Requires HTTPS + user education
  5. Trends in user centric identities - Information Cards
     • Phishing resistant authentication (+)
     • Based on WS-* standards (+)
     • Highly cryptographic solution (+)
     • Authenticates only at the Identity Provider (+)
     • Single user profile
     • Different user experience
  6. Trends in user centric identities: it's NOT OpenID vs. Information Cards, but OpenID with Information Cards
  8. Lanka Gate Architecture [architecture diagram; no text recoverable]
  10. Sri Lanka Country Portal
     • Provides access to backend services through portlets [a single eService, several eServices from a specific project, or a transactional / mashup combination of eServices across several projects]
     • Users log in to the country portal and their authorized functionality becomes available.
     • How does authentication take place ???
     • How does authorization take place ???
  12. Identity as a Service
     • Integrates identity services into application development
     • Decouples identity related logic from individual application business logic
     • User and identity related data are externalized from the applications themselves
     • Breaks identity silos
  13. Identity as a Service [diagram: Identity Management Service backed by a User Store]
  15. Securing Sri Lanka Country Portal - Authentication [diagram: Country Portal, Identity Provider (WSO2 Identity Solution), Identity Management Service with IdMRealm, User Store]
  16. Securing Sri Lanka Country Portal - Authentication [diagram: same components; Identity Provider to Identity Management Service over WS-Security, HTTPS on the links between the other components; white/black listing of OPs]
  17. Securing Sri Lanka Country Portal - Authentication [diagram: Identity Provider (WSO2 Identity Solution) accepting Username/password, Self-issued InfoCard, or Client certificate]
  18. Securing Sri Lanka Country Portal - Authorization [diagram: Country Portal hosting a Driving License Management Portlet, a Passport Management Portlet and an EPF/ETF Management Portlet]
  19. Securing Sri Lanka Country Portal - Authorization [diagram: functions shown to one user: Driving License: Request Driving License, Track Status; Passport: Request Passport, Track Status; EPF/ETF: View EPF/ETF, Claim EPF/ETF]
  20. Securing Sri Lanka Country Portal - Authorization [diagram: functions shown to another user: Driving License: Request Driving License, Track Status; Passport: Issue Passport, Reject Passport Requests, List Pending Requests; EPF/ETF: View EPF/ETF, Claim EPF/ETF]
  21. Securing Sri Lanka Country Portal - Authorization [diagram: functions shown to another user: Driving License: Issue Driving License, List Pending Requests; Passport: Request Passport, Track Status; EPF/ETF: View EPF/ETF, Claim EPF/ETF]
  22. Securing Sri Lanka Country Portal - Authorization [diagram: functions shown to another user: Driving License: Request Driving License, Track Status; Passport: Request Passport, Track Status; EPF/ETF: List Pending Claims]
  23. Securing Sri Lanka Country Portal - Authorization
     • Authorization logic should be handled by the corresponding service(s) behind the portlet [or maybe by the LIX]
     [diagram: Driving License Management Service, Passport Management Service and EPF/ETF Management Service, each invoked as getPortlet(user)]
  24. Securing Sri Lanka Country Portal - Summary
     • The user store will be managed centrally through the Identity Management Service
     • The Country Portal will use OpenIDs for authentication with a white-listed OpenID Provider
     • Once a user is authenticated, their authorized functionality will be decided by evaluating authorization logic at the corresponding backend service.
  25. Securing Sri Lanka Country Portal - Handling Authorization
     • Each backend service needs to evaluate user rights.
     • Application specific authorization handling / standard based authorization handling.
     • Standard based authorization with XACML
  26. Securing Sri Lanka Country Portal - Authorization with XACML
     • Defining policies
     • "Passport service administrators can list all the pending passport requests"
     [diagram: Policy Administration Point / PAP (WSO2 Identity Solution) defines policies into the Policy Store (WSO2 Registry)]
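The summary above says the Country Portal accepts OpenIDs only from a white-listed OpenID Provider, and slide 4 notes that OpenID requires HTTPS. The following is an added example, not code from the slides or from WSO2, of the check a relying party runs on the OP endpoint that discovery returned for a claimed identifier before redirecting the user there. The allow-listed host name is a constructed placeholder, not Lanka Gate's real provider.

```python
"""Added example, not code from the slides or from WSO2: the allow-list check
a relying party runs on a discovered OpenID Provider endpoint.

The allow-listed host is a constructed placeholder.
"""
from urllib.parse import urlsplit

# Constructed allow-list: exact host names of the OPs the portal trusts.
ALLOWED_OP_HOSTS = frozenset({"openid.example-gov.lk"})


def op_endpoint_allowed(op_endpoint: str, allowed_hosts=ALLOWED_OP_HOSTS) -> bool:
    """True only if the endpoint is HTTPS on the default port, carries no
    userinfo, and its host is exactly one of the allowed hosts."""
    try:
        parts = urlsplit(op_endpoint)
        port = parts.port          # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https":    # no plain-HTTP OpenID exchanges
        return False
    if parts.username is not None or parts.password is not None:
        return False               # reject 'https://trusted-host@other-host/' forms
    if port not in (None, 443):
        return False
    host = (parts.hostname or "").rstrip(".")   # .hostname is already lowercased
    # Exact comparison on purpose: a suffix or substring check would accept
    # look-alike hosts such as 'openid.example-gov.lk.attacker.example'.
    return host in allowed_hosts


def filter_endpoints(candidates):
    """Split discovered endpoints into accepted and rejected lists, e.g. so
    the portal can log which providers it refused."""
    accepted, rejected = [], []
    for url in candidates:
        (accepted if op_endpoint_allowed(url) else rejected).append(url)
    return accepted, rejected


if __name__ == "__main__":
    print(filter_endpoints(["https://openid.example-gov.lk/server",
                            "http://openid.example-gov.lk/server",
                            "https://openid.example-gov.lk.attacker.example/"]))
```

The check is deliberately strict: scheme, port, userinfo and host are each tested, and the host is compared for equality rather than by suffix, because a black list of bad providers cannot keep up with new look-alike names while an exact white list needs no updating to reject them.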
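Slides 23 to 27 say the backend service, not the portlet, evaluates the user's rights, with XACML as the standard way to express them and the Identity Management Service acting as the Policy Information Point that supplies the user's attributes. The block below is an added example, not code from the slides or from WSO2: it writes the slide-26 policy ("Passport service administrators can list all the pending passport requests") in reduced XACML 2.0 and evaluates requests against it the way a service behind a portlet would. User names, role values and the resource/action ids are constructed placeholders; only the string-equal match function and the first-applicable combining algorithm are implemented, which is all this policy needs.

```python
"""Added example, not code from the slides or from WSO2: a minimal XACML 2.0
policy decision point for the slide-26 policy. Names and ids are constructed."""
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
FIRST_APPLICABLE = "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
ROLE_ATTR = "urn:oasis:names:tc:xacml:2.0:subject:role"           # XACML RBAC profile
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"

# Constructed policy: a Permit rule for the slide's sentence, then a catch-all
# Deny; first-applicable returns the effect of the first rule whose Target matches.
PASSPORT_POLICY = f"""<Policy xmlns="{NS}" PolicyId="passport-requests"
        RuleCombiningAlgId="{FIRST_APPLICABLE}">
  <Target/>
  <Rule RuleId="admins-list-pending" Effect="Permit">
    <Target>
      <Subjects><Subject><SubjectMatch MatchId="{STRING_EQUAL}">
        <AttributeValue DataType="{XS_STRING}">passport-admin</AttributeValue>
        <SubjectAttributeDesignator AttributeId="{ROLE_ATTR}" DataType="{XS_STRING}"/>
      </SubjectMatch></Subject></Subjects>
      <Resources><Resource><ResourceMatch MatchId="{STRING_EQUAL}">
        <AttributeValue DataType="{XS_STRING}">passport-requests</AttributeValue>
        <ResourceAttributeDesignator AttributeId="{RESOURCE_ID}" DataType="{XS_STRING}"/>
      </ResourceMatch></Resource></Resources>
      <Actions><Action><ActionMatch MatchId="{STRING_EQUAL}">
        <AttributeValue DataType="{XS_STRING}">list-pending</AttributeValue>
        <ActionAttributeDesignator AttributeId="{ACTION_ID}" DataType="{XS_STRING}"/>
      </ActionMatch></Action></Actions>
    </Target>
  </Rule>
  <Rule RuleId="default-deny" Effect="Deny"/>
</Policy>"""

# Constructed stand-in for the PIP: the roles the user store holds per user.
USER_ROLES = {"nimal": {"passport-admin"}, "kamala": {"citizen"}}


def pip_lookup(user: str, attribute_id: str) -> set:
    """Fetch one subject attribute for a user (the Policy Information Point's job)."""
    return USER_ROLES.get(user, set()) if attribute_id == ROLE_ATTR else set()


def _ns(tag: str) -> str:
    return f"{{{NS}}}{tag}"


# (plural element, alternative element, match element, request category)
CATEGORIES = (("Subjects", "Subject", "SubjectMatch", "subject"),
              ("Resources", "Resource", "ResourceMatch", "resource"),
              ("Actions", "Action", "ActionMatch", "action"))


def _match_holds(match, attrs: dict) -> bool:
    """One *Match element: the literal must equal some value of the designated attribute."""
    if match.get("MatchId") != STRING_EQUAL:
        raise NotImplementedError(match.get("MatchId"))
    literal = match.find(_ns("AttributeValue")).text
    designator = next(c for c in match if c.tag.endswith("AttributeDesignator"))
    return literal in attrs.get(designator.get("AttributeId"), set())


def _target_matches(target, request: dict) -> bool:
    """An absent or empty Target matches everything; otherwise each category
    present needs one alternative whose Match elements all hold."""
    if target is None:
        return True
    for plural, singular, match_tag, cat in CATEGORIES:
        group = target.find(_ns(plural))
        if group is None:
            continue
        if not any(all(_match_holds(m, request[cat]) for m in alt.findall(_ns(match_tag)))
                   for alt in group.findall(_ns(singular))):
            return False
    return True


def evaluate(policy_xml: str, request: dict) -> str:
    """PDP: first-applicable rule combining over the parsed policy."""
    policy = ET.fromstring(policy_xml)
    if policy.get("RuleCombiningAlgId") != FIRST_APPLICABLE:
        raise NotImplementedError(policy.get("RuleCombiningAlgId"))
    if not _target_matches(policy.find(_ns("Target")), request):
        return "NotApplicable"
    for rule in policy.findall(_ns("Rule")):
        if _target_matches(rule.find(_ns("Target")), request):
            return rule.get("Effect")
    return "NotApplicable"


def authorize(user: str, resource: str, action: str) -> str:
    """What the backend service does per call: build the request, pull the
    caller's role from the PIP, and ask the PDP for a decision."""
    request = {"subject": {ROLE_ATTR: pip_lookup(user, ROLE_ATTR)},
               "resource": {RESOURCE_ID: {resource}},
               "action": {ACTION_ID: {action}}}
    return evaluate(PASSPORT_POLICY, request)


if __name__ == "__main__":
    for who, act in (("nimal", "list-pending"), ("kamala", "list-pending"), ("nimal", "issue")):
        print(who, act, "->", authorize(who, "passport-requests", act))
```

Note where the role comes from: the service never trusts a role claimed in the portlet request, it asks the PIP (here a dictionary standing in for the Identity Management Service), which is what makes the decision at the service meaningful even if the portal layer is compromised. An unknown user or an action the policy does not name falls through to the default Deny rule rather than to NotApplicable.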
  27. Securing Sri Lanka Country Portal - Authorization with XACML
     • Evaluating policies
     [diagram: a Request reaches the Policy Decision Point / PDP (WSO2 Identity Solution); the PDP consults the Policy Information Point / PIP (WSO2 Identity Solution), which talks to the Identity Management Service over WS-Security, and the Policy Retrieval Point / PRP (WSO2 Identity Solution), which reads the Policy Store (WSO2 Registry)]
  29. Securing Backend Services [diagram: Lanka Interoperability Exchange calling the EPF/ETF Management Service, Passport Management Service and Driving License Management Service, each link protected with WS-Security]
  31. Other security aspects
     • Auditing
       – Every authentication and authorization decision has to generate an audit event – Identity Management Service / PDP
       – Secure logging – audit trails should preserve integrity
       – XDAS - OpenXDAS
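The slide asks for two things: an audit event for every authentication and authorization decision, and audit trails whose integrity is preserved. The following is an added example, not code from the slides or from OpenXDAS, of one way to meet the second requirement: entries are chained, each carrying an HMAC-SHA256 tag over its own event and the previous entry's tag, so editing, deleting or reordering an entry is detected on verification. The key, user names and event fields are constructed.

```python
"""Added example, not code from the slides or from OpenXDAS: a tamper-evident
audit trail for authentication and authorization decisions.
The key, user names and event fields are constructed."""
import copy
import hashlib
import hmac
import json
from typing import Optional

GENESIS = "0" * 64   # "previous tag" of the first entry


def _canonical(event: dict, prev_tag: str) -> bytes:
    # Deterministic serialisation so writer and verifier hash identical bytes.
    return json.dumps({"prev": prev_tag, "event": event},
                      sort_keys=True, separators=(",", ":")).encode()


class AuditTrail:
    """Append-only chain of audit entries authenticated with a MAC key."""

    def __init__(self, key: bytes):
        self._key = key
        self.entries: list = []

    def record(self, **event) -> dict:
        prev = self.entries[-1]["tag"] if self.entries else GENESIS
        tag = hmac.new(self._key, _canonical(event, prev), hashlib.sha256).hexdigest()
        entry = {"event": event, "prev": prev, "tag": tag}
        self.entries.append(entry)
        return entry


def verify_trail(entries: list, key: bytes) -> Optional[int]:
    """Return None when the chain is intact, else the index of the first
    entry whose tag or back-link does not verify."""
    prev = GENESIS
    for i, e in enumerate(entries):
        expected = hmac.new(key, _canonical(e["event"], prev), hashlib.sha256).hexdigest()
        if e["prev"] != prev or not hmac.compare_digest(expected, e["tag"]):
            return i
        prev = e["tag"]
    return None


def sample_trail(key: bytes) -> list:
    """Constructed events of the kinds the slide names: one authentication at
    the Identity Management Service and two PDP decisions."""
    trail = AuditTrail(key)
    trail.record(kind="authentication", user="nimal", method="openid",
                 outcome="success", seq=1)
    trail.record(kind="authorization", user="nimal", resource="passport-requests",
                 action="list-pending", decision="Permit", seq=2)
    trail.record(kind="authorization", user="kamala", resource="passport-requests",
                 action="list-pending", decision="Deny", seq=3)
    return trail.entries


def tampered_decision(entries: list) -> list:
    """Copy of the trail with the Deny on the last entry rewritten to Permit."""
    forged = copy.deepcopy(entries)
    forged[-1]["event"]["decision"] = "Permit"
    return forged


def with_entry_dropped(entries: list, index: int) -> list:
    """Copy of the trail with one entry silently removed."""
    return [e for i, e in enumerate(entries) if i != index]


if __name__ == "__main__":
    key = b"constructed-audit-key"
    good = sample_trail(key)
    print("intact:", verify_trail(good, key))
    print("edited decision:", verify_trail(tampered_decision(good), key))
    print("dropped entry:", verify_trail(with_entry_dropped(good, 1), key))
```

The MAC key has to live somewhere the services being audited cannot read it (a log collector or signing service), otherwise whoever compromises the Identity Management Service or PDP can rewrite the chain as easily as the log; and the verifier must also know how many entries to expect, since truncating the trail at the end leaves a chain that still verifies.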
  33. Thoughts, Suggestions & Discussion - Thank You!
