The document summarizes an IT architect conference presentation on architecting enterprise security for service-oriented architectures (SOA). The presentation discusses key enterprise security concerns like governance, infrastructure, applications and how SOA brings changes that impact security. It provides examples of security architecture policies and how to implement aspects of security like threat protection, transport layer security, service virtualization, externalizing and centralizing security management, authenticating and authorizing all messages.
Towards Securing Computer Network Environment By Using Kerberos-based Network... by FATIN FAZAIN MOHD AFFANDI
This document discusses securing computer networks by implementing a Kerberos-based authentication protocol. It begins with an introduction that outlines the need for secure authentication when transmitting passwords over insecure networks. The document then reviews related work on authentication protocols like PAP, CHAP, and Kerberos. The proposed methodology will analyze Kerberos architecture and involve setting up Kerberos servers to validate user and server authentication. The expected results are that implementing Kerberos will securely authenticate users and prevent unauthorized access to protected resources.
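The contrast the paper draws between password-transmitting protocols (PAP) and challenge-response ones (CHAP) is easiest to see on the wire. The following is an added example, not code from the paper: it models an untrusted channel as an in-memory list that a passive attacker can read, runs a PAP exchange and a CHAP exchange (RFC 1994 response = MD5(Identifier || secret || Challenge)) over it, and checks whether the secret was exposed and whether a captured response can be replayed. The shared secret, the `Wiretap`, `pap_exchange`, `chap_exchange` and `replay_captured_response` names are this example's own constructions. Caveat that the paper's move to Kerberos addresses: even with CHAP, a captured challenge/response pair allows an offline guessing attack against a weak secret, since MD5 is fast.

```python
"""PAP vs CHAP over an untrusted channel (added example, not the paper's code)."""
import hashlib
import hmac
import os

SECRET = b"correct horse battery staple"   # constructed shared secret


class Wiretap:
    """Constructed passive attacker: records every message sent on the channel."""

    def __init__(self):
        self.captured = []

    def send(self, msg: bytes) -> bytes:
        self.captured.append(msg)
        return msg


def pap_exchange(wire: Wiretap, peer_secret: bytes) -> bool:
    """PAP (RFC 1334): the peer transmits the password; the server compares it."""
    on_wire = wire.send(b"PAP-AUTH-REQ:" + peer_secret)
    # First ':' is the one in the prefix, so the secret is recovered intact.
    return on_wire.split(b":", 1)[1] == SECRET


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP (RFC 1994): Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_exchange(wire: Wiretap, peer_secret: bytes) -> bool:
    """CHAP: the server challenges, the peer proves knowledge of the secret."""
    identifier = 0x01
    challenge = os.urandom(16)                       # fresh per authentication
    wire.send(b"CHAP-CHALLENGE:" + bytes([identifier]) + challenge)
    on_wire = wire.send(b"CHAP-RESPONSE:" + chap_response(identifier, peer_secret, challenge))
    expected = chap_response(identifier, SECRET, challenge)
    # Constant-time compare on the server side.
    return hmac.compare_digest(on_wire.split(b":", 1)[1], expected)


def replay_captured_response(captured_response: bytes) -> bool:
    """Attacker replays an old CHAP response against a fresh server challenge."""
    identifier = 0x02
    fresh_challenge = os.urandom(16)
    expected = chap_response(identifier, SECRET, fresh_challenge)
    return hmac.compare_digest(captured_response, expected)


def secret_leaked(wire: Wiretap, secret: bytes) -> bool:
    """Did any captured packet carry the secret in the clear?"""
    return any(secret in pkt for pkt in wire.captured)


if __name__ == "__main__":
    pap_wire, chap_wire = Wiretap(), Wiretap()
    print("PAP ok:", pap_exchange(pap_wire, SECRET), "leaked:", secret_leaked(pap_wire, SECRET))
    print("CHAP ok:", chap_exchange(chap_wire, SECRET), "leaked:", secret_leaked(chap_wire, SECRET))
    last_response = chap_wire.captured[-1].split(b":", 1)[1]
    print("replay accepted:", replay_captured_response(last_response))
```

Both exchanges succeed for the legitimate peer, but only the PAP wiretap contains the secret, and the captured CHAP response is useless against a new challenge because the random challenge is folded into the hash.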
Juniper SSL VPN provides secure remote access to network resources through a web interface without requiring client installation. It uses granular authentication, authorization and auditing to control access for realms, users, roles and specific resources. SSL VPN encrypts connections at the application layer for individual remote access, while IPsec operates at the network layer for site-to-site encryption over insecure networks in either transport or tunnel mode. Because the SSL VPN negotiates a single encrypted session per user, that one session gives access to multiple resources without establishing separate connections to each.
This document discusses various aspects of web security including:
1. Secure Sockets Layer (SSL) and Transport Layer Security (TLS), which provide secure communication over the Internet.
2. Secure Electronic Transaction (SET), an open encryption and security specification designed to protect credit card transactions on the Internet.
3. Web security considerations, including the vulnerabilities of web servers and the resulting need for protection at the transport layer (SSL/TLS) and at the application layer (SET).
Many companies today are forced to look for a replacement for Microsoft Forefront Threat Management Gateway, whose development has been discontinued. An excellent alternative is F5 Secure Web Gateway Services, which provides control over, and secure use of, Internet access.
Legacy security systems are failing because attacks have moved "up the stack" to target applications rather than just networks. While 90% of security investment focuses on network threats, 75% of attacks now target applications. The top 10 web application vulnerabilities remain unaddressed, leaving many sites open to injection attacks, XSS, authentication issues, and more. To better protect applications, a next-generation security platform needs to be scalable, adaptable to change, understand context, involve the security community, and take a unified approach.
This document discusses virtualization, cloud computing, and SDN technologies. It covers some of the key challenges in application provisioning across network layers that can lead to long deployment times. The document presents solutions from F5 that aim to simplify and accelerate application deployments through a high-performance services fabric and integration with technologies like Cisco ACI and VMware NSX to enable automated, policy-based provisioning of load balancing and other application services.
TechEd Africa 2011 - OFC308: SharePoint Security in an Insecure World: Unders... by Michael Noel
One of the biggest advantages of using SharePoint as a document management and collaboration environment is that a robust security and permissions structure is built into the application itself. Authenticating and authorizing users is a fairly straightforward task, and administration of security permissions is simplified. Too often, however, security for SharePoint stops there: organizations don't pay enough attention to the other considerations that make up the SharePoint security stack, and more often than not don't build them into a deployment. These include Edge, Transport, Infrastructure, Data, and Rights Management security, all areas that are often neglected but are nonetheless extremely important. This session discusses the entire security stack within SharePoint, from best practices for managing permissions and ACLs in line with Role Based Access Control, to techniques for securing inbound access to externally facing SharePoint sites. The session is designed to be comprehensive, covering all major security topics in SharePoint together with a discussion of real-world designs built to be secure.
• Understand how to use native technologies to secure all layers of a SharePoint environment, including Data, Transport, Infrastructure, Edge, and Rights Management.
• Examine tools and technologies that can help secure SharePoint, including AD Rights Management Services, Forefront Unified Access Gateway, SQL Transparent Data Encryption, and more.
• Understand a Role-Based Access Control (RBAC) permissions model and how it can be used to gain better control over authorization and access to SharePoint files and data.
With the end of development of Microsoft Forefront Threat Management Gateway (TMG), many organizations that were using or planning to use TMG have faced a dilemma: how, and more importantly with what, will administrators protect their Internet-facing Microsoft applications such as Exchange, SharePoint and Lync?
F5 Networks offers an answer to these questions. The details are described in this presentation.
F5 has added new solutions that combine its BIG-IP Application Security Manager with Oracle Database Firewall to provide stronger protection against SQL injection attacks. The integrated solution monitors and blocks traffic at the web and database layers, tracking application sessions from client to database. When the Application Security Manager detects an anomaly, the event is logged by both the Application Security Manager and Oracle Database Firewall, giving complete visibility of an attack from its source to the SQL transaction. Administrators therefore get consistent, correlated application monitoring data: attacks are blocked at the web tier, and any that go undetected there and reach the database are blocked by the Database Firewall.
Cisco TrustSec & Security Group Tagging by Cisco Canada
This presentation covers the protocols and functions that create a trusted network. We will discuss best practices for deploying this tagging capability on campus switches, including techniques for migrating from non-SGT-capable devices to a fully SGT-capable network deployment. For more information please visit our website here: http://www.cisco.com/web/CA/index.html
F5 Offers Advanced Web Security With BIG-IP v10.1 by DSorensenCPR
With the new v10.1 release of BIG-IP, F5 tackles existing and emerging web security threats, while optimizing web applications to enhance end-user experience. The new release enhances an IT staff’s operational efficiency, reduces security risks and associated litigation costs, while streamlining application delivery.
HK VForum F5 apps centric security nov 4, 2016 - final by Juni Yan
This document discusses the need for a new, application-centric approach to cybersecurity. It notes that traditional network perimeter-based security is inadequate and that most security breaches now involve user identities and applications. It promotes governing application access and protecting applications to secure data across cloud, on-premises and future applications. The document advocates for a flexible security architecture using F5 technologies to assess risks, control access, and protect applications based on defined conditions.
The VIPRION® 2400 is a midrange chassis-based hardware platform. Adding to the successful F5® VIPRION product line, the new Application Delivery Controller (ADC) provides significant price/performance advantages for enterprises. In addition, F5's Virtual Clustered Multiprocessing (vCMP™) technology combines virtualization and multi-tenancy capabilities to help customers consolidate and efficiently manage application delivery services. Building on F5’s previously announced Clustered Multiprocessing (CMP™) technology, vCMP enables multiple instances of BIG-IP® software to run on one device.
Multipathed, Multiplexed, Multilateral Transport Protocols - Decoupling trans... by APNIC
Multipathed, Multiplexed, Multilateral Transport Protocols - Decoupling transport protocols from what's below, by Catherine Pearce.
A presentation given at APRICOT 2016’s APOPS Plenary 1 session on 22 February 2016.
This document summarizes the transport layer and its key protocols TCP and UDP. It describes the transport layer's role in establishing communication sessions and delivering data between applications. TCP provides reliable, ordered delivery using acknowledgments, while UDP is unreliable but lower overhead. The document explains how ports distinguish communications and lists applications commonly using each protocol.
How to deliver industry standard browser security to the native Domino HTTP stack, using company-wide wildcard certificates deployed across all platforms.
The F5 DDoS Protection Reference Architecture (Technical White Paper) by F5 Networks
This white paper proposes a multi-tier architecture for protecting against distributed denial of service (DDoS) attacks. It recommends using a cloud-based DDoS protection service to mitigate volumetric attacks, while using on-premises network and application defense tiers to handle asymmetric and computational attacks. The network defense tier uses firewalls and load balancers to protect network layers, while the application defense tier uses web application firewalls and ADCs to inspect application traffic in depth. This hybrid cloud/on-premises architecture is designed to defend against all categories of DDoS attacks.
This document summarizes the transport layer and the key protocols TCP and UDP. It explains that the transport layer establishes communication sessions between applications, segments data for transmission, and ensures proper delivery. TCP provides reliable, ordered delivery using acknowledgements, while UDP is simpler but unreliable. Popular applications of each are discussed, showing how TCP and UDP address different network requirements.
Transport Layer Security (TLS) is a protocol that provides privacy and data integrity between communicating applications and their users on the Internet. When a server and client communicate, TLS ensures that no third party can eavesdrop on or tamper with any message. TLS is the successor to the Secure Sockets Layer (SSL).
This presentation is based on the book "Building the Mobile Internet", the central theme being that the lack of a true session layer in the TCP/IP stack causes problems with mobility. The presentation addresses different ways of dealing with that problem on the various layers of the TCP/IP stack.
The document provides a syllabus and study guide for the Performance Management (F5) exam. It outlines the main capabilities assessed, including specialised costing techniques, decision-making techniques, budgeting, standard costing, and performance management systems. The syllabus is assessed through a three-hour exam containing five compulsory questions testing these capabilities. It aims to examine candidates' understanding of managing business performance through quantitative and qualitative information.
Finding a cost-effective solution that allows you to rapidly deliver cloud-based applications securely can be challenging. F5 on AWS offers a variety of solutions and licensing options, so organizations can choose the best fit for their business needs. Join our webinar to learn best practices for controlling access for your cloud-based applications.
Watch the F5 and AWS webinar to learn how to strengthen your security using strong access control and application-layer firewall services.
The document discusses cyber defense for service-oriented architecture (SOA) and representational state transfer (REST) using the Oracle Service Bus Appliance (OSBA). It provides an overview of OSBA, including its easy deployment and configuration, DMZ-class security features, and performance benefits. Examples of OSBA use cases for security, performance, customization, and monitoring of SOA and REST applications are also presented.
The document discusses the challenges of migrating systems to service-oriented architectures and cloud infrastructure. It describes how the Forum Sentry product can help with these challenges by automatically converting data between different protocols and standards without requiring code to be written. It also discusses how Forum Sentry provides security capabilities such as acting as a firewall, integrating with identity management systems, and converting between JSON/REST and other protocols to help development teams.
Services Oriented Infrastructure in a Web2.0 World by Lexumo
Tom Maguire discusses applying SOA, Web 2.0 technologies and open standards to the problems faced by IT in an ever-changing world.
This session was recorded at EMC World 2007 in Orlando, Florida.
Azure 101: Shared responsibility in the Azure Cloud by Paulo Renato
Whether you’re working exclusively on Azure or with multiple cloud environments, there are certain things you should consider when moving assets to the public cloud. As with any cloud deployment, security is a top priority, and moving your workloads to the Azure cloud doesn’t mean you’re not responsible for the security of your operating system, applications, and data.
Building on the security of the Azure infrastructure, this shared security responsibility starts with making sure your environment is secure. In this session, we will discuss step-by-step what you need to do to secure access at the administrative, application and network layers.
OWASP Mobile Risk Series : M3 : Insufficient Transport Layer Protection by Anant Shrivastava
This session focuses on OWASP Mobile Top 10 2014 M3: Insufficient Transport Layer Protection. It covers the transport layer, Transport Layer Security (TLS), insecurities in TLS/SSL, how these affect the overall security of mobile devices, what kind of protection can be applied, and how weaknesses can be identified.
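"Insufficient transport layer protection" in a client is usually not a protocol flaw but a configuration one: certificate verification switched off, hostname checking disabled, or legacy protocol versions still allowed. The following is an added example, not code from this session or from the TLS summary earlier on the page: it builds that weak client configuration beside a hardened one using only Python's standard-library `ssl` module, and an `audit_context` function (this example's own name and finding strings) that reports which protections are missing. Certificate-level checks such as key size or signature algorithm need an actual certificate and are not covered here.

```python
"""Weak vs hardened TLS client configuration, with an audit function
(added example; `audit_context` and its messages are constructed for illustration)."""
import ssl


def weak_context() -> ssl.SSLContext:
    """The anti-pattern many apps ship with after 'it works in the lab' debugging."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                  # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE             # any certificate accepted: trivial MITM
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED   # no protocol floor
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Chain verified against the trust store, name checked, TLS 1.2 or newer."""
    ctx = ssl.create_default_context()          # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the list of transport-layer protections the context lacks."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate verification disabled")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions below TLS 1.2 allowed")
    return findings


if __name__ == "__main__":
    for name, ctx in (("weak", weak_context()), ("hardened", hardened_context())):
        print(name, "->", audit_context(ctx) or ["no findings"])
```

The same three checks are what a code review or a dynamic test against a mobile build should look for first; a client that passes them still needs the server to offer a properly issued certificate, which is where the certificate-level items (key length, signature algorithm, revocation) come in.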
The document discusses security issues related to web services and cloud applications. It covers various attacks like SQL injection over APIs, XSS, authorization bypass, information leaks through JSON fuzzing, CSRF, and virtual sandbox bypasses on mobile interfaces. It also discusses vulnerabilities like side-channel attacks that could allow extracting information from targeted VMs in the cloud. The document emphasizes that web services security is very relevant for cloud applications given technologies like APIs, OAuth, SAML, and SOAP used commonly in both domains.
This document discusses IBM DataPower and how it can be used to securely expose APIs and services. It provides an overview of DataPower's key capabilities including security, protocol support, and an application development model. Specific services that DataPower provides are discussed such as the web service proxy, XML firewall, and web application firewall. The document also covers how DataPower can implement various security features and policies to control access and traffic. Finally, it presents some high-level questions to consider when shaping an API strategy.
Mobile application security and threat modeling by Shantanu Mitra
From the telegraph to 5G there has been a huge evolution and transformation in network accessibility, application design, security threats and risk assessment, and the change is reflected everywhere. The presentation describes how well we can follow best practices in our development, and how we can best gain the trust of our clients.
The document provides information on connectors supported by HPE ArcSight for integrating security events from various sources. It lists over 150 specific product connectors spanning network devices, firewalls, antivirus software, databases, applications, cloud services and more. It also outlines the supported operating system platforms for installing ArcSight connectors.
Please join the CASC for a Hangout covering that State of the Web. Topics covered :
The move to 2048-bit certificates
The move to ShA2
TLS 1.2
EV certificates
Revocation checking
Always on SSL
PFS
New gTLDs
Members from Comodo, DigiCert, Entrust, and GoDaddy.
Robin Alden- Comodo
Jeremy Rowley- DigiCert
Bruce Morton- Entrust
Wayne Thayer- Go Daddy
Rick Andrews- Symantec
Introduction to the design principles behind SSL. This was a relatively basic talk since the audience was a networking class with no previous security experience. Talk given to Cal Poly networking class on November 29, 2007.
This document discusses Docker container security. It begins by outlining common container threats like ransomware, DDoS attacks, and privilege escalations. It then describes the need for continuous container security across the development, deployment and runtime phases. This includes techniques like image signing, user access controls, code analysis, image scanning, and host/kernel hardening. The document also discusses inspecting and protecting container network traffic and hosts from attacks. It emphasizes the challenges of monitoring large, complex deployments and automating security at scale across orchestration platforms and network overlays. Several demos are proposed to showcase micro-segmentation of applications and runtime vulnerability scanning using NeuVector.
The document discusses securing data centers from cyber threats. It describes how attacks have evolved from manual to mechanized to sophisticated human-led attacks. It advocates employing segmentation, threat defense and visibility measures like firewalls, IDS/IPS, and NetFlow. The Cisco Cyber Threat Defense solution places these tools at the access, aggregation and core layers, including the ASA firewall, Nexus switches, and StealthWatch for network monitoring and analytics. This provides visibility into network traffic across physical and virtual infrastructure to detect threats and policy violations.
The document discusses Cyberoam next-generation firewalls (NGFW) that offer controls over network layers 2-8 to help enterprises regain security controls lost due to trends like increased mobility, virtualization, and more network users and devices. Cyberoam NGFWs provide features like application inspection and control, website filtering, VPN, bandwidth management, and high performance. They also offer reporting, logging, monitoring, user authentication, and other administrative functions to provide secure and productive connectivity for enterprise networks.
Cyberoam Next-Generation Firewalls (NGFWs) offer complete network security controls through Layer 8 identity-based technology. Their NGFWs regain security controls lost due to trends like increased mobility, virtualization, and more network users and devices. Features include application inspection and control, VPN, bandwidth management, web filtering, intrusion prevention, and antivirus. Cyberoam appliances provide high performance, security, connectivity and productivity with an extensible security architecture for future-ready enterprise security.
The document discusses Cyberoam next-generation firewalls (NGFW) that offer controls over network layers 2-8 to help enterprises regain security controls lost due to trends like increased mobility, virtualization, and more network users and devices. Cyberoam NGFWs provide features like application inspection and control, website filtering, VPN, bandwidth management, and high performance. They also offer reporting, logging, monitoring, user authentication, and other administrative functions to provide secure and productive connectivity for enterprise networks.
Cyberoam Next-Generation Firewalls (NGFWs) offer complete network security controls through Layer 8 identity-based technology. Their NGFWs provide inline application inspection, website filtering, VPN, bandwidth controls, and other features. Cyberoam appliances deliver high performance, security, connectivity, and productivity with an extensible security architecture for future-ready enterprise networks facing challenges from workforce mobilization and growing network usage and devices.
Cyberoam Next-Generation Firewalls (NGFWs) offer complete network security controls through Layer 8 identity-based technology. Their NGFWs provide inline application inspection, website filtering, VPN, bandwidth controls, and other features. Cyberoam appliances deliver high performance, security, connectivity, and productivity with an extensible security architecture for future-ready enterprise networks facing challenges from workforce mobilization and growing network usage and devices.
Similar to 20071015 Architecting Enterprise Security (20)
This document discusses cloud-native applications and serverless computing. It begins with an introduction to cloud-native applications and core technologies like containers, orchestrators, and microservices. Examples are then given of how companies like Fujifilm and ASOS have benefited from serverless architectures on Azure. The document concludes with an overview of Azure serverless services like Functions, Event Grid, Cosmos DB, and Logic Apps and a sample serverless application architecture diagram.
The document discusses the infrastructure and APIs available for Windows Phone development. It outlines the core plumbing, common type system, and standard programming model that make up the infrastructure. It then lists many of the Windows Phone Platform APIs that are available for developers to use, including APIs for tasks, controls, media, and more. It also includes code examples and references to Microsoft documentation and resources for Windows Phone development.
Microsoft provides an AI platform and tools for developers to build, train, and deploy intelligent applications and services. Key elements of Microsoft's AI offerings include:
- A unified AI platform spanning infrastructure, tools, and services to make AI accessible and useful for every developer.
- Powerful tools for AI development including deep learning frameworks, coding and management tools, and AI services for tasks like computer vision, natural language processing, and more.
- Capabilities for training models at scale using GPU accelerated compute on Azure and deploying trained models as web APIs, mobile apps, or other applications.
- A focus on trusted, responsible, and inclusive AI that puts users in control and augments rather than replaces human
Researchers used deep learning techniques like ResNet and data augmentation to improve the accuracy of detecting snow leopards from 63.4% to 90%. They used transfer learning on a ResNet model to extract features from images, then trained a logistic regression classifier on those features to detect snow leopards. They also averaged predictions from multiple images and doubled their training data by flipping images horizontally. This helped improve the model's ability to identify snow leopards in photos.
HMD shipments are forecast to grow rapidly over the next few years, reaching around 76 million units by 2020. Immersive computing technologies like virtual reality, augmented reality and mixed reality are poised for growth as they blend physical and digital worlds and allow for natural language and gesture-based interactions. Developers can create immersive applications for these platforms across entertainment, training, manufacturing and other areas using tools like Unity, Windows Mixed Reality and Azure cognitive services.
This document contains configuration information for endpoints and runtime execution for a process. It specifies starting the process with the startup.cmd file and setting it as ready on process start. It lists several endpoints for HTTP, TCP, and other protocols on various ports for input. It also contains SQL connection strings and registry settings for TCP/IP parameters including keep alive times and data retransmissions.
Azure provides cloud computing services including computing, analytics, networking, storage, and more. It offers virtual machines, databases, websites, and other services that can be accessed from anywhere and scaled up as needed. Azure aims to provide enterprise-grade services that are economical, scalable, and hybrid-ready to work with existing on-premises systems. It has data centers across the world and over 600,000 servers to provide its services globally at scale.
The document discusses microservices and provides information on:
- The benefits of microservices including faster time to market, lower deployment costs, and more revenue opportunities.
- What defines a microservice such as being independently deployable and scalable.
- Differences between monolithic and microservice architectures.
- Moving applications to the cloud and refactoring monolithic applications into microservices.
- Tools for building microservices including Azure Service Fabric and serverless/Functions.
- Best practices for developing, deploying, and managing microservices.
Combining Private and Public Clouds into Meaningful HybridsDavid Chou
The document discusses hybrid cloud scenarios that combine public and private clouds. It defines private and public clouds and their differences. Private clouds provide more control while public clouds provide scale. Hybrid clouds blend both models. The document outlines several hybrid cloud deployment patterns and application patterns, including using public clouds for variable capacity and private clouds for predictable workloads. It emphasizes the need for cloud-optimized application design and integration across cloud services when building hybrid applications.
CloudConnect 2011 - Building Highly Scalable Java Applications on Windows AzureDavid Chou
This document discusses building highly scalable Java applications on Windows Azure. It provides an overview of Windows Azure, including its infrastructure and services. It then covers how to deploy and run Java applications on Azure, including using various Java application servers like Tomcat, Jetty, and GlassFish. It also discusses some considerations for architecting applications to scale on Azure.
The document discusses building highly scalable Java applications on Windows Azure. It provides an overview of Windows Azure, including its compute and storage services. It then covers how to deploy and run Java applications on Azure, including using Tomcat, Jetty, GlassFish, and accessing SQL Azure and storage. It discusses current limitations and how the Eclipse tools will support Java development for Azure. Finally, it covers architectural approaches for scaling applications, comparing vertical to horizontal scaling.
Windows Azure AppFabric is a platform that provides middleware services for developing and managing cloud applications at scale. It includes services for messaging, caching, identity management, and integrating applications. It also allows building and managing composite applications composed of distributed application components hosted on Windows Azure. The AppFabric platform aims to simplify cloud development by providing these services and capabilities through a consistent programming model.
Scale as a competitive advantage allows companies to leverage large amounts of data. As data volumes grow exponentially, companies are utilizing cloud computing and distributed architectures to process petabytes of information daily across thousands of servers. This enables new applications, insights, and business models driven by "big data."
This document provides an overview of architecting cloud applications for scale. It discusses key concepts like horizontal scaling, distributed computing, and common cloud architecture patterns. Specific examples are given of how large companies like Facebook, Twitter, and Flickr architect their systems using horizontal scaling, partitioning, caching, and other techniques to handle massive loads in a scalable way.
This document provides an overview of the Windows Phone 7 platform, including:
- The application frameworks that power Windows Phone apps, such as Silverlight and XNA.
- The app model and hosting environment, including sandboxing and isolation of apps.
- The common hardware capabilities across Windows Phones, including touchscreens, cameras, and sensors.
- The tools and services available to developers, such as the emulator, cloud services, and Xbox Live integration.
- The process for deploying and distributing apps through the Windows Phone Marketplace.
Silverlight is a development platform for creating engaging web and mobile applications using .NET. It allows visually rich experiences through technologies like HD video, 3D graphics, and animation. Silverlight supports a wide range of platforms and browsers and provides tools for building business and consumer applications. Some key capabilities include media playback, rich graphics, data binding, and cross-platform deployment. Major companies like Netflix, the NFL, and NBC have used Silverlight to deliver interactive video experiences with features like HD streaming, DVR controls, and multiple simultaneous camera views.
Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...Tatiana Kojar
Skybuffer AI, built on the robust SAP Business Technology Platform (SAP BTP), is the latest and most advanced version of our AI development, reaffirming our commitment to delivering top-tier AI solutions. Skybuffer AI harnesses all the innovative capabilities of the SAP BTP in the AI domain, from Conversational AI to cutting-edge Generative AI and Retrieval-Augmented Generation (RAG). It also helps SAP customers safeguard their investments into SAP Conversational AI and ensure a seamless, one-click transition to SAP Business AI.
With Skybuffer AI, various AI models can be integrated into a single communication channel such as Microsoft Teams. This integration empowers business users with insights drawn from SAP backend systems, enterprise documents, and the expansive knowledge of Generative AI. And the best part of it is that it is all managed through our intuitive no-code Action Server interface, requiring no extensive coding knowledge and making the advanced AI accessible to more users.
Letter and Document Automation for Bonterra Impact Management (fka Social Sol...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on automated letter generation for Bonterra Impact Management using Google Workspace or Microsoft 365.
Interested in deploying letter generation automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
HCL Notes and Domino License Cost Reduction in the World of DLAUpanagenda
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-and-domino-license-cost-reduction-in-the-world-of-dlau/
The introduction of DLAU and the CCB & CCX licensing model caused quite a stir in the HCL community. As a Notes and Domino customer, you may have faced challenges with unexpected user counts and license costs. You probably have questions on how this new licensing approach works and how to benefit from it. Most importantly, you likely have budget constraints and want to save money where possible. Don’t worry, we can help with all of this!
We’ll show you how to fix common misconfigurations that cause higher-than-expected user counts, and how to identify accounts which you can deactivate to save money. There are also frequent patterns that can cause unnecessary cost, like using a person document instead of a mail-in for shared mailboxes. We’ll provide examples and solutions for those as well. And naturally we’ll explain the new licensing model.
Join HCL Ambassador Marc Thomas in this webinar with a special guest appearance from Franz Walder. It will give you the tools and know-how to stay on top of what is going on with Domino licensing. You will be able lower your cost through an optimized configuration and keep it low going forward.
These topics will be covered
- Reducing license cost by finding and fixing misconfigurations and superfluous accounts
- How do CCB and CCX licenses really work?
- Understanding the DLAU tool and how to best utilize it
- Tips for common problem areas, like team mailboxes, functional/test users, etc
- Practical examples and best practices to implement right away
Skybuffer SAM4U tool for SAP license adoptionTatiana Kojar
Manage and optimize your license adoption and consumption with SAM4U, an SAP free customer software asset management tool.
SAM4U, an SAP complimentary software asset management tool for customers, delivers a detailed and well-structured overview of license inventory and usage with a user-friendly interface. We offer a hosted, cost-effective, and performance-optimized SAM4U setup in the Skybuffer Cloud environment. You retain ownership of the system and data, while we manage the ABAP 7.58 infrastructure, ensuring fixed Total Cost of Ownership (TCO) and exceptional services through the SAP Fiori interface.
Generating privacy-protected synthetic data using Secludy and MilvusZilliz
During this demo, the founders of Secludy will demonstrate how their system utilizes Milvus to store and manipulate embeddings for generating privacy-protected synthetic data. Their approach not only maintains the confidentiality of the original data but also enhances the utility and scalability of LLMs under privacy constraints. Attendees, including machine learning engineers, data scientists, and data managers, will witness first-hand how Secludy's integration with Milvus empowers organizations to harness the power of LLMs securely and efficiently.
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on integration of Salesforce with Bonterra Impact Management.
Interested in deploying an integration with Salesforce for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
Have you ever been confused by the myriad of choices offered by AWS for hosting a website or an API?
Lambda, Elastic Beanstalk, Lightsail, Amplify, S3 (and more!) can each host websites + APIs. But which one should we choose?
Which one is cheapest? Which one is fastest? Which one will scale to meet our needs?
Join me in this session as we dive into each AWS hosting service to determine which one is best for your scenario and explain why!
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slackshyamraj55
Discover the seamless integration of RPA (Robotic Process Automation), COMPOSER, and APM with AWS IDP enhanced with Slack notifications. Explore how these technologies converge to streamline workflows, optimize performance, and ensure secure access, all while leveraging the power of AWS IDP and real-time communication via Slack notifications.
Taking AI to the Next Level in Manufacturing.pdfssuserfac0301
Read Taking AI to the Next Level in Manufacturing to gain insights on AI adoption in the manufacturing industry, such as:
1. How quickly AI is being implemented in manufacturing.
2. Which barriers stand in the way of AI adoption.
3. How data quality and governance form the backbone of AI.
4. Organizational processes and structures that may inhibit effective AI adoption.
6. Ideas and approaches to help build your organization's AI strategy.
Ivanti’s Patch Tuesday breakdown goes beyond patching your applications and brings you the intelligence and guidance needed to prioritize where to focus your attention first. Catch early analysis on our Ivanti blog, then join industry expert Chris Goettl for the Patch Tuesday Webinar Event. There we’ll do a deep dive into each of the bulletins and give guidance on the risks associated with the newly-identified vulnerabilities.
Dive into the realm of operating systems (OS) with Pravash Chandra Das, a seasoned Digital Forensic Analyst, as your guide. 🚀 This comprehensive presentation illuminates the core concepts, types, and evolution of OS, essential for understanding modern computing landscapes.
Beginning with the foundational definition, Das clarifies the pivotal role of OS as system software orchestrating hardware resources, software applications, and user interactions. Through succinct descriptions, he delineates the diverse types of OS, from single-user, single-task environments like early MS-DOS iterations, to multi-user, multi-tasking systems exemplified by modern Linux distributions.
Crucial components like the kernel and shell are dissected, highlighting their indispensable functions in resource management and user interface interaction. Das elucidates how the kernel acts as the central nervous system, orchestrating process scheduling, memory allocation, and device management. Meanwhile, the shell serves as the gateway for user commands, bridging the gap between human input and machine execution. 💻
The narrative then shifts to a captivating exploration of prominent desktop OSs, Windows, macOS, and Linux. Windows, with its globally ubiquitous presence and user-friendly interface, emerges as a cornerstone in personal computing history. macOS, lauded for its sleek design and seamless integration with Apple's ecosystem, stands as a beacon of stability and creativity. Linux, an open-source marvel, offers unparalleled flexibility and security, revolutionizing the computing landscape. 🖥️
Moving to the realm of mobile devices, Das unravels the dominance of Android and iOS. Android's open-source ethos fosters a vibrant ecosystem of customization and innovation, while iOS boasts a seamless user experience and robust security infrastructure. Meanwhile, discontinued platforms like Symbian and Palm OS evoke nostalgia for their pioneering roles in the smartphone revolution.
The journey concludes with a reflection on the ever-evolving landscape of OS, underscored by the emergence of real-time operating systems (RTOS) and the persistent quest for innovation and efficiency. As technology continues to shape our world, understanding the foundations and evolution of operating systems remains paramount. Join Pravash Chandra Das on this illuminating journey through the heart of computing. 🌟
This presentation provides valuable insights into effective cost-saving techniques on AWS. Learn how to optimize your AWS resources by rightsizing, increasing elasticity, picking the right storage class, and choosing the best pricing model. Additionally, discover essential governance mechanisms to ensure continuous cost efficiency. Whether you are new to AWS or an experienced user, this presentation provides clear and practical tips to help you reduce your cloud costs and get the most out of your budget.
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdfChart Kalyan
A Mix Chart displays historical data of numbers in a graphical or tabular form. The Kalyan Rajdhani Mix Chart specifically shows the results of a sequence of numbers over different periods.
Your One-Stop Shop for Python Success: Top 10 US Python Development Providersakankshawande
Simplify your search for a reliable Python development partner! This list presents the top 10 trusted US providers offering comprehensive Python development services, ensuring your project's success from conception to completion.
1. IT Architect Regional Conference 2007
Architecting Enterprise Security
David Chou
Architect, Microsoft
david.chou@microsoft.com
http://blogs.msdn.com/dachou
3. Enterprise Security Concerns
Governance
• Policies
• Standards
• Procedures
• Auditing
• Personnel
etc.
Infrastructure
• Physical
• Perimeter
• Network
• Hardware
• Identity Mgmt
etc.
Applications
• Access Control
• Data Protection
• Data Encryption
• Platform
• Integration
etc.
SOA?
4. SOA Brings Changes
• Imperative to Connect
• Networks Without Borders
• Mass Volume Real-Time Communications
• Integration Layer Concerns
• Inter-Dependencies Amplified
• Existing Issues Magnified
• New Issues Created
• Changing Nature of the Threat Environment
5. SOA Brings Questions
Impersonation / Trust Delegation
System Identities vs. End User Identities
Message-Layer vs. Transport-Layer
Identity Federation vs. Replicated Databases
Centralized Shared Infrastructure vs. Distributed Decision Enforcement Points
Endpoint (Overlay) vs. Intelligent Network
End-to-End Context vs. Peer-to-Peer Context
6. Information-Centric Security
• Availability
• Confidentiality
• Integrity
• Accountability
• Identity and Access Management
• Audit
• Governance
• Business Continuity
• Security by Design
Trustworthy Computing
7. Availability
• System Reliability
• Threat Protection
– Message alteration
– Data theft
– Falsified messages
– “Man in the middle”
– Principal spoofing
– Forged claims
• Inadvertent
– Malformed XML content
– Denial of Service (DoS)
• Vulnerability Mitigation
Protection mechanisms:
• Web Services Security Gateway (XML Appliance)
• Enterprise Service Bus
• Custom Component
XML threats:
• Schema Poisoning
• XML Parameter Tampering
• XML DoS
• WSDL Scanning
• Oversized Payload
• Recursive Payload
• XML Routing Detours
• SQL Injection
• External Entity Attack
• Malicious Code Injection
• Identity Centric Attack
8. Confidentiality
• Data Privacy
• Transport-Layer Security (SSL, TLS, IPSec)
• XML Content Encryption (W3C XML Enc spec)
• XML Encryption (W3C XML Enc spec):
– Block encryption (3DES, AES-128, AES-256)
– Key transport (RSA-v1.5, RSA-OAEP)
– Key wrapping (3DES, AES-128, AES-256)
• WS-Security (OASIS spec v1.1 Feb 2006; v1.0 Apr 2004)
11. Identity and Access Management
• User Authentication
• Authorization & Access Control
• Trust & Federation
• Transport-Layer Security
• Message-Layer Security
• XACML (eXtensible Access Control Markup Language) 2.0
• WS-I Basic Security Profile (WS-I spec v1.0 March 2006)
• Web Services Security Appliances
• Enterprise Service Bus
12. Audit
• Tracking
• Monitoring
• Reporting
• XML Digital Signature (W3C XML DSig spec)
• Digital Certificates (X.509, PKI, etc.)
• Timestamps (network time synchronization)
• Service Intermediaries (Web Services Security Appliances, Enterprise Service Bus, etc.)
13. Security Architecture Policies (for example)
• Implement Threat Protection
• Implement Transport-Layer Security
• Implement Service Virtualization
• Externalize & Centralize Security Management
• Authenticate All Messages
• Authorize All Messages
• Audit All Messages
• Sign All Messages
• Encrypt Confidential Content
• Implement Standards-Based Security
14. Implement Threat Protection
• Motivations
– Supports Availability and Risk Aggregation
• Level 1
– Implement centralized protection against Denial of Service (DoS) attacks (floods, buffer overflows, message replays, message reflections)
– Implement centralized protection (schema validation, WSDL cloaking) against XML-based DoS (XDoS) attacks (schema poisoning, oversized payload, recursive payload, WSDL scanning, parameter tampering)
– Implement centralized protection (signature detection, context-sensitive content filtering, external reference control) against XML content-level attacks (SQL injection, virus/malicious code injection, identity spoofing, external entity attacks)
– Filter all internal communication destined for ESB via internal Web Services Security Gateway
– Filter all external communication mediated by B2B Gateway via Web Services Firewall
• Level 2
– Implement decentralized/distributed vulnerability containment points at end systems
– Maintain local vulnerability database or access centralized vulnerability management implementation
• Future Developments
– Anomaly detection (conversational/behavioral analytics)
– XML-vectored intrusion detection and prevention
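The Level 1 controls above (oversized payload, recursive payload, external reference control, malformed content) as a single inbound gate, added here as an illustration in Python and not code from the presentation; the byte, depth and element limits are assumptions, and the sample messages are constructed.

```python
"""Inbound XML threat-protection gate (added example, not from the presentation).

Applies the slide's Level 1 XDoS and content-level checks with the standard
library's expat parser: oversized payload, recursive payload (nesting depth),
element flooding, any DTD / entity declaration (the vector for external entity
attacks) and malformed XML are all refused before the message reaches a service.
"""
import xml.parsers.expat

MAX_BYTES = 64 * 1024      # oversized-payload threshold (assumed value)
MAX_DEPTH = 32             # recursive-payload threshold (assumed value)
MAX_ELEMENTS = 10_000      # element-flood threshold (assumed value)


class PayloadRejected(Exception):
    """Raised with a short reason when the gate refuses a message."""


def inspect_xml_payload(data: bytes, *, max_bytes: int = MAX_BYTES,
                        max_depth: int = MAX_DEPTH,
                        max_elements: int = MAX_ELEMENTS) -> dict:
    """Parse `data` once under hard limits; return shape stats or raise PayloadRejected."""
    if len(data) > max_bytes:
        raise PayloadRejected(f"oversized payload: {len(data)} > {max_bytes} bytes")

    parser = xml.parsers.expat.ParserCreate()
    stats = {"depth": 0, "max_depth": 0, "elements": 0}

    def on_start(name, attrs):
        stats["depth"] += 1
        stats["elements"] += 1
        if stats["depth"] > max_depth:
            raise PayloadRejected(f"recursive payload: nesting deeper than {max_depth}")
        if stats["elements"] > max_elements:
            raise PayloadRejected(f"element flood: more than {max_elements} elements")
        stats["max_depth"] = max(stats["max_depth"], stats["depth"])

    def on_end(name):
        stats["depth"] -= 1

    def reject_dtd(*_args):
        # Any DOCTYPE, entity declaration or external entity reference is refused
        # outright; that closes off entity expansion and external reference tricks.
        raise PayloadRejected("DTD / entity declaration not permitted")

    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    parser.StartDoctypeDeclHandler = reject_dtd
    parser.EntityDeclHandler = reject_dtd
    parser.ExternalEntityRefHandler = reject_dtd

    try:
        parser.Parse(data, True)   # exceptions raised in handlers propagate out of Parse
    except xml.parsers.expat.ExpatError as exc:
        raise PayloadRejected(f"malformed XML: {exc}") from exc

    return {"elements": stats["elements"], "max_depth": stats["max_depth"]}


def gate(data: bytes) -> tuple:
    """Gateway-style wrapper: (accepted?, reason-or-stats string) for the audit log."""
    try:
        stats = inspect_xml_payload(data)
    except PayloadRejected as exc:
        return False, str(exc)
    return True, f"accepted: {stats['elements']} elements, depth {stats['max_depth']}"


# Constructed sample messages for the demonstration.
BENIGN = (b'<?xml version="1.0"?>'
          b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
          b'<soap:Body><GetQuote><Symbol>MSFT</Symbol></GetQuote></soap:Body>'
          b'</soap:Envelope>')
RECURSIVE = b"<a>" * 40 + b"</a>" * 40                       # nesting depth 40
DTD_BEARING = b'<!DOCTYPE note [<!ENTITY greeting "hi">]><note>&greeting;</note>'
OVERSIZED = b"<a>" + b"x" * (MAX_BYTES + 1) + b"</a>"
MALFORMED = b"<a><b></a>"

if __name__ == "__main__":
    for label, msg in [("benign", BENIGN), ("recursive", RECURSIVE),
                       ("dtd", DTD_BEARING), ("oversized", OVERSIZED),
                       ("malformed", MALFORMED)]:
        print(label, gate(msg))
```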
15. Implement Transport-Layer Security
• Motivations
– Supports Confidentiality between peers (but not between end systems when managed by intermediaries)
– Supports transport-level Data Integrity with protocol-based message digests (RFC 2104) and handshake completion hashes
• Level 1
– All communication should be transported over SSLv3
– X.509 (RFC 3280) certificates should be used to establish authentication
– Use only widely adopted (128-bit or longer) cryptographic algorithms:
• For public-key cryptography: RSA, Diffie-Hellman, DSA, Fortezza
• For symmetric ciphers: RC2, RC4, IDEA, DES, 3DES, AES
• For one-way hash functions: SHA-1, SHA-2
– Authenticate only the server to maintain server identity for client-server communication
– Mutual authentication should be implemented for server-server communication
• Level 2
– All communication should be transported over TLS (currently v1.1; RFC 4346)
– Use advanced ciphersuites (Camellia, Kerberos, SEED, Elliptic Curve Cryptography, Pre-Shared Key)
• Future Developments
– IPSec (RFCs 4301-4309)
– OpenPGP-based certificates
– Network Access Control (NAC)
16. Implement Service Virtualization
• Motivations
– Supports Availability (by encapsulating service implementation details such as location, interface definition, security policies, etc.)
– Supports Identity and Access Management
– Supports Risk Aggregation
• Level 1
– Server-to-server (point-to-point) direct connections
– Unmanaged or managed by Web Services Management (WSM) solution
• Level 2
– Mediate all internal communication via centralized ESB
– Mediate all external communication via centralized B2B Gateway implementation
• Future Developments
– Domain-specific ESB integration and federation
– Data and semantics virtualization (transformation into canonical formats)
17. Externalize & Centralize Security Mgmt
• Motivations
– Supports Governance
– Supports Identity and Access Management
– Supports Risk Aggregation
• Level 1
– Maintain local and autonomous security policy decisions (based on identity and access)
– Maintain local identity store or access shared (centralized) identity store
• Level 2
– Maintain local policy enforcement implementation
– Delegate (externalize) security policy decision to centralized implementation
• Future Developments
– Externalize key and certificate management to centralized implementation
– Externalize audit management to centralized implementation
– Externalize vulnerability identification and mitigation to centralized implementation
18. Authenticate All Messages
• Motivations
– Supports Identity and Access Management
• Level 1
– System-based (peer-to-peer) trust relationships
– Implement transport-layer security
– Unique certificates or keys should be used to establish each relationship to maintain sender (requester or consumer) identity
• Level 2
– Identity-based trust relationships (all connections are inherently untrusted)
– Implement message-level security (attach credential tokens and cipher specifications and/or SAML identity assertions to establish and verify identity)
• Future Developments
– Enterprise single sign-on (based on centrally managed identity assertions)
19. Authorize All Messages
• Motivations
– Supports Identity and Access Management
• Level 1
– Maintain distributed, fine-grained, and customized local request authorization implementations (security policy decision and enforcement)
– Implement centralized coarse-grained service authorization based on identity for proxy services deployed on ESB and B2B Gateway
• Level 2
– Implement centralized fine-grained service authorization based on request
content (payload) for proxy services deployed on ESB and B2B Gateway
• Future Developments
– Centralized security policy decision management and distributed enforcement
implementation
– Dynamic security policy interpretation and negotiation
– Resource-layer policy enforcement implementation
20. Audit All Messages
• Motivations
– Supports Accountability
– Supports Audit
• Level 1
– Intermediaries should log all message exchanges (requester identity, destination, timestamp, message digest or content/payload, etc.)
– The requester/sender (or consumer) system should log all sent messages (destination, timestamp, content/payload) and correlate them with received response messages
– The server/receiver (or producer) system should log all received messages (requester identity, timestamp, content/payload) and correlate them with generated response messages
– Intermediaries should audit encrypted content (by proactive decryption) in all received messages if the peer-to-peer security context is established with requester systems
• Level 2
– Intermediaries should log both received and sent messages if message content/format was altered by the proxy service implementation (e.g., data transformation, credential/identity mapping, data encryption/decryption)
– Intermediaries do not have to audit encrypted content in received messages if the end-to-end security context is established between requester and receiver end systems
• Future Developments
– Externalize audit management to centralized implementation
– Centralized audit log correlation and analytics
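As an added example of the Level 1 and Level 2 logging rules above (not code from the presentation), the Go program below models an intermediary that logs each received message with requester, destination, timestamp and a SHA-256 digest of the exact bytes, logs the outgoing message again only when a transform such as credential mapping changed the bytes, files the response under the same correlation id, and reports exchanges that never received a response. The record layout, the JSON sample message and the credential-mapping transform are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"time"
)

// AuditRecord carries the fields the deck asks intermediaries to log, plus a
// correlation id for matching requests to responses. Layout is this example's own.
type AuditRecord struct {
	CorrelationID string `json:"correlation_id"`
	Direction     string `json:"direction"` // "received" or "sent"
	Stage         string `json:"stage"`     // "request" or "response"
	Requester     string `json:"requester"`
	Destination   string `json:"destination"`
	Timestamp     string `json:"timestamp"`
	Digest        string `json:"digest"` // hex SHA-256 of the message bytes as seen
	Transformed   bool   `json:"transformed"`
}

// AuditLog is an append-only in-memory sink standing in for a central audit store.
type AuditLog struct{ Records []AuditRecord }

func digest(b []byte) string {
	s := sha256.Sum256(b)
	return hex.EncodeToString(s[:])
}

func (a *AuditLog) add(r AuditRecord) { a.Records = append(a.Records, r) }

// Mediate models a proxy service on the ESB: log the message as received, apply
// the transform, and log the outgoing bytes as well if they changed, so the digest
// the receiver logs can still be matched to an intermediary record.
func (a *AuditLog) Mediate(corr, requester, dest string, msg []byte, now time.Time, transform func([]byte) []byte) []byte {
	ts := now.UTC().Format(time.RFC3339Nano)
	in := digest(msg)
	a.add(AuditRecord{corr, "received", "request", requester, dest, ts, in, false})
	out := transform(msg)
	if od := digest(out); od != in {
		a.add(AuditRecord{corr, "sent", "request", requester, dest, ts, od, true})
	}
	return out
}

// RecordResponse logs the producer's reply under the same correlation id.
func (a *AuditLog) RecordResponse(corr, requester, dest string, resp []byte, now time.Time) {
	a.add(AuditRecord{corr, "received", "response", requester, dest, now.UTC().Format(time.RFC3339Nano), digest(resp), false})
}

// Correlate returns every record of one exchange in log order.
func (a *AuditLog) Correlate(corr string) []AuditRecord {
	var out []AuditRecord
	for _, r := range a.Records {
		if r.CorrelationID == corr {
			out = append(out, r)
		}
	}
	return out
}

// Unanswered lists correlation ids with a request but no response: the gap an
// audit review wants flagged rather than silently missing.
func (a *AuditLog) Unanswered() []string {
	answered := map[string]bool{}
	for _, r := range a.Records {
		if r.Stage == "response" {
			answered[r.CorrelationID] = true
		}
	}
	var ids []string
	seen := map[string]bool{}
	for _, r := range a.Records {
		if r.Stage == "request" && !answered[r.CorrelationID] && !seen[r.CorrelationID] {
			ids = append(ids, r.CorrelationID)
			seen[r.CorrelationID] = true
		}
	}
	return ids
}

// MapCredential is a constructed credential/identity mapping transform: the
// external partner identity is swapped for an internal service account.
func MapCredential(msg []byte) []byte {
	return bytes.ReplaceAll(msg, []byte(`"partner-acme"`), []byte(`"svc-orders-proxy"`))
}

func main() {
	al := &AuditLog{}
	t0 := time.Date(2007, 10, 15, 15, 15, 0, 0, time.UTC)
	req := []byte(`{"requester":"partner-acme","op":"Submit","qty":25}`) // constructed message
	fwd := al.Mediate("c-001", "partner-acme", "Orders", req, t0, MapCredential)
	al.RecordResponse("c-001", "partner-acme", "Orders", []byte(`{"status":"ok"}`), t0.Add(time.Second))
	al.Mediate("c-002", "partner-acme", "Orders", req, t0.Add(2*time.Second), func(b []byte) []byte { return b })
	for _, r := range al.Records {
		b, _ := json.Marshal(r)
		fmt.Println(string(b))
	}
	fmt.Println("forwarded:", string(fwd))
	fmt.Println("unanswered:", al.Unanswered())
}
```

Logging the digest rather than only the payload is what makes the three logs (consumer, intermediary, producer) reconcilable: each party hashes the bytes it actually saw, and a mismatch between the intermediary's "sent" digest and the producer's "received" digest localizes tampering to the hop between them.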
21. Sign All Messages
• Motivations
– Supports Accountability
– Supports Integrity
• Level 1
– Internal messages do not have to be digitally signed
– External message exchanges should be digitally signed (implemented by the B2B Gateway)
• Level 2
– Sender (or consumer) systems should attach digital signatures (including message digests) to all messages; this establishes non-repudiation for the sender systems
– Intermediaries should perform signature verification on all received messages if the peer-to-peer security context is established with requester systems
• Level 3
– Receiver (or producer) systems should perform signature verification on received messages, as end-to-end security contexts can be established with requester systems
• Future Developments
– XML element-level digital signatures
– Externalized signature verification using centralized management implementation
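Slides 18 and 21 describe one mechanism from two sides: the sender attaches a signature and digest, and the intermediary or receiver establishes the sender's identity from that signature rather than from the connection it arrived on. The Go program below is an added example (not from the presentation) of the message-level version using Ed25519 in place of XML Signature; the message layout and the partner identity are assumptions. The signed bytes cover sender, destination, timestamp, nonce and a payload digest, so a captured message cannot be replayed, re-addressed or reattributed, and verification looks up a per-sender key in a registry standing in for the centrally managed identity store. The hard part a real WS-Security deployment adds and this example skips is XML canonicalization: the signature must be computed over a canonical form, and the verifier must act only on the elements the signature actually covers, or an attacker can move the signed element aside and substitute an unsigned one (XML signature wrapping).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Message is a signed request. Sender is a claimed identity; it becomes a
// trusted one only after Verify checks the signature against the key registered
// for that identity. Field names are this example's own.
type Message struct {
	Sender      string
	Destination string
	Timestamp   time.Time
	Nonce       string
	Payload     []byte
	Signature   []byte
}

// signingInput is the byte string actually signed: every field the verifier
// relies on plus a digest of the payload. Signing the payload alone would let a
// captured message be replayed to another destination or reattributed.
func signingInput(m *Message) []byte {
	h := sha256.Sum256(m.Payload)
	return []byte(strings.Join([]string{
		m.Sender, m.Destination, m.Timestamp.UTC().Format(time.RFC3339Nano), m.Nonce, hex.EncodeToString(h[:]),
	}, "\n"))
}

// Sign attaches a fresh nonce and an Ed25519 signature. Only the sender holds
// the private key, which is what gives the receiver non-repudiation evidence.
func Sign(m *Message, priv ed25519.PrivateKey) error {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	m.Nonce = hex.EncodeToString(nonce)
	m.Signature = ed25519.Sign(priv, signingInput(m))
	return nil
}

// Verifier is what an intermediary or receiver runs. Keys stands in for the
// centrally managed identity store; seen is the replay cache.
type Verifier struct {
	Keys    map[string]ed25519.PublicKey
	MaxSkew time.Duration
	seen    map[string]time.Time
}

// Verify returns the authenticated sender identity or an error. The connection
// the message arrived on plays no part in the decision.
func (v *Verifier) Verify(m *Message, now time.Time) (string, error) {
	pub, ok := v.Keys[m.Sender]
	if !ok {
		return "", errors.New("unknown sender " + m.Sender)
	}
	if !ed25519.Verify(pub, signingInput(m), m.Signature) {
		return "", errors.New("signature verification failed")
	}
	if d := now.Sub(m.Timestamp); d > v.MaxSkew || d < -v.MaxSkew {
		return "", errors.New("timestamp outside acceptance window")
	}
	if v.seen == nil {
		v.seen = map[string]time.Time{}
	}
	for k, ts := range v.seen { // nonces older than the window can no longer pass the time check
		if now.Sub(ts) > v.MaxSkew {
			delete(v.seen, k)
		}
	}
	key := m.Sender + ":" + m.Nonce
	if _, dup := v.seen[key]; dup {
		return "", errors.New("replayed message")
	}
	v.seen[key] = m.Timestamp
	return m.Sender, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	v := &Verifier{Keys: map[string]ed25519.PublicKey{"partner-acme": pub}, MaxSkew: 5 * time.Minute}
	now := time.Now()
	m := &Message{Sender: "partner-acme", Destination: "Orders", Timestamp: now, Payload: []byte(`{"qty":25}`)} // constructed
	_ = Sign(m, priv)
	fmt.Println(v.Verify(m, now)) // partner-acme <nil>
	fmt.Println(v.Verify(m, now)) // same nonce again: replay rejected
	m.Payload = []byte(`{"qty":2500}`) // tampered in transit: signature no longer verifies
	fmt.Println(v.Verify(m, now))
}
```

Because the signature, not the transport, carries identity, the same check works at the B2B Gateway, on an ESB proxy, and at the producer, which is the Level 3 end-to-end case in slide 21.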
22. Encrypt Confidential Information
• Motivations
– Supports Confidentiality
• Level 1
– Implement transport-layer security to establish peer-to-peer confidentiality
– Intermediaries are inherently trusted
• Level 2
– Implement standards-based content/payload-level encryption (including fields and elements)
• Block encryption (3DES, AES-128, AES-256)
• Key transport (RSA-v1.5, RSA-OAEP)
• Key wrapping (3DES, AES-128, AES-256)
– Intermediaries do not decrypt/encrypt content if end-to-end security contexts are established between sender and receiver systems
• Future Developments
– Externalized key management and verification using centralized key and certificate management implementation
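The algorithm list above is XML Encryption 1.0's: CBC block ciphers for content, RSA-v1.5 or RSA-OAEP for key transport. Two of those choices have since been shown weak in exactly this setting: RSA PKCS#1 v1.5 key transport is open to Bleichenbacher padding-oracle attacks, and CBC-mode XML Encryption without integrity protection is open to the Jager/Somorovsky padding-oracle attack, so a practitioner today picks RSA-OAEP and an AEAD mode (XML Encryption 1.1 added AES-GCM). The Go program below is an added example (not from the presentation) of Level 2 field-level encryption with those choices: a random content key encrypts one field under AES-256-GCM, the content key is wrapped with RSA-OAEP to the receiver's public key, and the envelope's routing fields stay in the clear but are bound into the ciphertext as associated data, so an intermediary can route the message but can neither read the field nor move it into a differently addressed envelope. Envelope layout, field names and the test card number are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// EncryptedField is the field-level analogue of an XML Encryption EncryptedData
// element: a content key wrapped for the receiver, the nonce, and the ciphertext.
// The layout is this example's own.
type EncryptedField struct {
	WrappedKey []byte // 256-bit AES key under RSA-OAEP (receiver's public key)
	Nonce      []byte
	Ciphertext []byte // AES-256-GCM output, authentication tag appended
}

// Envelope keeps routing fields in the clear so an ESB can mediate the message,
// while the confidential field is readable only by the receiver.
type Envelope struct {
	Destination string
	Requester   string
	CardNumber  *EncryptedField
}

// aad binds the ciphertext to the routing fields: moving the encrypted field
// into a differently addressed envelope fails authentication at the receiver.
func aad(e *Envelope) []byte { return []byte(e.Destination + "\n" + e.Requester) }

const oaepLabel = "cek" // assumed label; sender and receiver must agree on it

// NewReceiverKey generates the receiver's RSA key pair (2048 bits for the example).
func NewReceiverKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// Seal encrypts plain into e.CardNumber for the holder of receiverPub.
func Seal(e *Envelope, plain []byte, receiverPub *rsa.PublicKey) error {
	cek := make([]byte, 32)
	if _, err := rand.Read(cek); err != nil {
		return err
	}
	block, err := aes.NewCipher(cek)
	if err != nil {
		return err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, receiverPub, cek, []byte(oaepLabel))
	if err != nil {
		return err
	}
	e.CardNumber = &EncryptedField{wrapped, nonce, gcm.Seal(nil, nonce, plain, aad(e))}
	return nil
}

// Open unwraps the content key and decrypts the field; any change to the
// ciphertext, the nonce, or the envelope's routing fields fails here.
func Open(e *Envelope, receiverPriv *rsa.PrivateKey) ([]byte, error) {
	if e.CardNumber == nil {
		return nil, errors.New("field not present")
	}
	cek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, receiverPriv, e.CardNumber.WrappedKey, []byte(oaepLabel))
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(cek)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, e.CardNumber.Nonce, e.CardNumber.Ciphertext, aad(e))
}

func main() {
	key, _ := NewReceiverKey()
	env := &Envelope{Destination: "Payments", Requester: "partner-acme"}
	_ = Seal(env, []byte("4111111111111111"), &key.PublicKey) // constructed test value, not a real card
	fmt.Printf("ESB sees: dest=%s ct=%x...\n", env.Destination, env.CardNumber.Ciphertext[:8])
	plain, err := Open(env, key)
	fmt.Println(string(plain), err)
	env.Destination = "Refunds" // an intermediary re-addresses the envelope
	_, err = Open(env, key)
	fmt.Println("after re-addressing:", err)
}
```

The content key is fresh per message, so compromising one message's wrapped key exposes nothing else, and the receiver's long-term RSA key is used only to unwrap 32 bytes, never to decrypt bulk data.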
25. Policy-based & Layered Security Model
• Perimeter Layer
– Practices “security by exclusion” by enforcing boundaries between internet and intranet
– Examples of technical components include:
• Firewalls, VPNs, Intrusion Detection Systems (IDS), etc.
• Identity and Access Layer
– Practices “security by inclusion” by providing and enforcing identity-related and other resource-specific controls
– Examples of technical components include:
• Authentication servers (e.g., Microsoft domain controllers, RSA ACE/Server)
• Web access management (e.g., CA eTrust SiteMinder, IBM Tivoli Access Manager)
• Resource Layer
– Consists of applications, systems, content, and repositories
– Security typically provided natively by resources
• Control Layer
– Exercises configuration, command, control, auditing, and detection obligations
– Manages policy administration, decision, and enforcement operations through propagation, delegation, inheritance, and federation control mechanisms for cross-domain coordination
27. What’s Next?
• De-Perimeterization Continues
• Outsider / Insider Lines Blurring
• LOB Applications Becoming Service Consumers
• Emergence of Logical Security Zone Partitions
• Convergence of Virtualization and Physical Security
• Increasing Endpoint Security Intelligence
• Increasing Data / Content Centralization
• Federation Advancement Continues
• Encryption Going Mainstream
28. In Summary
• Just like enterprise SOA, it’s “how” you do security
• Planning enterprise security requires a comprehensive, holistic approach
• Focus on organizational and cultural issues
• Security can create tight coupling in enterprise SOA
• Essential part of an SOA infrastructure
• Evolving technology landscape
• Incremental technology delivery; maturity-based approach (expect mixed and hybrid environments)
• Consumerization and evolving Web to bring more changes
29. THANK YOU!
• 10/15/07 3:15pm – Harry Pierson, “Moving Beyond Industrial Software”
• 10/16/07 9:45am – Lynn Langit, “SharePoint Architecture – Lessons from the Trenches”
• Come by our booth
• Drop a business card
• Win an Xbox 360 (or a Zune)!