We see a variety of BI security needs in the analytics field. Learn how to select the best approach for your application and how to implement a solution that meets your requirements.
2. #Logi16
Steve Morecraft
Technical Manager for Europe, Middle East and Africa
Logi Analytics
steve.morecraft@logianalytics.com
Claim to fame: Went to school with Oscar-winning actor Colin Firth
ABOUT ME
3. #Logi16
1. Categorize the various security needs we experience in
the field and learn how to select the best approach for
your application
2. Learn how to implement a solution which meets
requirements
3. Hear and see details from John Fuller of Ironclad
Technology Services on two implementations that meet
specific needs
WHAT WE ARE GOING TO LEARN TODAY
5. #Logi16
Authentication – determine the user’s identity
Authorization – assign roles to the user to allow implementation of
rights in the application
Auditing or Accounting – keeping track of what happens when
an application is used
The Core Three A’s of Security
6. #Logi16
In increasing order of complexity, the needs we experience:
• Standalone
• Integrated Authentication and Centralized SSO
• Federated Single Sign-On
• Embedded
Four Broad Authentication Requirement Categories
8. #Logi16
• What is it?
Logi Info Server manages its own user credentials
• Why Would I Use It?
– When integration with other systems is not required, but the Logi application
still needs to include user authentication, authorization and auditing
• Considerations:
– Multiple user names and passwords for different systems
– Source of user credentials, assigned roles and rights typically stored in relational
database or directory service
– Normally prompt user for credentials
– Roles and rights adopted by the authenticated user are controlled in Logi Info
Standalone Authentication
10. #Logi16
• What is it?
Logi Info Server is integrated into an existing infrastructure so that user management
and authentication are carried out in the same way as for current systems.
• Why Would I Use It?
– For an internal use case using, for example, Integrated Windows Authentication
and Active Directory group membership for roles
• Considerations:
– All user administration can be carried out using standard networking tools
– Authorization roles can be defined in the infrastructure and used to implement
rights in the Logi application
Integrated Authentication & Centralized SSO
12. #Logi16
• What is it?
– Users can access multiple systems and resources following a single login to
identity provider
• Why Would I Use It?
– Scenario where Single Sign On has been deployed in an Enterprise or to support
a product
– Examples: PingOne, Windows Identity Foundation
• Considerations:
– The Logi system will likely need to be included as a target resource, which
requires configuration and some customization
– Roles and rights can be defined inside or outside the SSO system
Federated Single Sign-On
14. #Logi16
• What is it?
Logi Info is contained within a web application or portal and uses the user identity
and roles that have been assigned in the hosting application
• Why Would I Use It?
– Embed dashboards, reports and analytics in a commercial or
internal web application
– Allows for control over the application experience
• Considerations:
– Re-uses the hosting web application’s own user and rights management system
– Requires some work upfront to set it up
– Authorization Roles and rights can be defined in the hosting web application to be
implemented in Logi
Embedded Authentication
15. #Logi16
• Audit Trail
– Mostly for security assurance
– Can provide usage confirmation
• Usage Data
– Can be used to build metrics
– Data can be used for performance tuning
Auditing
17. #Logi16
• Logi Info Security Element allows:
– Authentication sources
– Authorization through separate User Roles and User
Rights
• Logi Info Event Logging Element allows processes to
record:
– Authenticate User, Build Report, RunSP, RunSQL
– Can also run processes to record other user activities
IMPLEMENTATION OF SECURITY
18. #Logi16
STANDALONE SECURITY
Use Logi Standard Security Mode
• Present the user with a login form based on the Logi sample
• Can use server side code behind login form or just collect
credentials
• Authenticate using a data layer such as a stored procedure, web
service, plugin, etc.
• Resolve roles and rights using data layer queries
• Samples on DevNet
19. #Logi16
INTEGRATED SECURITY AND CENTRALIZED SSO
Configure the web application server to authenticate using
the same settings as other web applications in the
infrastructure
• Configure web application to authenticate users
• For example - Windows Authentication
• Use AuthNT security mode for Logi Info
• Get user’s roles from directory service such as Active Directory
• Resolve user’s rights from roles
20. #Logi16
FEDERATED SINGLE SIGN-ON
Two main alternatives
• Configure the Logi Application to use the SSO system natively
- Use AuthSession Security mode
- Include SSO libraries in project, use SSO functions in custom login
page to extract user name and other important security data to set
session variables
- Or implement by Plugin
• Use embedded security SecureKey from a web application
already SSO enabled
21. #Logi16
Logi SecureKey provides the best approach in the majority
of scenarios especially if the hosting system is on a
different machine or different platform
• Pass parameters securely from hosting server as session
variables
• Can pass user name, roles, and rights directly from application
session
• Fully integrated with the embedded reports API
• Fully documented with sample code on DevNet
EMBEDDED SECURITY
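The SecureKey handoff described on the two preceding slides, as an added simulation that is not Logi's own SecureKey code: the hosting application requests a key server-to-server, passing the user name, roles, rights and the browser's address; the receiving side hands back a random single-use key and later redeems it once, only from that browser address and only within a short lifetime, so roles and rights never travel on the user-visible URL. The function names, the 60-second lifetime and the in-memory store are assumptions.

```python
import secrets
import time

KEY_LIFETIME = 60  # seconds a key stays redeemable (assumed value)
_pending = {}      # key -> (session variables, client address, expiry); in-memory stand-in


def issue_key(username, roles, rights, client_addr, now=time.time):
    """Called by the hosting application server-to-server, never from the browser.
    The session variables travel in this call rather than on the embed URL."""
    key = secrets.token_urlsafe(32)  # unguessable, opaque to the browser
    session = {"Username": username, "Roles": ",".join(roles), "Rights": ",".join(rights)}
    _pending[key] = (session, client_addr, now() + KEY_LIFETIME)
    return key


def redeem_key(key, client_addr, now=time.time):
    """Called when the browser arrives carrying the key. Returns the session
    variables to establish, or None. The key is consumed whatever the outcome,
    so a replayed or failed key cannot be tried again."""
    entry = _pending.pop(key, None)
    if entry is None:
        return None                      # unknown or already used
    session, bound_addr, expires = entry
    if now() > expires:
        return None                      # lifetime exceeded
    if not secrets.compare_digest(bound_addr, client_addr):
        return None                      # presented from a different browser address
    return session
```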
24. #Logi16
Quick Facts
• Founded in January 2008
• Consulting/Professional services for Government CFOs,
CIOs, Supply Chain Managers, and other Senior
Decision Makers
• Offices in Virginia Beach, VA (HQ), Tampa, FL, and
Arlington, VA
• 150+ employees in 17 states and overseas
• TS facility clearance, 91% cleared workforce
• Leveraging the Logi Analytics platform over the past 4
years to build applications for Government customers
CORPORATE SNAPSHOT
Core Competencies
Big Data & Business Analytics
Software Development
Supply Chain/Logistics
Information Assurance
Enterprise Resource Planning (ERP)
Enterprise IT Support
Intelligence Support
26. #Logi16
• User level authentication
- Standard username and password login
• User level authorization on both a screen level and
individual element level
- Roles and rights defined for each user
• User auditability for user input screens
- Track user activity on a transaction level for reporting and
auditability
1. SECURITY REQUIREMENTS
27. #Logi16
• Utilize Logi’s Standard security option
– Use Logi supplied logon page or apply simple HTML code
modifications to customize the logon page
– Write a simple database stored procedure to authenticate the user
and determine rights/roles based on a user table
1. SECURITY SOLUTION AUTHENTICATION
28. #Logi16
• Use the roles and rights retrieved from the Standard security child
elements coupled with the database stored procedure to easily
control authorization throughout the application
• Use the Security Right ID attribute to control user authorization
- Applicable to entire Logi reports
- Applicable to specific elements on any given report
• Individual records in data table elements can also be restricted by
including the UserRoles~ and UserRights~ tokens within the SQL
queries feeding the reports
1. SECURITY SOLUTION AUTHORIZATION
29. #Logi16
• Use the @Function.UserName~ token coupled with Logi
Processes and database user stored procedures to track
user activity
1. SECURITY SOLUTION AUDITABILITY
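The Standard-security data layer described on the three preceding slides, as an added example that is not from the deck or from Ironclad: an in-memory SQLite stand-in for the user table and its stored procedure, a rights check equivalent to what a SecurityRightID attribute enforces, a row filter equivalent to what a UserRoles~ token in the report SQL expresses, and an audit row keyed on the user name as @Function.UserName~ supplies it. Table names, column names and the sample user are constructed.

```python
import hashlib, hmac, os, sqlite3, time

# Constructed stand-in for the user table, role/right tables, report data and audit log.
db = sqlite3.connect(":memory:")
db.executescript("""
CREATE TABLE users(name TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB);
CREATE TABLE user_roles(name TEXT, role TEXT);
CREATE TABLE role_rights(role TEXT, right_id TEXT);
CREATE TABLE orders(id INTEGER, region TEXT, amount REAL);
CREATE TABLE audit(ts REAL, user TEXT, action TEXT, detail TEXT);
INSERT INTO role_rights VALUES ('Analyst', 'ViewOrders'), ('Admin', 'EditOrders');
INSERT INTO orders VALUES (1, 'EMEA', 10.0), (2, 'APAC', 20.0);
""")

def hash_pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def add_user(name, password, roles):
    salt = os.urandom(16)  # per-user salt; only salt and hash are stored, never the password
    db.execute("INSERT INTO users VALUES (?,?,?)", (name, salt, hash_pw(password, salt)))
    db.executemany("INSERT INTO user_roles VALUES (?,?)", [(name, r) for r in roles])

def log_event(user, action, detail):
    """Audit row keyed on the user name, as the @Function.UserName~ token supplies it."""
    db.execute("INSERT INTO audit VALUES (?,?,?,?)", (time.time(), user, action, detail))

def audit_trail(user):
    return db.execute("SELECT action, detail FROM audit WHERE user=? ORDER BY rowid", (user,)).fetchall()

def authenticate(name, password):
    """Stored-procedure equivalent: (roles, rights) on success, None on failure; both audited."""
    row = db.execute("SELECT salt, pw_hash FROM users WHERE name=?", (name,)).fetchone()
    if row is None or not hmac.compare_digest(hash_pw(password, row[0]), row[1]):
        log_event(name, "Authenticate User", "FAIL")
        return None
    roles = sorted(r for (r,) in db.execute("SELECT role FROM user_roles WHERE name=?", (name,)))
    marks = ",".join("?" * len(roles))
    rights = sorted({r for (r,) in db.execute(
        f"SELECT right_id FROM role_rights WHERE role IN ({marks})", roles)})
    log_event(name, "Authenticate User", "OK")
    return roles, rights

def has_right(rights, security_right_id):
    """Element-level check equivalent to a SecurityRightID attribute on a report or element."""
    return security_right_id in rights

def visible_orders(roles):
    """Row-level restriction: the filter a UserRoles~ token in the report SQL expresses."""
    marks = ",".join("?" * len(roles))
    return db.execute(f"SELECT id FROM orders WHERE region IN ({marks}) ORDER BY id", roles).fetchall()

add_user("alice", "correct horse battery", ["EMEA", "Analyst"])  # constructed sample user
```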
30. #Logi16
• User level authentication
- DoD Common Access Card (CAC) login
• User level authorization on both a screen level and
individual element level
- Roles and rights defined for each user
• User auditability for user input screens
- Track user activity on a transaction level for reporting and
auditability
2. SECURITY REQUIREMENTS - SSO
31. #Logi16
• Export functionality, plus file management and security
for user-generated files
– Populate and retain Adobe .pdf and MS Excel templates with
user input data
2. SECURITY REQUIREMENTS - SSO
32. #Logi16
• Authentication
– Build, configure and deploy custom CAC enabled login process
to feed into Logi’s AuthSession security option
• Authorization
– Use the roles and rights retrieved from the AuthSession security
child elements coupled with a database stored procedure to
easily control authorization throughout the application
2. SECURITY SOLUTION SSO
33. #Logi16
• Auditability
– Use the @Function.UserName~ token coupled with Logi
Processes and database user stored procedures to track user
activity
2. SECURITY SOLUTION SSO
34. #Logi16
• File management and Security
– Build a file management system with built-in Logi elements coupled
with database code
– The custom CAC enabled login process along with the
AuthSession Logi security option secures the entire Logi
application, including user generated files not associated with the
Logi software
2. SECURITY SOLUTION SSO
36. #Logi16
The built-in Logi security options are easy to use and
provide a very high level of control
The Standard security option requires very little
configuration and can be used for securing applications
that do not generate new files within the application
IRONCLAD: LESSONS LEARNED
37. #Logi16
Custom built Single Sign On processes securing the
entire application folder can be plugged into Logi
applications using the AuthSession option.
This approach is best used for applications that provide
the functionality for users to generate new files. The
custom security layer secures the entire application while
Logi handles the authentication through its built-in
elements.
IRONCLAD: LESSONS LEARNED
38. Extensible Solution
The Logi Info product provides a
flexible and extensible means to
solving your security needs for your
application
Traditional approach to security
Exchange credentials
Allocate roles to users to prohibit and allow operations in the application
Standalone – Logi Info Server manages its own user credentials
Typical scenario is one where integration with other systems is not required, but the Logi application needs to include user authentication
Source of user credentials, assigned roles and rights is typically a relational database
Integrated Security – Logi Info Server is integrated into the existing infrastructure so that user management and authentication are carried out in the same way as for current systems
Typically for an internal use case using Windows Authentication and Active Directory group membership for roles
All user administration is carried out using standard networking tools
Single Sign On – authentication is carried out by an identity provider using a single set of credentials in order to access multiple applications, one of which is Logi Info
Can be centralized or federated using identity and service providers
The Logi system will likely need to be included as a target resource
What is it?
Logi Info is contained within a web application or portal and uses the user identity and roles that have been assigned in the hosting application
Why Would I Use It?
Can be used to embed dashboards, reports and analytics in a commercial or internal web application
What to Consider:
Typically for an ISV or SaaS provider with an existing system
The hosting web application has its own user and rights management system
Rather than rework all business rules, it is much more efficient to create a trust relationship between the hosting system and Logi so that identity and roles are reused, with Logi acting as a trusted subsystem