WSO2, profile picture
Uploaded byWSO2
1,479 views

Patterns and Antipatterns in Enterprise Security

The document discusses various patterns and antipatterns related to identity and access management in enterprise security, with a focus on practical solutions for common problems such as user integration, authentication, and security management. It outlines several strategies, including identity brokers, federated authentication, multi-factor authentication, and secure information exchange methods, detailing their benefits and limitations. Additionally, the document highlights the importance of effective governance and modular design in maintaining secure and scalable identity management systems.

Embed presentation

Downloaded 54 times
Patterns and Antipatterns in Enterprise Security Johann Nallathamby Malithi Edirisinghe 1
For whom? ● Looking to learn about Identity and Access Management Patterns to solve real world business problems. ● Some experience with Identity and Access Management Technologies. E.g. Directories, SAML2, OAuth2 which are some of the most commonly used data standards / protocols for transporting Identity and Access Management data. ● Main focus is on Identity and Access Management Patterns. ○ NOT Network Security ○ NOT OS Security 2
1. Identity Integration / Virtual Directory 3
Problem ● Users to the system can come from multiple sources ● A single user’s attributes can come from multiple sources ● User credentials and attributes can come from separate sources Solution ● Mount multiple user stores for user management and make the number and type of user stores transparent to the application ● Connect the credential stores and identity stores to the system and provide a unified view of the user's’ identity hiding away the complexity in aggregating those data 4
2. Identity Broker 5
Problem Users will work with multiple applications in an enterprise. They will have to use specific credentials for each. ● Disjointed User Experience ● Complicated user and account management ● Security Threats Solution Delegate authentication to a trusted identity provider - Brokered Identity 6
Benefits ● Single Sign On ● Separate user authentication from application code ● Hides user credentials from applications ● Removes administrative overhead from applications ● Improves user experience Limitations ● Authentication can be a single point of failure. ● Introduce a single point where the security of the entire system can be breached 7
3. Identity Federation 8
Problem Users will use applications across enterprise borders and cloud. Solution Multiple trust domains with multiple Identity Providers. Federated authentication based on the trust relationship 9
Benefits ● Single Sign On ● No need of managing accounts in the on premise userstore ● Reduce administration overhead Limitations Security of the system can be compromised if any of the Identity Provider that your Identity Provider trusts are breached. 10
3.1. Identity Federation Variation -1 Inter-Domain Token Exchange 11
Problem A consumer who is living in a trust domain needs to interact with a service that is developed in a federated trust domain Solution Establish a trust relationship between the two Identity Providers residing in each trust domain. IdP-A IdP-B Consumer Service Trust Trust Trust Trust Domain A Trust Domain B 12
Benefits ● Flexible in maintaining trust domains ● Facilitates federated interactions between consumers and services across trust domains ● Same model can be extended to address more complex federation scenarios Limitations Introduces certain level of dependency between the consumer and the Identity Provider in the other trust domain 13
3.2. Identity Federation Variation -2 Intra-Domain Token Exchange 14
Problem A consumer who is living in a trust domain needs to interact with a service that is developed in a federated trust domain, without any dependencies to entities in the other trust domain Solution Consumer presents the token to the service in the other trust domain. Service will validate the token with its Identity Provider. IdP-A IdP-B Consumer Service Trust Trust Trust Trust Domain A Trust Domain B 15
Benefits ● Removes dependencies between consumers and service in different trust domains ● Can handle different token claim representations Limitations ● Adds complexity to the mechanism used to model the trust relationship with the Identity Provider in the other trust domain ● Makes the services to accept messages that are not issued by the Identity Provider that they trusts 16
3.3. Identity Federation Variation -3 Third Party Trust Establisher 17
Problem Creation of trust between Identity Providers can be complex. Ex: Cannot establish direct trust relationship as some identity information cannot be shared with partner company. Solution Establish the trust relationship with a third party Identity Provider, that act as a bridge between other Identity Providers IdP-A IdP-B Consumer Service Trust Trust Trust Trust Domain A Trust Domain BIdP-C Trust Trust 18
Benefits Isolates the complexities of the federated environment from different trust domains Limitations Introduces a new component that needs to maintained 19
4. Identity Hub 20
Problem ● Increasing no of Service Providers and Identity Providers ● Each Service Provider has to trust Each Identity Provider Not scalable Hard to manage Source : http://blog.facilelogin.com/2014/10/identity-federation-patterns-with-wso2. html Spaghetti 21
Solution One Identity Broker trusted by relying parties and federated parties acting as a hub 22
5. Identity Bridge 23
Problem ● Multiple Identity Federation Protocols SAML, OpenID Connect, WS-Federation etc. ● But federation systems relies on only one protocol Ex: Silo of SAML Federation Silo of OpenID Connect Federation Source : http://blog.facilelogin.com/2014/10/identity-federation-patterns-with-wso2. html Federation Silos 24
Solution ● Bridge between protocols. SAML with OpenID Connect 25
Benefits ● Single Sign On across heterogeneous protocols ● Identity federation between Service Providers and Identity Providers with heterogeneous federation protocols ● Scalability Limitations ● Authentication can be a single point of failure. ● Introduce a single point where the security of the entire system can be breached 26
6. Claim/Role Transformer 27
Problem Service Providers may not be able to understand claims or roles of the subject, in the format issued by Identity Providers and vise versa. Solution Convert incoming claims to the expected format Benefits ● Process claims in a single point reducing the complexity of enforcing brokered trust ● Can be used with legacy systems 28
7. Multi-factor Authentication 29
Problem Digital identity fraud is still on the rise Needs “strong” user authentication Solution Use two or more authentication factors ● Something known to only the user (Knowledge based) password, shared secret, PIN ● Something held only by the user (Possession based) security token, smart card, mobile device ● Something inherent only to the user (Biometric) facial recognition, fingerprint, voice recognition 30
8. Multi-option Authentication 31
Problem Multiple domains essentially isolated due to lack of mutual inbound or outbound trust relationships. Service Providers opt for different login options Solution Multiple login options are presented to the user as per the Service Provider application. 32
9. Adaptive Authentication 33
Problem Needs “strong” user authentication, if and only if there is an actual risk. Solution Provide additional authentication steps, if and only if the risk profile (derived from a matrix of variables) is high. Enhance user experience 34
10. Authorization Patterns 35
36 MAC vs. DAC ● Mandatory Access Control (MAC) ○ Centralized security policy ○ Users do not have the ability to override the policy ● Discretionary Access Control (DAC) ○ Governs the ability of subjects to access objects ○ Allows users the ability to make policy decisions and/or assign security attributes. ○ The traditional Unix system of users, groups, and read-write- execute permissions is an example of DAC.
37 Access Control Patterns ● Access Matrix / Access Control Table / Access Control List ● Role Based Access Control (RBAC) ● Group Based Access Control ● Claim Based Access Control ● Policy Based ● Hierarchical Authorization ○ Hierarchical Tenants ○ Hierarchical Groups/Roles ○ Hierarchical Resources ● Multilevel Access Control
38 Access Control Patterns
11. SSO with Delegated Access Control 41
Problem Consumers need to access back-end APIs on behalf of the logged in user. 42 Solution Should adhere to some access delegation protocol Ex: OAuth Exchange the authentication token to some access token SAML token, JSON Web Token (JWT)
43
44
12. Outbound Provisioning 45
46
47
48
49
13. JIT Provisioning / Shadow Accounts 50
Requirements ● Transient Name IDs ● Persistent Name IDs ● Identity Protection ● Identity Mapping ● Identity Collision 51
14. Trusted Subsystem 52
53 Problem Securing a n-tier application ● Securing only the top most layer ● Expansion in the number and kinds of users ● Heterogeneous devices ● Unlimited connections ● Who should be allowed to access the data? ● Cannot protect from an attack originating from the local area network within the company. ● Who has already accessed the data? Source : http://blog.facilelogin.com/2014/10/identity-federation-patterns-with-w html
54 Solution 1 Impersonation and Delegation ● Delegation is the process of allowing another party to act on behalf of an identity. ● This process bestows upon a party the rights and privileges of another party to perform a set of tasks. ● Impersonation can be viewed as the most relaxed form of delegation, such that one identity is assigned the complete set of permissions of the impersonated identity.
55 Solution 2 Trusted Subsystem ● Trusted subsystem model implies that application services are trusted to perform a specific set of application tasks. ● Frequently, downstream services need to make application authorization decisions. ● To do so, the service must know the identity of the end user. ● While the ability to flow the identity of the end user is an inherent property of the delegation model, it is not so for the trusted subsystem model and special efforts must be made to include this feature. Source : https://msdn.microsoft.com/en-us/library/aa905320. aspx#trstsubsysdes_topic6
56 Solution 2 Contd. Trusted Subsystem ● Authenticate and verify the identity of the upstream or downstream service they are communicating with. ● Decide if the identified service is a trusted subsystem for a specific set of application functions, including propagating identity claims. ● Protect the integrity of the data being communicated between trusted subsystem and downstream services. Besides application data and application plumbing data, such as the identity claims of the original user, must also be protected so that no man-in-the-middle can modify the identity information that is in transit.
57 Solution 2 Contd. Trusted Subsystem - Identity Flows ● Trusted subsystem generated identity tokens / Self-issued ○ When downstream services trust the trusted subsystem to assert the original caller's identity, without requiring additional evidence from other parties. ● Third party generated identity tokens / Self-contained ○ When the downstream services trust the trusted subsystem to assert claims regarding the original caller in conjunction with third party evidence that satisfies an additional set of security requirements. ● User self-signed tokens ○ When the trusted subsystem is authorized to perform a set of application functions and when there must be evidence from the original caller that the caller initiated the request. ● Identity/Credential Mapping ○ Special function of the trusted subsystem role, where the goal is to transform an identity to another related identity for the purpose of gaining access to downstream resources that only recognize the transformed identity.
15. Security Gateway 58
59
60
61 Audit Interceptor Requirement ● Log security incidents to trace system abuse: ○ Failed login attempts ○ Unauthorized access attempts to services Solution ● All messages flow through the a gateway of the system. ● Necessary auditing is done by the logging at the gateway.
62 Data Origin Authentication Requirement ● Non-repudiation Solution ● Digital Signature Data Confidentiality Requirement Protect sensitive personal data during transmission from: ● Tampering ● unauthorized access Solution ● Digital Encryption
63 Message Screening Requirement Mitigate damages to the system from messages with malicious content ● SQL injection ● X-Doc attacks Solution ● XML Schema validation. ● Regular expression validation to avoid SQL injections contained in strings. ● An application of Perimeter Security
64 Replay Mitigation/DoS Safety Requirement Prevent denial of service attacks caused by replaying valid messages. Solution ● Apply throttling rules at the entry point. ● Validate message freshness by WS-Security mechanisms (Timestamp/Nonce). ● An application of Perimeter Security.
65 Exception Shielding Requirement Avoid exposing sensitive data through exceptions. ● Legacy application code might throw exceptions containing sensitive information. ● Need to filter those exceptions when system is exposed to external parties. Solution ● Sanitize unsafe exception data by replacing it with non-harmful exception message and give the right level of detail to the user.
66 References [1] https://msdn.microsoft.com/en-us/library/ [2] http://soapatterns.org/ [3] https://medium.facilelogin.com/thirty-solution-patterns-with-the-wso2-identity-server- 16f9fd0c0389#.1f3slrjnt [4] http://wso2.com/library/blog-post/2014/10/blog-post-identity-anti-patterns-federation-silos- and-spaghetti-identity/ [5] http://wso2.com/library/webinars/identity-server/ [6] M. Schumacher, E. Fernandez-Buglioni and D. Hybertson, Security Patterns: Integrating Security and Systems Engineering. 2005.
67 Q & A

More Related Content

PDF
Dbms Notes Lecture 6 : E R Model, Relationship, Cardinality Ratio
byBIT Durg
 
PPT
Lecture 2a arrays
byVictor Palmar
 
PDF
Security Patterns with the WSO2 ESB
byWSO2
 
PPTX
Security models for security architecture
byVladimir Jirasek
 
PPTX
Security architecture frameworks
byJohn Arnold
 
PDF
Enterprise Security Architecture
byKris Kimmerle
 
PDF
Security Design Patterns
byAung Khant
 
PPT
Web Security Patterns - Jazoon 2010 - Zurich
byjavagroup2006
 
Dbms Notes Lecture 6 : E R Model, Relationship, Cardinality Ratio
byBIT Durg
 
Lecture 2a arrays
byVictor Palmar
 
Security Patterns with the WSO2 ESB
byWSO2
 
Security models for security architecture
byVladimir Jirasek
 
Security architecture frameworks
byJohn Arnold
 
Enterprise Security Architecture
byKris Kimmerle
 
Security Design Patterns
byAung Khant
 
Web Security Patterns - Jazoon 2010 - Zurich
byjavagroup2006
 

Viewers also liked

PPS
Introducing Msd
byAung Khant
 
PDF
How to Secure Your Enterprise Services with WSO2 ESB
byWSO2
 
PPT
Security patterns and model driven architecture
bybdemchak
 
PDF
DWS16 - Smart city forum - Niels De Schutter, Atos
byIDATE DigiWorld
 
PPTX
Trust No One: The New Security Model for Web APIs - SecTor talk by Greg Kliew...
byCA API Management
 
PPTX
Web application security: how to start?
byAntonio Fontes
 
PDF
IoT And Inevitable Decentralization of The Internet
byPaul Brody
 
PDF
Security Patterns with WSO2 ESB
byWSO2
 
PDF
The End of the Fortress: The new Approach to Cybersecurity
byMarc Nader
 
PDF
SABSA: Key features, advantages & benefits summary
bySABSAcourses
 
PPTX
Understand How Machine Learning Defends Against Zero-Day Threats
byRahul Mohandas
 
PPTX
The Zero Trust Model of Information Security
byTripwire
 
PPTX
Modelling Security Architecture
bynarenvivek
 
PPTX
Improving web application security, part ii
byKangkan Goswami
 
PDF
Blockchain_ver0.5_MIT_security_and Privacy_am_final_upload
byAnish Mohammed
 
PDF
Application Security: Last Line of Defense
byNarudom Roongsiriwong, CISSP
 
PPTX
SABSA overview
bySABSAcourses
 
PPTX
Adaptive Enterprise Security Architecture
bySABSAcourses
 
PPTX
SABSA Implementation(Part I)_ver1-0
byMaganathin Veeraragaloo
 
PPTX
От простого к сложному: автоматизируем ручные тест-планы | Сергей Тимченко
byPositive Hack Days
 
Introducing Msd
byAung Khant
 
How to Secure Your Enterprise Services with WSO2 ESB
byWSO2
 
Security patterns and model driven architecture
bybdemchak
 
DWS16 - Smart city forum - Niels De Schutter, Atos
byIDATE DigiWorld
 
Trust No One: The New Security Model for Web APIs - SecTor talk by Greg Kliew...
byCA API Management
 
Web application security: how to start?
byAntonio Fontes
 
IoT And Inevitable Decentralization of The Internet
byPaul Brody
 
Security Patterns with WSO2 ESB
byWSO2
 
The End of the Fortress: The new Approach to Cybersecurity
byMarc Nader
 
SABSA: Key features, advantages & benefits summary
bySABSAcourses
 
Understand How Machine Learning Defends Against Zero-Day Threats
byRahul Mohandas
 
The Zero Trust Model of Information Security
byTripwire
 
Modelling Security Architecture
bynarenvivek
 
Improving web application security, part ii
byKangkan Goswami
 
Blockchain_ver0.5_MIT_security_and Privacy_am_final_upload
byAnish Mohammed
 
Application Security: Last Line of Defense
byNarudom Roongsiriwong, CISSP
 
SABSA overview
bySABSAcourses
 
Adaptive Enterprise Security Architecture
bySABSAcourses
 
SABSA Implementation(Part I)_ver1-0
byMaganathin Veeraragaloo
 
От простого к сложному: автоматизируем ручные тест-планы | Сергей Тимченко
byPositive Hack Days
 

Similar to Patterns and Antipatterns in Enterprise Security

PDF
Identity Federation Patterns with WSO2 Identity Server​
byWSO2
 
PPTX
unit4.pptx
byApurvSingh65
 
PPTX
Federated and fabulous identity
byAndre N. Klingsheim
 
PDF
A Guide To Single Sign-On for IBM Collaboration Solutions
byGabriella Davis
 
PDF
CIS13: How to Build a Federated Identity Service on Identity and Context Virt...
byCloudIDSummit
 
PDF
CIS13: Deploying an Identity Provider in a Complex, Federated and Siloed World
byCloudIDSummit
 
PDF
A SURVEY ON FEDERATED IDENTITY MANAGEMENT SYSTEMS LIMITATION AND SOLUTIONS
byIJNSA Journal
 
PDF
A Guide to Claims Based Identity and Access Control Patterns Practices 1st Ed...
byriboruhuinil
 
PPT
Identity Federation on JBossAS
byRoger CARHUATOCTO
 
PDF
Security for Future Networks: A Prospective Study of AAIs
byidescitation
 
PDF
A Guide to Claims Based Identity and Access Control Patterns Practices 1st Ed...
bycalangizuki
 
PDF
WSO2Con USA 2017: Introduction to Security: End-to-End Identity Management
byWSO2
 
PDF
Claims based identity second edition device
bySteve Xu
 
PDF
Architecting a Cloud-Scale Identity Fabric
byArinto Murdopo
 
PDF
Create a Uniform Login Experience with a Centralized Cloud Authentication Sys...
byXamarin
 
PDF
Practical Federated Identity
byWSO2
 
PDF
Windows Server 2008 R2 Active Directory ADFS Claims Base Identity for Windows...
byTũi Wichets
 
PPT
Identity federation & user centric identity
bywegdam
 
PPT
Web-services
bywebhostingguy
 
PPTX
Identity and User Access Management.pptx
byirfanullahkhan64
 
Identity Federation Patterns with WSO2 Identity Server​
byWSO2
 
unit4.pptx
byApurvSingh65
 
Federated and fabulous identity
byAndre N. Klingsheim
 
A Guide To Single Sign-On for IBM Collaboration Solutions
byGabriella Davis
 
CIS13: How to Build a Federated Identity Service on Identity and Context Virt...
byCloudIDSummit
 
CIS13: Deploying an Identity Provider in a Complex, Federated and Siloed World
byCloudIDSummit
 
A SURVEY ON FEDERATED IDENTITY MANAGEMENT SYSTEMS LIMITATION AND SOLUTIONS
byIJNSA Journal
 
A Guide to Claims Based Identity and Access Control Patterns Practices 1st Ed...
byriboruhuinil
 
Identity Federation on JBossAS
byRoger CARHUATOCTO
 
Security for Future Networks: A Prospective Study of AAIs
byidescitation
 
A Guide to Claims Based Identity and Access Control Patterns Practices 1st Ed...
bycalangizuki
 
WSO2Con USA 2017: Introduction to Security: End-to-End Identity Management
byWSO2
 
Claims based identity second edition device
bySteve Xu
 
Architecting a Cloud-Scale Identity Fabric
byArinto Murdopo
 
Create a Uniform Login Experience with a Centralized Cloud Authentication Sys...
byXamarin
 
Practical Federated Identity
byWSO2
 
Windows Server 2008 R2 Active Directory ADFS Claims Base Identity for Windows...
byTũi Wichets
 
Identity federation & user centric identity
bywegdam
 
Web-services
bywebhostingguy
 
Identity and User Access Management.pptx
byirfanullahkhan64
 

More from WSO2

PDF
Demystifying CMS-0057-F - Compliance Made Seamless with WSO2
byWSO2
 
PDF
Quantum Threats Are Closer Than You Think – Act Now to Stay Secure
byWSO2
 
PDF
Modern Platform Engineering with Choreo - The AI-Native Internal Developer Pl...
byWSO2
 
PDF
Application Modernization with Choreo - The AI-Native Internal Developer Plat...
byWSO2
 
PDF
Build Smarter, Deliver Faster with Choreo - An AI Native Internal Developer P...
byWSO2
 
PDF
Platformless Modernization with Choreo.pdf
byWSO2
 
PDF
Application Modernization with Choreo for the BFSI Sector
byWSO2
 
PDF
Choreo - The AI-Native Internal Developer Platform as a Service: Overview
byWSO2
 
PDF
[Roundtable] Choreo - The AI-Native Internal Developer Platform as a Service
byWSO2
 
PPTX
WSO2Con 2025 - Building AI Applications in the Enterprise (Part 1)
byWSO2
 
PPTX
WSO2Con 2025 - Building Secure Business Customer and Partner Experience (B2B)...
byWSO2
 
PPTX
WSO2Con 2025 - Building Secure Customer Experience Apps
byWSO2
 
PPTX
WSO2Con 2025 - AI-Driven API Design, Development, and Consumption with Enhanc...
byWSO2
 
PPTX
WSO2Con 2025 - AI-Driven API Design, Development, and Consumption with Enhanc...
byWSO2
 
PPTX
WSO2Con 2025 - Unified Management of Ingress and Egress Across Multiple API G...
byWSO2
 
PPTX
WSO2Con 2025 - How an Internal Developer Platform Lets Developers Focus on Code
byWSO2
 
PPTX
WSO2Con 2025 - Architecting Cloud-Native Applications
byWSO2
 
PDF
Mastering Intelligent Digital Experiences with Platformless Modernization
byWSO2
 
PDF
Accelerate Enterprise Software Engineering with Platformless
byWSO2
 
PDF
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
byWSO2
 
Demystifying CMS-0057-F - Compliance Made Seamless with WSO2
byWSO2
 
Quantum Threats Are Closer Than You Think – Act Now to Stay Secure
byWSO2
 
Modern Platform Engineering with Choreo - The AI-Native Internal Developer Pl...
byWSO2
 
Application Modernization with Choreo - The AI-Native Internal Developer Plat...
byWSO2
 
Build Smarter, Deliver Faster with Choreo - An AI Native Internal Developer P...
byWSO2
 
Platformless Modernization with Choreo.pdf
byWSO2
 
Application Modernization with Choreo for the BFSI Sector
byWSO2
 
Choreo - The AI-Native Internal Developer Platform as a Service: Overview
byWSO2
 
[Roundtable] Choreo - The AI-Native Internal Developer Platform as a Service
byWSO2
 
WSO2Con 2025 - Building AI Applications in the Enterprise (Part 1)
byWSO2
 
WSO2Con 2025 - Building Secure Business Customer and Partner Experience (B2B)...
byWSO2
 
WSO2Con 2025 - Building Secure Customer Experience Apps
byWSO2
 
WSO2Con 2025 - AI-Driven API Design, Development, and Consumption with Enhanc...
byWSO2
 
WSO2Con 2025 - AI-Driven API Design, Development, and Consumption with Enhanc...
byWSO2
 
WSO2Con 2025 - Unified Management of Ingress and Egress Across Multiple API G...
byWSO2
 
WSO2Con 2025 - How an Internal Developer Platform Lets Developers Focus on Code
byWSO2
 
WSO2Con 2025 - Architecting Cloud-Native Applications
byWSO2
 
Mastering Intelligent Digital Experiences with Platformless Modernization
byWSO2
 
Accelerate Enterprise Software Engineering with Platformless
byWSO2
 
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
byWSO2
 

Recently uploaded

PPTX
apidays Paris 2025 | Building Agentic Workflows
byapidays
 
PDF
GenerationAI_Paris_2025_Architecting_Intelligence.pdf
byapidays
 
PDF
UiPath Automation Developer Associate Training Series 2025 - Session 4
byDianaGray10
 
PDF
Explaining specific examples of purpose-specific BOM
byakipii ogaoga
 
PDF
Constraint Collapse and Fidelity Decay in Scaled Language Models
bySemantic Fidelity Lab | A. Jacobs
 
PPTX
GenerationAI Paris 2025 | AI in Tech: Beyond Expectations, Into Execution
byapidays
 
PDF
February 2026 Patch Tuesday hosted by Chris Goettl and Todd Schell
byIvanti
 
PPTX
Workflow and decision Automation with Flowable
bychakib ch
 
PDF
How does MES(Manufacturing Execution System) work?
byakipii ogaoga
 
PDF
Escape from the Forbidden Zone: Smuggling green and inclusive tech past the g...
byBookNet Canada
 
PDF
apidays New York 2025 | AI in Application Security
byapidays
 
PDF
GTM-and-Sales-Plan for a cyber security product
byAshish Jangir
 
PDF
Founder & Tech Lead | Web Development & Digital Growth Consultant | Helping B...
byShyamal Das
 
PDF
Digital Twin in IBM for Accelerated Discovery of Climate & Sustainability, K...
byMichiaki Tatsubori
 
PDF
final.pdf
byomarbishtawi04
 
PPTX
Celonis Optimizing your future with process
bydevjeremyappleyard
 
PPTX
Critique Prompting: The Secret to High-Quality AI Outputs
bySemantic SEO BD
 
PDF
AI Vector Search Best Practices Multicloud Feb 2026
bySandesh Rao
 
PDF
apidays Paris 2025 | Zero Trust By Design
byapidays
 
PDF
GDG Cloud Southlake #49: Pradeep R Kumar: Implications of Agentic AI for Iden...
byJames Anderson
 
apidays Paris 2025 | Building Agentic Workflows
byapidays
 
GenerationAI_Paris_2025_Architecting_Intelligence.pdf
byapidays
 
UiPath Automation Developer Associate Training Series 2025 - Session 4
byDianaGray10
 
Explaining specific examples of purpose-specific BOM
byakipii ogaoga
 
Constraint Collapse and Fidelity Decay in Scaled Language Models
bySemantic Fidelity Lab | A. Jacobs
 
GenerationAI Paris 2025 | AI in Tech: Beyond Expectations, Into Execution
byapidays
 
February 2026 Patch Tuesday hosted by Chris Goettl and Todd Schell
byIvanti
 
Workflow and decision Automation with Flowable
bychakib ch
 
How does MES(Manufacturing Execution System) work?
byakipii ogaoga
 
Escape from the Forbidden Zone: Smuggling green and inclusive tech past the g...
byBookNet Canada
 
apidays New York 2025 | AI in Application Security
byapidays
 
GTM-and-Sales-Plan for a cyber security product
byAshish Jangir
 
Founder & Tech Lead | Web Development & Digital Growth Consultant | Helping B...
byShyamal Das
 
Digital Twin in IBM for Accelerated Discovery of Climate & Sustainability, K...
byMichiaki Tatsubori
 
final.pdf
byomarbishtawi04
 
Celonis Optimizing your future with process
bydevjeremyappleyard
 
Critique Prompting: The Secret to High-Quality AI Outputs
bySemantic SEO BD
 
AI Vector Search Best Practices Multicloud Feb 2026
bySandesh Rao
 
apidays Paris 2025 | Zero Trust By Design
byapidays
 
GDG Cloud Southlake #49: Pradeep R Kumar: Implications of Agentic AI for Iden...
byJames Anderson
 

Patterns and Antipatterns in Enterprise Security

  • 1.
    Patterns and Antipatternsin Enterprise Security Johann Nallathamby Malithi Edirisinghe 1
  • 2.
    For whom? ● Lookingto learn about Identity and Access Management Patterns to solve real world business problems. ● Some experience with Identity and Access Management Technologies. E.g. Directories, SAML2, OAuth2 which are some of the most commonly used data standards / protocols for transporting Identity and Access Management data. ● Main focus is on Identity and Access Management Patterns. ○ NOT Network Security ○ NOT OS Security 2
  • 3.
    1. Identity Integration/ Virtual Directory 3
  • 4.
    Problem ● Users tothe system can come from multiple sources ● A single user’s attributes can come from multiple sources ● User credentials and attributes can come from separate sources Solution ● Mount multiple user stores for user management and make the number and type of user stores transparent to the application ● Connect the credential stores and identity stores to the system and provide a unified view of the user's’ identity hiding away the complexity in aggregating those data 4
  • 5.
  • 6.
    Problem Users will workwith multiple applications in an enterprise. They will have to use specific credentials for each. ● Disjointed User Experience ● Complicated user and account management ● Security Threats Solution Delegate authentication to a trusted identity provider - Brokered Identity 6
  • 7.
    Benefits ● Single SignOn ● Separate user authentication from application code ● Hides user credentials from applications ● Removes administrative overhead from applications ● Improves user experience Limitations ● Authentication can be a single point of failure. ● Introduce a single point where the security of the entire system can be breached 7
  • 8.
  • 9.
    Problem Users will useapplications across enterprise borders and cloud. Solution Multiple trust domains with multiple Identity Providers. Federated authentication based on the trust relationship 9
  • 10.
    Benefits ● Single SignOn ● No need of managing accounts in the on premise userstore ● Reduce administration overhead Limitations Security of the system can be compromised if any of the Identity Provider that your Identity Provider trusts are breached. 10
  • 11.
    3.1. Identity FederationVariation -1 Inter-Domain Token Exchange 11
  • 12.
    Problem A consumer whois living in a trust domain needs to interact with a service that is developed in a federated trust domain Solution Establish a trust relationship between the two Identity Providers residing in each trust domain. IdP-A IdP-B Consumer Service Trust Trust Trust Trust Domain A Trust Domain B 12
  • 13.
    Benefits ● Flexible inmaintaining trust domains ● Facilitates federated interactions between consumers and services across trust domains ● Same model can be extended to address more complex federation scenarios Limitations Introduces certain level of dependency between the consumer and the Identity Provider in the other trust domain 13
  • 14.
    3.2. Identity FederationVariation -2 Intra-Domain Token Exchange 14
  • 15.
    Problem A consumer whois living in a trust domain needs to interact with a service that is developed in a federated trust domain, without any dependencies to entities in the other trust domain Solution Consumer presents the token to the service in the other trust domain. Service will validate the token with its Identity Provider. IdP-A IdP-B Consumer Service Trust Trust Trust Trust Domain A Trust Domain B 15
  • 16.
    Benefits ● Removes dependenciesbetween consumers and service in different trust domains ● Can handle different token claim representations Limitations ● Adds complexity to the mechanism used to model the trust relationship with the Identity Provider in the other trust domain ● Makes the services to accept messages that are not issued by the Identity Provider that they trusts 16
  • 17.
    3.3. Identity FederationVariation -3 Third Party Trust Establisher 17
  • 18.
    Problem Creation of trustbetween Identity Providers can be complex. Ex: Cannot establish direct trust relationship as some identity information cannot be shared with partner company. Solution Establish the trust relationship with a third party Identity Provider, that act as a bridge between other Identity Providers IdP-A IdP-B Consumer Service Trust Trust Trust Trust Domain A Trust Domain BIdP-C Trust Trust 18
  • 19.
    Benefits Isolates the complexitiesof the federated environment from different trust domains Limitations Introduces a new component that needs to maintained 19
  • 20.
  • 21.
    Problem ● Increasing noof Service Providers and Identity Providers ● Each Service Provider has to trust Each Identity Provider Not scalable Hard to manage Source : http://blog.facilelogin.com/2014/10/identity-federation-patterns-with-wso2. html Spaghetti 21
  • 22.
    Solution One Identity Brokertrusted by relying parties and federated parties acting as a hub 22
  • 23.
  • 24.
    Problem ● Multiple IdentityFederation Protocols SAML, OpenID Connect, WS-Federation etc. ● But federation systems relies on only one protocol Ex: Silo of SAML Federation Silo of OpenID Connect Federation Source : http://blog.facilelogin.com/2014/10/identity-federation-patterns-with-wso2. html Federation Silos 24
  • 25.
    Solution ● Bridge betweenprotocols. SAML with OpenID Connect 25
  • 26.
    Benefits ● Single SignOn across heterogeneous protocols ● Identity federation between Service Providers and Identity Providers with heterogeneous federation protocols ● Scalability Limitations ● Authentication can be a single point of failure. ● Introduce a single point where the security of the entire system can be breached 26
  • 27.
  • 28.
    Problem Service Providers maynot be able to understand claims or roles of the subject, in the format issued by Identity Providers and vise versa. Solution Convert incoming claims to the expected format Benefits ● Process claims in a single point reducing the complexity of enforcing brokered trust ● Can be used with legacy systems 28
  • 29.
  • 30.
    Problem Digital identity fraudis still on the rise Needs “strong” user authentication Solution Use two or more authentication factors ● Something known to only the user (Knowledge based) password, shared secret, PIN ● Something held only by the user (Possession based) security token, smart card, mobile device ● Something inherent only to the user (Biometric) facial recognition, fingerprint, voice recognition 30
  • 31.
  • 32.
    Problem Multiple domains essentiallyisolated due to lack of mutual inbound or outbound trust relationships. Service Providers opt for different login options Solution Multiple login options are presented to the user as per the Service Provider application. 32
  • 33.
  • 34.
    Problem Needs “strong” userauthentication, if and only if there is an actual risk. Solution Provide additional authentication steps, if and only if the risk profile (derived from a matrix of variables) is high. Enhance user experience 34
  • 35.
  • 36.
    36 MAC vs. DAC ●Mandatory Access Control (MAC) ○ Centralized security policy ○ Users do not have the ability to override the policy ● Discretionary Access Control (DAC) ○ Governs the ability of subjects to access objects ○ Allows users the ability to make policy decisions and/or assign security attributes. ○ The traditional Unix system of users, groups, and read-write- execute permissions is an example of DAC.
  • 37.
    37 Access Control Patterns ●Access Matrix / Access Control Table / Access Control List ● Role Based Access Control (RBAC) ● Group Based Access Control ● Claim Based Access Control ● Policy Based ● Hierarchical Authorization ○ Hierarchical Tenants ○ Hierarchical Groups/Roles ○ Hierarchical Resources ● Multilevel Access Control
  • 38.
  • 41.
    11. SSO withDelegated Access Control 41
  • 42.
    Problem Consumers need toaccess back-end APIs on behalf of the logged in user. 42 Solution Should adhere to some access delegation protocol Ex: OAuth Exchange the authentication token to some access token SAML token, JSON Web Token (JWT)
  • 43.
  • 44.
  • 45.
  • 46.
  • 47.
  • 48.
  • 49.
  • 50.
    13. JIT Provisioning/ Shadow Accounts 50
  • 51.
    Requirements ● Transient NameIDs ● Persistent Name IDs ● Identity Protection ● Identity Mapping ● Identity Collision 51
  • 52.
  • 53.
    53 Problem Securing a n-tierapplication ● Securing only the top most layer ● Expansion in the number and kinds of users ● Heterogeneous devices ● Unlimited connections ● Who should be allowed to access the data? ● Cannot protect from an attack originating from the local area network within the company. ● Who has already accessed the data? Source : http://blog.facilelogin.com/2014/10/identity-federation-patterns-with-w html
  • 54.
    54 Solution 1 Impersonation andDelegation ● Delegation is the process of allowing another party to act on behalf of an identity. ● This process bestows upon a party the rights and privileges of another party to perform a set of tasks. ● Impersonation can be viewed as the most relaxed form of delegation, such that one identity is assigned the complete set of permissions of the impersonated identity.
  • 55.
    55 Solution 2 Trusted Subsystem ●Trusted subsystem model implies that application services are trusted to perform a specific set of application tasks. ● Frequently, downstream services need to make application authorization decisions. ● To do so, the service must know the identity of the end user. ● While the ability to flow the identity of the end user is an inherent property of the delegation model, it is not so for the trusted subsystem model and special efforts must be made to include this feature. Source : https://msdn.microsoft.com/en-us/library/aa905320. aspx#trstsubsysdes_topic6
  • 56.
    56 Solution 2 Contd. TrustedSubsystem ● Authenticate and verify the identity of the upstream or downstream service they are communicating with. ● Decide if the identified service is a trusted subsystem for a specific set of application functions, including propagating identity claims. ● Protect the integrity of the data being communicated between trusted subsystem and downstream services. Besides application data and application plumbing data, such as the identity claims of the original user, must also be protected so that no man-in-the-middle can modify the identity information that is in transit.
  • 57.
    57 Solution 2 Contd. TrustedSubsystem - Identity Flows ● Trusted subsystem generated identity tokens / Self-issued ○ When downstream services trust the trusted subsystem to assert the original caller's identity, without requiring additional evidence from other parties. ● Third party generated identity tokens / Self-contained ○ When the downstream services trust the trusted subsystem to assert claims regarding the original caller in conjunction with third party evidence that satisfies an additional set of security requirements. ● User self-signed tokens ○ When the trusted subsystem is authorized to perform a set of application functions and when there must be evidence from the original caller that the caller initiated the request. ● Identity/Credential Mapping ○ Special function of the trusted subsystem role, where the goal is to transform an identity to another related identity for the purpose of gaining access to downstream resources that only recognize the transformed identity.
  • 58.
  • 59.
  • 60.
  • 61.
    61 Audit Interceptor Requirement ● Logsecurity incidents to trace system abuse: ○ Failed login attempts ○ Unauthorized access attempts to services Solution ● All messages flow through the a gateway of the system. ● Necessary auditing is done by the logging at the gateway.
  • 62.
    62 Data Origin Authentication Requirement ●Non-repudiation Solution ● Digital Signature Data Confidentiality Requirement Protect sensitive personal data during transmission from: ● Tampering ● unauthorized access Solution ● Digital Encryption
  • 63.
    63 Message Screening Requirement Mitigate damagesto the system from messages with malicious content ● SQL injection ● X-Doc attacks Solution ● XML Schema validation. ● Regular expression validation to avoid SQL injections contained in strings. ● An application of Perimeter Security
  • 64.
    64 Replay Mitigation/DoS Safety Requirement Preventdenial of service attacks caused by replaying valid messages. Solution ● Apply throttling rules at the entry point. ● Validate message freshness by WS-Security mechanisms (Timestamp/Nonce). ● An application of Perimeter Security.
  • 65.
    65 Exception Shielding Requirement Avoid exposingsensitive data through exceptions. ● Legacy application code might throw exceptions containing sensitive information. ● Need to filter those exceptions when system is exposed to external parties. Solution ● Sanitize unsafe exception data by replacing it with non-harmful exception message and give the right level of detail to the user.
  • 66.
    66 References [1] https://msdn.microsoft.com/en-us/library/ [2] http://soapatterns.org/ [3]https://medium.facilelogin.com/thirty-solution-patterns-with-the-wso2-identity-server- 16f9fd0c0389#.1f3slrjnt [4] http://wso2.com/library/blog-post/2014/10/blog-post-identity-anti-patterns-federation-silos- and-spaghetti-identity/ [5] http://wso2.com/library/webinars/identity-server/ [6] M. Schumacher, E. Fernandez-Buglioni and D. Hybertson, Security Patterns: Integrating Security and Systems Engineering. 2005.
  • 67.