Security and interoperability
1. Security and Interoperability
Danny De Cock
January 16th, 2012
Moldova
E-mail: Danny.DeCock@esat.kuleuven.be
Slides: godot.be/slides
2. Secrets of Successful eID Environments
• 3 high-level actors: Citizen/Customer, Government, Business
• Different sectors
– eGovernment
• Collect and store data once, reuse where possible
– eHealth
• Make patient records available to health care service providers
– eCommerce & eBusiness
• Provide ability to correctly identify involved parties
– Avoiding online fraud, preparing effective anti-spam measures
3. Secrets of Successful eID Environments
• Success depends on joined forces of public and private sector
– Private sector requires return on investment (ROI)
• The number of contacts between a citizen and its eGovernment alone does not justify huge investments
– Public sector prefers eID enablers for use in public and private sector
• Avoid reinventing the wheel
– Need to exchange experience with successes and *failures*
– Risk of lacking focus to create interoperable solutions
• Caveat: Systems focusing on any single sector are inherently incompatible with *similar* systems
4. Design Decisions – Basic Concepts
• Federated architecture
– Each sector operates autonomously
– Interfaces with other sectors through bus system
• Built around authoritative sources
– Master copy of data is available at exactly one repository
– Master copy = authoritative source
• Maximal reuse of information
– No data replication
– Administrations cannot re-request data already available
• Integrated system for user and access management
– eID for all – Citizens & organizations
– Autonomous management of access & use policies
5. Design Decisions – Benefits
• Guaranteed interoperability enhances security!
– Modularity respects each organization’s sovereignty
• Prevents vendor lock-in
– Exchanging information using standard and open protocols and data formats
• Guaranteed flexibility
– Modularity allows updating and following
• Security standards
• Good/best practices
6. Identification & Authentication
• Unique identification of
– Citizens
– Professionals
– Companies and other Service Providers (public and private sector)
• eID for all: Authentication & Identification tokens
– Federal token
– eID card – Belgian citizens & foreigners
– Other tokens – companies, organizations, individuals
8. eID Card Content
[Diagram of the card's content, in three groups]
– PKI: Root CA, CA, Authentication certificate, Signature certificate, RRN certificate
– Citizen Identity Data: ID file and ADDRESS file, each carrying an RRN SIGNATURE
– Photo: 140x200 Pixels, 8 BPP, 3.224 Bytes
RRN = National Register
9. eID Card = 4 Functions
• Non-electronic
1. Visible identification of a person
• Electronic enabler of eServices (eFunctionality)
2. Digital identification
• Data capture
3. Prove your identity
• Authentication signature
4. Digitally sign information
• Non-repudiation signature
10. Levels of Assurance (LoA) of Authentication
• Federated identity management model
– E.g., Shibboleth, Liberty Alliance, CardSpace…
• LoA 4+ (qualified plus biometric): Setting access policies
• LoA 4 (qualified cert with smart card EAL4+): Sensitive medical records (e.g. HIV), consultant notes containing opinions, ability to "break the glass", bank to bank transfers
• LoA 3 (2-factor authentication, non-qualified cert, EAL4 smart card): Patient confidential records (non-sensitive)
• LoA 2 (one time password): Some Internet banking applications, system administration
• LoA 1 (uid/password, Verisign Class 1 cert): Retrieve degree certificate, completing public service employment application
• LoA 0 (no authentication): Public data
13. How to Choose a Security Level?
• Responsibility of the service provider under supervision of the Privacy Commission
• Based on risk assessment and depending on
– Type of processing: communication, consultation, alteration,…
– Scope of the service: does the processing only concern the user or also concern other persons?
– Degree of sensitivity of the data processed
– Possible impact of the processing
• In addition to the right security level
– Use of an electronic & time-stamped signature might be needed
14. Interoperable & Secure by Design
• Mandates & authorization credentials based on open standards, e.g.,
– XACML
– SAML
• Revocation services set up by mandate manager and certification authority
– OCSP
– CRL
• Certificates, Signatures and timestamps, e.g.,
– X.509
– XADES-*
• Communication protocols
– SSL/TLS
15. XACML – Allow/Deny Service Requests…
[Diagram: Joe → Policy Enforcement Point → Service Provider, with the Authorization Domain (Policy Decision Point, Policy Access Point, Policy Information Point) behind the PEP]
1. Joe asks the Policy Enforcement Point to execute Service Y
2. The PEP asks the Policy Decision Point to check policy compliance
3. The PDP retrieves the relevant policies from the Policy Access Point
4. The PDP retrieves policy validation information from the Policy Information Point
5. The PDP returns Permit / Deny for the service request
6. If permitted, the PEP executes Service Y at the Service Provider and the result (OK) is returned
16. Generic Policy Enforcement Model
[Diagram, XACML-based: User → action on application → Policy Enforcement Point (PEP) → action on application PERMITTED → Application, or action on application DENIED back to the user]
– PEP ↔ Policy Decision Point (PDP): decision request / decision reply
– PDP: policy retrieval from the Policy Repository, which is maintained by the Policy Manager through Policy Management at the Policy Administration Point (PAP)
– PDP ↔ Policy Information Points (PIP): information request / reply; each PIP draws on an Authentic Source
Slide inspired by Frank Robben
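The PEP/PDP/PAP/PIP flow of slides 15 and 16, combined with the LoA levels of slide 10, as an added Python example that is not part of the presentation: the rules, subjects, role provider and authentication methods are constructed, and a single Permit-rule type with deny-by-default stands in for a full XACML policy language.

```python
from dataclasses import dataclass

# Authentication method -> LoA, following the LoA slide (constructed; 5 = the slide's "LoA 4+").
LOA_OF_METHOD = {
    "none": 0,                     # LoA 0: no authentication
    "password": 1,                 # LoA 1: uid/password
    "otp": 2,                      # LoA 2: one-time password
    "smartcard_nonqualified": 3,   # LoA 3: 2-factor, non-qualified cert
    "eid_qualified": 4,            # LoA 4: qualified cert on smart card
    "eid_qualified_biometric": 5,  # LoA 4+: qualified plus biometric
}

@dataclass
class Rule:
    """A Permit rule in the policy repository; anything not matched is Deny."""
    resource: str
    action: str
    min_loa: int
    required_role: str = ""  # "": no role requirement

class PolicyAdministrationPoint:
    """PAP: the policy manager publishes rules into the policy repository."""
    def __init__(self):
        self.repository = []

    def publish(self, rule):
        self.repository.append(rule)

    def policies_for(self, resource, action):
        return [r for r in self.repository
                if r.resource == resource and r.action == action]

class PolicyInformationPoint:
    """PIP: serves subject attributes from (constructed) authentic sources."""
    def __init__(self, roles, auth_method):
        self.roles = roles              # subject -> roles, as a role provider would
        self.auth_method = auth_method  # subject -> how the session authenticated

    def attributes(self, subject):
        return {"roles": self.roles.get(subject, set()),
                "loa": LOA_OF_METHOD[self.auth_method.get(subject, "none")]}

class PolicyDecisionPoint:
    """PDP: retrieves the relevant policies and validation information, then decides."""
    def __init__(self, pap, pip):
        self.pap, self.pip = pap, pip

    def decide(self, subject, action, resource):
        attrs = self.pip.attributes(subject)                  # step 4: ask the PIP
        for rule in self.pap.policies_for(resource, action):  # step 3: ask the PAP
            role_ok = not rule.required_role or rule.required_role in attrs["roles"]
            if role_ok and attrs["loa"] >= rule.min_loa:
                return "Permit"
        return "Deny"  # no applicable Permit rule: deny by default

class PolicyEnforcementPoint:
    """PEP: intercepts the action, asks the PDP, enforces and logs the answer."""
    def __init__(self, pdp, service):
        self.pdp, self.service = pdp, service
        self.audit_log = []  # every decision is kept for later audit

    def execute(self, subject, action, resource):
        decision = self.pdp.decide(subject, action, resource)  # steps 2 and 5
        self.audit_log.append((subject, action, resource, decision))
        if decision != "Permit":
            return "DENIED"
        return self.service(subject, action, resource)  # step 6: action on application

def build_demo():
    """Wire up a constructed eHealth-style authorization domain and return its PEP."""
    pap = PolicyAdministrationPoint()
    pap.publish(Rule("record/sensitive", "consult", min_loa=4, required_role="physician"))
    pap.publish(Rule("record/confidential", "consult", min_loa=3, required_role="physician"))
    pap.publish(Rule("public_data", "consult", min_loa=0))
    pip = PolicyInformationPoint(
        roles={"dr_alice": {"physician"}, "dr_bob": {"physician"}},
        auth_method={"dr_alice": "eid_qualified", "dr_bob": "otp"})
    return PolicyEnforcementPoint(PolicyDecisionPoint(pap, pip),
                                  service=lambda s, a, r: f"OK: {s} {a} {r}")
```

A physician authenticated with a one-time password (LoA 2) is refused the LoA 4 sensitive record even though the role matches, and every decision, permitted or denied, lands in the PEP's audit log.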
17. Re-using Architecture
[Diagram: the same authorization stack instantiated in three domains, Be-Health, the social sector (CBSS) and the non-social FPS (FedICT). In each domain: USER → APPLICATIONS → Authentication and Authorization (PEP WebApp) → Role Mapper (XYZ, with Role Mapper DB) → PDP and PAP; Role Providers (‘’Kephas’’, with Provider DB); PIPs backed by Attribute Providers (with Management DB) and domain sources such as RIZIV, UMAF, Bailiffs, Mandates, VAS and XYZ]
Slide inspired by Frank Robben
18. Conclusion
• eGovernment Services are accessible
– Via open standards
– With strong authentication & access management
• Federated system permits use of common basic services securely
– Without losing any autonomy!
• System allows permanent evolution
– Continuously changing user & organization requirements