This document discusses security considerations for service-oriented architectures (SOA) and on-demand environments. It describes several subsystems that are important for a comprehensive security management architecture (MASS), including access control, identity and credential management, information flow control, security auditing, and solution integrity. Technologies that can be used to implement each subsystem are also outlined, such as directories, firewalls, encryption, and systems management solutions. The document stresses that security requires an integrated approach across all of these areas.
A Single Strong Authentication Platform for Cloud and On-Premise Applications (SafeNet)
Strong authentication and single sign-on for SaaS applications is available with SafeNet Authentication Manager and SafeWord 2008.
With either platform, the enterprise security team retains complete control over the configuration, deployment, and administration of the authentication infrastructure, which remains in the enterprise’s IT domain.
Organizations can deploy either platform in their network’s DMZ, so users can authenticate directly to cloud-based applications and services, rather than having to go through the corporate VPN. As a result, users have a faster, more seamless experience accessing on-premise and cloud-based applications, while enterprises enjoy optimized security.
In Today's Complex Multi Perimeter World, Are You Doing Enough to Secure Acce... (IBM Security)
On today’s smarter planet, providing secure access to sensitive data, applications and infrastructure is more complex than ever. With users accessing corporate data and applications from outside the traditional network perimeter, traditional access and authentication controls are no longer sufficient. To safeguard mobile, cloud and social interactions while preventing insider threat and identity fraud, you need a powerful access management solution that’s designed for today’s multi-perimeter world.
We will explore how you can address your problems with the latest IBM Security Access Manager – an “All-in-one” access management solution that is designed to provide both web and mobile security in a modular package suitable to your needs.
View the full on-demand webcast: https://www.youtube.com/watch?v=-ycUQykZSQA
Introduction to the business challenges of securely managing access to privileged accounts and the technical processes built into Privileged Access Manager to secure access to administrator, service and application-to-application IDs.
Increase IBM i Security & Accelerate Compliance with New Syncsort Security Re... (Precisely)
Regulatory compliance and security of critical systems, applications and data are top-of-mind issues for IT organizations in 2018. New capabilities are now available from the Syncsort Assure products that can help your organization achieve and maintain compliance while strengthening IBM i security.
View this webinar on-demand to discover how new innovations from Syncsort can help you meet your auditing and control needs.
3 Steps to Security Intelligence - How to Build a More Secure Enterprise (IBM Security)
We are in the midst of upheaval in the world of IT Security. Attackers are highly organized and using increasingly sophisticated methods to gain entry to your most sensitive data. At the same time, Cloud and mobile are redefining the concept of the perimeter. Check out this insightful discussion of how today's CISO is building a more secure enterprise using analytics, risk-based protection, and activity monitoring to protect the most valuable assets of the organization.
For more visit: http://securityintelligence.com
Talk by Enrico Boverino, Director of Public Administration & Media - VMWARE, at
OPEN DAY - COMPETENZE DIGITALI (Digital Skills Open Day)
Conference Hall, Pav. 152 Regione Puglia, Fiera del Levante, Bari
15 May 2015, 9:30 a.m.
Hitachi ID Suite overview of security features and enhancements in 9.0. Also showcasing new mobile UI for web apps.
See more at: http://hitachi-id.com/docs/pres.html
This is the product and services portfolio of IBM Security, which is one pillar of the IBM CAMSS strategy. Products in the portfolio are still moving during early 2015 due to IBM's re-portfolioing; however, it is categorized in two major parts:
1) IBM Security Products: all security software and appliances
2) IBM Security Services: all security services, including cloud security
The New Assure Security: Complete IBM i Compliance and Security (Precisely)
On April 8 Syncsort announced Assure Security, a new product that brings together Syncsort’s best-in-class IBM i security capabilities. Assure Security enables organizations like yours to comply with cybersecurity regulations and strengthen IBM i security through features that assess security vulnerabilities, control access to systems and data, enforce data privacy, and monitor for security incidents and compliance deviations.
View this webcast on-demand to learn all about Assure Security, including:
• How Syncsort’s security brands have come together in Assure Security
• How Assure Security automates security best practices and satisfies regulatory requirements
• How Syncsort can help you control access to IBM i systems and prevent data breaches
Recent security breaches by trusted insiders have propelled Identity and Access Management (IAM) to the top security priority of many organizations. After all, it’s clear security is only as strong as its weakest link – people – and the press is full of articles documenting the damage people can do. So it’s natural for security managers to want to shore up their IAM infrastructure to avoid similar embarrassment. But IAM needs to be approached with an eye towards the full extended environment and by taking associated risks into account. In other words, whether you are starting from scratch or taking on new IAM challenges such as cloud security, there are certain IAM tenets you should follow to build a successful, effective IAM solution.
Don’t join the Hall of Shame by having a security breach at your organization. Attend this webcast to learn five ways a typical IAM solution can fail, so you don’t make the same mistakes.
View the full on-demand webcast: http://securityintelligence.com/events/5-reasons-iam-solution-will-fail/#.VYxJ4_lVhBd
SkypeShield - Securing Skype for Business (Yoav Crombie)
The leading Skype for Business security solution addressing external access security risks.
SkypeShield offers two-factor authentication, device access control, account lockout protection, Exchange Web Service protection, MDM binding, VPN, DLP, Ethical Wall and an application firewall.
The cloud offers simplified application development and delivery by providing infrastructure, platform and software services that are ready to use immediately. However, the major inhibitor for businesses has been concerns around security. IBM has simplified the typical method for approaching this problem. Whether you’re looking to employ infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS) or software-as-a-service (SaaS), use the framework below when designing your solution. Each platform comes with certain built-in security qualities and lets you use add-ons on top of the platform to secure each workload.
(SEC311) Architecting for End-to-End Security in the Enterprise | AWS re:Inve... (Amazon Web Services)
This session tells the story of how security-minded enterprises provide end-to-end protection of their sensitive data in AWS. Learn about the enterprise security architecture design decisions made by Fortune 500 organizations during actual sensitive workload deployments, as told by the AWS security solution architects and professional service security, risk, and compliance team members who lived them. In this technical walkthrough, we share lessons learned from the development of enterprise security strategy, security use-case development, end-to-end security architecture and service composition, security configuration decisions, and the creation of AWS security operations playbooks to support the architecture.
This is covered during the tech conference. It covers high-level security. The best practice for deployment for gateway (what was known as last-mile) is covered at the end.
IBM MobileFirst Reference Architecture 1512 v3 2015 (Sreeni Pamidala)
IBM MobileFirst Reference Architecture, with the application architecture and deployment/operational models for developing Android/iOS/Web apps and hosting them in the cloud.
Contextual Security and Application Control for Virtualized Desktops (Ivanti)
DaaS and VDI continue to provide anywhere, secure access from any device to corporate workspaces. As the user is more mobile than ever before, security, compliance, and licensing requirements demand additional contextual control over virtual applications and desktops. Join this webinar to see how Ivanti and Device Trust can help.
Enable OAuth 2.0 with Sentinet API Management (Massimo Crippa @ BTUG Event) (Codit)
Find here the slides of the presentation on Sentinet, given by Massimo Crippa (Codit) on the BTUG Event of 13th of October 2015.
Sentinet has recently introduced the support for the OAuth and OpenID Connect protocols.
In this presentation you will see the supported authentication flows, how to secure a regular BizTalk SOAP and REST service with OAuth 2.0 and how to call an OAuth-protected API from BizTalk with no coding or any changes in the existing application.
Security Essentials For Startups Taking Their First Steps As Cloud Providers.
This deck is based on the paper below: https://chapters.cloudsecurityalliance.org/israel/papers/
Rapidly develop secure mobile apps with IBM MobileFirst on Bluemix Containers (Ajay Chebbi)
Creating standalone apps is fun! Think Angry Birds. But once you want to connect to an enterprise backend and provide enterprise-grade security (think a bank app), mobile app developer productivity starts dropping. Using IBM MobileFirst Platform Foundation Server you can rapidly develop secure mobile apps. The MFP server can be on-prem or in the cloud on Bluemix Docker Containers.
Managing Identity from the Cloud: Transformation Advantages at VantisLife Ins... (IBM Security)
In an ever-changing landscape consisting of enterprise apps, mobile devices, and SaaS applications, addressing identity and access management challenges has become increasingly complex, expensive, and time-consuming. In this session we'll explore how cloud-based IAM services can be applied to both new and existing challenges to drive lower ownership costs, quicker time-to-value, and increased agility. Attendees will hear the real-life experiences of VantisLife Insurance, a long-term cloud IAM adopter.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo... (James Anderson)
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
The New Frontiers of AI in RPA with UiPath Autopilot™ (UiPathCommunity)
In this free online event, organized by the UiPath Italian Community, you can explore the new features of Autopilot, the tool that integrates Artificial Intelligence into the development and use of Automations.
📕 Together we will look at some examples of using Autopilot in various tools of the UiPath Suite:
Autopilot for Studio Web
Autopilot for Studio
Autopilot for Apps
Clipboard AI
GenAI applied to Document Understanding
👨🏫👨💻 Speakers:
Stefano Negro, UiPath MVPx3, RPA Tech Lead @ BSP Consultant
Flavio Martinelli, UiPath MVP 2023, Technical Account Manager @UiPath
Andrei Tasca, RPA Solutions Team Lead @NTT Data
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf (91mobiles)
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
Securing your Kubernetes cluster: a step-by-step guide to success! (KatiaHIMEUR1)
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
GraphRAG is All You need? LLM & Knowledge Graph (Guy Korland)
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do... (UiPathCommunity)
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
Removing Uninteresting Bytes in Software Fuzzing (Aftab Hussain)
Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speed up fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process.
In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- libxml's xmllint, a tool for parsing XML documents, and Binutils' readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format) files. Our preliminary results show that AFL+DIAR not only discovers new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds.
- These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024 (Albert Hoitingh)
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
Enhancing Performance with Globus and the Science DMZ (Globus)
ESnet has led the way in helping national facilities—and many other institutions in the research community—configure Science DMZs and troubleshoot network issues to maximize data transfer performance. In this talk we will present a summary of approaches and tips for getting the most out of your network infrastructure using Globus Connect Server.
In his public lecture, Christian Timmerer provides insights into the fascinating history of video streaming, starting from its humble beginnings before YouTube to the groundbreaking technologies that now dominate platforms like Netflix and ORF ON. Timmerer also presents provocative contributions of his own that have significantly influenced the industry. He concludes by looking at future challenges and invites the audience to join in a discussion.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -... (DanBrown980551)
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses.
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Elevating Tactical DDD Patterns Through Object Calisthenics (Dorra BARTAGUIZ)
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
PHP Frameworks: I want to break free (IPC Berlin 2024) (Ralf Eggert)
In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development.
This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.
2. IBM Software Group | Tivoli software
CEO View: Increased Collaboration Brings Rewards
3. Layers of security
Perimeter Defense: keep out the unwanted with
• Firewalls
• Anti-Virus
• Intrusion Detection, etc.
Control Layer
• Which users can come in?
• What can users see and do?
• Are user preferences supported?
• Can user privacy be protected?
Assurance Layer
• Can I comply with regulations?
• Can I deliver audit reports?
• Am I at risk?
• Can I respond to security events?
4. Pre-SOA Security: Enforcement & Decision Points
Access Enforcement Functionality (AEF)
Access Decision Functionality (ADF)
5. Directory Management View
(Architecture diagram; the recoverable component labels are:) Web Access Control; Network Access Control; Customer; Employee; Transactional Web Presentation; Informational Web Presentation; Certificate Status Responder; External Directory; Transactional Web Integration; External SMTP Gateway; Internal SMTP Gateway; Network Dispatcher; Delegated User Management; Internal ePortal, LDAP-enabled apps; Single Sign On; Application Access Control; Network Authentication & Authorization; Internal Directory; LOB Applications; Databases; Application Directory; Network Operating Systems; Identity Management; Certificate Authority; Web Single Sign On; Messaging; CRM/ERP (PeopleSoft); Meta-Directory; LDAP Directory Proxy; External ePortal.
6. Identity and Access Management Portfolio
(Portfolio diagram; the recoverable labels are:)
Managed resources: Apps/Email; UNIX/Linux; NOS; Databases & Applications; MF/Midrange; Identity Stores (HR, CRM, Partners); Security Mgmt Objects; Web Applications; Portal (Presentation, Personalization)
ITIM: Provisioning
• Policies
• Workflow
• Password Self-service
• Audit trails
Enterprise Directory
• Personal Info
• Credentials
• Entitlements
ITFIM: Federated Identity, Web Services Security
ITAM: Web Access Management (SSO, Authentication, Authorization)
ITDI: Directory Integration
ITDS: Directory Server
TAM for ESSO
8. Governments as Identity Providers
“TRUST provides ACCESS”
The United States is an “Identity Provider” because it issues a Passport as proof of identification: the USA vouches for its citizens.
(Diagram: Germany: Identity Provider, USA: Identity Provider, China: Identity Provider, each vouching for its own Users.)
9. IBM Software Group | Tivoli software
Roles: Identity Provider and Service Provider
Identity Provider (“Vouching” party in transaction):
1. Issues Network / Login credentials
2. Handles User Administration/ ID Mgmt
3. Authenticates User
4. “Vouches” for the user’s identity
Service Provider (“Validation” party in transaction):
Service Provider controls access to services
Third-party user has access to services for the duration of the federation
Only manages user attributes relevant to SP
Mutual TRUST between Identity Provider and Service Provider
11. IBM Software Group | Tivoli software
Agenda
Enterprise Security Architecture – MASS Intro
Identity, Access, and Federated Identity
Management
SOA Security
12. IBM Software Group | Tivoli software
(Diagram: SOA layers, with the Service Consumer side and the Service Provider side numbered 1–5.)
consumers: Custom Application, Packaged Application (examples shown: Outlook, SAP, ISV and custom apps)
business processes: process choreography
services (definitions): atomic and composite
service components
operational systems: platform, supporting middleware (MQ, DB2, Unix, OS/390)
SOA Security Encompasses all Aspects of Security
SOA Security: Identity; Authentication; Authorization; Confidentiality, Integrity; Availability; Auditing & Compliance; Administration and Policy Management
Applies across SCA, Portlet, WSRP, B2B, Other
13. IBM Software Group | Tivoli software
Message-based Security : End-to-End Security
Message-based security does not rely on secure transport:
message itself is encrypted → message privacy
message itself is signed → message integrity
message contains user identity → proof of origin
(Diagram: a SOAP Message carried over two HTTPS hops; each hop provides connection integrity/privacy, but the point between the hops is marked “?”.)
14. IBM Software Group | Tivoli software
Web Service Security Specifications Roadmap
(Diagram: the specifications layered on SOAP Messaging)
WSS – SOAP Security
Security Policy
Secure Conversation
Trust
Federation
Privacy
Authorization
SOAP Messaging
15. IBM Software Group | Tivoli software
SOAP Message Security: Extensions to Header
SOAP Header allows for extensions
OASIS standard “WS-Security: SOAP Message Security”
defines XML for Tokens, Signatures and Encryption
defines how these elements are included in SOAP Header
(Diagram: an Envelope containing a Header and a Body; the Header carries a Security Element with a Security Token, a Signature and Encrypted Data; the Body carries the application data.)
17. IBM Software Group | Tivoli software
Moving to SOA – Accommodate Web Services
(Diagram: SOAP carried over HTTP)
18. IBM Software Group | Tivoli software
Moving to SOA – Accommodate Web Services
(Diagram: SOAP over HTTP with two security layers)
Transport Layer: Confidentiality, Integrity
Message Layer: Confidentiality, Integrity
User Interaction Based I&A Enforcement
Identification & Authentication Decisions
Token Based Authentication Enforcement
Identity Mapping
19. IBM Software Group | Tivoli software
Moving to SOA, Adding the ESB…
(Mandatory Scary Picture)
(Diagram components: Common Auditing & Reporting Service; Tivoli Federated Identity Manager (TFIM); Tivoli Access Manager (TAM); Tivoli Directory Server; WebSphere Enterprise Service Bus; H/W: DataPower XS40, DataPower XI50; S/W: WebSphere Web Svs. G/W; S/W: Tivoli Access Manager Reverse Proxy/Web PI.)
20. IBM Software Group | Tivoli software
Further Reading
On Demand Operating Environment: Security Considerations in an
Extended Enterprise
http://publib-b.boulder.ibm.com/abstracts/redp3928.html?Open
Web Services Security Standards, Tutorials, Papers
http://www.ibm.com/developerworks/views/webservices/standards.jsp
http://www.ibm.com/developerworks/views/webservices/tutorials.jsp
http://webservices.xml.com/
WebSphere Security Fundamentals / WAS 6.0 Security Handbook
http://www.redbooks.ibm.com/redpieces/abstracts/redp3944.html?Open
http://www.redbooks.ibm.com/redpieces/abstracts/sg246316.html?Open
IBM Tivoli Product Home Page
http://www.ibm.com/software/tivoli/solutions/security/
21. IBM Software Group | Tivoli software
Summary
End-to-end Security Integration is complex
Web Services and SOA security are emerging areas
Moving from session level security to message level security
Identity Management incorporates several security services, but other
security services need to be integrated as well
Audit and Event Management, Compliance and Assurance
Etc.
Security technology is part – process, policy, people are the others
and often harder to change
Only Constant is Change, but evolve around the fundamentals
Establish separation of application and security management
Use of open standards will help with integration of past and future
technologies
23. IBM Software Group | Tivoli software
Security 101 Definitions
Authentication – Identify who you are
Userid/password, PKI certificates, Kerberos, Tokens, Biometrics
Authorization – What you can access
Access Enforcement Function / Access Decision Function
Roles, Groups, Entitlements
Administration – Applying security policy to resource protection
Directories, administration interfaces, delegation, self-service
Audit – Logging security success / failures
Basis of monitoring, accountability/non-repudiation, investigation, forensics
Assurance – Security integrity and compliance to policy
Monitoring (Intrusion Detection, AntiVirus, Compliance), Vulnerability Testing
Asset Protection
Data Confidentiality, Integrity, Data Privacy
Availability
Backup/recovery, disaster recovery, high availability/redundancy
24. IBM Software Group | Tivoli software
Agenda
Enterprise Security Architecture – MASS Intro
Identity, Access, and Federated Identity
Management
SOA Security
25. IBM Software Group | Tivoli software
MASS – Processes for a Security Management Architecture
26. IBM Software Group | Tivoli software
Access Control Subsystem
Purpose:
Enforce security policies by gating access to, and execution of, processes and
services within a computing solution via identification, authentication, and
authorization processes, along with security mechanisms that use credentials
and attributes.
Functions:
Access control monitoring and enforcement: Policy Enforcement Point/Policy
Decision Point/ Policy Administration Point
Identification and authentication mechanisms, including verification of secrets,
cryptography (encryption and signing), and single-use versus multiple-use
authentication mechanisms
Authorization mechanisms, to include attributes, privileges, and permissions
Enforcement mechanisms, including failure handling, bypass prevention,
banners, timing and timeout, event capture, and decision and logging
components
Sample Technologies:
RACF, platform/application security, web access control
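The enforcement/decision split that the Access Control Subsystem (and the earlier AEF/ADF slide) describes, as an added Python illustration written for this page rather than an IBM product API. The policy language, the attribute names (role, client_ip, hour, amount, balance) and the sample users are this example's own constructions; the "can Joe read file A" and overdrawn-transfer decisions come from the speaker notes.

```python
"""Policy Administration Point / Policy Decision Point / Policy Enforcement Point.

Added example, not IBM/Tivoli code. Shows fail-closed decisions, richer
context attributes, failure handling and event capture at the PEP.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Request:
    subject: str
    action: str
    resource: str
    attrs: dict = field(default_factory=dict)   # environment/context attributes (constructed names)


class PolicyAdministrationPoint:
    """Holds policy: subject->roles plus rules of (action, resource prefix, predicate)."""
    def __init__(self):
        self.rules = []
        self.roles = {}

    def assign_role(self, subject, role):
        self.roles.setdefault(subject, set()).add(role)

    def permit(self, action, resource_prefix, predicate):
        self.rules.append((action, resource_prefix, predicate))


class PolicyDecisionPoint:
    """Answers "can subject X do Z to resource Y?" from policy alone.
    Default is DENY: a request matching no rule is refused (fail-closed)."""
    def __init__(self, pap):
        self.pap = pap

    def decide(self, req: Request) -> bool:
        roles = self.pap.roles.get(req.subject, set())
        for action, prefix, pred in self.pap.rules:
            if req.action == action and req.resource.startswith(prefix) and pred(roles, req.attrs):
                return True
        return False


class PolicyEnforcementPoint:
    """Sits in front of the resource, so it cannot be bypassed; logs every decision."""
    def __init__(self, pdp):
        self.pdp = pdp
        self.audit = []                 # event capture handed to the audit subsystem

    def handle(self, req: Request, operation):
        try:
            allowed = self.pdp.decide(req)
        except Exception as exc:        # failure handling: a broken decision must not open the gate
            allowed = False
            self.audit.append(f"ERROR decision failed for {req.subject}: {exc}")
        self.audit.append(f"{'PERMIT' if allowed else 'DENY'} {req.subject} {req.action} {req.resource}")
        return operation() if allowed else None


def build_example():
    pap = PolicyAdministrationPoint()
    pap.assign_role("joe", "clerk")
    pap.assign_role("ann", "manager")
    corp_net = ip_network("10.0.0.0/8")            # constructed corporate range
    # "Can Joe read file A?": any clerk or manager may read under /files/
    pap.permit("read", "/files/", lambda roles, a: roles & {"clerk", "manager"})
    # Richer decision: transfers need a manager, on the corporate network,
    # during business hours, and must not exceed the source account balance.
    pap.permit("transfer", "/accounts/", lambda roles, a:
               "manager" in roles
               and ip_address(a["client_ip"]) in corp_net
               and 9 <= a["hour"] < 18
               and a["amount"] <= a["balance"])
    return PolicyEnforcementPoint(PolicyDecisionPoint(pap))


def run_scenarios():
    pep = build_example()
    ctx = {"client_ip": "10.1.2.3", "hour": 10}
    r1 = pep.handle(Request("joe", "read", "/files/A"), lambda: "contents of A")
    r2 = pep.handle(Request("joe", "transfer", "/accounts/1", {**ctx, "amount": 100, "balance": 500}),
                    lambda: "transferred")                       # clerk: denied
    r3 = pep.handle(Request("ann", "transfer", "/accounts/1", {**ctx, "amount": 10000, "balance": 200}),
                    lambda: "transferred")                       # $10,000 from a $200 account: denied
    r4 = pep.handle(Request("ann", "transfer", "/accounts/1", {**ctx, "amount": 150, "balance": 200}),
                    lambda: "transferred")                       # permitted
    r5 = pep.handle(Request("ann", "transfer", "/accounts/1", {"client_ip": "10.1.2.3"}),
                    lambda: "transferred")                       # missing attributes: error, then deny
    return r1, r2, r3, r4, r5, pep.audit
```

The PEP never evaluates policy itself; it only asks the PDP and records the outcome, which is what lets the same decision logic serve web, ESB and application enforcement points later in the deck.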
27. IBM Software Group | Tivoli software
Identity and Credential Subsystem
Purpose:
Generate, distribute, and manage the data objects that convey identity and
permissions across networks and among the platforms, the processes, and the
security subsystems within a computing solution.
Functions:
Single-use versus multiple-use mechanisms, either cryptographic or non-
cryptographic
Generation and verification of secrets
Identities and credentials to be used in access control: identification,
authentication, and access control for the purpose of user-subject binding
Credentials to be used for purposes of identity in legally binding transactions
Timing and duration of identification and authentication
Lifecycle of credentials
Anonymity and pseudonymity mechanisms
Sample Technologies:
Tokens (PKI, Kerberos, SAML), User registries (LDAP,AD,RACF,…),
Administration consoles, Session management
28. IBM Software Group | Tivoli software
Information Flow Control Subsystem
Purpose:
Enforce security policies by gating the flow of information within a computing
solution, affecting the visibility of information within a computing solution, and
ensuring the integrity of information flowing within a computing solution.
Functions:
Flow permission or prevention
Flow monitoring and enforcement
Transfer services and environments: open or trusted channel, open or trusted
path, media conversions, manual transfer, and import to or export between
domain
Encryption
Storage mechanisms: cryptography and hardware security modules
Sample Technologies:
Firewalls, VPNs, SSL
29. IBM Software Group | Tivoli software
Security Audit Subsystem
Purpose:
Provide proof of compliance to the security policy.
Functions:
Collection of security audit data, including capture of the appropriate
data, trusted transfer of audit data, and synchronization of
chronologies
Protection of security audit data, including use of time stamps, signing
events, and storage integrity to prevent loss of data
Analysis of security audit data, including review, anomaly detection,
violation analysis, and attack analysis using simple heuristics or
complex heuristics
Alarms for loss thresholds, warning conditions, and critical events
Sample Technologies:
syslog, application/platform access logs
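The four audit functions above (collection with time stamps, protection of stored events, simple-heuristic analysis, and threshold alarms), as an added Python example written for this page and not an IBM/Tivoli component. The record layout, the HMAC key and the sample authentication events are constructed for the demonstration.

```python
"""Tamper-evident security audit log with a failed-login threshold alarm.

Added example, not IBM/Tivoli code. Each record carries a time stamp, the
previous record's MAC and an HMAC over itself, so editing, deleting or
reordering stored events is detectable by anyone holding the key.
"""
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone


class AuditLog:
    GENESIS = "0" * 64

    def __init__(self, key: bytes):
        self.key = key
        self.records = []

    def _mac(self, payload: str) -> str:
        return hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()

    def append(self, event: dict, when: datetime) -> dict:
        """Collection: capture the event with a trusted time stamp and chain it."""
        prev = self.records[-1]["mac"] if self.records else self.GENESIS
        rec = {"ts": when.isoformat(), "prev": prev, "event": event}
        rec["mac"] = self._mac(json.dumps(rec, sort_keys=True))
        self.records.append(rec)
        return rec

    def verify(self) -> bool:
        """Protection: re-check every MAC and the chain of previous digests."""
        prev = self.GENESIS
        for rec in self.records:
            body = {k: v for k, v in rec.items() if k != "mac"}
            if body["prev"] != prev:
                return False
            if not hmac.compare_digest(self._mac(json.dumps(body, sort_keys=True)), rec["mac"]):
                return False
            prev = rec["mac"]
        return True


def failed_login_alarms(records, threshold=3, window=timedelta(minutes=5)):
    """Analysis with a simple heuristic: alarm on any subject with `threshold`
    or more authentication failures inside `window`."""
    failures = {}
    for rec in records:
        ev = rec["event"]
        if ev.get("type") == "auth" and ev.get("outcome") == "failure":
            failures.setdefault(ev["subject"], []).append(datetime.fromisoformat(rec["ts"]))
    alarms = []
    for subject, times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                alarms.append(subject)
                break
    return alarms


def demo():
    log = AuditLog(b"audit-signing-key-constructed-for-demo")
    t0 = datetime(2004, 1, 1, 9, 0, tzinfo=timezone.utc)
    sample = [  # constructed events: (minutes after t0, event)
        (0, {"type": "auth", "subject": "joe", "outcome": "success"}),
        (1, {"type": "auth", "subject": "mallory", "outcome": "failure"}),
        (2, {"type": "auth", "subject": "mallory", "outcome": "failure"}),
        (3, {"type": "auth", "subject": "mallory", "outcome": "failure"}),
        (4, {"type": "access", "subject": "joe", "resource": "/files/A", "outcome": "permit"}),
        (30, {"type": "auth", "subject": "ann", "outcome": "failure"}),
        (31, {"type": "auth", "subject": "ann", "outcome": "failure"}),
    ]
    for minutes, ev in sample:
        log.append(ev, t0 + timedelta(minutes=minutes))
    intact = log.verify()
    alarms = failed_login_alarms(log.records)
    # Storage integrity: rewriting a stored failure as a success breaks the chain.
    log.records[1]["event"]["outcome"] = "success"
    tamper_detected = not log.verify()
    return intact, alarms, tamper_detected
```

In a real deployment the verification key would live with the audit service, not on the host that writes the log, so a compromised host can append events but cannot rewrite history undetected.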
30. IBM Software Group | Tivoli software
Solution Integrity Subsystem
Purpose:
Address the requirement for reliable and correct operation of a computing
solution in support of meeting the legal and technical standard for its processes
Functions:
Physical protection for data objects, such as cryptographic keys, and physical
components, such as cabling, hardware, and so on
Continued operations including fault tolerance, failure recovery, and self-testing
Storage mechanisms: cryptography and hardware security modules
Accurate time source for time measurement and time stamps
Alarms and actions when physical or passive attack is detected
Sample Technologies:
Systems Management solutions - performance, availability, disaster recovery,
storage management
Operational Security tools: Host and Network Intrusion Detection Sensors
(Snort), Event Correlation tools, Host security monitoring/enforcement tools
(Tripwire, TAMOS), Host/Network Vulnerability Monitors/Scanners (Nessus),
Anti-Virus software
31. IBM Software Group | Tivoli software
On Demand Security Architecture (Logical)
(Diagram, top to bottom:)
On Demand Solutions
On Demand Infrastructure – Services and Components
Network Security Solutions (VPNs, firewalls, intrusion detection systems)
On Demand Infrastructure – OS, application, network component logging and security events logging; event management; archiving; business continuity
On Demand Security Infrastructure:
Policy Management (authorization, privacy, federation, etc.)
Identity Management
Key Management
Intrusion Defense
Anti-Virus Management
Audit & Non-Repudiation
Assurance, Authorization, Identity Federation, Credential Exchange
Secure Networks and Operating Systems
Secure Logging
Trust Model
Bindings Security and Secure Conversation (transport, protocol, message security)
Security Policy Expression: Privacy Policy, Virtual Org Policies, Mapping Rules, Service/End-point Policy
Editor's Notes
With current enterprise practices:
High cost to operating the Control Layer
Poor security from ineffective control layer
High systems development costs
The Security Enforcement Service (SES) is the “services” view of the commonly used “Policy Enforcement Point”/”Access Enforcement Functionality” (PEP, AEF) defined by ISO. This service is responsible for enforcing the decisions made by the SDS and thus allowing/disallowing access to resources based on these decisions.
The Security Decision Service (SDS) is the “services” view of the commonly used “Policy Decision Point”/“Access Decision Functionality” (PDP, ADF) defined by ISO. This service is responsible for making the access control decisions based on information provided by the SES. Typically these decisions are of the form “can user X access resource Y in manner Z”, which translates to examples such as “Can Joe Read File A?”. These decisions may be richer than described, including information such as time of day, requestor’s IP address, or even the contents of the request (“Transfer $10,000 from an account with a balance of $200 INTO an account with a balance of $50”).
Reality:
IDC estimates that the average enterprise has 150+ directories
Every application uses a directory; all are disparate, but have dependencies
A SINGLE Enterprise LDAP directory is not a reality:
Each application has its own varying degrees of proprietary/openness – externalization of attributes, sharing, etc.
Dependencies among directories: employee/partner/customer information, passwords
Authoritative sources – user profile is made up from various sources – HR, email, business apps
Multiple organizations manage
Varying levels of security requirements
Desired Environment:
A balanced federated directory model, managed under a common set of processes, tools and organizational governance
Consolidate where possible, understand what directories and uses of directories, manage at appropriate level
Need an example that describes the “multiple Identity Issues”
Imagine a world where every country issues Passports for every person visiting that country. That would be chaotic. Countries would end up administering passports for non-authoritative users.
Within a federation, organizations play one or both of two roles: identity provider and/or
service provider.
Identity Provider:
The identity provider (IdP) is the authoritative site responsible for authenticating an end user and asserting an identity for that user in a trusted fashion to trusted partners. The identity provider is responsible for account creation, provisioning, password management, and general account management and also acts as a collection point or client to trusted identity providers.
Service Provider:
Those partners who offer services but do not act as
identity providers are known as service providers. The service provider (SP)
relies on the IdP to assert information about a user, leaving the SP to manage
only those user attributes that are relevant to the SP.
Looking back at our earlier example of IBM and Hewitt:
IBM would be the identity provider: it asserts the identity of an IBM employee to Hewitt
Hewitt would be the service provider; its service is the savings plan/401k management
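The identity provider / service provider exchange described above and on the "Roles" slide, as an added Python example written for this page (not Tivoli Federated Identity Manager code). The IdP authenticates the user and issues a signed assertion; the SP trusts the IdP's key, checks issuer, audience and validity window, and keeps only the attributes relevant to it. A shared HMAC key stands in for the IdP's signing certificate, and the domain names, users and attributes are constructed.

```python
"""Federated identity: IdP vouches, SP validates.

Added example, not IBM/Tivoli code. Assertions are JSON claims signed with
HMAC-SHA256 under a key both parties hold (a stand-in for the IdP's
certificate); a SAML assertion carries the same fields in XML.
"""
import base64
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone


class IdentityProvider:
    """Vouching party: owns the accounts, authenticates the user, asserts identity."""
    def __init__(self, name, signing_key, users):
        self.name, self.key, self.users = name, signing_key, users   # users: id -> (password, attrs)

    def login_and_assert(self, user, password, audience, now, ttl=timedelta(minutes=5)):
        record = self.users.get(user)
        if record is None or not hmac.compare_digest(record[0], password):
            return None                                   # authentication failed: nothing to vouch for
        claims = {"iss": self.name, "sub": user, "aud": audience,
                  "nbf": now.isoformat(), "exp": (now + ttl).isoformat(),
                  "attrs": record[1]}
        body = json.dumps(claims, sort_keys=True).encode()
        sig = hmac.new(self.key, body, hashlib.sha256).digest()
        return base64.b64encode(body).decode() + "." + base64.b64encode(sig).decode()


class ServiceProvider:
    """Validating party: trusts named IdPs and manages only its own attributes."""
    def __init__(self, name, trusted_idps, relevant_attrs):
        self.name, self.trusted, self.relevant = name, trusted_idps, set(relevant_attrs)
        self.local_accounts = {}

    def accept(self, assertion, now):
        try:
            body_b64, sig_b64 = assertion.split(".")
            body, sig = base64.b64decode(body_b64), base64.b64decode(sig_b64)
            claims = json.loads(body)
        except (ValueError, TypeError, AttributeError):
            return None                                   # malformed assertion
        key = self.trusted.get(claims.get("iss"))
        if key is None:
            return None                                   # unknown issuer: no trust relationship
        if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), sig):
            return None                                   # forged or altered assertion
        if claims["aud"] != self.name:
            return None                                   # issued for a different SP
        if not (datetime.fromisoformat(claims["nbf"]) <= now < datetime.fromisoformat(claims["exp"])):
            return None                                   # outside the federation window
        # Keep only what this SP needs; everything else stays with the IdP.
        local = {k: v for k, v in claims["attrs"].items() if k in self.relevant}
        self.local_accounts[(claims["iss"], claims["sub"])] = local
        return local


def demo():
    key = b"shared-trust-key-constructed-for-demo"
    now = datetime(2004, 6, 1, 12, 0, tzinfo=timezone.utc)
    idp = IdentityProvider("employer.example", key, {
        "joe": ("correct horse", {"employee_id": "E123", "plan_tier": "gold", "home_address": "(kept at IdP)"})})
    sp = ServiceProvider("benefits.example", {"employer.example": key}, ["employee_id", "plan_tier"])
    good = idp.login_and_assert("joe", "correct horse", "benefits.example", now)
    bad_pw = idp.login_and_assert("joe", "wrong", "benefits.example", now)
    accepted = sp.accept(good, now)
    expired = sp.accept(good, now + timedelta(minutes=10))
    wrong_aud = sp.accept(idp.login_and_assert("joe", "correct horse", "other.example", now), now)
    forged = sp.accept(good[:-4] + "AAAA", now)
    return bad_pw, accepted, expired, wrong_aud, forged
```

The audience and expiry checks are what bound the "duration of the federation": an assertion minted for one service provider cannot be replayed at another, and it stops working once the window closes.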
Managing the SOA Security includes:
Identity Services
Authentication Services
Consistent authorization across the infrastructure components (policy managed based on a single decision point implementing authorization across layers)
Auditing & Compliance to security policy
Trust/Map identities between various security sub-systems
Confidentiality, Integrity and Availability
Administration and Policy Management
The lock on the SOAP Message is meant to imply that the SOAP message is inherently secure in and of itself. The SOAP message can be transported in any way and its security is not affected. The SOAP message could be sent as an e-mail attachment, carried on a floppy-disk, etc, and the properties of privacy, integrity, proof of origin are not affected.
In contrast, the security of a message that relies on transport security is exposed when that transport security has “gaps” – as would occur when multiple SSL hops are required to move the message from the origin to the ultimate receiver.
The gaps in the transport security may or may not be an issue – depending on the trust assigned to the nodes that provide the transport compared to the trust required for the message.
The full title of the SOAP message security specification is “Web Services Security: SOAP Message Security 1.0”, and it can be found at
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0.pdf
This standard defines a set of SOAP extensions that provide the ability to:
send security tokens as part of a message,
include an XML Digital Signature as part of a message,
encrypt all or part of the message using XML Encryption
These elements can be used to achieve “message-based security” for a SOAP message. That is, the message in and of itself is tamper-proof and confidential.
The origin of the message is provided by the Token Element.
Any change to the message will cause the signature validation to fail so content integrity is provided.
An observer of the message cannot read it if it is encrypted, providing message privacy.
The Oasis page for Web Service Security in general is
http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=wss
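The three message-level properties from the "Message-based Security" slide and the WS-Security notes above (proof of origin from the token, integrity from the signature, privacy from encryption), as an added Python example written for this page and not code from the author, IBM or OASIS. WS-Security proper uses XML Digital Signature and XML Encryption; this stand-in signs with HMAC-SHA256 over the token and the encrypted body, and encrypts with a CTR-style keystream derived from HMAC-SHA256, so the envelope can be carried over any transport (or no transport) without losing those properties. The SOAP 1.1 and wsse namespaces are real; the Signature and EncryptedData element names and the keys are constructed.

```python
"""Message-level security on a SOAP-style envelope, standard library only.

Added example, not IBM/OASIS code. The signature and cipher are stand-ins
for XML Signature / XML Encryption, chosen to show the properties rather
than the wire format.
"""
import base64
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
ET.register_namespace("soap", SOAP)
ET.register_namespace("wsse", WSSE)


def _keystream(key, nonce, length):
    """CTR-style keystream: HMAC-SHA256(key, nonce || counter) blocks (illustrative)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


def _sig(sig_key, sender, enc_b64):
    """Signature binds the identity token to the (encrypted) body."""
    return hmac.new(sig_key, f"{sender}|{enc_b64}".encode(), hashlib.sha256).digest()


def build_secure_envelope(body_xml, sender, enc_key, sig_key):
    nonce = secrets.token_bytes(16)
    plaintext = body_xml.encode()
    ciphertext = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    enc_b64 = base64.b64encode(nonce + ciphertext).decode()
    sig_b64 = base64.b64encode(_sig(sig_key, sender, enc_b64)).decode()

    env = ET.Element(f"{{{SOAP}}}Envelope")
    sec = ET.SubElement(ET.SubElement(env, f"{{{SOAP}}}Header"), f"{{{WSSE}}}Security")
    token = ET.SubElement(sec, f"{{{WSSE}}}UsernameToken")          # proof of origin
    ET.SubElement(token, f"{{{WSSE}}}Username").text = sender
    ET.SubElement(sec, "Signature").text = sig_b64                   # stand-in for ds:Signature
    ET.SubElement(ET.SubElement(env, f"{{{SOAP}}}Body"), "EncryptedData").text = enc_b64  # stand-in for xenc:EncryptedData
    return ET.tostring(env, encoding="unicode")


def open_secure_envelope(envelope_xml, enc_key, sig_key):
    """Verify origin and integrity first; only then decrypt. Raises ValueError on tampering."""
    env = ET.fromstring(envelope_xml)
    sec = env.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security")
    sender = sec.find(f"{{{WSSE}}}UsernameToken/{{{WSSE}}}Username").text
    sig_b64 = sec.find("Signature").text
    enc_b64 = env.find(f"{{{SOAP}}}Body/EncryptedData").text
    if not hmac.compare_digest(_sig(sig_key, sender, enc_b64), base64.b64decode(sig_b64)):
        raise ValueError("signature check failed: altered in transit or not from claimed sender")
    blob = base64.b64decode(enc_b64)
    nonce, ciphertext = blob[:16], blob[16:]
    return sender, _xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext))).decode()


def demo():
    enc_key, sig_key = secrets.token_bytes(32), secrets.token_bytes(32)   # constructed keys
    body = "<TransferFunds><Amount>10000</Amount></TransferFunds>"
    env = build_secure_envelope(body, "joe@example.org", enc_key, sig_key)
    privacy = "TransferFunds" not in env            # an observer on any hop sees only ciphertext
    sender, opened = open_secure_envelope(env, enc_key, sig_key)
    tampered = env.replace("<EncryptedData>", "<EncryptedData>A", 1)   # one altered character
    try:
        open_secure_envelope(tampered, enc_key, sig_key)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return sender, opened == body, privacy, tamper_detected
```

Because nothing in the envelope depends on the connection, the "gap" between SSL hops in the earlier notes does not matter: an intermediary can forward, queue or store the message, and the receiver still verifies the same signature and decrypts the same body.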
NOTES:
TRANSPORT LAYER/EDGE SECURITY
This is an “optional” component. There will be pressure to use XML FW/GW as the transport layer edge termination (among other things, they do have slick acceleration capabilities). However, many customers will already have an edge termination component and won’t willingly give it up.
XML FW/GW (aka DataPower)
While this can do message layer functionality, it typically won’t be able to handle any element level decryption (not allowed to, as opposed to not capable of).
The component will typically “authenticate” based on the certificate that is included with the request and used as part of signature validation. This may well not represent the actual requestor (think sales clerk placing order versus outbound SOAP gateway at sales clerk’s company)
ESB
Additional tokens for identification and authentication can be handled within ESB (need as part of routing a message, user is gold/silver, for example, in addition to security type decisions, silver not authorized to request upgrades online)
APPLICATION
Receives requestor’s identity from ESB (e.g. asserted over TAI in a WAS environment) and uses this for local, application-based authorization decisions
Note that XML FW/GW and ESB will communicate with security services using WS-Trust, in the guise of token functionality (token validation mainly, but also the ability to extract an identity and map it appropriately for use by the component)
Application may use WS-Trust but this is a lot less likely (because it means that the App is getting a web services request and knows how to deal with it), but will often, through things like JACC providers, access third-party/external security services.
Security services can provide all sorts of functionality. This is a “grab bag” box, to indicate that we typically want a consolidated provider/container for security policy, token functionality, key management, authorization, etc.
MASS – Method for Architecting Secure Solutions
Based on Common Criteria requirements and terminology; a methodology for enumerating the security services that apply to a given system architecture