Ibm Security Architecture3956

Uploaded by

Jabbar Abdallah

IBM Software Group

Integrated Security Architecture


James Andoniadis
IBM Canada

© 2004 IBM Corporation


IBM Software Group | Tivoli software

CEO View: Increased Collaboration Brings Rewards



Layers of security

Perimeter Defense: keep out the unwanted with
- Firewalls
- Anti-Virus
- Intrusion Detection, etc.

Control Layer:
- Which users can come in?
- What can users see and do?
- Are user preferences supported?
- Can user privacy be protected?

Assurance Layer:
- Can I comply with regulations?
- Can I deliver audit reports?
- Am I at risk?
- Can I respond to security events?

Pre SOA Security: Enforcement & Decision Points

[Diagram: Access Enforcement Functionality (AEF) sits in front of each resource: the reverse proxy (AEF proxy), HTTP server, portal server, application server and J2EE web container, guarding J2EE apps, CICS, IMS, business processes, other .Net / 3rd party apps and their data stores. Each AEF obtains its decisions from a central Access Decision Functionality (ADF) backed by security decision services and a security decision data store, and all of it reports into a shared audit infrastructure.]

Directory Management View

[Diagram: an enterprise directory landscape with the following elements: network and operating systems; certificate status responder; network access control; external and internal SMTP gateways; application directory; LOB applications; employee and customer records; LDAP directory proxy; network dispatcher; delegated user management; identity management; meta-directory; databases; external and internal directory; internal messaging; external and internal ePortal; transactional web access control and web integration; certificate authority; LDAP-enabled apps; single sign-on; web authentication and authorization; web presentation; informational web access control; CRM/ERP application (PeopleSoft).]
Identity and Access Management Portfolio

- ITDI (Tivoli Directory Integrator): directory integration across the identity stores (apps/email, NOS, CRM, HR, partners).
- ITDS (Tivoli Directory Server): the enterprise directory holding personal info, credentials and entitlements.
- ITIM (Tivoli Identity Manager): provisioning to UNIX/Linux, databases and applications, mainframe/midrange; policies, workflow, password self-service, audit trails.
- ITAM (Tivoli Access Manager): web access management, SSO, authentication, authorization, portal presentation and personalization; security management of web, application and object resources; TAM for ESSO.
- ITFIM (Tivoli Federated Identity Manager): federated identity and web services security.

Operational Deployment Pattern - Security Zones

[Diagram: security zones from the outside in: Internet (uncontrolled), Internet DMZ (controlled), server production zone (restricted), intranet (controlled) and management (secured), separated by protocol and domain firewalls. Employees, contractors, customers and business partners arrive over HTTP/S from a web browser and pass an Internet load balancer and a web reverse proxy (WebSEAL); a second reverse proxy (WebSEAL) fronts the WebSphere Portal (WPS), content management, collaboration services (Lotus) and the enterprise and external web applications. The internal directories are MS AD, an enterprise LDAP and a business-partner DB table. The secured management zone holds the Access Policy Server (ITAM), the Directory Server (ITDS) and Federated Identity Management (ITFIM) with identity management, meta-directory and directory sync.]

Operational Security Tools:
- Host IDS, Network IDS
- Anti-Virus
- Tripwire
- Auditing scanners
- Vulnerability scanners (host, network, web)
- Audit/logging, event correlation
- Weak password crackers
- Intrusion prevention
- ...

Governments as Identity Providers

“TRUST provides ACCESS”

[Diagram: the USA, Germany and China each shown as an Identity Provider for their own users.]

The United States is an “Identity Provider” because it issues a Passport as proof of identification: the USA vouches for its citizens.

Roles: Identity Provider and Service Provider

The Identity Provider is the “vouching” party in the transaction; the Service Provider is the “validation” party. The two are bound by mutual TRUST.

Identity Provider:
1. Issues network / login credentials
2. Handles user administration / ID management
3. Authenticates the user
4. “Vouches” for the user’s identity

Service Provider:
- Controls access to services
- A third-party user has access to services for the duration of the federation
- Only manages the user attributes relevant to the SP

Federated Identity Standards



Agenda

- Enterprise Security Architecture – MASS Intro
- Identity, Access, and Federated Identity Management
- SOA Security

SOA Security Encompasses all Aspects of Security

[Diagram: five SOA layers, bottom to top. 1: operational systems (ISV packaged applications such as SAP, custom OO applications, packaged applications, Outlook, custom apps) on platform and supporting middleware (Unix, OS/390, MQ, DB2). 2: service components (service provider). 3: services (definitions), atomic and composite. 4: business processes, process choreography. 5: service consumers (SCA, Portlet, WSRP, B2B, other).]

SOA security cuts across every layer:
- Identity
- Authentication
- Authorization
- Confidentiality, Integrity
- Availability
- Auditing & Compliance
- Administration and Policy Management

Message-based Security: End-to-End Security

[Diagram: a SOAP message travels over two HTTPS hops, each giving connection integrity/privacy, with a gap marked “?” between them that the transport protection does not reach.]

- Message-based security does not rely on secure transport
  - message itself is encrypted → message privacy
  - message itself is signed → message integrity
  - message contains user identity → proof of origin

Web Service Security Specifications Roadmap

[Diagram: the specification stack, top to bottom: Secure Conversation, Federation, Authorization; Security Policy, Trust, Privacy; WSS – SOAP Security; SOAP Messaging.]

SOAP Message Security: Extensions to Header

[Diagram: a SOAP Envelope whose Header carries a Security element (security token, signature) and whose Body carries the application data as encrypted data.]

- SOAP Header allows for extensions
- OASIS standard “WS-Security: SOAP Message Security”
  - defines XML for tokens, signatures and encryption
  - defines how these elements are included in the SOAP Header
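To make the message-based security points and the header layout above concrete, here is an added Python example (not from the presentation) of a SOAP message that carries its own identity token and integrity proof in a wsse:Security header, so any hop can verify it whether or not HTTPS was used. The namespace URIs are the real SOAP 1.1 and OASIS WS-Security ones; the DemoBodySignature element and its HMAC are a constructed stand-in for an XML-DSig signature, and DEMO_KEY is a constructed secret.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Namespace URIs for SOAP 1.1 and the OASIS WS-Security SecExt schema.
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
ET.register_namespace("soap", SOAP)
ET.register_namespace("wsse", WSSE)

# Constructed shared key for the demo. Real WS-Security uses XML-DSig with an
# X.509 or Kerberos token from the wsse:Security header, not a bare HMAC secret.
DEMO_KEY = b"demo-shared-secret"


def body_mac(body: ET.Element, key: bytes) -> str:
    """HMAC-SHA256 over the serialized Body: a stand-in for an XML-DSig signature."""
    return hmac.new(key, ET.tostring(body), hashlib.sha256).hexdigest()


def build_message(user: str, payload_xml: str, key: bytes) -> bytes:
    """Sender: put identity and integrity proof in the header, not in the transport."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP}}}Header")
    body = ET.SubElement(env, f"{{{SOAP}}}Body")
    body.append(ET.fromstring(payload_xml))
    sec = ET.SubElement(header, f"{{{WSSE}}}Security")
    token = ET.SubElement(sec, f"{{{WSSE}}}UsernameToken")
    ET.SubElement(token, f"{{{WSSE}}}Username").text = user
    # Hypothetical element carrying the MAC; WS-Security would carry ds:Signature here.
    ET.SubElement(sec, "DemoBodySignature").text = body_mac(body, key)
    return ET.tostring(env)


def verify_message(raw: bytes, key: bytes) -> tuple:
    """Receiver (any hop, regardless of HTTPS): check integrity, then read origin."""
    env = ET.fromstring(raw)
    body = env.find(f"{{{SOAP}}}Body")
    sec = env.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security")
    if body is None or sec is None:
        return False, None
    claimed = sec.findtext("DemoBodySignature") or ""
    ok = hmac.compare_digest(claimed, body_mac(body, key))
    user = sec.findtext(f"{{{WSSE}}}UsernameToken/{{{WSSE}}}Username")
    # Only trust the asserted identity if the body it accompanies is intact.
    return ok, (user if ok else None)
```

A change to the Body anywhere between sender and receiver, or a message built with a different key, fails verification and the asserted username is discarded with it.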

Security Drill Down

[Diagram: a request passes through Edge Security (transport layer: SSL/TLS termination at the reverse proxy), an XML firewall/gateway, the ESB and the applications, each with its own SES (incl. Trust Client); every SES calls the shared Security Decision Services (Trust Services): Security Token Service, Security Policy, Key Store and Management, and Authorization.]

Transport layer security: SSL/TLS termination
1st layer message security: signature validation / origin authentication; message-level decryption
2nd layer message security: requestor identification & authentication & mapping; element-level decryption
Nth layer message security: requestor identification & authentication & mapping; message-level encryption
Application security: authorization with ESB-asserted identifier

Moving to SOA – Accommodate Web Services


[Diagram: the pre-SOA picture with web services added. The enforcement points at the reverse proxy, HTTP server, portal server, application server and J2EE web container are now labelled SES (proxy SES, HTTP SES), and the ADF becomes the Security Decision Services (SDS) with its security decision data store. A SOAP gateway with its own SES handles SOAP traffic in front of the J2EE apps, CICS, IMS, business processes and MSFT .Net / 3rd party apps; the audit infrastructure remains shared.]

Moving to SOA – Accommodate Web Services


[Diagram: the same picture, annotated with where each security function applies. The callouts, only partly recoverable from this extraction, cover transport-layer confidentiality and integrity, message-layer confidentiality and integrity, user-based interaction and enforcement, token-based authentication, identity mapping, and the decision services behind the SES points.]

Moving to SOA, Adding the ESB…


(Mandatory Scary Picture)

[Diagram: the SOA picture with products mapped onto it. Hardware: DataPower XI50 as the XML gateway. Software: WebSphere Enterprise Service Bus, the portal and application servers, Tivoli Access Manager (WebSEAL reverse proxy / SOAP gateway, TAM SES), Tivoli Federated Identity Manager (TFIM SES and the Security Decision Services), Tivoli Directory Server, and the Tivoli Common Auditing & Reporting Service feeding the audit infrastructure. The MSFT .Net / 3rd party apps, J2EE apps, CICS, IMS, business processes and data stores remain as before.]

Further Reading

- On Demand Operating Environment: Security Considerations in an Extended Enterprise
  - http://publib-b.boulder.ibm.com/abstracts/redp3928.html?Open
- Web Services Security Standards, Tutorials, Papers
  - http://www.ibm.com/developerworks/views/webservices/standards.jsp
  - http://www.ibm.com/developerworks/views/webservices/tutorials.jsp
  - http://webservices.xml.com/
- WebSphere Security Fundamentals / WAS 6.0 Security Handbook
  - http://www.redbooks.ibm.com/redpieces/abstracts/redp3944.html?Open
  - http://www.redbooks.ibm.com/redpieces/abstracts/sg246316.html?Open
- IBM Tivoli Product Home Page
  - http://www.ibm.com/software/tivoli/solutions/security/

Summary

- End-to-end security integration is complex
- Web Services and SOA security are emerging areas
  - Moving from session-level security to message-level security
- Identity Management incorporates several security services, but other security services need to be integrated as well
  - Audit and Event Management, Compliance and Assurance
  - Etc.
- Security technology is one part; process, policy and people are the others, and often harder to change
- The only constant is change, but evolve around the fundamentals
  - Establish separation of application and security management
  - Use of open standards will help with integration of past and future technologies

Questions?

Security 101 Definitions

- Authentication: identify who you are
  - Userid/password, PKI certificates, Kerberos, tokens, biometrics
- Authorization: what you can access
  - Access Enforcement Function / Access Decision Function
  - Roles, groups, entitlements
- Administration: applying security policy to resource protection
  - Directories, administration interfaces, delegation, self-service
- Audit: logging security successes / failures
  - Basis of monitoring, accountability/non-repudiation, investigation, forensics
- Assurance: security integrity and compliance to policy
  - Monitoring (intrusion detection, anti-virus, compliance), vulnerability testing
- Asset Protection
  - Data confidentiality, integrity, data privacy
- Availability
  - Backup/recovery, disaster recovery, high availability/redundancy

Agenda

- Enterprise Security Architecture – MASS Intro
- Identity, Access, and Federated Identity Management
- SOA Security

MASS – Processes for a Security Management Architecture



Access Control Subsystem

Purpose:
- Enforce security policies by gating access to, and execution of, processes and services within a computing solution via identification, authentication, and authorization processes, along with security mechanisms that use credentials and attributes.

Functions:
- Access control monitoring and enforcement: Policy Enforcement Point / Policy Decision Point / Policy Administration Point
- Identification and authentication mechanisms, including verification of secrets, cryptography (encryption and signing), and single-use versus multiple-use authentication mechanisms
- Authorization mechanisms, to include attributes, privileges, and permissions
- Enforcement mechanisms, including failure handling, bypass prevention, banners, timing and timeout, event capture, and decision and logging components

Sample Technologies:
- RACF, platform/application security, web access control
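As an added illustration (not from the presentation) of the first and fourth functions listed above, the Python below keeps the Policy Decision Point separate from the Policy Enforcement Point, captures every decision in an audit record before the protected action runs, and treats a PDP failure as a deny rather than a bypass. POLICY, Subject and the in-memory audit list are constructed for the demo.

```python
from dataclasses import dataclass, field

# Constructed policy store, as a Policy Administration Point (PAP) would publish it:
# resource -> roles entitled to it.
POLICY = {
    "/accounts/view": {"teller", "manager", "auditor"},
    "/accounts/transfer": {"teller", "manager"},
}


@dataclass
class Subject:
    """Authenticated subject with the attributes the PDP needs (here: roles)."""
    user: str
    roles: set = field(default_factory=set)


class PolicyDecisionPoint:
    """ADF / PDP: answers permit or deny from policy and never touches the resource."""

    def __init__(self, policy: dict):
        self.policy = policy

    def decide(self, subject: Subject, resource: str) -> bool:
        if resource not in self.policy:
            raise LookupError(f"no policy covers {resource}")
        return bool(subject.roles & self.policy[resource])


class PolicyEnforcementPoint:
    """AEF / PEP: the only path to the resource; records every decision, fails closed."""

    def __init__(self, pdp: PolicyDecisionPoint, audit: list):
        self.pdp = pdp
        self.audit = audit  # constructed in-memory audit sink; syslog in practice

    def gate(self, subject: Subject, resource: str, action):
        try:
            permitted = self.pdp.decide(subject, resource)
        except Exception as exc:
            # Failure handling: a PDP error is a deny, never a bypass.
            self.audit.append(("error", subject.user, resource, str(exc)))
            permitted = False
        self.audit.append(("permit" if permitted else "deny", subject.user, resource))
        # Event capture happens before the action runs, so a crash in the
        # protected service still leaves a record of the decision.
        return action() if permitted else None
```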

Identity and Credential Subsystem

Purpose:
- Generate, distribute, and manage the data objects that convey identity and permissions across networks and among the platforms, the processes, and the security subsystems within a computing solution.

Functions:
- Single-use versus multiple-use mechanisms, either cryptographic or non-cryptographic
- Generation and verification of secrets
- Identities and credentials to be used in access control: identification, authentication, and access control for the purpose of user-subject binding
- Credentials to be used for purposes of identity in legally binding transactions
- Timing and duration of identification and authentication
- Lifecycle of credentials
- Anonymity and pseudonymity mechanisms

Sample Technologies:
- Tokens (PKI, Kerberos, SAML), user registries (LDAP, AD, RACF, …), administration consoles, session management

Information Flow Control Subsystem

Purpose:
- Enforce security policies by gating the flow of information within a computing solution, affecting the visibility of information within a computing solution, and ensuring the integrity of information flowing within a computing solution.

Functions:
- Flow permission or prevention
- Flow monitoring and enforcement
- Transfer services and environments: open or trusted channel, open or trusted path, media conversions, manual transfer, and import to or export between domains
- Encryption
- Storage mechanisms: cryptography and hardware security modules

Sample Technologies:
- Firewalls, VPNs, SSL

Security Audit Subsystem

Purpose:
- Provide proof of compliance to the security policy.

Functions:
- Collection of security audit data, including capture of the appropriate data, trusted transfer of audit data, and synchronization of chronologies
- Protection of security audit data, including use of time stamps, signing events, and storage integrity to prevent loss of data
- Analysis of security audit data, including review, anomaly detection, violation analysis, and attack analysis using simple or complex heuristics
- Alarms for loss thresholds, warning conditions, and critical events

Sample Technologies:
- syslog, application/platform access logs

Solution Integrity Subsystem

Purpose:
- Address the requirement for reliable and correct operation of a computing solution in support of meeting the legal and technical standard for its processes

Functions:
- Physical protection for data objects, such as cryptographic keys, and physical components, such as cabling, hardware, and so on
- Continued operations including fault tolerance, failure recovery, and self-testing
- Storage mechanisms: cryptography and hardware security modules
- Accurate time source for time measurement and time stamps
- Alarms and actions when physical or passive attack is detected

Sample Technologies:
- Systems management solutions: performance, availability, disaster recovery, storage management
- Operational security tools: host and network intrusion detection sensors (Snort), event correlation tools, host security monitoring/enforcement tools (Tripwire, TAMOS), host/network vulnerability monitors/scanners (Nessus), anti-virus software

On Demand Security Architecture (Logical)

[Diagram: three tiers. On Demand Solutions at the top. On Demand Infrastructure – Services and Components: policy management (authorization, privacy, federation, etc.), credential exchange, identity federation, authorization, audit & non-repudiation, assurance, and network security solutions (VPNs, firewalls, intrusion detection systems); beneath them service/end-point policy, mapping rules, virtual org policies, privacy policy and secure logging; then the trust model, identity management, key management, security policy expression, bindings security and secure conversation (transport, protocol, message security), intrusion defense and anti-virus management, all over secure networks and operating systems. On Demand Security Infrastructure at the base: OS, application and network component logging and security events logging; event management; archiving; business continuity.]