e-business on demand Competitive Technical Briefing: Protect Yourself! (Security Counts)

Page 1: e-business on demand Competitive Technical Briefing (CTS6-06 Security.ppt). Footnote 1 on every slide: Symantec Internet Security Threat Report, Attack Trends for Q3 and Q4 2002, Report 3, Volume III, February 2003.

e-business on demand Competitive Technical Briefing

Protect Yourself! (Security Counts)

Page 2: (CTS6-06 Security.ppt)

Have You Thought About Security?

Friendly Finance (the sample customer used throughout this deck) / IBM

Have you thought about the impact risky security could have on your business?

Page 3:

Security Exposures on the Rise

- Companies experience an average of 30 attacks per week [1]
  - 85% pre-attack reconnaissance
  - 15% attempted or successful exploitation
- 21% of companies worldwide experienced at least one severe event over the previous six months [1]
  - 44% of UK companies [2]
- Cost to fix a security breach for several UK companies: over £500,000 [2]
- Over the past year, 1,200 new 32-bit Windows viruses and worms have been released [1]

[1] Symantec Internet Security Threat Report, Attack Trends for Q3 and Q4 2002, Report 3, Volume III, February 2003
[2] PricewaterhouseCoopers, Information Security Breaches Survey 2002 (http://www.pwcglobal.com/Extweb/service.nsf/docid/B2ECC9B0E9EFA3D785256C33005247D3)

Page 4:

Worms Exploit Microsoft Flaws, Disrupt Day-to-Day Life

- AIR CANADA - Systems were hobbled by the Welchia (Nachi) worm, delaying flights
- MARYLAND MOTOR VEHICLE ADMINISTRATION - The Blaster worm forced the agency to close its doors for a day
- COMMUTER LINE - Maryland trains were canceled after a worm disrupted signals
- J.C. PENNEY - The national retail chain was affected by the Blaster worm
- Countless others...

Source: TIME magazine, Sep 1, 2003

Page 5:

A Steady Stream of Microsoft Security Bulletins

Bulletin title                                                           | Impact                           | Knowledge Base article | Released
Flaw in ISA Server Error Pages Could Allow Cross-Site Scripting Attack  | Run code of an attacker's choice | 816456                 | July 16, 2003
Unchecked Buffer in Windows Shell Could Enable System Compromise        | Run code of an attacker's choice | 821557                 | July 16, 2003
Buffer Overrun In RPC Interface Could Allow Code Execution              | Run code of an attacker's choice | 823980                 | July 16, 2003
Buffer Overrun In HTML Converter Could Allow Code Execution             | Run code of an attacker's choice | 823559                 | July 9, 2003
Buffer Overrun in Windows Could Lead to Data Corruption                 | Run code of an attacker's choice | 817606                 | July 9, 2003

All of these came out in less than a month's time, between July 1 and 16, 2003. Other months aren't too different!

Page 6:

Security Exposures Across Microsoft Products

All of these products had significant security exposures in 2003

An average of one security bulletin every 3.5 working days!

Page 7:

Microsoft uses Linux to hide from Blaster!!

- The Blaster worm was set to attack Microsoft's windowsupdate.com site starting Aug 16, 2003
- Microsoft had to change its DNS so that requests for the MS site would no longer resolve to its own network
- Requests were instead handled by Akamai's caching system, which runs Linux

MS protected its site from the Blaster worm by hiding behind a Linux system.

Page 8:

IBM – Strong Security

- Winner, Information Security Excellence Award
- Commended, SC Magazine 2002 Best Security Management
- Winner, VARBusiness Annual Report Card
- Winner, Mindcraft Extranet Performance Benchmark
- Winner, Gartner Leadership Quadrant
- Winner, 2002 Crossroads A-List Award
- Winner, Frost & Sullivan Market Excellence Award

Page 9:

Microsoft Confession

"I'm not proud, we really haven't done everything we could to protect our customers. Our products just aren't engineered for security."

Brian Valentine, Sr. VP, Windows Server, at the Microsoft Windows Server .Net developer conference in Seattle, Sept. 5, 2002

Page 10:

IBM is a Better Foundation for Security

IBM                                         | Microsoft
Proven track record                         | Poor track record
Foundation architected for strong security  | Poor technology base for security
Standards-based Directory Server            | Difficult, proprietary Directory

Page 11:

Security 101 – Authentication & Authorization

Flow shown on the slide (Browser -> Web Server -> User Directory -> Data):

1. Request a resource.
2. Challenge – Who are you?
3. The client answers: Herman, password.
4. Authentication: check if Herman is who he claims he is (the Web Server checks the password against the User Directory).
   Authenticated: Herman is indeed Herman, let him through.
5. Authorization (Access Control): what can Herman do?
   - Check what Roles are allowed access to this resource
   - Check if Herman has any of those Roles
   Authorized: Herman has the necessary Roles, allow the operation.
6. The Data is returned.

Page 12:

Role-Based Access Control

Define what Roles are needed to access resources:

Operation                 | Customer | Teller | Supervisor
/finance/account GET      | yes      | yes    | yes
/finance/account DELETE   |          |        | yes
AccountBean.getBalance    | yes      | yes    | yes
AccountBean.setBalance    |          | yes    | yes

Assign Roles to users: Alice, Herman, Kate, Tom and Jack are each placed in one of the Roles Customer, Teller or Supervisor (the next slide assigns Kate the Supervisor Role).

Page 13:

Declarative Security

- Application Provider: developers create application components.
- Application Assembler: declares what Role is required to access each resource, e.g. Supervisors can delete Accounts.
- Security Administrator: assigns Roles to Users, e.g. assigns the Supervisor Role to Kate; uses an LDAP server as the user directory.

Page 14:

WebSphere - A Consistent Model for Security

- WebSphere provides a single consistent security model: the declarative Role-based Access Control model of J2EE
  - Developers create components and don't have to worry about coding security into the application
  - Application Assemblers define the Roles needed to access components
  - Qualified Security Administrators grant Roles to users
- JSP pages, servlets and EJBs are all protected with the same model
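The flow of slides 11 and 12 (authenticate against the user directory, then check the user's Roles against the resource policy) and the separation of duties of slides 13 and 14 (developer writes the component, assembler owns the policy table, administrator assigns Roles), as an added example in Python. This is not code from the deck or from WebSphere: the user and role names come from the slides, while the password-hashing scheme, the mapping of Herman, Tom and Kate to Roles, and the policy layout are assumptions made for this example.

```python
"""Added example (not from the IBM deck): authentication, then declarative
role-based authorization, with the policy held as data outside the component.
Assumed: PBKDF2 password storage, Herman=Customer, Tom=Teller, Kate=Supervisor."""
import hashlib
import hmac
import os

# ---- User directory (stand-in for the LDAP server of slide 13) -------------
# user -> {"salt", "hash", "roles"}; passwords are stored as salted PBKDF2
# hashes, never in clear text.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def add_user(directory: dict, user: str, password: str, roles) -> None:
    """Security Administrator task (slide 13): create the entry, assign Roles."""
    salt = os.urandom(16)
    directory[user] = {"salt": salt, "hash": _hash_password(password, salt),
                       "roles": frozenset(roles)}


def authenticate(directory: dict, user: str, password: str) -> bool:
    """Slide 11: 'check if Herman is who he claims he is'."""
    entry = directory.get(user)
    if entry is None:
        # Same amount of work for unknown users, so response time does not
        # reveal whether the account exists.
        _hash_password(password, b"\0" * 16)
        return False
    return hmac.compare_digest(entry["hash"], _hash_password(password, entry["salt"]))


# ---- Declarative policy (slide 12 matrix, maintained by the Assembler) ------
# (resource, operation) -> Roles allowed. This is data, not code: changing who
# may delete accounts means editing this table, not the component below.
POLICY = {
    ("/finance/account", "GET"):    {"Customer", "Teller", "Supervisor"},
    ("/finance/account", "DELETE"): {"Supervisor"},
    ("AccountBean", "getBalance"):  {"Customer", "Teller", "Supervisor"},
    ("AccountBean", "setBalance"):  {"Teller", "Supervisor"},
}


def authorize(directory: dict, user: str, resource: str, operation: str,
              policy: dict = POLICY) -> bool:
    """Slide 11: look up the Roles allowed on the resource, then check whether
    the user holds any of them. Anything not listed in the policy is denied."""
    allowed = policy.get((resource, operation), set())
    return bool(directory[user]["roles"] & allowed)


# ---- Component written by the Application Provider (slide 13) --------------
# No security code in here; the container-style dispatcher below enforces POLICY.
class AccountBean:
    def __init__(self):
        self._balances = {}

    def getBalance(self, account: str) -> int:
        return self._balances.get(account, 0)

    def setBalance(self, account: str, amount: int) -> None:
        self._balances[account] = amount


def invoke(directory: dict, user: str, bean, method: str, *args):
    """Container interception point: authorize, then dispatch to the bean."""
    resource = type(bean).__name__
    if not authorize(directory, user, resource, method):
        raise PermissionError(f"{user} has no Role permitting {resource}.{method}")
    return getattr(bean, method)(*args)


def handle_request(directory: dict, user: str, password: str,
                   http_method: str, path: str) -> int:
    """Web tier of slide 11 end to end; returns the HTTP status to send back."""
    if not authenticate(directory, user, password):
        return 401   # challenge failed
    if not authorize(directory, user, path, http_method):
        return 403   # authenticated, but holds none of the required Roles
    return 200


def build_demo_directory() -> dict:
    """Constructed sample users; the name-to-Role mapping is an assumption."""
    directory = {}
    add_user(directory, "Herman", "herman-pw", ["Customer"])
    add_user(directory, "Tom", "tom-pw", ["Teller"])
    add_user(directory, "Kate", "kate-pw", ["Supervisor"])   # slide 13
    return directory


if __name__ == "__main__":
    d = build_demo_directory()
    print(handle_request(d, "Herman", "herman-pw", "GET", "/finance/account"))     # 200
    print(handle_request(d, "Herman", "herman-pw", "DELETE", "/finance/account"))  # 403
    print(handle_request(d, "Kate", "wrong-pw", "DELETE", "/finance/account"))     # 401
    bean = AccountBean()
    invoke(d, "Tom", bean, "setBalance", "acct-1", 500)
    print(invoke(d, "Herman", bean, "getBalance", "acct-1"))                       # 500
```

Two details matter beyond the slide: the policy denies anything it does not list (an unknown URL or method yields 403 rather than falling through), and authentication failure is reported before authorization is even attempted, so an unauthenticated caller learns nothing about which Roles a resource needs.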

Page 15:

Microsoft – Mixed Security Models

- The COM+ role-based access control model is declarative
- .NET role-based access control is specified in source code
- The two models have different class hierarchies and role definitions
- This means that serviced components have a different security model than pure .NET components
- SharePoint does not use role-based security at all; it uses site groups and cross-site groups

Page 16:

Demo: Consistent Security Model

- WebSphere Application Assembly Tool (the Application Assembler's view)
- A consistent security model provides tighter security
  - Spot and resolve conflicts
  - Fewer mistakes and oversights
  - Easier to manage effectively

Page 17:

Issues with Microsoft Security Models

- Inconsistent models tend to provide looser security
  - Increased chance of mistakes, oversights and conflicts
  - Complexity
- Embedding security into source code is a poor model. In the .NET security model, security attributes are embedded in source code:

    using System.Security.Permissions;

    // The Role name is compiled into the method; changing it means a rebuild.
    [PrincipalPermission(SecurityAction.Demand, Role = "Teller")]
    public void CreateAccount()
    {
        // ....
    }

  - Inflexible
  - Hampers reuse of components
  - No consolidated overview
  - Cannot easily resolve conflicting Roles

Page 18:

Web Services Security – Declarative vs Programmatic

- WebSphere – declare in the deployment descriptor
  - Business logic and security are functionally separate
  - Easy administration, no need to change source code
  - Relevant for real-world web services
- .NET – need to write code to create and pass tokens
  - Business logic and security are too tightly tied together
  - Example: if you want to use an X.509 certificate instead of a Username token, you need to change source code, rebuild, test and redeploy
  - Administration is difficult

Page 19:

Tivoli - Defense in Breadth and Depth

Diagram: Browsers -> Internet -> Proxy Server -> Web Server -> Web Container -> EJB Container -> Data System. The hops from browser to proxy and from proxy to web server use HTTP/S; the Web Container reaches the EJB Container over IIOP/CSI. Four Tivoli layers span the whole path, across dissimilar environments: Access Management, Privacy Management, Account Provisioning and Threat Management.

Page 20:

IBM Has Better Operational Support for Security

IBM                      | Microsoft
Tivoli Access Manager    | Windows solution only
Tivoli Privacy Manager   | None
Tivoli Identity Manager  | Windows Server 2003
Tivoli Risk Manager      | None

Page 21:

Defining What Users Can Access

Diagram: Tivoli Access Manager sits at the centre, with an Agent on each managed system (Legacy Servers, Application Servers, Database Servers, Web Servers, Clients, Networking Equipment).

- Validates access rights
- Works with local security models

Page 22:

Defining What Users Can Access

Tivoli Access Manager

- Central control of users' access to resources
  - A unified security policy improves overall security
  - Single, consistent authorization approach
- Secures a wide variety of resource types
  - Web and application servers, legacy and new applications using MQ, resources defined in UNIX and Linux operating environments
- Coarse- or fine-grained authorization
- Web-based management console
- Single Sign-On
  - Users sign on once to get access to all resources
  - Cross-domain

Page 23:

DEMO: Tivoli Access Management

- Centralized administration of security, consistent interfaces
- WebSphere Application Server
- Tivoli Access Manager

Page 24:

Protect Personal Information

Diagram: Tivoli Privacy Manager at the centre, with an Agent on each managed system (Legacy Servers, Application Servers, Database Servers, Web Servers, Clients, Networking Equipment).

- Controls access to data based on privacy policies

Page 25:

Protect Personal Information

Tivoli Privacy Manager for e-business

- Organizations can use Tivoli Privacy Manager for e-business to perform five primary tasks:
  - Define a privacy policy and create it in Platform for Privacy Preferences (P3P) format
  - Deploy the privacy policy across applications and resources
  - Record end users' consent to the privacy policy
  - Monitor and enforce access to private data, in keeping with the policy
  - Create audit trail reports
- A P3P policy is of the form:
  ALLOW USERS to USE PII_TYPES for PURPOSES [if CONDITIONS] [if CONSENT]
- Example P3P policy for Friendly Finance:
  Allow Mortgage_Officer to read customer_financial_info for mortgage_evaluation [if customer_applied_for_mortgage] and [if customer opt-in]
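An evaluator for rules of the form on this slide (ALLOW USERS to USE PII_TYPES for PURPOSES [if CONDITIONS] [if CONSENT]), as an added example in Python; it is not code from the deck or from Tivoli Privacy Manager. The Friendly Finance rule is the slide's own; the data model (a customer record with attributes and a set of opted-in purposes, a rule with condition names and a consent flag) and the audit-trail format are assumptions made for this example. The point it shows that the slide only states is purpose binding: the same officer reading the same data for a purpose the customer never consented to is denied, and every decision, allowed or not, lands in the audit trail.

```python
"""Added example (not from the IBM deck): purpose- and consent-bound access to
personal data, with a decision log standing in for the audit trail report.
Rule fields, customer record layout and reason strings are assumptions."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class PrivacyRule:
    role: str                              # USERS (a role, not an individual)
    action: str                            # USE, e.g. "read"
    pii_type: str                          # PII_TYPES
    purpose: str                           # PURPOSES
    conditions: frozenset = frozenset()    # CONDITIONS: customer attributes that must be true
    requires_consent: bool = False         # CONSENT: customer must have opted in for this purpose


@dataclass
class CustomerRecord:
    attributes: dict                                 # e.g. {"customer_applied_for_mortgage": True}
    consents: set = field(default_factory=set)       # purposes the customer opted in to


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def evaluate(rules, role, action, pii_type, purpose, customer, audit) -> Decision:
    """Deny unless a rule grants (role, action, pii_type, purpose) and its
    conditions and consent requirement hold. Appends every decision to `audit`."""
    decision = Decision(False, "no rule permits this use")       # default deny
    for rule in rules:
        if (rule.role, rule.action, rule.pii_type, rule.purpose) != (role, action, pii_type, purpose):
            continue
        missing = [c for c in rule.conditions if not customer.attributes.get(c)]
        if missing:
            decision = Decision(False, "condition not met: " + ", ".join(missing))
        elif rule.requires_consent and purpose not in customer.consents:
            decision = Decision(False, f"no consent for purpose {purpose}")
        else:
            decision = Decision(True, "rule matched")
        break                                                   # first matching rule decides
    audit.append((role, action, pii_type, purpose, decision.allowed, decision.reason))
    return decision


# The slide's example rule for Friendly Finance.
FRIENDLY_FINANCE_RULES = [
    PrivacyRule(role="Mortgage_Officer", action="read",
                pii_type="customer_financial_info", purpose="mortgage_evaluation",
                conditions=frozenset({"customer_applied_for_mortgage"}),
                requires_consent=True),
]


def demo():
    """Constructed customers: an applicant who opted in, one who applied but did
    not opt in, and one who never applied. Returns the decisions and the trail."""
    audit = []
    args = ("Mortgage_Officer", "read", "customer_financial_info")
    opted_in = CustomerRecord({"customer_applied_for_mortgage": True}, {"mortgage_evaluation"})
    no_consent = CustomerRecord({"customer_applied_for_mortgage": True}, set())
    never_applied = CustomerRecord({"customer_applied_for_mortgage": False}, set())
    results = {
        "evaluation": evaluate(FRIENDLY_FINANCE_RULES, *args, "mortgage_evaluation", opted_in, audit),
        "marketing":  evaluate(FRIENDLY_FINANCE_RULES, *args, "marketing", opted_in, audit),
        "no_consent": evaluate(FRIENDLY_FINANCE_RULES, *args, "mortgage_evaluation", no_consent, audit),
        "no_application": evaluate(FRIENDLY_FINANCE_RULES, *args, "mortgage_evaluation", never_applied, audit),
        "wrong_role": evaluate(FRIENDLY_FINANCE_RULES, "Teller", "read", "customer_financial_info",
                               "mortgage_evaluation", opted_in, audit),
    }
    return results, audit


if __name__ == "__main__":
    decisions, trail = demo()
    for name, d in decisions.items():
        print(f"{name:15} allowed={d.allowed} ({d.reason})")
    print(f"{len(trail)} audit records")
```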

Page 26:

Define and Centrally Manage User Accounts

Diagram: Tivoli Identity Manager at the centre, with an Agent on each managed system (Legacy Servers, Application Servers, Database Servers, Web Servers, Clients, Networking Equipment).

- Creates and revokes user accounts

Page 27:

Define and Centrally Manage User Accounts

Tivoli Identity Manager

- Define, revoke and manage user accounts in one place, systematically
  - Systematic management improves overall security
- Automatic "provisioning" of new users: create all the accounts a user will need
  - Databases
  - Operating systems
  - ERP systems
  - Other (LDAP, Access Manager, ...)
- Enforce policies governing account creation
- Create audit trails
- Provide web-based user self-service

Page 28:

Reject Attacks: Threat Management

Diagram: Tivoli Risk Manager at the centre, exchanging security events and responses with an Agent on each managed system (Legacy Servers, Application Servers, Database Servers, Web Servers, Clients, Networking Equipment). Inside the manager sits the autonomic control loop: Monitor, Analyze, Plan and Execute around a shared Knowledge base, fed by Sensors on the managed Element and acting on it through Effectors.

Page 29:

Reject Attacks: Threat Management

Tivoli Risk Manager

- Manages security events and incidents from a variety of devices, applications and servers across a heterogeneous environment
  - Centralizes security event management
  - Protects against outside security threats
  - Detects virus attacks and hacker intrusions
  - Manages the risks and costs of protecting your business
- Responds to incidents automatically
  - Deny or close connections from/to an IP address on the firewall
  - Cancel enabled rules on the firewall
  - Kill a user process on a server
  - Fix or upgrade software to prevent or stop threats
  - More tasks can easily be created, or existing ones customized
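The loop of slides 28 and 29 (collect events from dissimilar sensors, correlate them centrally, then emit a response such as denying a source address on the firewall), as an added example in Python. It is not code from the deck or from Tivoli Risk Manager: the two log formats, the constructed log lines, the thresholds and the action names are all assumptions of this example, and the responses are returned as records rather than pushed to a real firewall.

```python
"""Added example (not from the IBM deck): normalise events from two sensor
formats, correlate per source address over a sliding time window, and emit
an automated response once a rule's threshold is crossed. Formats, sample
lines, thresholds and action names are constructed for this example."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed feed: a firewall (fw1) dropping connection attempts and a web
# server (web1) logging requests. 10.0.0.5 sweeps TCP/135 across five hosts;
# 203.0.113.7 probes for cmd.exe twice; 10.0.0.9 is a lone drop.
SAMPLE_LOG = """\
2003-08-12T10:00:01 fw1 DROP SRC=10.0.0.5 DST=192.0.2.10 PROTO=TCP DPT=135
2003-08-12T10:00:02 fw1 DROP SRC=10.0.0.5 DST=192.0.2.11 PROTO=TCP DPT=135
2003-08-12T10:00:03 fw1 DROP SRC=10.0.0.5 DST=192.0.2.12 PROTO=TCP DPT=135
2003-08-12T10:00:04 fw1 DROP SRC=10.0.0.5 DST=192.0.2.13 PROTO=TCP DPT=135
2003-08-12T10:00:05 fw1 DROP SRC=10.0.0.5 DST=192.0.2.14 PROTO=TCP DPT=135
2003-08-12T10:00:09 web1 203.0.113.7 "GET /finance/account HTTP/1.1" 200
2003-08-12T10:00:10 web1 203.0.113.7 "GET /scripts/cmd.exe HTTP/1.0" 404
2003-08-12T10:00:11 web1 203.0.113.7 "GET /scripts/cmd.exe?/c+dir HTTP/1.0" 404
2003-08-12T10:20:00 fw1 DROP SRC=10.0.0.9 DST=192.0.2.10 PROTO=TCP DPT=135
"""

FW_RE = re.compile(r"^(\S+) (\S+) DROP SRC=(\S+) DST=(\S+) PROTO=\S+ DPT=(\d+)$")
WEB_RE = re.compile(r'^(\S+) (\S+) (\S+) "(\S+) (\S+) [^"]*" (\d{3})$')


def parse(line: str):
    """Normalise one line from either sensor into a common event dict."""
    m = FW_RE.match(line)
    if m:
        ts, sensor, src, dst, dport = m.groups()
        return {"ts": datetime.fromisoformat(ts), "sensor": sensor, "src": src,
                "kind": "fw_drop", "key": f"{dst}:{dport}"}
    m = WEB_RE.match(line)
    if m:
        ts, sensor, src, method, path, status = m.groups()
        kind = "web_probe" if "cmd.exe" in path.lower() else "web_request"  # assumed indicator
        return {"ts": datetime.fromisoformat(ts), "sensor": sensor, "src": src,
                "kind": kind, "key": path}
    return None  # unknown format: dropped, a real system would count these too


# (rule name, event kind, threshold, count distinct keys?, window, response action)
RULES = [
    ("rpc_sweep",     "fw_drop",   5, True,  timedelta(seconds=60), "firewall_deny_src"),
    ("cmd_exe_probe", "web_probe", 2, False, timedelta(seconds=60), "proxy_block_src"),
]


class Correlator:
    """Sliding-window counter per (rule, source); fires each rule once per source."""

    def __init__(self, rules=RULES):
        self.rules = rules
        self.windows = defaultdict(deque)   # (rule, src) -> deque of (ts, key)
        self.fired = set()

    def feed(self, event: dict) -> list:
        actions = []
        for name, kind, threshold, distinct, window, action in self.rules:
            if event["kind"] != kind:
                continue
            q = self.windows[(name, event["src"])]
            q.append((event["ts"], event["key"]))
            while q and event["ts"] - q[0][0] > window:   # expire old entries
                q.popleft()
            count = len({k for _, k in q}) if distinct else len(q)
            if count >= threshold and (name, event["src"]) not in self.fired:
                self.fired.add((name, event["src"]))
                actions.append({"action": action, "src": event["src"],
                                "rule": name, "at": event["ts"].isoformat()})
        return actions


def run(log_text: str) -> list:
    """Feed every parsable line through the correlator; return the responses."""
    correlator = Correlator()
    actions = []
    for line in log_text.splitlines():
        event = parse(line)
        if event:
            actions.extend(correlator.feed(event))
    return actions


if __name__ == "__main__":
    for act in run(SAMPLE_LOG):
        print(act)
```

The sweep rule counts distinct destinations so that one host retrying the same target does not look like a scan, while the probe rule counts raw hits; both forget events older than the window, and a rule fires once per source so a noisy attacker produces one firewall change rather than hundreds.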

Page 30:

A Summary of IBM Strengths

IBM                                  | Microsoft
Proven track record                  | Poor track record
Strong security foundation           | Poor technology base for security
Tivoli Access Manager                | Windows solution only
Tivoli Privacy Manager               | None
Tivoli Identity Manager              | Windows Server 2003
Tivoli Risk Manager                  | None