the lanka gate initiative
TRANSCRIPT
The LANKA GATE Initiative
Security Aspects
Contents
• Trends in user centric identities
• Lanka Gate Architecture
• Sri Lanka Country Portal
• Identity as a Service
• Securing Sri Lanka Country Portal
• Securing Backend Services
• Other security aspects
• Thoughts, Suggestions & Discussion
Trends in user centric identities
• User in the middle of the identity transaction
• Governed by Seven Laws of Identity
• OpenID/Information Cards
Trends in user centric identities -OpenID
• Decentralized Single Sign On +
• Single profile across different domains +
• Easy profile maintenance +
• Authenticates once at the OpenID Provider +
• Phishing ???
• Different user experience
• Requires HTTPS + user education
Trends in user centric identities –Information Cards
• Phishing resistant authentication+
• Based on WS-* standards +
• Highly cryptographic solution+
• Authenticates only at the Identity Provider +
• Single user profile
• Different user experience
Trends in user centric identities
It’s NOT OpenID vs. Information Cards, but –OpenID with Information Cards
Contents
• Trends in user centric identities
• Lanka Gate Architecture
• Sri Lanka Country Portal
• Identity as a Service
• Securing Sri Lanka Country Portal
• Securing Backend Services
• Other security aspects
• Thoughts, Suggestions & Discussion
Lanka Gate Architecture
Contents
• Trends in user centric identities
• Lanka Gate Architecture
• Sri Lanka Country Portal
• Identity as a Service
• Securing Sri Lanka Country Portal
• Securing Backend Services
• Other security aspects
• Thoughts, Suggestions & Discussion
Sri Lanka Country Portal
• Provides access to backend services through portlets [a single eService, several eServices from a specific project or transactional / mashup combination of eServices across several projects]
• Users log in to the country portal and authorized functionality will be available.
• How authentication takes place ???
• How authorization takes place ???
Contents
• Trends in user centric identities
• Lanka Gate Architecture
• Sri Lanka Country Portal
• Identity as a Service
• Securing Sri Lanka Country Portal
• Securing Backend Services
• Other security aspects
• Thoughts, Suggestions & Discussion
Identity as a Service
• Integrates identity services into application development
• Decouples identity related logic from individual application business logic
• User, identity related data externalized from the applications themselves
• Breaks identity silos
Identity as a Service
User Store
Identity Management Service
Contents
• Trends in user centric identities
• Lanka Gate Architecture
• Securing Sri Lanka Country Portal
• Identity as a Service
• Securing Sri Lanka Country Portal
• Securing Backend Services
• Other security aspects
• Thoughts, Suggestions & Discussion
IdMRealm
Securing Sri Lanka Country Portal -Authentication
User Store
Identity Management
Service
Identity Provider [WSO2 Identity
Solution]
Country Portal
IdMRealm
Securing Sri Lanka Country Portal -Authentication
User Store
Identity Management
Service
Identity Provider [WSO2 Identity
Solution]
Country Portal
HTTPS
WS-Security
HTTPS
HTTPS
White/black listing OPs
Securing Sri Lanka Country Portal -Authentication
Identity Provider [WSO2 Identity
Solution]
Username/password
Self-issued InfoCard
Client certificate
Securing Sri Lanka Country Portal -Authorization
Country Portal
Passport management Portlet
Driving License Management Portlet
EPF/ETF Management Portlet
Securing Sri Lanka Country Portal -Authorization
Country Portal
Passport management Portlet Driving License Management Portlet
EPF/ETF Management Portlet
Request Passport
Track Status
Request Driving License
Track Status
View EPF/ETF
Claim EPF/ETF
Securing Sri Lanka Country Portal -Authorization
Country Portal
Passport management Portlet Driving License Management Portlet
EPF/ETF Management Portlet
Issue Passport
Reject Passport Requests
Request Driving License
Track Status
View EPF/ETF
Claim EPF/ETF
List Pending Requests
Securing Sri Lanka Country Portal -Authorization
Country Portal
Passport management Portlet Driving License Management Portlet
EPF/ETF Management Portlet
Request Passport
Track Status
Issue Driving License
List Pending Requests
View EPF/ETF
Claim EPF/ETF
Securing Sri Lanka Country Portal -Authorization
Country Portal
Passport management Portlet Driving License Management Portlet
EPF/ETF Management Portlet
Request Passport
Track Status
Request Driving License
Track Status
List Pending Claims
Securing Sri Lanka Country Portal -Authorization
• Authorization logic should be handled by the corresponding service(s) – behind the portlet. [or may be by the LIX]
Passport Management Service
getPortlet(user)
EPF/ETF Management Service
Driving License Management Service
getPortlet(user)
getPortlet(user)
Securing Sri Lanka Country Portal –Summary
• User store will be managed centrally through Identity Management Service
• Country Portal will use OpenIDs for authentication with a white-listed OpenID Provider
• Once a user authenticated, his authorized functionality will be decided by evaluating authorization logic at the corresponding backend service.
Securing Sri Lanka Country Portal –Handling Authorization
• Each backend service needs to evaluate user rights.
• Application specific authorization handling/ standard based authorization handling.
• Standard based authorization with XACML
Securing Sri Lanka Country Portal –Authorization with XACML
• Defining policies
• “Passport service administrators can list all the pending passport requests”
Policy Administration Point/PAP
[WSO2 Identity Solution]
Policy Store[WSO2 Registry]
Define
Securing Sri Lanka Country Portal –Authorization with XACML
• Evaluating policies
Policy Decision Point/PDP
[WSO2 Identity Solution]
Policy Store[WSO2 Registry]
Request
Policy Retrieval Point/PRP
[WSO2 Identity Solution]
Policy Information Point/PIP
[WSO2 Identity Solution]
Identity Management
Service
WS-Security
Contents
• Trends in user centric identities
• Lanka Gate Architecture
• Securing Sri Lanka Country Portal
• Identity as a Service
• Securing Sri Lanka Country Portal
• Securing Backend Services
• Other security aspects
• Thoughts, Suggestions & Discussion
Securing Backend Services
Passport Management
Service
EPF/ETF Management
Service
Driving License Management
Service
Lanka Interoperability Exchange
WS-Security
WS-Security
WS-Security
Contents
• Trends in user centric identities
• Lanka Gate Architecture
• Securing Sri Lanka Country Portal
• Identity as a Service
• Securing Sri Lanka Country Portal
• Securing Backend Services
• Other security aspects
• Thoughts, Suggestions & Discussion
Other security aspects
• Auditing
– Every authentication and authorization decision has to generate an audit event
– Identity Management Service / PDP
– Secure logging – audit trails should preserve integrity
– XDAS - OpenXDAS
Contents
• Trends in user centric identities
• Lanka Gate Architecture
• Securing Sri Lanka Country Portal
• Identity as a Service
• Securing Sri Lanka Country Portal
• Securing Backend Services
• Other security aspects
• Thoughts, Suggestions & Discussion
Thoughts, Suggestions & Discussion…..
- Thank You…!