wso2con eu 2016: reinforcing your enterprise with security architectures

Reinforcing Your Enterprise with Security Architectures Dulanja Liyanage Technical Lead, WSO2 [email protected]

Uploaded by wso2-inc, posted 23-Jan-2018

TRANSCRIPT


Source: https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/432413/bis-15-303_information_security_breaches_survey_2015-executive-eummary.pdf | Contains public sector information licensed under the Open Government Licence v3.0

The Problem?
• Security is a non-functional requirement
  – Developers and QA are mostly concerned about functional and UX testing
  – The first thing to be thrown out upon delays
• Knowledge of security is limited
  – Don't understand the criticality of security
  – Very easy to make security holes
  – Often people feel secure through obscurity
• Too much security will reduce usability
  – Level of security depends on the sensitivity of the data
  – Right balance is important
• Security Patterns might help to reduce the risk

Image Source: http://cdn.c.photoshelter.com/img-get/I0000WglLK9YvkQM/s/750/750/gmat-matyasi-14.jpg

Security
• Authentication
• Authorization
• Confidentiality
• Integrity
• Non-repudiation
• Auditing
• Availability

Image source: http://coranet.com/images/network-security.png

Authentication

[Diagram labels: Authentication, Service Providers, Service Consumption]

Image Source: http://www.densodynamics.com/wp-content/uploads/2016/01/gandalf.jpg

• Verifying that the user is who s/he claims to be
• Direct Authentication
  – Basic Authentication
  – Digest Authentication
  – TLS Mutual Authentication
  – OAuth: Client Credentials

Authentication
• Brokered Authentication
  – Less work for service providers, more security for identity
  – SAML, OAuth: SAML2/JWT grant type, OpenID

[Diagram labels: Service Providers (×3), Identity Provider, Authentication, Service Consumption, Trust]

Image source: http://savepic.ru/6463149.gif
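To make the brokered pattern concrete, here is an added example that is not from the slides or from WSO2's products: an identity provider mints an HS256 JSON Web Token after authenticating the user, and a service provider accepts it by checking the signature and claims instead of handling the user's credentials itself. The shared key, issuer and audience values are constructed for the example, and HS256 with a pre-shared secret stands in for the asymmetric signatures a production IdP would normally use.

```python
# Added example, not from the slides or WSO2's products: a minimal brokered
# authentication flow. The identity provider (IdP) authenticates the user once and
# mints an HS256 JSON Web Token; each service provider (SP) needs only the shared
# verification key and never sees the user's credentials. The key, issuer and
# audience values are constructed for this example.
import base64
import hashlib
import hmac
import json
import time
from typing import List, Optional

SHARED_KEY = b"constructed-demo-key-do-not-reuse"  # assumption: secret shared by IdP and SP
ISSUER = "https://idp.example"                      # constructed IdP identifier
AUDIENCE = "https://orders.example"                 # constructed SP identifier


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_segment(obj: dict) -> str:
    """One JWT segment: compact JSON, base64url without padding."""
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def mint_token(subject: str, roles: List[str], now: int, ttl: int = 300) -> str:
    """IdP side: issue a signed token for a subject that has already authenticated."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": subject,
              "roles": roles, "iat": now, "exp": now + ttl}
    signing_input = encode_segment(header) + "." + encode_segment(claims)
    tag = hmac.new(SHARED_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(tag)


def verify_token(token: str, now: int) -> Optional[dict]:
    """SP side: trust the IdP's signature instead of re-authenticating the user.
    Returns the claims only if algorithm, signature, issuer, audience and expiry
    all check out; returns None on any failure (fail closed)."""
    try:
        header_b64, claims_b64, tag_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        # Pin the algorithm: the verifier, not the token, decides how to verify.
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = hmac.new(SHARED_KEY, f"{header_b64}.{claims_b64}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(tag_b64)):
            return None
        claims = json.loads(b64url_decode(claims_b64))
    except ValueError:  # malformed structure, base64 or JSON
        return None
    if not isinstance(claims, dict):
        return None
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        return None
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        return None
    return claims


if __name__ == "__main__":
    now = int(time.time())
    token = mint_token("alice", ["buyer"], now)
    print(token)
    print(verify_token(token, now + 10))
```

The service provider's whole trust decision is `verify_token`: it pins the algorithm, compares the signature in constant time, and rejects a wrong issuer or audience so a token minted for one service cannot be replayed at another.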

Authentication
• Single Sign On
• Multi-factor Authentication
  – Something you know
  – Something you have
  – Something you are

Image source: https://upload.wikimedia.org/wikipedia/commons/e/ef/CryptoCard_two_factor.jpg

[Diagram labels: Service Providers (×3), Identity Provider, Authentication, Service Consumption, Trust]

Authentication
• Identity Federation Pattern and Token Exchange

Authentication
• Identity Bus

Authentication
• Trusted Subsystem Pattern

Source: https://i-msdn.sec.s-msft.com/dynimg/IC2296.gif

Authentication
• Multiple Userstores

Image Source: https://malalanayake.files.wordpress.com/2013/01/multiple-user-stores1.png?w=645&h=385

Authorization
• Verifying what an authenticated user can do
• Principle of Least Privilege
• Role based Access Control
• Attribute based Access Control
  – Policy based Access Control

Image source: http://cdn.meme.am/instances/500x/48651236.jpg

Authorization
• eXtensible Access Control Markup Language (XACML)

Image Source: https://nadeesha678.wordpress.com/2015/09/29/xacml-reference-architecture/

Authorization
• Delegated Authorization with OAuth 2.0
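The authorization slides list RBAC, ABAC and policy-based access control as separate bullets; in practice they sit in one policy decision point. The following added example, which is not from the slides or from any XACML engine, shows how the pieces fit: role rules grant a baseline, attribute rules restrict it, the rules are combined deny-overrides as XACML does, and anything without an explicit Permit is refused, which is the Principle of Least Privilege in code. The roles, departments and the 10 000 approval limit are constructed for the example.

```python
# Added example, not from the slides or any WSO2 product: a small policy decision
# point that combines role-based rules (what a role may do) with attribute-based
# rules (conditions on subject and resource attributes), evaluated XACML-style
# with deny-overrides combining. No explicit Permit means no access, which is how
# the Principle of Least Privilege shows up in code. Roles, attributes and limits
# below are constructed for the example.
from dataclasses import dataclass
from typing import Callable, Dict, List, Set


@dataclass
class Request:
    subject: Dict[str, object]    # e.g. {"user": "alice", "roles": {"clerk"}, "dept": "finance"}
    action: str                   # e.g. "read", "approve"
    resource: Dict[str, object]   # e.g. {"type": "invoice", "dept": "finance", "amount": 900}


@dataclass
class Rule:
    effect: str                            # "Permit" or "Deny"
    applies: Callable[[Request], bool]     # target + condition, XACML-style
    description: str


def roles_of(req: Request) -> Set[str]:
    return set(req.subject.get("roles", ()))


def role_rule(role: str, actions: Set[str], resource_type: str) -> Rule:
    """RBAC: members of `role` may perform `actions` on resources of `resource_type`."""
    return Rule("Permit",
                lambda r: role in roles_of(r) and r.action in actions
                and r.resource.get("type") == resource_type,
                f"{role} may {sorted(actions)} {resource_type}")


POLICY: List[Rule] = [
    role_rule("clerk", {"read"}, "invoice"),
    role_rule("manager", {"read", "approve"}, "invoice"),
    # ABAC: invoices are only visible inside their own department.
    Rule("Deny", lambda r: r.resource.get("dept") != r.subject.get("dept"),
         "no cross-department access"),
    # ABAC: approvals above the constructed 10 000 limit require the cfo role.
    Rule("Deny", lambda r: r.action == "approve" and r.resource.get("amount", 0) > 10_000
         and "cfo" not in roles_of(r),
         "large approvals need cfo"),
]


def decide(req: Request, policy: List[Rule] = POLICY) -> str:
    """Deny-overrides: any applicable Deny wins; otherwise an applicable Permit;
    otherwise NotApplicable, which the enforcement point treats as a denial."""
    permitted = False
    for rule in policy:
        if rule.applies(req):
            if rule.effect == "Deny":
                return "Deny"
            permitted = True
    return "Permit" if permitted else "NotApplicable"


def is_allowed(req: Request) -> bool:
    return decide(req) == "Permit"   # only an explicit Permit grants access


def explain(req: Request, policy: List[Rule] = POLICY) -> List[str]:
    """Audit helper: the descriptions of every rule that matched this request."""
    return [rule.description for rule in policy if rule.applies(req)]
```

`explain` is worth keeping next to `decide`: an authorization decision that cannot be explained is hard to audit, and the audit slide later in the deck depends on exactly that kind of record.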

Confidentiality: Encryption
• Transport Level
  – TLS
• Message Level
  – XML Enc, JWE
• Symmetric Encryption
• Asymmetric Encryption
• Session key based Encryption
  – unique keys for new messages in same session

Image Source: http://www.thetimes.co.uk/tto/multimedia/archive/00727/cartoon-web_727821c.jpg

Integrity: Digital Signatures
• Transport Level
• Message Level
• Symmetric Signature
• Asymmetric Signature
• Session key based Signature

Image Source: http://memegenerator.net/instance2/4350097
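The confidentiality slide mentions session-key based encryption with unique keys for new messages in the same session, and the integrity slide lists a session-key based symmetric signature. This added example, which is not from the slides or from WSO2, shows the per-message key idea applied to the symmetric signature case: a session key is agreed once, every message is authenticated with a key derived from it and a sequence number, and the receiver rejects both tampered and replayed messages. The derivation (HMAC-SHA256 used as a PRF) and the session key are assumptions of the example; the same derived keys would key a cipher for the encryption case.

```python
# Added example, not from the slides or WSO2: message-level integrity with a
# session key. The session key is agreed once (here: constructed in-line); each
# message is authenticated with a fresh key derived from it and a monotonically
# increasing sequence number, so the receiver detects both tampering and replay.
# HMAC-SHA256 is used as the key-derivation PRF, an assumption of this example.
import hashlib
import hmac
from typing import Optional


def derive_message_key(session_key: bytes, seq: int) -> bytes:
    """Unique per-message key: HMAC(session_key, "msg" || seq)."""
    return hmac.new(session_key, b"msg" + seq.to_bytes(8, "big"), hashlib.sha256).digest()


class Sender:
    def __init__(self, session_key: bytes):
        self.session_key = session_key
        self.seq = 0

    def send(self, payload: bytes) -> dict:
        """Wrap a payload with its sequence number and a per-message tag."""
        self.seq += 1
        key = derive_message_key(self.session_key, self.seq)
        tag = hmac.new(key, self.seq.to_bytes(8, "big") + payload, hashlib.sha256).hexdigest()
        return {"seq": self.seq, "payload": payload.hex(), "tag": tag}


class Receiver:
    def __init__(self, session_key: bytes):
        self.session_key = session_key
        self.last_seq = 0

    def receive(self, msg: dict) -> Optional[bytes]:
        """Return the payload if it is authentic and fresh, else None."""
        seq = msg.get("seq")
        if not isinstance(seq, int) or seq <= self.last_seq:
            return None  # replayed or out-of-order: reject before doing any crypto
        try:
            payload = bytes.fromhex(msg["payload"])
            key = derive_message_key(self.session_key, seq)
            expected = hmac.new(key, seq.to_bytes(8, "big") + payload, hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected, msg["tag"]):
                return None  # tampered payload or wrong session key
        except (KeyError, TypeError, ValueError):
            return None
        self.last_seq = seq  # advance the window only after a successful check
        return payload


if __name__ == "__main__":
    key = b"constructed-session-key"  # constructed; a real session key comes from the handshake
    sender, receiver = Sender(key), Receiver(key)
    first = sender.send(b"transfer 100")
    print(receiver.receive(first))   # b'transfer 100'
    print(receiver.receive(first))   # None: replay
```

Note that `last_seq` moves only after the tag verifies, so a message with a forged tag cannot push the receiver's window forward and knock out the legitimate message that follows.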

Non-repudiation: Digital Signatures
• Asymmetric Keys

Image Source: http://www.demotivation.us/media/demotivators/demotivation.us_DENIAL-What-ever-it-is...-I-DIDNT-DO-IT_133423312332.jpg

Auditing
• However secure you are, people might make mistakes
• Collect the (audit) logs and analyze for
  – Anomaly
  – Fraud

Source: https://745515a37222097b0902-74ef300a2b2b2d9e236c9459912aaf20.ssl.cf2.rackcdn.com/f33df70e3ffd92d1f68827dd559aa82c.jpeg
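"Collect the audit logs and analyze for anomaly" is easy to say and worth seeing in code. The following added example is not from the slides or from WSO2's audit tooling: it runs one detection over constructed audit lines, flagging a burst of failed logins from a single source within a time window and any successful login from that source while the burst is still in the window. The log format, the thresholds and the log lines are all constructed for the example.

```python
# Added example, not from the slides: audit-log analysis for one common anomaly,
# a burst of failed logins from a single source followed by a success. The log
# format and the log lines are constructed for this example; a real deployment
# would feed the same logic from its own audit stream.
import re
from collections import defaultdict, deque
from datetime import datetime, timezone
from typing import Deque, Dict, List, Optional, Tuple

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<event>[A-Z_]+) user=(?P<user>\S+) src=(?P<src>\S+)$")

# Constructed sample: one normal user, one brute-force burst that succeeds.
SAMPLE_LOG = """
2016-06-07T10:00:01Z LOGIN_OK user=bob src=10.0.0.9
2016-06-07T10:00:05Z LOGIN_FAILED user=alice src=10.0.0.5
2016-06-07T10:00:07Z LOGIN_FAILED user=alice src=10.0.0.5
2016-06-07T10:00:09Z LOGIN_FAILED user=alice src=10.0.0.5
2016-06-07T10:00:11Z LOGIN_FAILED user=alice src=10.0.0.5
2016-06-07T10:00:13Z LOGIN_FAILED user=alice src=10.0.0.5
2016-06-07T10:00:20Z LOGIN_FAILED user=bob src=10.0.0.9
2016-06-07T10:00:25Z LOGIN_OK user=alice src=10.0.0.5
2016-06-07T10:03:00Z LOGIN_OK user=alice src=10.0.0.5
""".strip().splitlines()


def parse_line(line: str) -> Optional[dict]:
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "event": m["event"], "user": m["user"], "src": m["src"]}


def detect(lines: List[str], threshold: int = 5, window_s: int = 60) -> List[Tuple[str, ...]]:
    """Sliding-window detection over a log stream in timestamp order.

    BRUTE_FORCE fires when a source reaches `threshold` failures inside `window_s`
    seconds; SUCCESS_AFTER_BRUTE_FORCE fires for a LOGIN_OK from a source whose
    failure count is still at or above the threshold within the window."""
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerts: List[Tuple[str, ...]] = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            alerts.append(("UNPARSED", line))  # never silently drop what you cannot read
            continue
        recent = failures[ev["src"]]
        while recent and (ev["ts"] - recent[0]).total_seconds() > window_s:
            recent.popleft()  # expire failures that fell out of the window
        if ev["event"] == "LOGIN_FAILED":
            recent.append(ev["ts"])
            if len(recent) == threshold:
                alerts.append(("BRUTE_FORCE", ev["src"]))
        elif ev["event"] == "LOGIN_OK" and len(recent) >= threshold:
            alerts.append(("SUCCESS_AFTER_BRUTE_FORCE", ev["user"], ev["src"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The last sample line, a login from the same source three minutes later, produces no alert because the earlier failures have aged out of the window; tuning `threshold` and `window_s` is where this kind of detection lives or dies.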

Availability
• Network Level Measures
• Throttling
• Opt for fail fast techniques
• Heartbeat and hot pooling

Image Source: https://www.corero.com/img/blog/thumb/62327%207%20365.jpg
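Throttling and fail-fast appear as two bullets but are usually implemented together. The following added example, not from the slides or from WSO2's API gateway, shows a per-client token bucket that rejects excess requests immediately with a 429 rather than queueing them, so one noisy client cannot consume the capacity the others depend on. The bucket sizes and the injected clock are constructed so the behaviour is deterministic.

```python
# Added example, not from the slides or WSO2's gateway: per-client throttling with
# a token bucket plus a fail-fast rejection path. Time is passed in explicitly so
# the behaviour is deterministic; a real service would pass time.monotonic().
from typing import Dict


class TokenBucket:
    """Allows bursts up to `capacity`, then sustains `refill_per_s` requests per second."""

    def __init__(self, capacity: int, refill_per_s: float, now: float):
        self.capacity = capacity
        self.refill_per_s = refill_per_s
        self.tokens = float(capacity)
        self.last = now

    def _refill(self, now: float) -> None:
        elapsed = max(0.0, now - self.last)  # guard against a clock that steps backwards
        self.tokens = min(float(self.capacity), self.tokens + elapsed * self.refill_per_s)
        self.last = now

    def try_consume(self, now: float, n: int = 1) -> bool:
        self._refill(now)
        if self.tokens >= n:
            self.tokens -= n
            return True
        return False


class Throttler:
    """One bucket per client identity so a single client cannot starve the rest."""

    def __init__(self, capacity: int = 5, refill_per_s: float = 1.0):
        self.capacity = capacity
        self.refill_per_s = refill_per_s
        self.buckets: Dict[str, TokenBucket] = {}

    def handle(self, client: str, now: float) -> str:
        bucket = self.buckets.get(client)
        if bucket is None:
            bucket = self.buckets[client] = TokenBucket(self.capacity, self.refill_per_s, now)
        # Fail fast: reject immediately instead of holding the request (and a thread)
        # in a queue that would only deepen the overload.
        if bucket.try_consume(now):
            return "200 OK"
        return "429 Too Many Requests"


if __name__ == "__main__":
    t = Throttler(capacity=3, refill_per_s=1.0)
    print([t.handle("client-a", 0.0) for _ in range(4)])  # three accepted, then rejected
    print(t.handle("client-a", 1.0))                       # one token refilled
    print(t.handle("client-b", 1.0))                       # other client unaffected
```

Client identity here is just a string; in a gateway it would come from the authenticated principal or API key, which is why throttling sits behind authentication in the pattern rather than in front of it.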

Secure Deployment Pattern

Red Zone (Internet): Client Application
  | Firewall
Yellow Zone (DMZ): API Gateway, Integration
  | Firewall
Green Zone (Internal): Services, Database

Secure Deployment Pattern: More restricted

Red Zone (Internet): Client Application
  | Firewall
Yellow Zone (DMZ): API Gateway, Integration, Message Broker
  | Firewall
Green Zone (Internal): Services, Database

Thank You!

#WSO2ConEU
