reinforcing your enterprise with security architectures

Posted on 12-Apr-2017


TRANSCRIPT

Reinforcing Your Enterprise With Security Architectures

S. Uthaiyashankar, VP Engineering, WSO2, shankar@wso2.com

The Problem…

• Security is a non-functional requirement
• It is very easy to introduce security holes
• Knowledge of security is often limited
  – People often feel secure through obscurity
• Too much security reduces usability
• Security patterns can help to reduce the risk

Image Source: http://cdn.c.photoshelter.com/img-get/I0000WglLK9YvkQM/s/750/750/gmat-matyasi-14.jpg

Security

• Authentication
• Authorization
• Confidentiality
• Integrity
• Non-repudiation
• Auditing
• Availability

Image source: http://coranet.com/images/network-security.png

Authentication
• Direct Authentication
  – Basic Authentication
  – Digest Authentication
  – TLS Mutual Authentication
  – OAuth: Client Credentials

[Diagram labels: Service Providers; Authentication; Service Consumption]

Image Source: http://www.densodynamics.com/wp-content/uploads/2016/01/gandalf.jpg

Authentication
• Brokered Authentication
  – SAML
  – OAuth: SAML2/JWT grant type
  – OpenID

[Diagram labels: Service Providers (several); Identity Provider; Authentication; Service Consumption; Trust]

Image source: http://savepic.ru/6463149.gif

Authentication
• Single Sign On
• Multi-factor Authentication

[Diagram labels: Service Providers (several); Identity Provider; Authentication; Service Consumption; Trust]

Image source : https://upload.wikimedia.org/wikipedia/commons/e/ef/CryptoCard_two_factor.jpg

Authentication
• Identity Federation Pattern and Token Exchange

Authentication
• Identity Bus

Authentication
• Trusted Subsystem Pattern

Source: https://i-msdn.sec.s-msft.com/dynimg/IC2296.gif

Authentication
• Multiple User Stores

Image Source: https://malalanayake.files.wordpress.com/2013/01/multiple-user-stores1.png?w=645&h=385

Provisioning

Authorization
• Principle of Least Privilege
• Role Based Access Control
• Attribute Based Access Control
  – Policy Based Access Control

Image source : http://cdn.meme.am/instances/500x/48651236.jpg

Authorization
• eXtensible Access Control Markup Language (XACML)

Image Source : https://nadeesha678.wordpress.com/2015/09/29/xacml-reference-architecture/

Confidentiality: Encryption
• Transport Level
• Message Level
• Symmetric Encryption
• Asymmetric Encryption
• Session Key Based Encryption

Image Source: http://www.thetimes.co.uk/tto/multimedia/archive/00727/cartoon-web_727821c.jpg

Integrity: Digital Signatures
• Transport Level
• Message Level
• Symmetric Signature
• Asymmetric Signature
• Session Key Based Signature

Image Source : http://memegenerator.net/instance2/4350097

Non-repudiation: Digital Signatures
• Message Level
• Asymmetric Signature

Image Source: http://www.demotivation.us/media/demotivators/demotivation.us_DENIAL-What-ever-it-is...-I-DIDNT-DO-IT_133423312332.jpg
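The integrity and non-repudiation slides above differ in one word: integrity can use a symmetric signature, non-repudiation cannot. The following Go program is an added example, not part of the slide deck, that shows why: it uses HMAC-SHA256 as the symmetric mechanism and Ed25519 as the asymmetric one (both assumed here as representative choices), with constructed message and key values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// Constructed sample message and a tampered variant (hypothetical values).
const message, forged = "transfer 100 from acct-1 to acct-2", "transfer 100000 from acct-1 to acct-2"

// SymmetricSign: message-level integrity with a key shared by sender and receiver (HMAC-SHA256).
func SymmetricSign(key []byte, msg string) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(msg))
	return m.Sum(nil)
}

// Scenario records what each mechanism can and cannot prove to a third party.
type Scenario struct {
	HMACVerifies       bool // sender's tag accepted by the receiver: integrity holds
	HMACReceiverForges bool // receiver, holding the same key, mints a valid tag for another message: no non-repudiation
	SigVerifies        bool // sender's Ed25519 signature accepted under the sender's public key
	SigTamperRejected  bool // the same signature fails for an altered message
	SigReceiverForges  bool // receiver's own key yields a signature valid under the sender's key (expected false)
}

func RunScenario() (Scenario, error) {
	var s Scenario
	shared := []byte("constructed-shared-secret") // known to both parties
	tag := SymmetricSign(shared, message)                 // produced by the sender
	s.HMACVerifies = hmac.Equal(tag, SymmetricSign(shared, message)) // receiver recomputes and compares
	forgedTag := SymmetricSign(shared, forged)            // produced by the receiver, not the sender
	s.HMACReceiverForges = hmac.Equal(forgedTag, SymmetricSign(shared, forged)) // verifies just like a genuine tag
	senderPub, senderPriv, err := ed25519.GenerateKey(nil) // nil => crypto/rand; private part stays with the sender
	if err != nil { return s, err }
	_, receiverPriv, err := ed25519.GenerateKey(nil) // the receiver only has its own key pair
	if err != nil { return s, err }
	sig := ed25519.Sign(senderPriv, []byte(message))
	s.SigVerifies = ed25519.Verify(senderPub, []byte(message), sig)
	s.SigTamperRejected = !ed25519.Verify(senderPub, []byte(forged), sig)
	s.SigReceiverForges = ed25519.Verify(senderPub, []byte(forged), ed25519.Sign(receiverPriv, []byte(forged)))
	return s, nil
}

func main() {
	s, err := RunScenario()
	fmt.Printf("%+v err=%v\n", s, err)
}
```

Only the asymmetric case lets an auditor who holds just the sender's public key attribute the message to the sender; with the shared key, either party could have produced the tag.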

Auditing
• However secure you are, people might make mistakes
• Collect the (audit) logs and analyze them for
  – Anomalies
  – Fraud

Source: https://745515a37222097b0902-74ef300a2b2b2d9e236c9459912aaf20.ssl.cf2.rackcdn.com/f33df70e3ffd92d1f68827dd559aa82c.jpeg

Availability
• Network Level Measures
• Throttling
• Heartbeat and hot pooling

Image Source: https://www.corero.com/img/blog/thumb/62327%207%20365.jpg

Secure Deployment Pattern
• Red Zone (Internet): Client Application
• Firewall
• Yellow Zone (DMZ): API Gateway, Integration
• Firewall
• Green Zone (Internal): Services, Database

Secure Deployment Pattern: More restricted
• Red Zone (Internet): Client Application
• Firewall
• Yellow Zone (DMZ): API Gateway, Integration, Message Broker
• Firewall
• Green Zone (Internal): Services, Database

Thank You
