Web Security Infrastructure Study - PowerPoint PPT Presentation

PowerPoint Slideshow about 'Web Security Infrastructure Study' - sirvat

Presentation Transcript
Web Security Infrastructure Study

For a Multinational Life Insurance Company


Topics

  • Current State

  • Concerns

  • Recommendations

Presentation by Kankan Roy

Present Web Security Infrastructure

The security is built on the following components and their replication for high availability:

  • Cisco 11503 load balancer

  • AmberPoint plug-in (for transparent redirection)

  • ISA Server 2004 for NAT, firewall, and isolation of the internal network

  • XML firewall (DataPower XS40), Web Service Gateway (DataPower XI50)

  • External Active Directory with a trust relationship to the internal AD, granting security principals from the external domain access to resources in the internal Windows forest.

Present Web related Infrastructure

  • IIS 6, Windows 2003

  • ASP.Net

  • Windows and Web Services

  • DataPower used as XML gateway for web services

  • Oracle and Oracle RAC databases

  • Web applications, each with its own security deployment

  • Data warehouse and data mart: SQL Server 2000

  • Services from 3rd-party providers are delivered through web redirection to external web sites; those sites access data stores and files via an adapter and hold a “Foreign Security Principal” trust to access internal Windows servers

Security Concerns

  • Possible indirect access to internal Windows resources

  • Possible indirect access by 3rd-party partners to internal resources

  • Possible direct access to secured web sites and databases by authenticated but unauthorized users

  • No auditing or access logging of end-user access, nor of the information accessed

  • Security is not decoupled from business logic

  • The protected object space is neither defined nor centrally managed

  • Access control is not dynamically enforced

  • Authorization can be bypassed, because it is implemented in deployment scripts and there is no security governance policy.

  • Authentication is implemented, authorization and access control are only partially implemented, and auditing is not implemented at all.

  • There is no governance policy for creating or modifying objects that need protection

  • No documentation of the access control policy (ACLP) for objects

  • No explicit SSO implementation

External AD based Security Implementation

The external AD is used for authentication, implemented in the security configuration layer (the web applications' web.config files). Given below is a snippet from a web application site:

Future Web Security Roadmap

  • The web must be an active vehicle for business expansion

  • The focus of web applications shall no longer be policy-centered (policy type, line of business, or policy administration)

  • The future web shall be user-focused (user type, role, and self-service), with policy operations that are intuitive, implicit, and automated.

  • User operations shall be serviced by business services, management services, administration services, and request services

  • Implementation shall require security guidelines for information access control over private user information

  • Security policy must be explicit and decoupled from service code

  • A security assertion should be made before service invocation

  • Service-level audit and access records should be available to pinpoint responsibility in the event of a security breach

  • Users should be able to manage their own profile, access, account, associates, and policies without customer service assistance, including self-enrollment for new users.

  • Business should be decoupled from infrastructure

  • Infrastructure should be interoperable and distributed, open and accommodating of emerging technology

  • A centralized policy administration system to manage all lines of business

  • The user access device can be any: desktop/laptop browser, mobile, hand-held, voice-activated or cellular devices

  • Sarbanes-Oxley Act 2002 - http://www.soxlaw.com/index.htm

Abstract Model for Role Based Access Control (RBAC)

The current AD-based RBAC identifies web directories as the only target, using web.config

Protected Objects Space Needing Access Permission

  • Web Sites

  • Web Services

  • Partner Services

  • Provider Services or Web Sites

  • Applications

  • Programs

  • Policies

  • Users

  • Consumers

  • Producers

  • Transactions

  • Statements

  • Queues

  • Infrastructure

  • Hierarchy of Objects based on Ownership relation

  • Private Information encapsulated in Objects

Access Control Enforcement Point

  • Reverse proxy single sign-on

  • Federated SSO for 3rd-party service providers

  • Single-point authentication and authorization system for all user devices: mobile, handheld, phone, desktop, messaging device

  • B2B Service

  • Messaging Service

  • Proxy Services to Business Service

  • Web Service Security

  • Enterprise Service Bus

  • Gateway ESB

  • Application Invocation

  • Information Security for View generation service

  • Information security for Data Object Access Service

Protected Object Space is a Centrally Managed Database

  • Object definitions

  • Access control list policies for objects

  • Associated object policies: privacy, auditing, access time/accessor log, etc.

  • Associated authorization rule (supplied by an external or internal rules engine to the Access Manager) that asserts access to the protected object

  • Pre- or post-processing, filtration, or transformation requirements for inbound/outbound messages
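The slides refer to a web.config snippet that is not on the page and describe the protected-object space only as bullets, so the following is an added example, written for this page and not code from the presentation or from the company's systems. It parses a constructed web.config of the kind the current-state slide describes, where an allow/deny rule can only target a web directory, and then models the proposed central protected-object space: an object definition with an ACL policy, an authorization rule from a rules engine, a security assertion made before service invocation, and an audit record for every decision, including the "authenticated but unauthorized" case from the concerns list. The domain names EXTAD and CORP, the role and object names, and the web.config text are all assumptions made for the example.

```python
# Added example, not from the presentation: current-state web.config
# authorization (web directories as the only protected target) beside the
# proposed centrally managed protected-object space. Domain names EXTAD and
# CORP, roles, object names and the web.config text are all constructed.
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed web.config in the style the slides describe: Windows (AD)
# authentication, allow/deny rules scoped to web directories only.
WEB_CONFIG = """<configuration>
  <system.web><authentication mode="Windows" /></system.web>
  <location path="claims">
    <system.web><authorization>
      <allow roles="EXTAD\\Agents" /><deny users="*" />
    </authorization></system.web>
  </location>
  <location path="admin">
    <system.web><authorization>
      <allow roles="CORP\\PolicyAdmins" /><deny users="*" />
    </authorization></system.web>
  </location>
</configuration>"""


def directory_rules(config_xml):
    """Current state: {path: [(action, 'roles'|'users', [principals]), ...]}.
    The only target a rule can name is a directory, so services, database
    rows or individual policies cannot be protected at this layer."""
    rules = {}
    for loc in ET.fromstring(config_xml).findall("location"):
        entries = []
        for rule in loc.iter():
            if rule.tag in ("allow", "deny"):
                kind = "roles" if rule.get("roles") is not None else "users"
                entries.append((rule.tag, kind, rule.get(kind).split(",")))
        rules[loc.get("path")] = entries
    return rules


@dataclass(frozen=True)
class Principal:
    """Session credential created at authentication: name plus roles."""
    name: str
    roles: frozenset


@dataclass
class ProtectedObject:
    """One entry of the centrally managed protected-object space."""
    name: str
    owner: str                        # ownership relation between objects
    acl: dict                         # role -> set of permitted actions
    rule: Optional[Callable] = None   # authorization rule from a rules engine
    audited: bool = True              # associated auditing policy


class AccessManager:
    """Decision and enforcement point: default deny, every decision audited."""
    def __init__(self, objects):
        self.space = {o.name: o for o in objects}
        self.audit_log = []           # (who, object, action, outcome)

    def assert_access(self, principal, obj_name, action):
        obj = self.space.get(obj_name)
        if obj is None:               # not in the protected space: deny
            allowed = False
        else:
            acl_ok = any(action in obj.acl.get(r, ()) for r in principal.roles)
            rule_ok = obj.rule is None or obj.rule(principal, obj, action)
            allowed = acl_ok and rule_ok
        if obj is None or obj.audited:
            self.audit_log.append((principal.name, obj_name, action,
                                   "ALLOW" if allowed else "DENY"))
        return allowed

    def invoke(self, principal, obj_name, action, service):
        """Security assertion before service invocation; the service itself
        carries no authorization code."""
        if not self.assert_access(principal, obj_name, action):
            raise PermissionError(f"{principal.name} may not {action} {obj_name}")
        return service()


def own_policy_only(principal, obj, action):
    """Rule: a customer may touch only the policy they own; admins may touch any."""
    return obj.owner == principal.name or "CORP\\PolicyAdmins" in principal.roles


def build_manager():
    """Constructed protected-object space: one policy record, one web service."""
    return AccessManager([
        ProtectedObject("policy/LP-1001", owner="EXTAD\\alice",
                        acl={"Customers": {"read"},
                             "CORP\\PolicyAdmins": {"read", "update"}},
                        rule=own_policy_only),
        ProtectedObject("service/claims/submit", owner="CORP",
                        acl={"EXTAD\\Agents": {"invoke"}}),
    ])
```

The contrast to note is that `directory_rules` can only ever answer "may this role enter this directory", so two customers in the same role are indistinguishable once inside; the `AccessManager` decides per object, applies the ownership rule, and leaves an audit record whether the answer is allow or deny, which is what the roadmap asks for.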

Authentication Mechanism

The device interface for the authentication mechanism can be whatever the user's device supports (web form, interactive voice/phone, text message).

The Web Security Server uses the Access Manager user registry to create an Access Manager user credential that is used for the duration of the session.

Authentication and Federation Management

  • The Authorization Manager should be able to authenticate a user from any kind of communication device and create a session for the user irrespective of the device

  • The external authentication manager should be able to recognize the user credential when the user is redirected to the external site and create a session there, and vice versa

  • External users/applications must not be granted trust to access internal resources such as the database through any kind of adapter or web service.

ESB Functionalities

  • Routing

  • Mediation

  • Confidentiality

  • Protocol Transformation

  • Logging, Auditing, Authorization

  • Enforce Access Control

  • Flow Management

  • Throttling: queue length and number of simultaneous flows

  • Correlation of inbound flows to outbound flows

  • Proxy for virtualization and versioning

  • Notification

  • Alert

  • Activity monitoring and Aggregate Reporting via Dashboard
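An added example, written for this page and not taken from the presentation or from any ESB product, of three items in the list above: throttling by number of simultaneous flows and a bounded queue length, correlation of each outbound response to the inbound flow it answers, and the proxy that lets callers name a service while the gateway maps it to a versioned endpoint. The activity log feeds a small aggregate report of the kind a dashboard would show. Service names, the endpoint URL and the limits are assumptions.

```python
# Added example, not from the presentation: an ESB gateway that throttles by
# number of simultaneous flows and a bounded queue, correlates outbound
# responses to inbound flows, and proxies a versioned endpoint. Service names,
# endpoint URLs and limits are constructed for illustration.
from collections import deque
import itertools


class EsbGateway:
    def __init__(self, max_flows, max_queue):
        self.max_flows = max_flows        # simultaneous flows allowed
        self.max_queue = max_queue        # bounded wait queue
        self.routes = {}                  # service name -> current endpoint
        self.in_flight = {}               # correlation id -> inbound message
        self.queue = deque()
        self.log = []                     # (kind, correlation id, detail)
        self._ids = itertools.count(1)

    def route(self, service, endpoint):
        """Proxy for virtualization/versioning: callers name the service,
        the gateway decides which endpoint version currently serves it."""
        self.routes[service] = endpoint

    def submit(self, inbound):
        """Admission control. Returns (correlation_id, 'started'|'queued'|'rejected')."""
        if inbound["service"] not in self.routes:
            raise KeyError(f"no route for service {inbound['service']!r}")
        cid = f"corr-{next(self._ids)}"
        msg = dict(inbound, correlation_id=cid)
        if len(self.in_flight) < self.max_flows:
            self._start(msg)
            return cid, "started"
        if len(self.queue) < self.max_queue:
            self.queue.append(msg)
            self.log.append(("QUEUE", cid, msg["service"]))
            return cid, "queued"
        self.log.append(("REJECT", cid, msg["service"]))   # throttled
        return cid, "rejected"

    def _start(self, msg):
        self.in_flight[msg["correlation_id"]] = msg
        self.log.append(("ROUTE", msg["correlation_id"], self.routes[msg["service"]]))

    def complete(self, outbound):
        """Correlate an outbound response to its inbound flow, release the
        slot and start the next queued flow. An unknown correlation id is an
        uncorrelated (possibly replayed or forged) response and is refused."""
        cid = outbound.get("correlation_id")
        if cid not in self.in_flight:
            self.log.append(("UNCORRELATED", cid, None))
            raise ValueError(f"no in-flight flow for {cid!r}")
        inbound = self.in_flight.pop(cid)
        self.log.append(("DONE", cid, inbound["service"]))
        if self.queue:
            self._start(self.queue.popleft())
        return inbound

    def dashboard(self):
        """Aggregate counts per log kind plus current load, for monitoring."""
        counts = {}
        for kind, _, _ in self.log:
            counts[kind] = counts.get(kind, 0) + 1
        return dict(counts, in_flight=len(self.in_flight), queued=len(self.queue))
```

Rejecting at admission rather than after a flow has started is the point of the queue-length limit: a burst against one service cannot consume every slot and starve the others, and the rejection is visible in the log instead of surfacing as a timeout downstream.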

Transitioning: Present to Future [Concern: Data Synchronization During Transition]

  • The reverse proxy server should act as a gateway to both the old and the new implementation, transparently to every user.

  • The operational data store must remain in sync during the transition; an active-active data sharing/replication bridge should be in place.

  • All DB access for the new implementation may be channeled through the ESB so that data replication from new to old can be incorporated easily and securely

High Availability, Zero Downtime

  • Physical replication of the total infrastructure (active-passive failover)

  • RAID: replication of storage

  • Cloud space and grid storage: virtual storage, internet-hosted applications

  • Web clusters

  • Replication of critical databases and directories/registries

  • Queue clusters

  • Endpoint virtualization, versioning and governance using a registry and repository

QUESTIONS?