Data encryption & security. An overview

Similar documents
Identity Management Basics

Coding with Identity Management & Security

ArcGIS Enterprise Security: An Introduction. Randall Williams Esri PSIRT

ArcGIS Enterprise Security: An Introduction. Gregory Ponto & Jeff Smith

Enhancing cloud applications by using external authentication services. 2015, 2016 IBM Corporation

European General Data Protection Regulation is active in 2018! How to master the challenge of Data Protection and Security?

SQL Server Security. Marek

European General Data Protection Regulation is looming in 2018! How to master the challenge of Data Protection and Security?

Securing ArcGIS Services

Oracle Database 11g: Security Release 2

Warm Up to Identity Protocol Soup

Oracle Database 11g: Security Release 2

INFO-H-415 Project Overview- Security Database and SQL Server

Salesforce1 Mobile Security White Paper. Revised: April 2014

Hong Kong Access Federation (HKAF) Identity Management Practice Statement (IMPS)

Liferay Security Features Overview. How Liferay Approaches Security

ArcGIS Server and Portal for ArcGIS An Introduction to Security

MultiTenancy - An Overview For Techies

Security+ SY0-501 Study Guide Table of Contents

AN IPSWITCH WHITEPAPER. The Definitive Guide to Secure FTP

Unified Security Platform. Security Center 5.4 Hardening Guide Version: 1.0. Innovative Solutions

SECURITY DOCUMENT. 550archi

SAML-Based SSO Solution

How to Configure Authentication and Access Control (AAA)

PGP Whole Disk Encryption Training

Rick Redman, Title, KoreLogic Governance, Risk & Compliance G24

Using the MyProxy Online Credential Repository

SAP Single Sign-On 2.0 Overview Presentation

TECHNOLOGY: Security Encrypting Tablespaces

MySQL Enterprise Security

Security in Bomgar Remote Support

Radius, LDAP, Radius used in Authenticating Users

BEYOND AUTHENTICATION IDENTITY AND ACCESS MANAGEMENT FOR THE MODERN ENTERPRISE

Are You Sure Your AWS Cloud Is Secure? Alan Williamson Solution Architect at TriNimbus

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 7 Access Control Fundamentals

maxecurity Product Suite

OPENEDGE APPLICATIONS IN A PCI-DSS ENVIRONMENT PROGRESS. Progress OpenEdge. Michael Jacobs PROGRESS PERSPECTIVE.

Canadian Access Federation: Trust Assertion Document (TAD)

Jérôme Kerviel. Dang Thanh Binh

Protect Your Application with Secure Coding Practices. Barrie Dempster & Jason Foy JAM306 February 6, 2013

VMware Horizon Workspace Security Features WHITE PAPER

1.264 Lecture 27. Security protocols Symmetric cryptography. Next class: Anderson chapter 10. Exercise due after class

Operating systems and security - Overview

Operating systems and security - Overview

Recommendations for Device Provisioning Security

SECURITY STORY WE NEVER SEE, TOUCH NOR HOLD YOUR DATA

Ekran System v.6.0 Privileged User Accounts and Sessions (PASM)

Single Sign-On Showdown

SAML-Based SSO Solution

Securing ArcGIS Server Services An Introduction

Radius, LDAP, Radius, Kerberos used in Authenticating Users

Securing MQTT. #javaland

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

User Authentication Principles and Methods

Software Vulnerability Assessment & Secure Storage

U.S. E-Authentication Interoperability Lab Engineer

Key Drivers for Data Security

SAP HANA Operation Expert Summit BUILD User Management & Security Overview Andrea Kristen/SAP HANA Product Management May 2014.

Security context. Technology. Solution highlights

GLOBALPROTECT. Key Usage Scenarios and Benefits. Remote Access VPN Provides secure access to internal and cloud-based business applications

Who s Protecting Your Keys? August 2018

Choosing the level that works for you!

Managing External Identity Sources

Authentication and Password CS166 Introduction to Computer Security 2/11/18 CS166 1

How Secured2 Uses Beyond Encryption Security to Protect Your Data

Security in the Privileged Remote Access Appliance

WHITE PAPER. Authentication and Encryption Design

A problem well stated is a problem half-solved. -Charles Kettering The other half of the problem is the VPN Connection...

Creating Trust in a Highly Mobile World

Protecting Information Assets - Week 10 - Identity Management and Access Control. MIS 5206 Protecting Information Assets

Implementing security from the inside out in a PeopleSoft environment System hardening with reference to the additional concern for insider threat

MU2b Authentication, Authorization and Accounting Questions Set 2

Canadian Access Federation: Trust Assertion Document (TAD)

Poor PAM processes and policies leave the crown jewels susceptible to security breaches Global Survey of IT Security Professionals

Password Standard Version 2.0 October 2006

IT Service Delivery and Support Week Three. IT Auditing and Cyber Security Fall 2016 Instructor: Liang Yao

Security Specification

Combating Common Web App Authentication Threats

Tableau Server Security in Depth

Version Installation Guide. 1 Bocada Installation Guide

Traverse Intelligent Tracking by PCS. Installation Guide for Traverse.

Lotus Domino Security NSL, Web SSO, Notes ID vault. Collin Murray Program Director, Lotus Domino Product Management

HikCentral V.1.1.x for Windows Hardening Guide

ArcGIS Enterprise Security: Advanced. Gregory Ponto & Jeff Smith

SECURING AWS ACCESS WITH MODERN IDENTITY SOLUTIONS

Software Security and Exploitation

Data Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle

User Guide. Admin Guide. r

Office 365 and Azure Active Directory Identities In-depth

HikCentral V1.3 for Windows Hardening Guide

Advanced Security Measures for Clients and Servers

DELL EMC DATA DOMAIN ENCRYPTION

Canadian Access Federation: Trust Assertion Document (TAD)

INCREASE APPLICATION SECURITY FOR PCI DSS VERSION 3.1 SUCCESS AKAMAI SOLUTIONS BRIEF INCREASE APPLICATION SECURITY FOR PCI DSS VERSION 3.

Simple Security for Startups. Mark Bate, AWS Solutions Architect

Integrating Password Management with Enterprise Single Sign-On

Authentication in Cloud Application: Claims-Based Identity Model

SWAMID Identity Assurance Level 2 Profile

IBM Secure Proxy. Advanced edge security for your multienterprise. Secure your network at the edge. Highlights

Disk Encryption Buyers Guide

Transcription:

Data encryption & security An overview

Agenda Make sure the data cannot be accessed without permission Physical security Network security Data security Give (some) people (some) access for some time Authentication vs. authorization Tokens, client principals and all that jazz (You should) Lather, Rinse, Repeat 3

Why Security? The need to provide security for data continues to increase Affects many market segments Finance Retail Healthcare and more Governments have enacted legislation to enforce compliance of data Protecting intellectual property (i.e. your application code) Mobile computing greatly increases security risks Laptops with sensitive data Mobile devices (phones and tablets) with passwords stored on them 4

Broadly speaking Security is 90% process and 10% technology Technology alone never made data secure Securing the data starts with the application & framework developers (secure the weakest link first) Never write data security into application code unless you have been explicitly trained to do so Choose proven (i.e. undergone formal security reviews and run-time stress) security products and frameworks for your application's critical security processes like authentication(authn), authorisation (AuthZ), auditing 5

ABL Apply defense in depth Physical Security Operating System Network AppServer Activate Procedure Service Interface Business Logic AVM Doors, locks, guards Login, ACL, SELinux Firewalls, SSH/TLS PASOE/ Spring ; SESSION:EXPORT Class/procedure names Procedure, method names Roles Multi-tenancy CAN-* Connection roles 6

First, lock the doors Physical Security Limit access to your building Discourage tailgating Second level security on your Server Room Process Security Security Policies Monitoring tools Secure installations (protect code and db) User Security Lock, timeout/lock unattended machines Control expired user accounts and files System Security Don t forget O/S security! 7

Network Security HTTPS For web communication SSL / TLS For web communication from client to AppServer Performance latency? Using HTTPS/SSL will cause performance degradation Only encrypt information that is sensitive Use different AppServers w/ssl for sensitive data More and more sites are SSL-only; more admins recommend it https://letsencrypt.org/ https://www.eff.org/https-everywhere 9

Network Security HTTPS SSL SSL Browser / mobile client SSL OpenEdge / OpenClient (APSV and/or AIA) 10

Transparent Data Encryption Option for Enterprise Database: At-Rest Data Encryption Data secure on-disk, backup, and binary dump Data is unencrypted In-Memory = (up to) normal speed Secure Key Store and Key Management Change keys on-line Policies control use of utilities Industry standard encryptions AES, DES, triple DES, etc. Encrypt on the fly As data changes or as online process No application changes for TDE We always try to improve our performance and get things to run faster. We tested a fully encrypted database and there was only a 4% decrease in performance versus an unencrypted database. We tested that with alternative data pools, we actually gained back almost 2% of that initial performance degradation. We believe with additional fine tuning the performance will continue to improve. FiServ 11

Securing your data: OpenEdge Database Encryptable Objects Type I Database Storage Area Entire area encrypted Type II Database Storage Area Object-level encryption Tables Indexes LOBs Table Index Index Index LOB Table LOB Table LOB Index LOB Table LOB Table Index 12

Database Key Store Independent and secure entity Not part of the database One for each encrypted database Managed by the DB Administrator (a separate and distinct role) Stores DB master key (DMK) Each TDE-enabled database has one unique DMK- required to connect to the DB (via a passphrase) Only one database is accessible if the DMK is compromised Each DB object has one or more unique virtual data encryption keys Generated by the key store service based on the DMK- no DBA action required If key is cracked, intruder only has access to that one database object Ability to change keys online 13

How Does It Work? Database Storage Engine Shared Memory Buffer Pool (plain text block) Key Store & Encrypted Data Database Files Key Store Database Master Key (DMK) DMK Admin/User Passphrase Manual/Automatic Authentication on DB start Encryption Policy Area Policy Area Encryption Policies - What (object) & how (cipher) 14

How Does It Work? Database Storage Engine Key Store Encrypted Data Shared Memory Buffer Pool (plain text block) Decrypt & Database Files Key Store Database Master Key (DMK) DMK Admin/User Passphrase Manual/Automatic Authentication on DB start Encryption Policy Area Policy Area Read I/O Encryption Policies - What (object) & how (cipher) 15

How Does It Work? Database Storage Engine Key Store Write I/O Encrypted Data Shared Memory Buffer Pool (plain text block) Decrypt & Encrypt Database Files Key Store Database Master Key (DMK) DMK Admin/User Passphrase Manual/Automatic Authentication on DB start Encryption Policy Area Policy Area Read I/O Encryption Policies - What (object) & how (cipher) 16

Now it's secured, how to we get access? Standard claims- and role-based authentication and authorization Controlling and verifying who accesses your data Authentication Controlling what they can do with your data Authorisation Reviewing what they did with your data Auditing Maintaining information about your users Administration 17

Implementation details Token-based Issues by OE based on claims made by user and/or client ABL CLIENT-PRINCIPAL Pluggable PAM-based architecture OpenEdge runtime since ~10.0A Spring-based since ~11.2 (Mobile/REST) Centered around domains A group of users with a common set of Roles and responsibilities Level of security Data access privileges 18

What is a Security Token? A transportable block of data that can be used as proof of user identity by any systems or applications that have a trust relationship with the originator of the security token Exists for same reason passports do: so that a gatekeeper doesn t have to ask you for everything every time you want to pass Enables Single Sign On (SSO) Authenticate once and allow access many times across (ABL) processes Secure, time sensitive and data-integrity protected 19

Authentication flows between client, STS and AppServer Client PAS/OE Security Token Service (Spring Security) LoginUser() LogoutUser() ValidateUser() Domain Services (ABL) security-policy:set-client( ) CustomerSvc:ReadAllCustomers( ) Single Point Auth ValidateUser() ValidatePassword() GetAttributes() 20

Authentication flows between client, STS and AppServer Client GET /customers PAS/OE Security Token Service (Spring Security) LoginUser() LogoutUser() ValidateUser() Domain Services (ABL) security-policy:set-client( ) CustomerSvc:ReadAllCustomers( ) Single Point Auth ValidateUser() ValidatePassword() GetAttributes() 21

Authentication flows between client, STS and AppServer Client GET /customers Authorization: mary/letmein PAS/OE Security Token Service (Spring Security) LoginUser() LogoutUser() ValidateUser() Domain Services (ABL) security-policy:set-client( ) CustomerSvc:ReadAllCustomers( ) Single Point Auth ValidateUser() ValidatePassword() GetAttributes() 22

Authentication flows between client, STS and AppServer Client GET /customers Authorization: mary/letmein PAS/OE Security Token Service LoginUser() LogoutUser() ValidateUser() Domain Services security-policy:set-client( ) CustomerSvc:ReadAllCustomers( ) Single Point Auth ValidateUser() ValidatePassword() GetAttributes() 23

Authentication flows between client, STS and AppServer Client GET /customers Authorization: mary/letmein PAS/OE Security Token Service LoginUser() LogoutUser() ValidateUser() Domain Services (ABL) security-policy:set-client( ) CustomerSvc:ReadAllCustomers( ) Single Point Auth ValidateUser() ValidatePassword() GetAttributes() 24

Authentication flows between client, STS and AppServer Client GET /customers Authorization: mary/letmein PAS/OE Security Token Service LoginUser() LogoutUser() ValidateUser() Domain Services security-policy:set-client( ) CustomerSvc:ReadAllCustomers( ) Single Point Auth ValidateUser() ValidatePassword() GetAttributes() 25

Flow of CLIENT-PRINCIPAL through an application Domain Services security-policy:set-client( ) CustomerSvc:ReadAllCustomers( ) STS passes credentials into AVM using CURRENT-REQUEST-INFO CLIENT-PRINCIPAL available in activation event procedure Credentials can be asserted on session or per-database SECURITY-POLICY:SET-CLIENT(<client-principal>) SET-DB-CLIENT(<client-principal>, <database>) Token is validated against an existing domain Domain name & access code must match for successful authentication 26

Application Authentication Some 3 rd party authentication recommendations LDAP Active Directories Kerberos Multi-Factor Authentication Require complex passwords! ABL Client-Principal Current and future OpenEdge products rely on Client-Principal (multi-tenancy, auditing) A cryptographically sealed security token Container for authenticated credentials user, password, domain info, etc. Once sealed the client-principal is read-only Can be used by all ABL application components ABL Session, DB connection 27

A getting-started list if you want to secure OE data pathways: Never use Client-Server database connections - always run through an appserver on the same server as db Always use a strong source of user logins (LDAP, AD, OS,... ) Always configure DBA, Security Admin Always configure SQL & ABL privileges Use OE Domains and disable the default Use TDE Enable Auditing HTTPS / TLS (this may sting a little) Block ABL from known non-secure things like OS-COMMAND, OUTPUT-THROUGH,... Never run any OE binary as a privileged account Don't allow OEM remote jobs Reconfigure OEM's authentication to something real Never allow PDSOE access to your production environment Put application developers on own sub-net and don't let them out 28

Summary Identity management is a process that helps protect your business data Strength in depth OpenEdge provides components of identity management CLIENT-PRINCIPAL Multi-tenancy, Domains & Authentication Systems Run with least privilege Use Domains and Roles to keep privileges tight Reset to lower privileges when done Configuration > Code Code is the weakest link Think of security as a continuous improvement project Keep informed of the latest security tools and threats Progress will continue to give you tools to help secure your Application and valuable data 29

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback