Post on 12-Jun-2015
Technical Insight: Costpoint 7 Advanced Security
Dmitri Tyles, Director of Java EE Framework Development, Deltek (session GC-49)
2 Copyright © 2012 Deltek, Inc.
Agenda
Authentication
  Authentication use cases
  Seven user-level authentication options
  Authentication for web services
Authorization
  User and user group rights
  Module and application level security
  Result set level security
  Process and report level security
  Reporting archive security
Key Takeaways
Understanding the authentication and authorization methods available in Deltek Costpoint Web
Authentication
Supported Security Use Cases
In-house users: members of the corporate Active Directory; always logged in to the corporate LAN
Consultants: members of the corporate Active Directory; may or may not be logged in to the corporate LAN
Remote office users: not registered in a corporate Active Directory; not logged in to a corporate LAN
User-Level Authentication Options
1. Costpoint Database
2. Active Directory
3. Single Sign-On
4. Single Sign-On or Active Directory
5. Windows Domain and Active Directory
6. Windows Domain and Costpoint Database
7. Certificate Single Sign-On
User-Level Authentication Options: Costpoint Database
Technical implementation
  User ID and password are stored in the Costpoint database; Oracle or SQL Server database user accounts are not used
  Password is stored in hashed form (SHA-1) with the user ID used as the salt
  A challenge-response algorithm with a server-side generated nonce is used for authentication
  User credentials combined with the nonce are passed from the client in encrypted form (AES)
User perspective
  A user must enter user ID and password on the login screen
  This method can be used for all three security use cases
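The following is an added example, not Deltek code, modelling the Costpoint Database scheme the slide describes: the password is stored as a SHA-1 hash salted with the user ID, the server hands out a one-time nonce, and the client proves knowledge of the credential without ever sending the password. The concatenation order inside the hash, the HMAC used to bind the hash to the nonce, the nonce lifetime and all user names and passwords are assumptions; the AES wrapping of the client message is omitted. Two properties worth noticing are implemented explicitly: the nonce is consumed on first use so a captured response cannot be replayed, and because the user ID is a predictable salt and SHA-1 is fast, a stolen hash table is cheap to crack offline.

```python
import hashlib
import hmac
import secrets
import time


def store_password(user_id: str, password: str) -> str:
    # Server-side record: SHA-1 over the user ID (acting as salt) and the
    # password.  The "user_id:password" concatenation order is assumed.
    # SHA-1 is fast and the user ID is predictable, so offline guessing
    # against a stolen table is cheap; this mirrors the slide, not current
    # best practice.
    return hashlib.sha1(f"{user_id}:{password}".encode()).hexdigest()


def bind_to_nonce(stored_hash: str, nonce: str) -> str:
    # Response = HMAC-SHA1(key=stored hash, msg=nonce).  Construction assumed;
    # only this nonce-bound value travels, never the password.
    return hmac.new(stored_hash.encode(), nonce.encode(), hashlib.sha1).hexdigest()


class AuthServer:
    def __init__(self, nonce_ttl_seconds: float = 60.0):
        self.users = {}      # user_id -> stored hash
        self.pending = {}    # user_id -> (nonce, issued_at); one outstanding nonce per user
        self.ttl = nonce_ttl_seconds

    def add_user(self, user_id: str, password: str) -> None:
        self.users[user_id] = store_password(user_id, password)

    def challenge(self, user_id: str) -> str:
        # Fresh random nonce per login attempt.  Issued even for unknown
        # users so the challenge step does not reveal whether the ID exists.
        nonce = secrets.token_hex(16)
        self.pending[user_id] = (nonce, time.monotonic())
        return nonce

    def verify(self, user_id: str, nonce: str, response: str) -> bool:
        # The nonce is consumed on first use, success or failure, so a
        # captured response cannot be replayed and a stale one is rejected.
        record = self.pending.pop(user_id, None)
        stored = self.users.get(user_id)
        if record is None or stored is None:
            return False
        issued_nonce, issued_at = record
        if nonce != issued_nonce or time.monotonic() - issued_at > self.ttl:
            return False
        return hmac.compare_digest(bind_to_nonce(stored, nonce), response)


def client_response(user_id: str, password: str, nonce: str) -> str:
    # The client recomputes the stored hash from what the user typed and
    # binds it to the server's nonce; the plaintext never leaves the client.
    return bind_to_nonce(store_password(user_id, password), nonce)


def login(server: AuthServer, user_id: str, password: str) -> bool:
    # One full round trip: challenge, respond, verify.
    nonce = server.challenge(user_id)
    return server.verify(user_id, nonce, client_response(user_id, password, nonce))
```

A consequence of this construction that the deployment team should keep in mind: the stored hash is itself sufficient to produce a valid response, so a copy of the hash table is a password-equivalent and must be protected as such, independently of whether the hashes can be cracked.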
User-Level Authentication Options: Active Directory
Technical implementation
  User ID is stored in both Active Directory and the Costpoint database
  Costpoint user ID can be mapped to a different Active Directory user ID
  Password is stored only in Active Directory
User perspective
  A user must enter user ID and password on the logon screen
  Either the Costpoint or the Active Directory user ID can be used to log on to Costpoint
  This method can be used for either the "in-house users" or the "consultants" use case
Note: Costpoint 7 makes the setup of this option easier and also improves performance when authenticating a user against large and/or multi-domain Active Directory configurations
For more information, please attend GC-52: Technical Insight: Costpoint 7.0 Configuration
User-Level Authentication Options: Single Sign-On
Technical implementation
  User ID is stored in both Active Directory and the Costpoint database
  Costpoint user ID can be mapped to a different Active Directory user ID
  Password is stored only in Active Directory
User perspective
  A user does not enter user ID and password on the logon screen
  This method can be used only for the "in-house users" use case
User-Level Authentication Options: Single Sign-On or Active Directory
Technical implementation
  User ID is stored in both Active Directory and the Costpoint database
  Costpoint user ID can be mapped to a different Active Directory user ID
  Password is stored only in Active Directory
User perspective
  A user is allowed to log on using either the Active Directory or the Single Sign-On method
  The Single Sign-On method requires the user to be logged on to the LAN
  This method is intended for the "consultants" use case
  Users can still log on using the Active Directory method while traveling or at a customer site
User-Level Authentication Options: Windows Domain and Active Directory
Technical implementation
  User ID is stored in both Active Directory and the Costpoint database
  Costpoint user ID can be mapped to a different Active Directory user ID
  Password is stored only in Active Directory
User perspective
  The following two conditions must be met for a successful logon:
    A user must enter user ID and password on the logon screen
    A user must be logged on to the LAN
  This method can be used only for the "in-house users" use case
User-Level Authentication Options: Windows Domain and Costpoint Database
Technical implementation
  User ID and password are stored in the Costpoint database
  The same rules for password storage and transmission apply as for the Costpoint Database authentication method
User perspective
  The following two conditions must be met for a successful logon:
    A user must enter user ID and password on the logon screen
    A user must be logged on to the LAN
  This method can be used only for the "in-house users" use case
User-Level Authentication Options: Certificate Single Sign-On
Technical implementation
  User ID and certificate ID are stored in the Costpoint database
  Certificate user ID may be different from the Costpoint user ID
  Upon establishing a two-way SSL connection, the Costpoint user ID is determined through the certificate user ID
User perspective
  A user does not enter user ID and password on the logon screen
  A user must have a certificate installed in the browser
  This method can be used for all three security use cases
Authentication for Web Services
  Implementation is based on the Username Token and SAML profiles from the WS-Security specification
  Each Costpoint user account must be explicitly enabled to be used with web services
  Use of SSL with web services
    Design-time option in the Integration Console
    We recommend SSL except for testing
  A hot fix was released to add support for AD authentication for web services
Detailed information on this topic can be found in session GC-50: Extending Costpoint: Web Services Integration
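As an added example (not Deltek's client or server code), the block below builds and verifies the WS-Security UsernameToken header that the slide's first profile refers to, in the digest form defined by the OASIS UsernameToken Profile 1.0: PasswordDigest = Base64(SHA-1(nonce + created + password)). The slide does not say whether Costpoint accepts the digest form or only the text form, so the digest choice, the rejection of PasswordText on the server side, the clock-skew window, the nonce cache and the service account name are assumptions. The namespace URIs are the standard OASIS ones.

```python
import base64
import datetime
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
               "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
B64_ENCODING = ("http://docs.oasis-open.org/wss/2004/01/"
                "oasis-200401-wss-soap-message-security-1.0#Base64Binary")
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"

ET.register_namespace("wsse", WSSE)
ET.register_namespace("wsu", WSU)


def password_digest(nonce: bytes, created: str, password: str) -> str:
    # Profile definition: Base64(SHA-1(nonce + created + password)), nonce as raw bytes.
    return base64.b64encode(
        hashlib.sha1(nonce + created.encode() + password.encode()).digest()).decode()


def parse_ts(value: str) -> datetime.datetime:
    return datetime.datetime.strptime(value, TS_FORMAT).replace(tzinfo=datetime.timezone.utc)


def username_token(username, password, nonce=None, created=None):
    # Client side: build the <wsse:Security> header carrying a digest UsernameToken.
    nonce = nonce if nonce is not None else os.urandom(16)
    created = created or datetime.datetime.now(datetime.timezone.utc).strftime(TS_FORMAT)
    security = ET.Element(f"{{{WSSE}}}Security")
    token = ET.SubElement(security, f"{{{WSSE}}}UsernameToken")
    ET.SubElement(token, f"{{{WSSE}}}Username").text = username
    pw = ET.SubElement(token, f"{{{WSSE}}}Password", {"Type": DIGEST_TYPE})
    pw.text = password_digest(nonce, created, password)
    n = ET.SubElement(token, f"{{{WSSE}}}Nonce", {"EncodingType": B64_ENCODING})
    n.text = base64.b64encode(nonce).decode()
    ET.SubElement(token, f"{{{WSU}}}Created").text = created
    return security


def to_xml(element) -> str:
    return ET.tostring(element, encoding="unicode")


def verify_username_token(security, lookup_password, now_iso,
                          max_skew_seconds=300, seen_nonces=None):
    # Server side.  The digest form requires the verifier to hold the cleartext
    # password (lookup_password returns it, or None for unknown users).
    # Freshness of Created plus a caller-kept nonce cache (a set) block replay.
    token = security.find(f"{{{WSSE}}}UsernameToken")
    if token is None:
        return False
    username = token.findtext(f"{{{WSSE}}}Username")
    pw = token.find(f"{{{WSSE}}}Password")
    nonce_b64 = token.findtext(f"{{{WSSE}}}Nonce")
    created = token.findtext(f"{{{WSU}}}Created")
    if username is None or pw is None or nonce_b64 is None or created is None:
        return False
    if pw.get("Type") != DIGEST_TYPE:
        return False  # PasswordText would carry the password in clear; refused here (assumed policy)
    password = lookup_password(username)
    if password is None:
        return False
    if abs((parse_ts(now_iso) - parse_ts(created)).total_seconds()) > max_skew_seconds:
        return False
    nonce = base64.b64decode(nonce_b64)
    if seen_nonces is not None:
        if nonce in seen_nonces:
            return False
        seen_nonces.add(nonce)
    return hmac.compare_digest(password_digest(nonce, created, password), pw.text or "")
```

The digest form keeps the password off the wire, but it does not replace SSL: the header is unsigned, so the SOAP body it accompanies can still be altered in transit, and the verifier needs the cleartext password, which is one reason the slide's "we recommend SSL except for testing" applies to both token profiles.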
Login and Password Control Policies
Password complexity (corporate settings)
  Minimum length / require number / special character / mixed case
  Password "black list": user ID, employee ID, the word "password", etc.
Password aging/control
  Password life (corporate)
  Disable inactive users period (corporate)
  Deactivation date (user)
  Last login date (user)
  Force password change (user)
  Re-use of passwords (company)
Account locking after N unsuccessful attempts
  WebLogic feature: the account is locked for X minutes after N unsuccessful attempts within Y minutes (configuration console)
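The following is an added example, not Costpoint or WebLogic code, of the two controls on this slide that are easy to get subtly wrong: the complexity and black-list check, and the sliding-window lockout ("X minutes after N failures within Y minutes"). The rule thresholds, the substring semantics of the black list, the history fingerprint and the sample user IDs are assumptions. Time is passed in explicitly, in minutes, so the window arithmetic can be checked deterministically.

```python
import hashlib
from collections import deque


def password_fingerprint(user_id: str, password: str) -> str:
    # Used only for the re-use history below; SHA-256 chosen for the example.
    return hashlib.sha256(f"{user_id}:{password}".encode()).hexdigest()


class PasswordPolicy:
    def __init__(self, min_length=8, require_digit=True, require_special=True,
                 require_mixed_case=True, history_size=5):
        self.min_length = min_length
        self.require_digit = require_digit
        self.require_special = require_special
        self.require_mixed_case = require_mixed_case
        self.history_size = history_size

    def check(self, password, user_id, employee_id, history=()):
        # Returns the list of violated rules; empty means acceptable.
        # Black-list entries are matched as case-insensitive substrings
        # (assumed semantics); the first hit is reported.
        problems = []
        if len(password) < self.min_length:
            problems.append("too_short")
        if self.require_digit and not any(c.isdigit() for c in password):
            problems.append("no_digit")
        if self.require_special and not any(
                not c.isalnum() and not c.isspace() for c in password):
            problems.append("no_special")
        if self.require_mixed_case and not (any(c.isupper() for c in password)
                                            and any(c.islower() for c in password)):
            problems.append("no_mixed_case")
        lowered = password.lower()
        for banned in (user_id, employee_id, "password"):
            if banned and banned.lower() in lowered:
                problems.append(f"contains_{banned.lower()}")
                break
        if password_fingerprint(user_id, password) in list(history)[-self.history_size:]:
            problems.append("reused")
        return problems


class LockoutTracker:
    # Lock for lock_minutes after max_attempts failures within window_minutes.
    def __init__(self, max_attempts=5, window_minutes=10.0, lock_minutes=30.0):
        self.max_attempts = max_attempts
        self.window = window_minutes
        self.lock = lock_minutes
        self.failures = {}      # user_id -> deque of failure times still inside the window
        self.locked_until = {}  # user_id -> time the lock expires

    def is_locked(self, user_id, now):
        return self.locked_until.get(user_id, float("-inf")) > now

    def record_failure(self, user_id, now):
        # Returns True when this failure trips the lock.  Failures older than
        # the window are dropped first, so slow guessing never accumulates.
        window = self.failures.setdefault(user_id, deque())
        window.append(now)
        while window and now - window[0] > self.window:
            window.popleft()
        if len(window) >= self.max_attempts:
            self.locked_until[user_id] = now + self.lock
            window.clear()
            return True
        return False

    def record_success(self, user_id):
        self.failures.pop(user_id, None)
```

One practical point the tracker makes visible: a lockout keyed on the user ID alone is also a denial-of-service lever against a known account, so production deployments usually pair it with rate limiting by source and with alerting rather than relying on the lock by itself.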
Authorization
User and User Group Rights
  A user may belong to more than one user group
  Though there is one corporate list of users and user groups, a user may belong to a user group in selected companies or in all companies
  User and user group rights are cumulative: they are combined at run-time to determine the effective user rights for a selected company
Module and Application Level Security
  Full, Read-Only, and Deny rights
  User and user group rights are combined according to two rules:
    Deny always takes precedence
    Full and Read-Only rights are cumulative
  User rights do not act as overwrite rights for user group rights
  Application rights overwrite module rights
  Module and application rights for users and user groups can be granted at a company level or for all companies
Result Set Level Security
  Costpoint Web has a more granular security model than client/server
  Access to each result set (screen/table) inside an application can be controlled separately
  Result set level rights overwrite module and application rights
  In the absence of explicit result set level rights, module/application level rights are used to determine result set rights
  Select/Insert/Update/Delete rights can be turned on and off for each result set
  Result set rights for users and user groups can be granted at a company level or for all companies
Process and Report Level Security
  Costpoint Web has a more granular security model than client/server
  Access to each process or report inside an application can be controlled separately
  In the absence of process or report level rights, result set level rights are used to determine whether a user can execute a process or report
  Deny/Execute rights can be turned on or off for each process or report
  Process or report rights for users and user groups can be granted at a company level or for all companies
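The three slides above (module/application, result set, process/report) describe one resolution procedure, so here is a single added example, not Deltek code, that carries a set of grants through it: Deny wins over Full and Read-Only, Full and Read-Only accumulate across the user and all of the user's groups, application rights override module rights, explicit result set rights override both and are otherwise derived from them, and process/report rights fall back to the result set. The grant representation, the company scoping with "*" for all companies, the derived CRUD mapping (Full gives all four flags, Read-Only gives Select only), the cumulative OR of explicit result set flags across principals, and "Select on the result set implies Execute" for the fallback are assumptions, as are the module, application, group and user names.

```python
FULL, READ_ONLY, DENY = "Full", "Read-Only", "Deny"
EXECUTE = "Execute"
ALL_COMPANIES = "*"
CRUD = ("select", "insert", "update", "delete")


class RightsStore:
    # Each grant: (principal, company or "*", level, target, right).  For the
    # "result_set" level the right is a dict of CRUD flags; elsewhere a string.
    def __init__(self):
        self.grants = []

    def grant(self, principal, company, level, target, right):
        self.grants.append((principal, company, level, target, right))

    def lookup(self, principals, company, level, target):
        # All rights granted to any of the principals for this target, either
        # in the selected company or for all companies.
        return [r for p, c, lvl, t, r in self.grants
                if p in principals and c in (company, ALL_COMPANIES)
                and lvl == level and t == target]


def combine_access(rights):
    # Slide rules: Deny always takes precedence; Full and Read-Only accumulate.
    # User rights are combined with group rights, never layered over them.
    if not rights:
        return None
    if DENY in rights:
        return DENY
    return FULL if FULL in rights else READ_ONLY


def derived_crud(access):
    # Assumed mapping from a module/application right to result set flags.
    if access == FULL:
        return dict.fromkeys(CRUD, True)
    if access == READ_ONLY:
        return {"select": True, "insert": False, "update": False, "delete": False}
    return dict.fromkeys(CRUD, False)  # Deny or no grant at all


def effective_rights(store, user, groups, company, module, app, result_set, process=None):
    principals = {user, *groups}
    module_access = combine_access(store.lookup(principals, company, "module", module))
    app_access = combine_access(store.lookup(principals, company, "application", app))
    access = app_access if app_access is not None else module_access  # app overrides module

    rs_grants = store.lookup(principals, company, "result_set", result_set)
    if rs_grants:
        # Explicit result set rights override module/application rights;
        # flags across principals are OR-ed (cumulative, assumed).
        crud = {op: any(g.get(op, False) for g in rs_grants) for op in CRUD}
    else:
        crud = derived_crud(access)

    result = {"access": access, "result_set": crud}
    if process is not None:
        proc = store.lookup(principals, company, "process", process)
        if proc:
            result["execute"] = DENY not in proc and EXECUTE in proc
        else:
            result["execute"] = crud["select"]  # fallback to the result set (assumed: Select)
    return result
```

When auditing a real configuration the useful check is the same one the function performs: resolve the rights per company, because a Deny granted in one company does not follow the user into another, and a company-scoped Deny on an application is overridden by an explicit result set grant that was made "for all companies".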
Reporting Archive Security
  Can control who can view or manage archived reports
  Access rights for archived reports can be managed at the following levels:
    Report group: a user-defined collection of reports (such as Post Bills and Print Bills)
    Single report type: all archived reports for Print Bills
    Single archived report: a specific instance of an archived report (such as a Print Bills report printed by user Joe on 01/10/2009)
  Organizational security and labor suppression are analyzed to determine whether a user can view an archived report
Application Vulnerability Assessment (AVA)
  Performed by Cybertrust for Costpoint 5.x, 6.x, and 7.0
  No major security issues discovered
  Uniform application development methodology enforced by a common metadata-driven framework
    Not necessary to review every single application to assess vulnerabilities of the product
  Ongoing relationship with Verizon/Cybertrust
  Plan to do AVAs for each major release
Segregation of Duties (SOD)
  Added in 6.0
  Clients define the list of conflicting rights based on their policies
  Configuration options:
    Enforce SOD rules by preventing a user from having conflicting privileges, or
    Report on SOD violations without limiting user privileges
  SOD analysis covers both C/S and Web user rights
  Get more details and try it out at the Costpoint demo stands
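As an added example, not Deltek code, the block below shows the two configuration options on this slide applied to a client-defined conflict list: in enforce mode a grant that would create a conflicting pair is refused, in report mode it is applied and the violation is logged. The right identifiers, the conflict pairs and the mode names are assumptions; the input is the set of a user's effective rights, whether they come from C/S or Web, which is what makes the analysis cover both.

```python
# Client-defined conflicting right pairs (constructed sample; real policies
# come from the client's own SOD matrix).
CONFLICTS = [
    ("AP.Vouchers:Full", "AP.Payments:Full"),        # enter a voucher and pay it
    ("GL.JournalEntry:Full", "GL.Posting:Execute"),  # book an entry and post it
]


def sod_violations(rights, conflicts=CONFLICTS):
    # rights: the set of one user's effective right identifiers, C/S and Web alike.
    return [pair for pair in conflicts if pair[0] in rights and pair[1] in rights]


def grant_right(rights, new_right, mode, conflicts=CONFLICTS, report=None):
    # mode "enforce": refuse a grant that would introduce a conflict.
    # mode "report": apply it, but append the new violation(s) to report.
    # Returns (rights after the call, violations introduced by this grant).
    candidate = set(rights) | {new_right}
    introduced = [p for p in sod_violations(candidate, conflicts) if new_right in p]
    if introduced and mode == "enforce":
        return set(rights), introduced
    if introduced and report is not None:
        report.extend(introduced)
    return candidate, introduced
```

Report mode is the usual first step when SOD is switched on for an existing installation: running sod_violations over every user's resolved rights shows how many accounts already conflict before enforce mode starts blocking administrators.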
Conclusion
  Costpoint 7 offers seven user-level authentication options
  Two Single Sign-On options are supported
  Costpoint 7 offers fine-grained screen component/function authorization policies
Questions and Answers
Learn More
  See Deltek Costpoint in the Solutions Pavilion
  Attend additional sessions on Deltek Costpoint for more in-depth information:
    GC-44: Technical Insight: Costpoint 7.0
    GC-45: Looking Ahead at Deltek Costpoint Technology
    GC-46: Extending Costpoint 7: Content Management
    GC-48: Extending Costpoint 7: Extensibility Services
    GC-50: Extending Costpoint: Web Services Integration
    GC-52: Technical Insight: Costpoint 7.0 Configuration
    GC-322: Costpoint 7 - The User Experience
Thank You!