e-business on demand Competitive Technical Briefing
Protect Yourself! (Security Counts)
CTS6-06 Security.ppt 2
Have You Thought About Security?
Friendly Finance / IBM
Have you thought about the impact weak security could have on your business?
Security Exposures on the Rise
• Companies experience an average of 30 attacks per week [1]
  - 85% pre-attack reconnaissance
  - 15% attempted or successful exploitation
• 21% of companies worldwide experienced at least one severe event over the previous six months [1]
  - 44% of UK companies [2]
• Cost to fix a security breach for several UK companies: over £500,000 [2]
• Over the past year, 1,200 new 32-bit Windows viruses and worms have been released [1]
[1] Symantec Internet Security Threat Report, Attack Trends for Q3 and Q4 2002, Report 3, Volume III, February 2003
[2] PricewaterhouseCoopers, Information Security Breaches Survey 2002 (http://www.pwcglobal.com/Extweb/service.nsf/docid/B2ECC9B0E9EFA3D785256C33005247D3)
Worms Exploit Microsoft Flaws, Disrupt Day-to-Day Life
• AIR CANADA - Systems were hobbled by the Welchia, or Nachi, worm, delaying flights
• MARYLAND MOTOR VEHICLE - The Blaster worm forced the agency to close its doors for a day
• COMMUTER LINE - Maryland trains were canceled after a worm disrupted signals
• J.C. PENNEY - The national retail chain was affected by the Blaster worm
• Countless others...
Source: TIME magazine, Sep 1 2003
A Steady Stream of Microsoft Security Bulletins
• Flaw in ISA Server Error Pages Could Allow Cross-Site Scripting Attack (# 816456 - July 16, 2003). Impact: Run code of an attacker's choice
• Unchecked Buffer in Windows Shell Could Enable System Compromise (# 821557 - July 16, 2003). Impact: Run code of an attacker's choice
• Buffer Overrun In RPC Interface Could Allow Code Execution (# 823980 - July 16, 2003). Impact: Run code of an attacker's choice
• Buffer Overrun In HTML Converter Could Allow Code Execution (# 823559 - July 09, 2003). Impact: Run code of an attacker's choice
• Buffer Overrun in Windows Could Lead to Data Corruption (# 817606 - July 09, 2003). Impact: Run code of an attacker's choice
All of these came out in less than a month's time – between July 1 and 16, 2003. Other months aren't too different!
Security Exposures Across Microsoft Products
All of these products had significant security exposures in 2003
An average of one security bulletin every 3.5 working days!
Microsoft uses Linux to hide from Blaster!!
• The Blaster worm was set to attack Microsoft's windowsupdate.com site starting Aug 16, 2003
• Microsoft had to change its DNS so that requests for the MS site would no longer resolve to its own network
• Requests were instead handled by Akamai's caching system, which runs Linux
MS protected its site from the Blaster worm by hiding behind a Linux system.
IBM – Strong Security
• Winner, Information Security Excellence Award
• Commended, SC Magazine 2002 Best Security Management
• Winner, VARBusiness Annual Report Card
• Winner, Mindcraft Extranet Performance Benchmark
• Winner, Gartner Leadership Quadrant
• Winner, 2002 Crossroads A-List Award
• Winner, Frost & Sullivan Market Excellence Award
Microsoft Confession
"I'm not proud, we really haven't done everything we could to protect our customers. Our products just aren't engineered for security."
Brian Valentine, Sr. VP, Windows Server, at Microsoft Windows Server .Net developer conference in Seattle, Sept. 5, 2002
IBM is a Better Foundation for Security
IBM                                          Microsoft
Proven track record                          Poor track record
Foundation architected for strong security   Poor technology base for security
Standards-based Directory Server             Difficult, proprietary Directory
Security 101 – Authentication & Authorization
Flow between the Client, the WebServer, the User Directory and the Data:
• Client: Request a resource
• WebServer: Challenge – Who are you?
• Client: "Herman", password
• Authentication – Check if Herman is who he claims he is
  - WebServer checks the password against the User Directory
  - Authenticated: Herman is indeed Herman, let him through
• Authorization (Access Control) – What can Herman do?
  - Check what Roles are allowed access to this resource
  - Check if Herman has any of those Roles
  - Authorized: Herman has the necessary Roles, allow the operation
• Data is returned to the Client
Role-Based Access Control
Define what Roles are needed to access resources:
Operation                    Customer   Teller   Supervisor
GET /finance/account         yes        yes      yes
DELETE /finance/account                          yes
AccountBean getBalance       yes        yes      yes
AccountBean setBalance                  yes      yes
Assign Roles to users: each user (Alice, Kate, Tom, Jack, Herman) is placed in Role Customer, Teller or Supervisor
Declarative Security
• Application Provider – Developers create application components
• Application Assembler – Declares what Role is required to access each resource. E.g. Supervisors can delete Accounts
• Security Administrator – Assigns Roles to Users. E.g. assigns Supervisor Role to Kate; uses LDAP server as the user directory
WebSphere - A Consistent Model for Security
• WebSphere provides a single consistent security model
  - Declarative Roles-based Access Control model of J2EE
  - Developers create components, don't have to worry about coding security into the application
  - Application Assemblers define Roles needed to access components
  - Qualified Security Administrators grant roles to users
• JSP pages, servlets, EJBs are all protected with the same model
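As an added illustration of the flow on the Security 101 slide and of the declarative J2EE model described above (example code written for this briefing, not WebSphere or IBM code), the Python below reads the Role-Based Access Control matrix from a constructed web.xml fragment, authenticates a user against a constructed stand-in for the LDAP user directory, and only then checks Roles. The users, their passwords and every role assignment except Kate's Supervisor Role are assumptions.

```python
# Added example (not WebSphere/IBM code): evaluator for J2EE-style declarative
# security. The web.xml fragment, users and passwords are constructed; only
# Kate's Supervisor Role comes from the slides, other assignments are assumed.
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET

# Application Assembler's artifact: the RBAC matrix for the web tier.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>account-read</web-resource-name>
      <url-pattern>/finance/account</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Customer</role-name>
      <role-name>Teller</role-name>
      <role-name>Supervisor</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>account-delete</web-resource-name>
      <url-pattern>/finance/account</url-pattern>
      <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Supervisor</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""

def parse_constraints(xml_text):
    """Read (methods, url-patterns, roles) from each security-constraint.
    A missing auth-constraint means anyone ({'*'}); an empty one means nobody."""
    constraints = []
    for sc in ET.fromstring(xml_text).iter("security-constraint"):
        wrc = sc.find("web-resource-collection")
        methods = {m.text for m in wrc.findall("http-method")}
        patterns = [p.text for p in wrc.findall("url-pattern")]
        ac = sc.find("auth-constraint")
        roles = {"*"} if ac is None else {r.text for r in ac.findall("role-name")}
        constraints.append((methods, patterns, roles))
    return constraints

def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_directory(assignments):
    """Security Administrator's artifact: user -> (password, roles) becomes a
    directory of salted password hashes plus the Roles granted to each user."""
    directory = {}
    for user, (password, roles) in assignments.items():
        salt = os.urandom(16)
        directory[user] = {"salt": salt, "hash": _hash_password(password, salt), "roles": set(roles)}
    return directory

def authenticate(directory, user, password):
    """Authentication: is Herman who he claims to be? Returns his Roles, or None."""
    entry = directory.get(user)
    if entry is None:
        _hash_password(password, b"\0" * 16)  # same cost for unknown users
        return None
    if not hmac.compare_digest(_hash_password(password, entry["salt"]), entry["hash"]):
        return None
    return set(entry["roles"])

def _pattern_matches(pattern, path):
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    return path == pattern

def authorize(constraints, method, path, roles, deny_uncovered=True):
    """Authorization: does the caller hold a Role the descriptor allows for this
    operation? A method no constraint mentions is 'uncovered'; the servlet spec
    permits such requests unless told otherwise, so this evaluator denies them
    by default and lets the caller opt into the permissive behaviour."""
    covered = False
    for methods, patterns, allowed in constraints:
        if method in methods and any(_pattern_matches(p, path) for p in patterns):
            covered = True
            if "*" in allowed or roles & allowed:
                return True
    return (not deny_uncovered) if not covered else False

def handle_request(directory, constraints, user, password, method, path):
    """The flow on the Security 101 slide: check password, check Roles, serve."""
    roles = authenticate(directory, user, password)
    if roles is None:
        return 401, "authentication failed"
    if not authorize(constraints, method, path, roles):
        return 403, f"{user} holds no Role permitted to {method} {path}"
    return 200, f"{user} authorized for {method} {path}"

if __name__ == "__main__":
    cs = parse_constraints(WEB_XML)
    d = make_directory({"Herman": ("herman-pw", {"Customer"}), "Kate": ("kate-pw", {"Supervisor"})})
    print(handle_request(d, cs, "Herman", "herman-pw", "GET", "/finance/account"))
    print(handle_request(d, cs, "Herman", "herman-pw", "DELETE", "/finance/account"))
```

Because the policy lives in the descriptor, letting Tellers delete accounts is an edit to one `<auth-constraint>` with no code change, which is the point the slides make. The `deny_uncovered` default is the check an assembler should keep in mind: under the servlet specification an HTTP method that no `<security-constraint>` lists is simply permitted (Servlet 3.1 later added `<deny-uncovered-http-methods/>` for this), so a matrix that names only GET and DELETE leaves PUT and POST on the same URL open unless the descriptor says otherwise.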
Microsoft – Mixed Security Models
• COM+ role-based access control model is declarative
• .NET role-based access control is specified in source code
• The two models have different class hierarchies and role definitions
• This means that serviced components have a different security model than the pure .NET component
• SharePoint does not even use role-based security; it uses site groups/cross-site groups
Demo: Consistent Security Model
• WebSphere Application Assembly Tool (Application Assembler)
• A consistent security model provides tighter security
  - Spot and resolve conflicts
  - Fewer mistakes and oversights
  - Easier to manage effectively
Issues with Microsoft Security Models
• Inconsistent models tend to provide looser security
  - Increased chance of mistakes, oversights, conflicts
  - Complexity
• Embedding Security into source code is a poor model
  - In the .NET security model, security attributes are embedded in source code:
    [PrincipalPermission(SecurityAction.Demand, Role = "Teller")]
    public void CreateAccount() { ... }
  - Inflexible
  - Hampers reuse of components
  - No consolidated overview
  - Cannot easily resolve conflicting Roles
Web Services Security – Declarative vs Programmatic
• WebSphere – Declare in deployment descriptor
  - Business Logic and Security are functionally separate
  - Easy administration, no need to change source code
  - Relevant for real-world web services
• .NET – Need to write code to create and pass tokens
  - Business Logic and Security too tightly tied together
  - Example: If you want to use an X.509 certificate instead of a Username token, you need to change source code, rebuild, test, redeploy
  - Administration is difficult
Tivoli - Defense in Breadth and Depth
(Diagram: Browsers reach the Web Server and Proxy Server across the Internet over HTTP/S; requests continue over HTTP/S to the Web Container and over IIOP/CSI to the EJB Container and the Data System. Access Management, Privacy Management, Account Provisioning and Threat Management span every tier.)
Across dissimilar environments
IBM Has Better Operational Support for Security
IBM                        Microsoft
Tivoli Access Manager      Windows solution only
Tivoli Privacy Manager     None
Tivoli Identity Manager    Windows Server 2003
Tivoli Risk Manager        None
Defining What Users Can Access
(Diagram: Tivoli Access Manager with Agents on Web Servers, Application Servers, Database Servers, Legacy Servers, Clients and Networking Equipment)
• Validate access rights
• Works with local security models
Defining What Users Can Access
Tivoli Access Manager
• Central control of users' access to resources
  - Unified Security Policy improves overall security
  - Single, Consistent Authorization Approach
• Secure a wide variety of resource types
  - web and application servers, legacy and new applications using MQ, resources defined in UNIX and LINUX operating environments
• Coarse or finer grained Authorization
• Web-based Management Console
• Single Sign-On
  - Users sign on once to get access to all resources
  - Cross-Domain
DEMO: Tivoli Access Management
• WebSphere Application Server
• Tivoli Access Manager
Centralized administration of security; consistent interfaces.
Protect Personal Information
(Diagram: Tivoli Privacy Manager with Agents on Web Servers, Application Servers, Database Servers, Legacy Servers, Clients and Networking Equipment)
Control access to data based on Privacy Policies
Protect Personal Information
Tivoli Privacy Manager for e-business
• Organizations can use Tivoli Privacy Manager for e-business to perform five primary tasks:
  - Define privacy policy and create it in Platform for Privacy Preferences (P3P) format
  - Deploy the privacy policy across applications and resources
  - Record end users' consent to the privacy policy
  - Monitor and enforce access to private data, in keeping with the policy
  - Create audit trail reports
• P3P policy is of the form:
  ALLOW USERS to USE PII_TYPES for PURPOSES [if CONDITIONS] [if CONSENT]
• Example P3P policy for Friendly Finance is:
  Allow Mortgage_Officer to read customer_financial_info for mortgage_evaluation [if customer_applied_for_mortgage] and [if customer opt-in]
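The rule form on this slide, worked through as an added example that is not Tivoli Privacy Manager code: a rule carries the users, PII types and purposes it grants, the conditions that must hold, and whether the data subject's opt-in is required; every decision, allowed or denied, is written to an audit trail from which a report can be drawn. The customer records, the consent register, the condition predicate and the audit store are constructed for the Friendly Finance example.

```python
# Added example (not Tivoli Privacy Manager code): evaluating a rule of the form
# ALLOW USERS to USE PII_TYPES for PURPOSES [if CONDITIONS] [if CONSENT].
# Customer records, consent entries, the condition predicate and the audit
# store are constructed for the Friendly Finance example on the slide.
from dataclasses import dataclass

@dataclass(frozen=True)
class PrivacyRule:
    users: frozenset                # roles granted use of the data
    pii_types: frozenset            # categories of personally identifiable information
    purposes: frozenset             # purposes the use is limited to
    conditions: tuple = ()          # names of predicates that must hold on the record
    requires_consent: bool = False  # the customer must have opted in for the purpose

# The slide's rule: Allow Mortgage_Officer to read customer_financial_info for
# mortgage_evaluation [if customer_applied_for_mortgage] and [if customer opt-in]
RULES = [
    PrivacyRule(frozenset({"Mortgage_Officer"}), frozenset({"customer_financial_info"}),
                frozenset({"mortgage_evaluation"}), ("customer_applied_for_mortgage",), True),
]

# Conditions are evaluated against the customer's record (constructed predicate).
CONDITIONS = {
    "customer_applied_for_mortgage": lambda rec: rec.get("mortgage_application") is not None,
}

# Constructed customer records; "consent" holds the purposes the customer opted in to.
CUSTOMERS = {
    "C1001": {"mortgage_application": "APP-17", "consent": {"mortgage_evaluation"}},
    "C1002": {"mortgage_application": None, "consent": {"mortgage_evaluation"}},
    "C1003": {"mortgage_application": "APP-18", "consent": set()},
}

def evaluate(role, pii_type, purpose, customer_id, customers=CUSTOMERS, rules=RULES, audit=None):
    """Decide ("allow"|"deny", reason) for one use of one customer's data and
    record the decision, so every access is auditable whether or not it succeeded."""
    rec = customers[customer_id]
    decision, reason = "deny", "no rule grants this use"
    for rule in rules:
        if role not in rule.users or pii_type not in rule.pii_types or purpose not in rule.purposes:
            continue  # rule does not speak to this user/data/purpose combination
        unmet = [c for c in rule.conditions if not CONDITIONS[c](rec)]
        if unmet:
            reason = f"condition not met: {unmet[0]}"
            continue
        if rule.requires_consent and purpose not in rec["consent"]:
            reason = "customer has not opted in for this purpose"
            continue
        decision, reason = "allow", "rule matched"
        break
    if audit is not None:
        audit.append({"role": role, "pii": pii_type, "purpose": purpose,
                      "customer": customer_id, "decision": decision, "reason": reason})
    return decision, reason

def audit_report(audit):
    """Count denials by reason: the kind of audit trail report the slide lists."""
    counts = {}
    for entry in audit:
        if entry["decision"] == "deny":
            counts[entry["reason"]] = counts.get(entry["reason"], 0) + 1
    return counts

if __name__ == "__main__":
    trail = []
    for cid in CUSTOMERS:
        print(cid, evaluate("Mortgage_Officer", "customer_financial_info", "mortgage_evaluation", cid, audit=trail))
    print(audit_report(trail))
```

The purpose is part of the decision, not just the role: the same officer reading the same record for marketing finds no rule and is denied, and consent is recorded per purpose for the same reason. Keeping the deny reason in the audit entry is what makes the later report useful, since "no rule" and "no consent" call for different follow-up.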
Define and Centrally Manage User Accounts
(Diagram: Tivoli Identity Manager with Agents on Web Servers, Application Servers, Database Servers, Legacy Servers, Clients and Networking Equipment)
Create / revoke user accounts
Define and Centrally Manage User Accounts
Tivoli Identity Manager
• Define, Revoke, and Manage user accounts in one place, systematically
  - Systematic management improves overall security
• Automatic "Provisioning" of new users
  - Create all the accounts a user will need: Databases, Operating Systems, ERP systems, Other (LDAP, Access Manager, ...)
• Enforce policies governing account creation
• Create audit trails
• Provide web-based user self-service
Reject Attacks: Threat Management
(Diagram: Tivoli Risk Manager with Agents on Web Servers, Application Servers, Database Servers, Legacy Servers, Clients and Networking Equipment, exchanging security events and responses. Each managed Element sits in an autonomic loop: Sensors feed Monitor, then Analyze, Plan and Execute share a common Knowledge base, and Effectors carry out the response.)
Reject Attacks: Threat Management
Tivoli Risk Manager
• Manage security events and incidents from a variety of devices, applications, and servers across a heterogeneous environment
  - Centralize security event management
  - Protect against outside security threats
  - Detect Virus Attacks and Hacker Intrusions
  - Manage the risks and costs of protecting your business
• Automatically respond to incidents
  - Deny/close connections from/to an IP address on the Firewall
  - Cancel enabled rules on the Firewall
  - Kill user process on a server
  - Fix or upgrade software to prevent or stop threats
  - More tasks can easily be created or existing ones customized...
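An added example, not Tivoli Risk Manager code, of the first two tasks on this slide: events from a firewall and a host intrusion detection sensor arrive in different formats, are normalized into one schema, correlated per source address inside a time window, and turned into the response tasks the slide lists. The log lines, formats, addresses (documentation ranges), thresholds and task names are all constructed; port 135 and the RPC signature merely echo the RPC bulletin and Blaster worm named earlier in the deck.

```python
# Added example (not Tivoli Risk Manager code): normalize events from two
# differently formatted sensors, correlate them per source address and plan
# responses. Log lines, formats, addresses, thresholds and task names are
# constructed; nothing here is a real product format.
import re
from collections import defaultdict
from datetime import datetime

# Constructed firewall log: ISO timestamp, sensor, action, proto, src -> dst.
FIREWALL_LOG = """\
2003-08-12T10:00:01 fw1 DENY tcp 203.0.113.7:4321 -> 10.0.0.5:135
2003-08-12T10:00:02 fw1 DENY tcp 203.0.113.7:4322 -> 10.0.0.6:135
2003-08-12T10:00:02 fw1 DENY tcp 203.0.113.7:4323 -> 10.0.0.7:135
2003-08-12T10:00:03 fw1 DENY tcp 203.0.113.7:4324 -> 10.0.0.8:135
2003-08-12T10:00:03 fw1 DENY tcp 203.0.113.7:4325 -> 10.0.0.9:135
2003-08-12T10:00:04 fw1 DENY tcp 203.0.113.7:4326 -> 10.0.0.10:135
2003-08-12T10:00:05 fw1 ALLOW tcp 198.51.100.23:51000 -> 10.0.0.5:443
2003-08-12T10:00:06 fw1 DENY tcp 198.51.100.23:51001 -> 10.0.0.5:22
"""

# Constructed host IDS log in a syslog-like format (no year in the timestamp).
IDS_LOG = """\
Aug 12 10:00:07 ids1 ALERT sig="RPC buffer overrun attempt" src=203.0.113.7 dst=10.0.0.5
Aug 12 10:00:09 ids1 INFO sig="Policy: outbound mail" src=10.0.0.5 dst=192.0.2.25
"""

FW_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>ALLOW|DENY) (?P<proto>\S+) "
                   r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$")
IDS_RE = re.compile(r'^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<level>\w+) '
                    r'sig="(?P<sig>[^"]+)" src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+)$')

def parse_firewall(line):
    """Firewall line -> common event schema, or None for lines that do not parse."""
    m = FW_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "sensor": m["host"], "src": m["src"],
            "dst": m["dst"], "category": "fw-deny" if m["action"] == "DENY" else "fw-allow"}

def parse_ids(line, year=2003):
    """IDS line -> common event schema; the year is supplied because syslog omits it."""
    m = IDS_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), "sensor": m["host"],
            "src": m["src"], "dst": m["dst"], "category": "ids-" + m["level"].lower(),
            "signature": m["sig"]}

def normalize(fw_text, ids_text):
    """Centralize: one time-ordered stream of events regardless of origin."""
    events = [e for e in (parse_firewall(l) for l in fw_text.splitlines()) if e]
    events += [e for e in (parse_ids(l) for l in ids_text.splitlines()) if e]
    return sorted(events, key=lambda e: e["ts"])

def correlate(events, window_seconds=60, deny_threshold=5):
    """Analyze: per source address, count firewall denies and IDS alerts that fall
    within window_seconds of that source's first event. Many denies across
    distinct hosts (a sweep) or any IDS alert marks the source as hostile."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    findings = {}
    for src, evs in by_src.items():
        start = evs[0]["ts"]
        window = [e for e in evs if (e["ts"] - start).total_seconds() <= window_seconds]
        denies = [e for e in window if e["category"] == "fw-deny"]
        alerts = [e["signature"] for e in window if e["category"] == "ids-alert"]
        findings[src] = {"denies": len(denies), "hosts_probed": len({e["dst"] for e in denies}),
                         "alerts": alerts, "hostile": len(denies) >= deny_threshold or bool(alerts)}
    return findings

def plan_responses(findings):
    """Plan: map hostile sources to response tasks (constructed task names that
    mirror the slide's 'deny connections on the firewall' item)."""
    actions = []
    for src, f in findings.items():
        if not f["hostile"]:
            continue
        actions.append(("deny_connections_on_firewall", src))
        if f["alerts"]:
            actions.append(("open_incident", src, f["alerts"][0]))
    return actions

if __name__ == "__main__":
    findings = correlate(normalize(FIREWALL_LOG, IDS_LOG))
    for action in plan_responses(findings):
        print(action)
```

The single deny from 198.51.100.23 stays below the threshold and draws no response, which is the property an automatic responder needs most: the threshold and window keep one mistyped port from blocking a legitimate client, while the sweep across six hosts and the corroborating IDS alert from 203.0.113.7 together justify closing its connections at the firewall and opening an incident.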
A Summary of IBM Strengths
IBM                          Microsoft
Proven track record          Poor track record
Strong Security Foundation   Poor technology base for security
Tivoli Access Manager        Windows solution only
Tivoli Privacy Manager       None
Tivoli Identity Manager      Windows Server 2003
Tivoli Risk Manager          None