WSO2Iden*tyServer:AddingHardwareSecurityModuleWithoutBreakingtheBankDavidMaples,Solu0onsTeammember,YubicoIsharaKarunarathna,SeniorSo<wareEngineerWSO2RobBlaauboer,Integra0onConsultantYenlo

May17thth2016

Aboutthepresenters

2

DavidMaplesSolu0onsTeamMember,YubicoDavidisaseniormemberoftheSolu0onsteamatYubicowithoverfouryearsofexperiencewithYubicoproducts,includingtheYubiHSM.Heworkswithsmall,mediumandenterprisecustomerstoconsultandbuildopenscalablesecuritysolu0ons.RobBlaauboerSeniorConsultant,YenloRobisaSeniorBusinessConsultantandSolu0onArchitectwithmorethantwentyyearsexperience.Inaddi0ontohisworkheisanac0vebloggerworkingonanumberofar0clesonthe'InternetofThings'andaWSO2'GeOngStartedwith...'seriesinwhichhetalksaboutWSO2componentsandtheirpurposeespeciallyaimedatnontechnicalreaders.IsharaKarunarathnaSeniorSo@wareEngineer,WSO2IsharaisaSeniorSo<wareEngineeratWSO2andakeymemberofWSO2Iden0tyserverteam,contribu0ngtowardstheIden0tyServerandWSO2'splaPormsecurity.Hehaspar0cipatedinseveralcustomerengagementshelpingthemtorealizeenterpriseusecasesandtobuildsolu0onsOntopofWSO2plaPorm.

?

3

•  PremierPartnerofWSO2•  GlobalOrganiza0on•  OfficesintheNetherlands,Germany,

Belgium,UnitedKingdomandUnitedStates

•  ExpertsisIntegra0onSolu0ons•  Expertsina‘ConnectedBusiness’

•  WSO2project&consultancyservices•  WSO2supportservices:

•  ProductSupport•  DevelopmentSupport•  Opera0onalSupport

•  WSO2Trainingservices

•  Enterprise&Solu0onArchitecture

Whoweare Whatwedeliver

Moreinfoaboutusandourpre-build(WSO2)solu0ons:www.yenlo.com

TopicsWebinar

4

WSO2Iden0tyServer:AddingHardwareSecurityModuleWithoutBreakingtheBank

•  Introduc0ontoSecurity•  YubicoHSM•  WSO2Iden0tyServer•  Benefits&Technicaldetails•  Youhaveques0ons?Wehaveanswers!

TheManyFacesofSecurity

Dependingonthechaino  Humanfactor(weakestlink?) ①

o  Frontend(encryp0on)②

o  Transport(encryp0on)③

o  Backend(so<ware,encryp0on,firewalls)④

Securityhasmanyfaces

6

Tosomeextent:Yes,butmoremoneydoesnotnecessarilymeanbegersecurity.

Doesmoneybuysecurity?

6

o  Dependsonwhatneedstobesecured(accesstowebsitevs.healthdata)

o  Dependsonwhatisoffered(UID&Password,2factorauthen0ca0on)

o  Dependsontheusability(forcing‘$yh*7EP9$’passwords)

o  Dependsontheacceptanceofrisk(creditcardandsignature)

Securityisasubjec0vetopic

7

Public Domain, https://en.wikipedia.org/w/index.php?curid=2308226

Top Secret

Secret

Confidential

Public Trust

Unclassified

o  Damagefromsecuritybreachesisreal,bothmonetaryaswellasfromapublicrela0onsperspec0ve

o  Justaskmanyorganiza0onsaswellasindividuals

MonetarydamagesandPRnightmares

8

o  Itseemslikeweareplayingleapfrogwiththe‘badguys’o  Infactwearemakingitmoreandmoresecurewith

vulnerabili0esbeingaddressedandmoreandbegersecurityonthehorizon

Areweplayingleapfrog?

9

o  WSO2isanopensourceproduct,sourcesarepubliclyavailableo  WSO2usesmanyApacheprojectsinternally(Axis,Synapse

etc.)o  WSO2isanopensystemthatcanbeextendedbymeansof

customdevelopedmodules,mediatorsandsoonaswellasthroughconnectorstothirdpartysystems

o  WSO2productsdonotrequireanyaddi0onalhardwaretorun

Cansomethingthatisthisopen,besecure?Is‘secureopensource’anoxymoron?

HowsecureareWSO2products?

9

WhydoweneedanHSM?Doesn’tWSO2dothetrick?Yes,formanyorganiza0onsWSO2offersamplesecurity.ButHardwareSecurityModuleoffer:o  Begerrandomgenera0ono  Calcula0onsdoneinhardwareratherthanso<wareo  KeysstoredmoresecurelyUsecases:o  Governmento  Banking/insuranceo  Healthcareo  Anyorganiza0onthatvaluessecurity

YubicoHSM

COREFEATURES

o  WorkswithanystandardUSBport,acrossmul0pleopera0ngsystemsincludingLinuxandMicroso<Windows.

o  Offersencryp0onwithaMessageAuthen0ca0onCode(MAC),HMAC-SHA1hashing,AESencryp0on/decryp0on,andcryptographicTrueRandomNumberGenera0on.

o  Providesaphysicallyisolatedenvironmentforcryptographicprocessing.

o  Hasnomovingpartsandrequiresnoaddi0onalmaintenanceonceinstalled.

o  Capableofsuppor0nganycounter-basedOTPprotocolincludingYubiOTP(Yubico’sOTPimplementa0on)andOATH-HOTPauthen0ca0on.

13

WSO2Iden0tyServer

o  WSO2Iden0tyserverisaleadingIAMproducto  Workswithoutaddi0onalhardwareo  OpenSourceo  Highlyperformanto  Usedbyallkindsoforganiza0ons(fromSMEtolargecorporate)

o  Currentversion5.1.0o  ExtendablewithIS-connectorsandwelldefinedextensionpoints.

WSO2Iden0tyServer

21

UsermanagementinIden0tyserver

28

User Store Manager

JDBC LDAP AD Custom

User Store

HSMforIden0tyserver

o  Crea0ngacustomuserstoremanagerhgps://docs.wso2.com/display/IS510/Wri0ng+a+Custom+User+Store+Manager

28

HSMforIden0tyserver

o  Crea0ngacustomuserstoremanager

protected String preparePassword(String password, String saltValue) throws UserStoreException { int keyHandle = 12337; // The key to use in the YubiHSM (0x3031) // Instance of YubiHSM YubiHSM hsm = new YubiHSM(); // Generate HmacSHA1 for password String newPassword = hsm.generateHMACSHA1(password, keyHandle, true, false).get("hash"); return newPassword; }

28

WSO2ISRoadmap

Candidatefeature:o  Integra0onwithHSMmodulesbymeansofanIS-connector

28

Whatarethebenefits?

Benefitsareclear

o  Improvedsecurityo  Physicalbasedgenera0onofrandomnumberso  TPM-likeiden0tyassurance,not0edtoaservero  Secure,isolatedcryptographicprocessoro  ExtendingthedeployabilityofISinhigh-security

environmentso  Andofcourse,withoutbreakingthebank!

30

Withoutbreakingthebank

#ofHSMs

Connec0onType One0mecost

Recurringcost

Total

VendorX 2 USB $8.900 $4.000 $12.900

VendorY 2 PCI-E $18.000 $4.000 $22.000

VendorZ 2 NetworkAgachedAppliance

$32.400 $2.200 $34.600

Yubico 2 USB $1000 - $1000

Youhaveques0ons?Wehaveanswers!

Contact&Download

34

Downloadthispresenta0on:hgps://www.yenlo.com/en/free-advice/webinarsOrContactus:hgps://www.yenlo.com/en/contact

35

THANK YOU FOR

YOUR ATTENTION