Date posted: 14-Feb-2017 | Category: Technology | Uploaded by: wso2-inc
WSO2 Identity Server: Adding Hardware Security Module Without Breaking the Bank

David Maples, Solutions Team member, Yubico
Ishara Karunarathna, Senior Software Engineer, WSO2
Rob Blaauboer, Integration Consultant, Yenlo

May 17th 2016
About the presenters

David Maples, Solutions Team Member, Yubico
David is a senior member of the Solutions team at Yubico with over four years of experience with Yubico products, including the YubiHSM. He works with small, medium and enterprise customers to consult and build open, scalable security solutions.

Rob Blaauboer, Senior Consultant, Yenlo
Rob is a Senior Business Consultant and Solution Architect with more than twenty years of experience. In addition to his work he is an active blogger, working on a number of articles on the 'Internet of Things' and a WSO2 'Getting Started with...' series in which he talks about WSO2 components and their purpose, aimed especially at non-technical readers.

Ishara Karunarathna, Senior Software Engineer, WSO2
Ishara is a Senior Software Engineer at WSO2 and a key member of the WSO2 Identity Server team, contributing towards the Identity Server and WSO2's platform security. He has participated in several customer engagements, helping them to realize enterprise use cases and to build solutions on top of the WSO2 platform.
Who we are
• Premier Partner of WSO2
• Global Organization
• Offices in the Netherlands, Germany, Belgium, United Kingdom and United States
• Experts in Integration Solutions
• Experts in a 'Connected Business'

What we deliver
• WSO2 project & consultancy services
• WSO2 support services: Product Support, Development Support, Operational Support
• WSO2 Training services
• Enterprise & Solution Architecture

More info about us and our pre-built (WSO2) solutions: www.yenlo.com
Webinar Topics

WSO2 Identity Server: Adding Hardware Security Module Without Breaking the Bank
• Introduction to Security
• Yubico HSM
• WSO2 Identity Server
• Benefits & Technical details
• You have questions? We have answers!
The Many Faces of Security

Security has many faces
Depending on the chain:
o Human factor (weakest link?) ①
o Frontend (encryption) ②
o Transport (encryption) ③
o Backend (software, encryption, firewalls) ④
Does money buy security?
To some extent: yes, but more money does not necessarily mean better security.
Security is a subjective topic
o Depends on what needs to be secured (access to a website vs. health data)
o Depends on what is offered (UID & password, two-factor authentication)
o Depends on the usability (forcing '$yh*7EP9$' passwords)
o Depends on the acceptance of risk (credit card and signature)
[Image: classification levels Top Secret, Secret, Confidential, Public Trust, Unclassified. Public Domain, https://en.wikipedia.org/w/index.php?curid=2308226]
Monetary damages and PR nightmares
o Damage from security breaches is real, both monetary as well as from a public relations perspective
o Just ask many organizations as well as individuals
Are we playing leapfrog?
o It seems like we are playing leapfrog with the 'bad guys'
o In fact we are making it more and more secure, with vulnerabilities being addressed and more and better security on the horizon
How secure are WSO2 products?
o WSO2 is an open source product; sources are publicly available
o WSO2 uses many Apache projects internally (Axis, Synapse etc.)
o WSO2 is an open system that can be extended by means of custom developed modules, mediators and so on, as well as through connectors to third-party systems
o WSO2 products do not require any additional hardware to run

Can something that is this open be secure? Is 'secure open source' an oxymoron?
Why do we need an HSM? Doesn't WSO2 do the trick?
Yes, for many organizations WSO2 offers ample security. But a Hardware Security Module offers:
o Better random generation
o Calculations done in hardware rather than software
o Keys stored more securely

Use cases:
o Government
o Banking / insurance
o Healthcare
o Any organization that values security
Yubico HSM

CORE FEATURES
o Works with any standard USB port, across multiple operating systems including Linux and Microsoft Windows.
o Offers encryption with a Message Authentication Code (MAC), HMAC-SHA1 hashing, AES encryption/decryption, and cryptographic True Random Number Generation.
o Provides a physically isolated environment for cryptographic processing.
o Has no moving parts and requires no additional maintenance once installed.
o Capable of supporting any counter-based OTP protocol, including YubiOTP (Yubico's OTP implementation) and OATH-HOTP authentication.
WSO2 Identity Server
o WSO2 Identity Server is a leading IAM product
o Works without additional hardware
o Open Source
o Highly performant
o Used by all kinds of organizations (from SME to large corporate)
o Current version 5.1.0
o Extendable with IS connectors and well-defined extension points
User management in Identity Server
[Diagram: the User Store Manager (JDBC, LDAP, AD or Custom) sits between Identity Server and the User Store]
HSM for Identity Server
o Creating a custom user store manager: https://docs.wso2.com/display/IS510/Writing+a+Custom+User+Store+Manager
HSM for Identity Server
o Creating a custom user store manager: the preparePassword() override hands the password to the YubiHSM, which computes an HMAC-SHA1 under a key that is stored in the device and addressed by its key handle.

    protected String preparePassword(String password, String saltValue)
            throws UserStoreException {
        int keyHandle = 12337; // The key handle to use in the YubiHSM (0x3031)
        // Instance of the YubiHSM Java client (wraps the USB device)
        YubiHSM hsm = new YubiHSM();
        // Generate HMAC-SHA1 for the password inside the HSM. The flags mark
        // this as the final (only) chunk and ask for the hash to be returned
        // rather than kept in the device buffer.
        // Note: saltValue is not mixed into the HMAC input in this snippet,
        // so two users with the same password get the same stored value.
        String newPassword = hsm.generateHMACSHA1(password, keyHandle, true, false).get("hash");
        return newPassword;
    }
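To show how the HSM-keyed HMAC fits into a user store manager's prepare/verify pair, here is an added example (not code from the page, WSO2 or Yubico). It stands the YubiHSM in with a software HMAC-SHA1 keyed from a key-handle table (SoftwareHsm, an assumption made so it runs offline), keeps the slide's key handle 0x3031, and, going one step beyond the slide, mixes the per-user salt into the HMAC input and adds constant-time verification. The handle$salt$hmac storage format, the key material and the sample passwords are constructed for illustration.

```python
"""Added example: HSM-keyed password hashing for a custom user store manager.

Not WSO2's or Yubico's code. The YubiHSM is stood in for by SoftwareHsm,
a software HMAC-SHA1 keyed by key handle (an assumption so the example runs
offline). In a real deployment the key under a handle is never readable by
the host; only the HMAC result comes back, exactly as in the slide's
generateHMACSHA1(...) call.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, Optional

KEY_HANDLE = 0x3031  # 12337, the same handle as on the slide


class SoftwareHsm:
    """Stand-in for the YubiHSM HMAC-SHA1 command (assumption)."""

    def __init__(self, keys: Dict[int, bytes]):
        self._keys = dict(keys)  # key handle -> secret; lives only "inside" the HSM

    def hmac_sha1(self, key_handle: int, data: bytes) -> bytes:
        """Return HMAC-SHA1 of data under the key stored at key_handle."""
        return hmac.new(self._keys[key_handle], data, hashlib.sha1).digest()


def new_salt() -> bytes:
    """Per-user random salt (16 bytes)."""
    return secrets.token_bytes(16)


def prepare_password(hsm: SoftwareHsm, password: str, salt: bytes,
                     key_handle: int = KEY_HANDLE) -> str:
    """Return the stored credential as 'handle$salt$hmac' (constructed format).

    Unlike the slide's snippet, the salt is prefixed to the HMAC input so two
    users with the same password get different stored values; the key handle
    is recorded so the key can be rotated later without breaking old records.
    """
    digest = hsm.hmac_sha1(key_handle, salt + password.encode("utf-8"))
    return f"{key_handle:x}${salt.hex()}${digest.hex()}"


def verify_password(hsm: SoftwareHsm, password: str, stored: str) -> bool:
    """Recompute the HMAC in the HSM and compare in constant time."""
    handle_hex, salt_hex, digest_hex = stored.split("$")
    digest = hsm.hmac_sha1(int(handle_hex, 16),
                           bytes.fromhex(salt_hex) + password.encode("utf-8"))
    return hmac.compare_digest(digest.hex(), digest_hex)


def offline_guess_without_key(stored: str, candidates: Iterable[str]) -> Optional[str]:
    """What an attacker holding only a database dump can try: reproduce the
    stored digest with unkeyed SHA-1(salt || password). Because the record is
    an HMAC under a key that never left the HSM, no candidate matches, even
    when the right password is in the list."""
    _, salt_hex, digest_hex = stored.split("$")
    salt = bytes.fromhex(salt_hex)
    for cand in candidates:
        if hashlib.sha1(salt + cand.encode("utf-8")).hexdigest() == digest_hex:
            return cand
    return None


if __name__ == "__main__":
    # Constructed demo: one key under the slide's handle, two users, same password.
    hsm = SoftwareHsm({KEY_HANDLE: secrets.token_bytes(20)})
    alice = prepare_password(hsm, "correct horse", new_salt())
    bob = prepare_password(hsm, "correct horse", new_salt())
    print("alice:", alice)
    print("bob:  ", bob)
    print("same password, different records:", alice != bob)
    print("alice verifies:", verify_password(hsm, "correct horse", alice))
    print("wrong password rejected:", not verify_password(hsm, "wrong", alice))
    print("offline guess without HSM key:",
          offline_guess_without_key(alice, ["password", "correct horse"]))
```

With a real YubiHSM, SoftwareHsm.hmac_sha1 is the one method to replace with the device call; the rest of the flow (salt, record format, constant-time compare) stays the same, and the secret under the handle is then not readable by the host at all.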
WSO2 IS Roadmap
Candidate feature:
o Integration with HSM modules by means of an IS connector
What are the benefits?

Benefits are clear:
o Improved security
o Physically based generation of random numbers
o TPM-like identity assurance, not tied to a server
o Secure, isolated cryptographic processor
o Extending the deployability of IS in high-security environments
o And of course, without breaking the bank!
Without breaking the bank

Vendor     # of HSMs   Connection Type               One-time cost   Recurring cost   Total
Vendor X   2           USB                           $8,900          $4,000           $12,900
Vendor Y   2           PCI-E                         $18,000         $4,000           $22,000
Vendor Z   2           Network Attached Appliance    $32,400         $2,200           $34,600
Yubico     2           USB                           $1,000          -                $1,000
You have questions? We have answers!

Contact & Download
Download this presentation: https://www.yenlo.com/en/free-advice/webinars
Or contact us: https://www.yenlo.com/en/contact

THANK YOU FOR YOUR ATTENTION