Cloud Security: Yesterday, Today, and Tomorrow


1 Cloud Security: Yesterday, Today, and Tomorrow Presentation by Gunnar Peterson Arctec Group

2 Everything we think of as a computer today is really just a device that connects to the big computer that we are all collectively building

3 Cloudanatomy


11 STRIDE Threat Model Examples (Threat: Description. Example)
Spoofing: Assume identity of client, server or request/response. Example: Phishing attack to fool user into sending credentials to fake site
Tampering: Alter contents of request or response. Example: Message or data integrity compromised to change parameters or values
Repudiation: Dispute legitimate transaction. Example: Illegitimately claiming a transaction was not completed
Information Disclosure: Unauthorized release of data. Example: Unencrypted message sniffed off the network
Denial of Service: Service not available to authorized users. Example: System flooded by requests until web server fails
Elevation of privilege: Bypass authorization system. Example: Attacker changes group membership

12 Threat Model + Countermeasure Examples (Threat: Security Service)
Spoofing: Authentication
Tampering: Digital Signature, Hash
Repudiation: Audit Logging
Information Disclosure: Encryption
Denial of Service: Availability
Elevation of privilege: Authorization

13 Attack Surface: describes the locations an attacker can launch, propagate and detonate an attack
Attack Surface = Data + Method + Channel
Example Web Service Attack Surface
Data: XML
Method: SOAP, URI
Channel: HTTP

14 Threat Model + Attack Surface (Threat: Security Service; columns Data, Method, Channel)
Spoofing: Authentication
Tampering: Digital Signature
Repudiation: Audit Logging
Information Disclosure: Encryption
Denial of Service: Availability
Elevation of privilege: Authorization, Input validation

15 Threat Model + Attack Surface (Threat: Security Service; columns Data, Method, Channel)
Same table as slide 14, with SSL added


18 but what kind of security services should we build?

19 What we have is a design problem

20 ...it's not just that we need stronger mechanisms

22 they must be USEFUL by people

26 Gateway: defensive structure to limit attack surface & enforce policy
PEP/PDP: create, manage, & enforce policy
Monitor: records and publishes auditable events
STS: Issue, validate, & exchange security tokens

27 Gateway: defensive structure to limit attack surface & enforce policy

28 Partial overview of J2EE support in WAS: great functionality, also mucho attack surface. J2EE 1.4 specifications:
Java Servlet Specification 2.4
JavaServer Pages Specification 2.0
Enterprise JavaBeans Specification 2.1
Enterprise JavaBeans to CORBA Mapping 1.1
RMI over IIOP
Java IDL API
Web Services for J2EE, Version 1.1
SOAP with Attachments API for Java Specification 1.2
Java API for XML Processing Specification 1.2
Java API for XML Registries Specification 1.0
Java API for XML-based RPC Specification 1.1
JDBC Specifications 3.0, 2.1, and Optional Package API (2.0)
Java Connector Architecture (JCA) 1.5
Java Message Service Specification 1.1
JavaMail API Specification 1.3
Java Authorization Contract for Containers 1.0
Java Naming and Directory Interface Specification
Java Transaction API Specification 1.0.1B
Java Transaction Service Specification
JavaBeans Activation Framework Specification 1.0.2

29 Monitor: records and publishes auditable events

30 Basic Audit Log Event Model
Who? Who was involved? Example: Username, identity provider
What? What happened? Example: Event status, object, transactions
Where? Where did it take place? Example: System, application or component
When? When did it take place? Example: Timestamp + time zone
Why? Why did it happen? Example: Reason event happened
How? How did it happen? Example: Action taken
(see IEEE Security & Privacy Journal, "How to Do Application Logging Right", Anton Chuvakin & Gunnar Peterson)
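The who/what/where/when/why/how model above as an added Python example (not code from the presentation or Arctec Group): a record builder that refuses timestamps without a time zone, and a checker that reports which questions a JSON log line fails to answer. Field names, the checker's rules and the sample lines are constructed for illustration.

```python
"""Audit log event model (who/what/where/when/why/how) as a record builder
plus a conformance check for JSON log lines.
Added example, not code from the presentation; field names, sample lines
and the checker's rules are constructed for illustration."""
import json
from datetime import datetime, timezone

# "Why" is kept optional: the reason is often unknown to the emitting
# component, but the other five questions must be answerable from the record.
REQUIRED = ("who", "what", "where", "when", "how")


def make_event(username, identity_provider, event, status, obj, system,
               action, reason=None, when=None):
    """Build one audit record; the timestamp must carry a time zone."""
    when = when or datetime.now(timezone.utc)
    if when.tzinfo is None:
        raise ValueError("timestamp must carry a time zone")
    return {
        "who": {"username": username, "identity_provider": identity_provider},
        "what": {"event": event, "status": status, "object": obj},
        "where": {"system": system},
        "when": when.isoformat(),
        "why": reason,
        "how": {"action": action},
    }


def check_line(line):
    """Return the model violations found in one JSON log line ([] = conforms)."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return ["not valid JSON"]
    if not isinstance(rec, dict):
        return ["not a JSON object"]
    problems = [f"missing {f}" for f in REQUIRED if not rec.get(f)]
    who = rec.get("who")
    if isinstance(who, dict) and who and not who.get("username"):
        problems.append("who: no username")
    when = rec.get("when")
    if isinstance(when, str):
        try:
            if datetime.fromisoformat(when).tzinfo is None:
                problems.append("when: timestamp has no time zone")
        except ValueError:
            problems.append("when: not an ISO 8601 timestamp")
    return problems


def audit(lines):
    """Map line index -> list of violations, for a batch of log lines."""
    return {i: check_line(line) for i, line in enumerate(lines)}


# Constructed sample: one conforming record, one with a naive timestamp,
# one that answers only "what" and "when".
SAMPLE_LINES = [
    json.dumps(make_event("alice", "corp-idp", "login", "success", "portal",
                          "sso-gateway", "password+otp",
                          when=datetime(2024, 5, 1, 9, 30, tzinfo=timezone.utc))),
    '{"who": {"username": "bob"}, "what": {"event": "delete", "status": "success",'
    ' "object": "invoice/42"}, "where": {"system": "billing"},'
    ' "when": "2024-05-01T09:31:00", "how": {"action": "DELETE /invoices/42"}}',
    '{"what": {"event": "export"}, "when": "2024-05-01T09:32:00+00:00"}',
]

if __name__ == "__main__":
    for idx, findings in audit(SAMPLE_LINES).items():
        print(idx, findings or "ok")
```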

31 STS: Issue, validate, & exchange security tokens

32 User STS
Responsibilities:
Map user to set of verifiable claims
Select identity to authenticate
Select identity and/or attribute claims to release
Enable usability of security protocols
Optionally enable multi-factor authn
Optionally, provide anonymizers and pseudonymizers
Collaborations: The user STS collaborates with
Identity Provider for authentication
Attribute stores
Required security protocols: 2 factor, etc.
Work in user environment with usability-centric tooling, e.g. Mobile device, Azigo, Cardspace, browser plugins, et al.

33 IdP STS
Responsibilities:
Subject > claim mapping
Map requests and responses to token(s) based on policy
Route and transform requests and responses based on policy
Policy based payload access
Collaborations:
User stores
Directories
Multi-factor

34 SP STS
Responsibilities:
Object/resource > claim mapping
Mapping requests and responses to token(s) based on policy
Route and transform requests and responses based on policy
Policy based payload access
Collaborations:
Objects under management, e.g. JNDI trees, JDBC connections, databases, Web Service methods, et al.
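The issue/validate/exchange chain of slides 32 to 34 (user STS releasing a policy-selected set of claims to the IdP STS, the IdP STS re-issuing for the SP STS, the SP STS mapping subject groups to resource roles) as an added Python example; this is not code from the presentation or Arctec Group, and the keys, claim names, release policy and group-to-role table are constructed for illustration.

```python
"""Minimal security token service (STS) chain: issue, validate and exchange
HMAC-SHA256-signed claim tokens across a user STS, an IdP STS and an SP STS.
Added example, not code from the presentation or Arctec Group; keys, claim
names, the release policy and the group-to-role table are constructed."""
import base64
import hashlib
import hmac
import json
import time

# Constructed demo keys. Each STS signs with its own key; a downstream STS
# verifies with the key of the issuer it trusts (IdP trusts user STS, SP trusts IdP).
KEYS = {
    "user-sts": b"user-sts-demo-key",
    "idp-sts": b"idp-sts-demo-key",
    "sp-sts": b"sp-sts-demo-key",
}

# Constructed release policy: the claims each STS may forward downstream
# ("select identity and/or attribute claims to release" on the slide).
RELEASE_POLICY = {
    "idp-sts": {"sub", "email", "groups"},
    "sp-sts": {"sub", "role"},
}
# Constructed object/resource > claim mapping used by the SP STS.
GROUP_TO_ROLE = {"finance": "ledger-writer", "staff": "ledger-reader"}


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue(issuer, audience, claims, ttl=300, now=None):
    """Issue a token: base64url(JSON body) + '.' + base64url(HMAC tag)."""
    now = int(time.time()) if now is None else now
    body = {"iss": issuer, "aud": audience, "iat": now, "exp": now + ttl, **claims}
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(KEYS[issuer], payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def validate(token, expected_issuer, me, now=None):
    """Check signature, issuer, audience and expiry; return the claims."""
    now = int(time.time()) if now is None else now
    payload_b64, tag_b64 = token.split(".")
    payload = _unb64(payload_b64)
    expected = hmac.new(KEYS[expected_issuer], payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(tag_b64)):  # constant-time compare
        raise ValueError("bad signature")
    body = json.loads(payload)
    if body.get("iss") != expected_issuer:
        raise ValueError("unexpected issuer")
    if body.get("aud") != me:
        raise ValueError("token not addressed to this service")
    if body.get("exp", 0) <= now:
        raise ValueError("token expired")
    return body


def idp_exchange(user_token, now=None):
    """IdP STS: accept the user STS token, apply the release policy, re-issue for the SP STS."""
    claims = validate(user_token, "user-sts", "idp-sts", now)
    released = {k: v for k, v in claims.items() if k in RELEASE_POLICY["idp-sts"]}
    return issue("idp-sts", "sp-sts", released, now=now)


def sp_exchange(idp_token, now=None):
    """SP STS: map groups to resource roles and drop every other claim."""
    claims = validate(idp_token, "idp-sts", "sp-sts", now)
    roles = sorted({GROUP_TO_ROLE[g] for g in claims.get("groups", []) if g in GROUP_TO_ROLE})
    mapped = {"sub": claims["sub"], "role": roles, "email": claims.get("email")}
    released = {k: v for k, v in mapped.items() if k in RELEASE_POLICY["sp-sts"]}
    return issue("sp-sts", "ledger-service", released, now=now)


def demo(now=1_700_000_000):
    """Run the whole chain; returns the claims the relying party finally sees."""
    user_token = issue("user-sts", "idp-sts", {
        "sub": "alice", "email": "alice@example.test",
        "groups": ["finance", "staff"],
        "ssn": "constructed-secret",  # never leaves the user STS under the policy
    }, now=now)
    sp_token = sp_exchange(idp_exchange(user_token, now), now)
    return validate(sp_token, "sp-sts", "ledger-service", now)


if __name__ == "__main__":
    print(demo())
```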

35 PEP/PDP: Push and pull authorizations on cloud-separated subjects and objects. Dynamically bind to make context-aware authorization decisions; embed access control rules in an object that is occasionally connected, such as mobile

36 Gateway: defensive structure to limit attack surface & enforce policy
PEP/PDP: create, manage, & enforce policy
Monitor: records and publishes auditable events
STS: Issue, validate, & exchange security tokens
Cloud Security is not about trust. It's about Verification and Visibility

37 Thingfrastructure

38 Thingfrastructure: Timo Arnall, Wireless in the world

39 Thingfrastructure Trends
Scale: getting smaller all the time
Geolocation drives privacy issues
Used to worry about monoculture and cascade fail; now we have complexity due to vendor-specific heterogeneity
Thingfrastructure will drive changes down through the Infostructure, Metastructure and Infrastructure

40 Everything we think of as a computer today is really just a device that connects to the big computer that we are all collectively building. Let's collectively build security in. Gunnar Peterson Blog: Web: Arctec Group


More information

Live Guide System Architecture and Security TECHNICAL ARTICLE

Live Guide System Architecture and Security TECHNICAL ARTICLE Live Guide System Architecture and Security TECHNICAL ARTICLE Contents 1. Introduction... 2 2. Hosting Environment... 2 2.1. Standards - Compliancy... 3 2.2. Business Continuity Management... 3 2.3. Network

More information

Java Technology and Web Services Security in Action

Java Technology and Web Services Security in Action Java Technology and Web Services Security in Action Marc Chanliau and Vikas Jain Security Product Management Oracle Corporation www.oracle.com TS-8131 2007 JavaOne SM Conference Session TS-8131 Goal Learn

More information

Infocard and Eduroam. Enrique de la Hoz, Diego R. López, Antonio García, Samuel Muñoz

Infocard and Eduroam. Enrique de la Hoz, Diego R. López, Antonio García, Samuel Muñoz Infocard and Eduroam Enrique de la Hoz, Diego R. López, Antonio García, Samuel Muñoz Index Introduction to Infocard Infocard usage usso using Infocard in eduroam Questions Infocard Artifact with a unique

More information

Enterprise Java Security Fundamentals

Enterprise Java Security Fundamentals Pistoia_ch03.fm Page 55 Tuesday, January 6, 2004 1:56 PM CHAPTER3 Enterprise Java Security Fundamentals THE J2EE platform has achieved remarkable success in meeting enterprise needs, resulting in its widespread

More information

Retrofi8ng OAuth 2.0 Security into Exis?ng REST Service [CON1765]

Retrofi8ng OAuth 2.0 Security into Exis?ng REST Service [CON1765] Retrofi8ng OAuth 2.0 Security into Exis?ng REST Service [CON1765] Irena Shaigorodsky Java One, 2014 ishaigorodsky@enservio.com @ishaigorodsky hops://github.com/ishaigor/rest- retro- sample 1 Quick Survey

More information

Information Systems Security

Information Systems Security Information Systems Security Lecture 4: Security Engineering Prof. Dr. Christoph Karg Aalen University of Applied Sciences Department of Computer Science 11.10.2015 Learning Objective Learning Objective

More information

An Introduction to Entrust PKI. Last updated: September 14, 2004

An Introduction to Entrust PKI. Last updated: September 14, 2004 An Introduction to Entrust PKI Last updated: September 14, 2004 2004 Entrust. All rights reserved. Entrust is a registered trademark of Entrust, Inc. in the United States and certain other countries. In

More information

Secure web transactions system

Secure web transactions system Secure web transactions system TRUSTED WEB SECURITY MODEL Recently, as the generally accepted model in Internet application development, three-tier or multi-tier applications are used. Moreover, new trends

More information

Secure the Web: OpenSSO

Secure the Web: OpenSSO Secure the Web: OpenSSO Sang Shin, Technology Architect Sun Microsystems, Inc. javapassion.com Pat Patterson, Principal Engineer Sun Microsystems, Inc. blogs.sun.com/superpat 1 Agenda Need for identity-based

More information

The Enterprise Service Bus

The Enterprise Service Bus 1 ESBs: Essential Infrastructure for a Successful SOA March 2005 2 at a glance Customers include world s largest firms! 80% of Global Telecom! 70% of Financial Services in Global 100! Blue Chip System

More information

XML Signatures in an Enterprise Service Bus Environment

XML Signatures in an Enterprise Service Bus Environment XML Signatures in an Enterprise Bus Environment Eckehard Hermann Research & Development XML Integration Uhlandstraße 12 64297 Darmstadt, Germany Eckehard.Hermann@softwareag.com Dieter Kessler Research

More information

Title Page. Hosted Payment Page Guide ACI Commerce Gateway

Title Page. Hosted Payment Page Guide ACI Commerce Gateway Title Page Hosted Payment Page Guide ACI Commerce Gateway Copyright Information 2008 by All rights reserved. All information contained in this documentation, as well as the software described in it, is

More information

MESSAGING SECURITY USING GLASSFISH AND OPEN MESSAGE QUEUE

MESSAGING SECURITY USING GLASSFISH AND OPEN MESSAGE QUEUE MESSAGING SECURITY USING GLASSFISH AND OPEN MESSAGE QUEUE OWASP AppSec USA 2011 Conference (@appsecusa / hashtag: #appsecusa) Srini Penchikala (@srinip) 09.23.11 GOALS AND SCOPE Goals: Messaging security

More information

Information Security Group Active-client based identity management

Information Security Group Active-client based identity management Active-client based identity management Chris Mitchell Royal Holloway, University of London www.chrismitchell.net 1 Acknowledgements This is joint work with Haitham Al-Sinani, also of Royal Holloway. 2

More information

Redbooks Paper. WebSphere Application Server V5 Architecture. Carla Sadtler

Redbooks Paper. WebSphere Application Server V5 Architecture. Carla Sadtler Redbooks Paper Carla Sadtler WebSphere Application Server V5 Architecture WebSphere Application Server is IBM 's implementation of the J2EE (Java 2 Enterprise Edition) platform, conforming to V1.3 of the

More information

Glossary of Key Terms

Glossary of Key Terms and s Branch Glossary of Key Terms The terms and definitions listed in this glossary are used throughout the s Package to define key terms in the context of. Access Control Access The processes by which

More information

Security Goals Services

Security Goals Services 1 2 Lecture #8 2008 Freedom from danger, risk, etc.; safety. Something that secures or makes safe; protection; defense. Precautions taken to guard against crime, attack, sabotage, espionage, etc. An assurance;

More information

CICS Web Service Security. Anthony Papageorgiou IBM CICS Development March 13, 2012 Session: 10282

CICS Web Service Security. Anthony Papageorgiou IBM CICS Development March 13, 2012 Session: 10282 Web Service Security Anthony Papageorgiou IBM Development March 13, 2012 Session: 10282 Agenda Web Service Support Overview Security Basics and Terminology Pipeline Security Overview Identity Encryption

More information

GlassFish Security. open source community experience distilled. security measures. Secure your GlassFish installation, Web applications,

GlassFish Security. open source community experience distilled. security measures. Secure your GlassFish installation, Web applications, GlassFish Security Secure your GlassFish installation, Web applications, EJB applications, application client module, and Web Services using Java EE and GlassFish security measures Masoud Kalali PUBLISHING

More information

Announcements. Comments on project proposals will go out by email in next couple of days...

Announcements. Comments on project proposals will go out by email in next couple of days... Announcements Comments on project proposals will go out by email in next couple of days... 3-Tier Using TP Monitor client application TP monitor interface (API, presentation, authentication) transaction

More information

Application Design and Development

Application Design and Development C H A P T E R9 Application Design and Development Practice Exercises 9.1 What is the main reason why servlets give better performance than programs that use the common gateway interface (CGI), even though

More information

RSA SecurID Ready Implementation Guide

RSA SecurID Ready Implementation Guide RSA SecurID Ready Implementation Guide Partner Information Last Modified: December 18, 2006 Product Information Partner Name Microsoft Web Site http://www.microsoft.com/isaserver Product Name Internet

More information