API-Security Gateway Dirk Krafzig



Intro

- Digital transformation accelerates application integration needs
  - Dramatically increasing number of integration points
  - Speed
  - Security
  - Industrial robustness
- Increasing importance of compliance requirements
  - IT-Sicherheitsgesetz
  - ISO 27001
- Traditional technologies are insufficient
  - Too slow
  - Insecure
  - Too expensive

One Box, Multiple Use Cases

- Smart ESB
- Public Interfaces
- Secure Cloud Access
- SSO
- Case Study: Multi-factor SSO
  - Requirements
  - Implementation patterns
  - Authentication factors: SIM, Certificate, Password
  - Best practices

One Box, Multiple Use Cases

Key Features
- XML Processing
- PKI
- Protocols: WS, REST
- Mediation
- Identity
- Security
- Monitoring / Auditing
- Zero Programming

Use Cases
- Smart ESB
- Public Interfaces
- Secure Cloud Access
- SSO

Smart ESB

The API gateway reveals its strengths at runtime.

                                Gateway   ESB
  Mediation                     ++        ++
  Security                      ++        +
  Governance                    ++        +
  Workflow                      -         +
  Integration with Dev-Tools    -         ++
  Learning Curve                ++        --
  Costs                         ++        -
  Speed (project delivery)      ++        -
  Performance                   ++        -

Public Interfaces

Requirements
- Highly visible
- Strategic impact, e.g. part of the digital strategy
- Multiple clients
- Huge number of individual users
- Access through the internet

Features
- Technology bridging: encapsulating internal systems and integrating with the client's technology
- Security: support multiple security mechanisms, protect against multiple attack vectors
- Versioning
- Governance
- Scalability
- Robustness

Secure Cloud Access

Requirements
- Usage of external services, e.g. billing engine, geo data
- Usage of systems of business partners
- Analytics integration

Features
- Protect against misuse: authentication, authorization, privacy
- Control potentially incurring costs: automated rules
- Governance: single point of control, logging

SSO

Requirements
- Login of different users: convenient, secure
- Multiple user stores
- Avoid changes to legacy systems
- Access through the internet

Features
- Standard protocols such as SAML and OAuth
- Security: support multiple security mechanisms, login workflows, security integration, multi-factor support
- Governance: single point of control, logging

One Box, Multiple Use Cases

- Smart ESB
- Public Interfaces
- Secure Cloud Access
- SSO
- Case Study: Multi-factor SSO
  - Requirements
  - Implementation patterns
  - Authentication factors: SIM, Certificate, Password
  - Best practices

Case Study: Multi-Factor SSO

Internet and intranet users shall use SalesForce.

Intranet users
- Based on identity in Active Directory
- Business role assigned (RBAC)
- Official desktop PC
- Seamless access
- Kerberos identity

Internet users
- Based on identity in Active Directory
- Business role assigned (RBAC)
- Smartphone, tablet, official desktop PC, any other PC
- SSL
- 2 factors:
  - SIM card + Windows PW
  - Certificate + Windows PW
  - Certificate + SIM card

Single Sign-on

User experience
- Seamless access to applications
- No book-keeping of log-in credentials

Security
- Avoid the post-it mentality
- Centralized mechanisms can be secured more efficiently

Costs
- Costs of account administration per user
- Maintenance of ID stores

Wikipedia: "Single sign-on is a property of access control of multiple related but independent software systems. With this property a user logs in once and gains access to all systems without being prompted to log in again at each of them."

Multi-Factor Authentication

- Protect the user against identity theft
- Apply multiple authentication factors
  - Secret, e.g. password
  - Possession, e.g. company hardware
  - Token, e.g. RSA token
  - Biometric factor, e.g. fingerprint

Wikipedia: "Multi-factor authentication is a method of computer access control which a user can pass by successfully presenting several separate authentication stages."

Addressing increasingly important requirements
- BYOD
- Access through the Internet
- Usage by non-employees

Multi-Factor SSO (sequence)

1) Open URL: start the service-provider-initiated SAML protocol
2) Redirect
3) Retrieve Kerberos (SPNEGO)
   Note 1: if a valid Kerberos ticket is available, then proceed with the intranet workflow.

Scenario: Intranet / Kerberos available
4.1) Retrieve roles (LDAP)
4.2) Redirect
4.3) Authorization

Scenario: Internet
   Note 2: if no valid Kerberos ticket is available, then proceed with the internet workflow.
5.1) Redirect
5.2) Redirect
5.3) Login
5.4) Redirect
5.5) Retrieve PIN (PIN: 1234)
5.6) Validate PIN
5.7) Redirect
5.8) Retrieve roles (LDAP)
5.9) Redirect
5.10) Authorization

Scenario: Internet (enhanced)
   Note 3: alternative, more convenient scenario if a personalized certificate is available.
6.1) Retrieve certificate
6.2) Check certificate
6.3) Redirect
6.4) Redirect
6.5) Retrieve roles (LDAP)
6.6) Redirect
6.7) Authorization
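The three workflows of the sequence above, together with the factor combinations from the case-study table (password as the secret, SIM PIN or personal certificate as the possession factor from the Multi-Factor Authentication slide), as an added Python simulation. This is not the gateway product's code and does not come from the deck: the user store, the accepted Kerberos tickets, the trusted certificate subjects and the SMS outbox are constructed stand-ins for Active Directory/LDAP, the SPNEGO validation, the PKI check and the SIM authentication server; the Assertion class stands in for the SAML assertion of the final redirect; the enhanced scenario is paired with the Windows password as its second factor (one of the table's combinations, chosen here as an assumption); and a random six-digit PIN replaces the 1234 shown on the slide.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

MAX_PIN_ATTEMPTS = 3

def _pw_hash(password: str, salt: str) -> str:
    # Salted SHA-256 keeps the simulation dependency-free; a real store uses a slow KDF.
    return hashlib.sha256((salt + password).encode()).hexdigest()

USERS = {  # constructed identity store standing in for Active Directory/LDAP (roles = RBAC roles)
    "alice": {"salt": "s1", "pw": _pw_hash("Winter2016!", "s1"), "roles": ["crm-user", "sales"], "msisdn": "+49-170-1"},
    "bob": {"salt": "s2", "pw": _pw_hash("Pa55word", "s2"), "roles": ["crm-user"], "msisdn": "+49-170-2"},
}
VALID_KERBEROS_TICKETS = {"krb-ticket-alice": "alice"}  # constructed: what SPNEGO validation accepts
TRUSTED_CERTS = {"CN=alice,O=Example Corp": "alice"}    # constructed: subjects the PKI check trusts

@dataclass
class Session:
    state: str = "start"          # start -> need_password -> need_pin -> done | failed
    user: Optional[str] = None
    factors: list = field(default_factory=list)
    pin: Optional[str] = None
    pin_attempts: int = 0

@dataclass
class Assertion:                  # stand-in for the SAML assertion of the final redirect
    subject: str
    roles: list
    factors: list

class Gateway:
    def __init__(self):
        self.sms_outbox = {}      # msisdn -> PIN: what the SIM/SMS server would deliver

    def _finish(self, session, user):
        # Steps 4.1 / 5.8 / 6.5: roles are read from the directory only after all factors passed.
        session.state, session.user = "done", user
        return Assertion(user, list(USERS[user]["roles"]), list(session.factors))

    def open_url(self, session, kerberos_ticket=None, cert_subject=None):
        """Steps 1-3: the SP-initiated SAML request lands at the gateway, which tries SPNEGO first."""
        user = VALID_KERBEROS_TICKETS.get(kerberos_ticket)
        if user:                                     # intranet workflow (4.1-4.3)
            session.factors = ["kerberos"]
            return self._finish(session, user)
        user = TRUSTED_CERTS.get(cert_subject)
        if user:                                     # enhanced internet workflow (6.1-6.2)
            session.user, session.factors = user, ["certificate"]
        session.state = "need_password"              # internet workflow continues at 5.3
        return {"challenge": "password"}

    def login(self, session, username, password):
        """Step 5.3: Windows password, compared in constant time via its salted hash."""
        if session.state != "need_password":
            return {"error": "unexpected step"}
        if session.user is not None and session.user != username:
            session.state = "failed"                 # certificate subject must match the login name
            return {"error": "denied"}
        rec = USERS.get(username)
        if rec is None or not hmac.compare_digest(rec["pw"], _pw_hash(password, rec["salt"])):
            session.state = "failed"
            return {"error": "denied"}
        session.factors.append("password")
        if "certificate" in session.factors:         # certificate + password: both factors done
            return self._finish(session, username)
        # Steps 5.4-5.5: second factor via the user's SIM; a fresh random PIN bound to this session.
        session.user, session.state = username, "need_pin"
        session.pin = f"{secrets.randbelow(10**6):06d}"
        self.sms_outbox[rec["msisdn"]] = session.pin
        return {"challenge": "pin"}

    def validate_pin(self, session, pin):
        """Step 5.6: verify the PIN with a bounded number of attempts."""
        if session.state != "need_pin":
            return {"error": "unexpected step"}
        session.pin_attempts += 1
        if hmac.compare_digest(session.pin, pin):
            session.factors.append("sim")
            return self._finish(session, session.user)   # steps 5.7-5.10
        if session.pin_attempts >= MAX_PIN_ATTEMPTS:
            session.state = "failed"
            return {"error": "locked"}
        return {"challenge": "pin"}

def run_demo():
    """Runs the three scenarios of the deck and returns their assertions."""
    gw = Gateway()
    intranet = Session()
    a1 = gw.open_url(intranet, kerberos_ticket="krb-ticket-alice")
    internet = Session()
    gw.open_url(internet)
    gw.login(internet, "bob", "Pa55word")
    a2 = gw.validate_pin(internet, gw.sms_outbox[USERS["bob"]["msisdn"]])   # user reads PIN from phone
    enhanced = Session()
    gw.open_url(enhanced, cert_subject="CN=alice,O=Example Corp")
    a3 = gw.login(enhanced, "alice", "Winter2016!")
    return a1, a2, a3
```

Three points carry over to a real gateway configuration: the LDAP role lookup happens only after every required factor has passed, so a half-authenticated session never learns its authorizations; the PIN is generated per session and compared in constant time with a small attempt limit; and the certificate subject is tied to the login name, so a valid certificate cannot be combined with someone else's password.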

Success Factors

Easily define authentication workflows
- No programming!
- Keep up with changing requirements
- Fine-tune the user experience
- Case study: requirements changed literally one day before going live

Success Factors

Bridge technology gaps
- Support any kind of encryption technology according to the needs of the involved systems
- Easily map one technology to another
- Case study: the server for SIM authentication had particular requirements for the SAML format

Success Factors

Built-in PKI
- Support the PKI life cycle, for example quickly generate / sign keys for testing purposes
- Case study: warnings for the expiration of certificates were extremely helpful

Success Factors

Monitoring
- Web console: monitor events as they occur
- Log file
- SNMP integration
- Case study: extremely useful for debugging

Success Factors

Zero programming
- Allows working with data centre staff
- No learning curve for the team
- Case study: just a few days of consulting were needed to select the appropriate approach and deliver the best-practice configuration (and of course to deliver the documentation ;-)

Success Factors

Prepare for ever-changing personnel
- User-friendly GUI
- Task-oriented, on-the-spot documentation
- Quick guides for fast familiarization with the job
- Allow the deputy of the deputy to do basic tasks:
  - Check sanity of the API gateway
  - Start / stop
  - Access log
  - Identify security breaches
- Push into the mainstream of data centre tasks (firewall and router configuration)

Thank you!