Security in application integration - PowerPoint PPT Presentation

About This Presentation
Title:

Security in application integration

Description:

Accounting. All operations performed by users are logged. Non-repudiation ... Client software used (fewer vulnerabilities) ... – PowerPoint PPT presentation

Number of Views:54
Avg rating:3.0/5.0
Slides: 24
Provided by: karino7
Category:

less

Transcript and Presenter's Notes

Title: Security in application integration


1
Security in application integration
  • Kari Nordström

2
Topics
  • Objectives
  • Application integration
  • Enterprise Application Integration EAI
  • Business-to-Business integration B2Bi
  • Information security
  • Basic concepts ideas
  • Network security
  • Segmented networks
  • Security of application integration systems
  • Results

3
Background and objectives of the thesis
  • Find out the current level of security in the
    application integration systems of a certain
    company
  • Conduct security reviews with a panel of experts
  • Make suggestions on improving the security level
    based on findings
  • Implement improvements if possible
  • Supervisor Docent Timo O. Korhonen

4
Application Integration
  • Integrating various applications enables
    information sharing between applications and
    organisations, not between people
    (System-to-System connections)
  • Internal and external integration
  • EAI B2Bi
  • Traditionally integration has dealt with sharing
    business data and documents
  • B2Bi is usually used for exchanging business
    documents
  • EAI integrates applications to work together,
    data can be gathered from various sources
    (applications) before processing

5
Application integration platforms in the company
6
Enterprise Application Integration (1/2)
  • Integration within a single enterprise
  • A centralised integration solution
  • Error handling, monitoring, cost savings over time

7
Enterprise Application Integration (2/2)
  • Integrating diverse applications requires
    transformations between formats
  • Processing and / or enrichment of data is also
    required in some integrations (defined in the
    workflow)

8
Business-to-business integration
  • Integration between separate enterprises (partner
    integration)
  • Business data, demand / supply planning
  • B2Bi relies on standards, otherwise it would be
    very cumbersome to connect to other companies,
    each using their own data formats and processes
  • Two B2Bi platforms used in the company
  • EDI, Electronic Data Interchange
  • RosettaNet

9
Electronic Data Interchange (1/3)
  • EDI is the granddaddy of all B2Bi systems
  • Designed to automate exchanging business
    documents ? a quicker and cheaper way
  • Dates back all the way to the 1960s, in active
    use since the 1980s
  • Two main standards in use
  • EDIFACT (EDI For Administration, Commerce and
    Transport)
  • ANSI X12

10
VAN-based EDI (2/3)
  • VAN (Value Added Network) operators used to relay
    messages
  • An electronic post office

11
Internet EDI (3/3)
  • EDI-INT has been thought up to eliminate VAN
    costs to companies
  • Standards used
  • AS1 (SMTP)
  • AS2 (HTTP)
  • AS3 (FTP)
  • The basic idea sending EDI messages directly to
    trading partners over the Internet

12
RosettaNet (1/2)
  • XML-based integration standard
  • Developed and maintained by the RosettaNet
    Consortium, a non-profit organisation of more
    than 500 corporations
  • Integrations are based on Partner Interface
    Processes (PIP), which define how data is
    processed and the sequence of transactions
    between trading partners
  • RosettaNet Implementation Framework (RNIF)
    describes the basic architecture (RNIF 1.1 2.0)
  • Document Type Definition (DTD) describes the
    format of messages and data

13
RosettaNet (2/2)
  • RosettaNet aims in integrating the whole supply
    chain, not just passing business documents
  • Marketed as more flexible and easier to implement
    than EDI
  • Using VANs actually makes EDI more simple than
    RosettaNet where companies need to implement all
    connections themselves

14
Information security
  • Traditional way to model information security CIA

15
General security concepts
  • Authentication
  • Making sure the user is who she claims to be
  • Authorisation
  • Giving an authenticated user the right to do
    something
  • Accounting
  • All operations performed by users are logged
  • Non-repudiation
  • If a user performs a task, she cant later deny
    having done so, the system also cant later deny
    the users action
  • Antivirus protection
  • Protecting computers and network elements against
    malicious software
  • Cryptography
  • Scrambling information in a way that only the
    correct recipient can decipher it

16
Network security
  • Host security vs. network security
  • Systems are protected on the network level by
    controlling network traffic
  • More cost-effective than host security
  • Typical misconception network security
    firewalls
  • Firewalls are a central part of network security,
    but there are numerous other things to consider
    (understanding the network architecture is key)

17
A few key security strategies
  • Use multiple, diverse layers of security
  • Give the lowest possible rights to users
  • Deny everything thats not explicitly allowed
  • Use choke points to monitor traffic
  • KISS Keep It Simple, Stupid
  • Make users aware of security issues!
  • The human factor is often the weakest link in
    security

18
Network segmentation
  • A new network architecture in the company that
    divides an internal network into smaller parts
    called cells
  • Naturally also affects AI systems
  • In practice more firewalls

19
Security requirements for application integration
systems
  • An AI system is central and crucial in any
    network that has one
  • Connected to many other systems ? attacker could
    gain access to virtually the whole network if
    e.g. the EAI system is hacked
  • Availability requirements are very high
  • Many other systems are dependant on integration
    systems

20
Results of the security reviews
  • Risk level is high for all three systems
  • Security implementations do not match the current
    requirements
  • Requirements have changed significantly from the
    1990s
  • RosettaNet was found more secure than EAI and EDI
  • Age, standardisation, segmented network
  • EDIs problem is the number of unknown factors
  • VAN operator responsible for most of the
    implementation
  • EAIs biggest problem is the lack of security
    standards

21
EAI security improvements
  • User management (no super-users) ? access control
  • Certain authentication issues have been addressed
  • A component was not authenticating connections
    properly
  • Client software used (fewer vulnerabilities)
  • The migration to new architecture will bring
    major advancements in the security of the system
  • Border security
  • Hosts have been hardened

22
B2Bi security improvements
  • Its hard to fundamentally change security
    implementations in standardised systems
  • User management has been improved vastly in EDI
  • EDI will also be migrated into new architecture
    (RosettaNet has already been migrated)
  • RNIF specifies many security features, such as
    various forms of encryption, digital certificates
    and checksums
  • They just werent always used in the company ?
    new policy

23
Any questions or comments?
  • If not, thank you!
Write a Comment
User Comments (0)
About PowerShow.com
Home About Us Terms and Conditions Privacy Policy Presentation Removal Request Contact Us
Copyright 2024 CrystalGraphics, Inc. — All rights Reserved. PowerShow.com is a trademark of CrystalGraphics, Inc.
The PowerPoint PPT presentation: "Security in application integration" is the property of its rightful owner.
Do you have PowerPoint slides to share? If so, share your PPT presentation slides online with PowerShow.com. It's FREE!