BellSouth Distributed Object Security Requirements

1
BellSouth Distributed Object Security Requirements

• Sam Lumpkin
• BellSouth Enterprise Security

2
Where We Would Like To Be

• Reduce the Number of Authenticators
• Security services will implement enterprise wide
  authentication techniques that will reduce the
  number of logins through the use of X.509
  certificates.
• Access Control
• Access control mechanisms associated with user
  profiles will be mobile (follow user), will be
  utilized more in the mid-range and desktop
  environments to provide required access, and will
  restrict access that is not required.
• Confidentiality
• Sensitive data will be protected in transit both
  on the Internet and Intranet, and during storage
  especially on mobile computing devices. Data
  integrity services will also be available.
• Security Management
• Security management will be provided through the
  tools in this Security Architecture and through
  the Network and Systems Management standard
  frameworks .

3
Where We Would Like To Be

• X.509 digital certificates for authentication.
• Directory services to provide mobility for user
  and computing profile information, and reduce
  some of the complexity in managing profiles.
• Smart card technology, integrated with directory
  services, to provide portability and improved
  personal accountability to digital certificates.

4
Where We Would Like To Be

• Encryption for persistent data.
• Encryption for sensitive data in transit.
• VPNs to facilitate access via the public
  Internet.

5
Where We Are Today - Access Control

• ACF2 security on mainframes
• Kerboros security on Unix
• Windows security on PCs
• Locally written system for managing user profiles
• 70 badge entry systems
• Locally maintained access control lists for most
  distributed systems.
• Various locally written security mechanisms
• Token authentication for dialup, internet, etc.

6
Where We Are Today - Servers

• Lots-O-Mainframes
• IBM with ACF2
• Unisys with ???
• Unix (with and without) Kerboros
• Sun
• HP
• Other (AIX, Linux, etc.)
• Windows NT (security?)

7
Where We Are Today - Networks

• Switched Packet Network
• Async
• Bisync
• Fiber
• etc.
• Ethernet with filtering routers, switching hubs,
  etc.
• TCP/IP
• OSI
• VTAM

8
Where We Are Today - Desk/Palm-top

• X-Terminals
• Network Terminals/PCs
• Windows NT Workstation
• PDAs
• PalmPilot (wired and wireless)
• Windows CE
• Windows 98 on hardened wireless PCs

9
Challenges We Face

• Integration with the Big N (telecommunications)
  network.
• Numerous large, complex, very critical legacy
  applications.
• A complex regulatory structure.
• Affiliates, with very different architectures and
  infrastructures, who have only recently been
  allowed to work together.

10
Challenges We Face

• Specialized problems
• Telecom switches and adjunct processors.
• Wireless communications, Palm VIIs, RIM pagers,
  etc.
• Mandated external access to our provisioning and
  trouble reporting/tracking systems on parity with
  our own.

11
What Do We Need From You?

• Interoperability
• Scalability
• Specialized solutions for low bandwidth areas
  like wireless.
• Automated, scriptable administration - GUIs are
  nice, but not scalable.
• The solution must be deployable across diverse
  environments.
• Standards without required options