Key Issues in Extranet Security - Sumner Blount, Senior Manager

1
Key Issues in Extranet Security
Sumner Blount, Senior Manager
2
Key Issues in Extranets
  • Security - how to limit access to sensitive
    information to properly authorized people.
  • Authentication - who are you?
  • Authorization - what are you allowed to do?
  • Directories - how to track and manage users,
    whether they are employees, partners, or
    customers.

3
Key Issue: Extranet Security - Why is it so critical?
  • Your family jewels are heavily exposed! Your
    business information and processes could be your
    competitive advantage
  • Partner relationships are dynamic - today your
    partner, tomorrow your competitor.
  • Your partner companies are multi-faceted - one
    division might be a partner, another a
    competitor.
  • Each partner must see a personalized view of
    corporate resources

4
Extranet Authentication Requirements
[Figure: pyramid of authentication methods, broadest at the base and highest value at the apex; axis labels "Deployment Cost and User Adoption" and "of Apps and Users"]
  • Biometric techniques (iris, prints, face, ...) - Highest Value
  • Tokens (e.g. X509v3 smart cards) - High Value Transactions
  • Software Tokens (e.g. X509v3 Certificates) - Sensitive Access
  • Username/Passwords (LDAP, RADIUS) - Basic Authenticated Access
  • Variety of methods is required
  • Combinations and fallback methods are required.
  • Authentication method based on sensitivity of
    resource
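The three bullets above describe a policy, so here is one written out as an added example (not code from the presentation): each resource names the method combinations that may unlock it, later entries act as fallbacks when the preferred credential is unavailable, and a caller who has authenticated too weakly is told exactly which step-up is needed. The method names, resource paths and policy entries are constructed for illustration.

```python
# Added example, not from the presentation: resource sensitivity mapped to
# acceptable authentication combinations, with fallbacks and step-up.
# Method names, resources and policy entries are constructed for illustration.
from typing import Dict, FrozenSet, List, Sequence, Tuple

# The methods on the slide's pyramid, weakest (base) to strongest (apex).
STRENGTH: Dict[str, int] = {
    "password": 1,     # username/password checked against LDAP or RADIUS
    "soft_token": 2,   # X.509v3 certificate held in software
    "hard_token": 3,   # X.509v3 certificate on a smart card
    "biometric": 4,    # iris, fingerprint, face
}

# Constructed policy: for each resource, the combinations that satisfy it in
# order of preference. Later entries are fallbacks, e.g. a user without a
# smart card reader may still reach /payments/transfer with a software
# certificate plus a password. Methods are matched by name, not substituted.
POLICY: Dict[str, List[FrozenSet[str]]] = {
    "/catalog":           [frozenset({"password"})],
    "/orders":            [frozenset({"soft_token"}),
                           frozenset({"password", "hard_token"})],
    "/payments/transfer": [frozenset({"hard_token"}),
                           frozenset({"soft_token", "password"})],
    "/hr/salary":         [frozenset({"biometric", "hard_token"})],
}


def check_authentication(resource: str,
                         presented: Sequence[str]) -> Tuple[str, FrozenSet[str]]:
    """Decide whether the methods already used are enough for `resource`.

    Returns ("allow", combination matched), ("step-up", methods still
    needed) or ("deny", empty set). Unknown resources and unknown method
    names are denied rather than silently treated as the weakest tier.
    """
    if resource not in POLICY:
        return ("deny", frozenset())
    have = frozenset(presented)
    if not have.issubset(STRENGTH):
        return ("deny", frozenset())
    for combo in POLICY[resource]:
        if combo <= have:
            return ("allow", combo)
    # Step-up: choose the acceptable combination that needs the fewest extra
    # factors, then the cheapest ones to obtain, then the policy's own order.
    candidates = [(len(combo - have),
                   sum(STRENGTH[m] for m in combo - have),
                   rank,
                   combo - have)
                  for rank, combo in enumerate(POLICY[resource])]
    _, _, _, missing = min(candidates)
    return ("step-up", missing)


if __name__ == "__main__":
    for res, used in [("/catalog", ["password"]),
                      ("/payments/transfer", ["password"]),
                      ("/payments/transfer", ["password", "soft_token"]),
                      ("/hr/salary", ["hard_token"])]:
        verdict, detail = check_authentication(res, used)
        print(f"{res:20} with {sorted(used)} -> {verdict} {sorted(detail)}")
```

The policy lives in one table rather than in each application, which is what lets the same user be asked for a smart card at the payments page and only a password at the catalogue without either application knowing about the other.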

5
Extranet Access Control Requirements
  • Provide Higher-level abstraction than ACLs
  • Easier to deal with Rules and Policies
  • Centralized management of all user privileges
    across all servers
  • Developers are re-inventing the access control
    wheel in every application (sessions, SSO,
    app-specific privileges)
  • Must allow integration of access control with
    business logic, for dynamic rule enforcement.
  • Provide permissions on sub-page objects
  • Allows easy personalization of content
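The requirements above (rules instead of ACLs, central management, business-logic hooks, sub-page permissions, personalization) are easier to see in a concrete engine, so here is a small one as an added example, not the presentation's or any product's code. The users, paths, rules and the contract table are all constructed; the design choice that the most specific rule wins is mine.

```python
# Added example, not from the presentation: a centralized policy engine that
# evaluates rules over user attributes instead of per-server ACLs, grants
# permissions on sub-page objects, and lets a rule consult business logic.
# Users, paths, rules and the contract table are constructed.
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Sequence


@dataclass(frozen=True)
class User:
    name: str
    company: str
    division: str
    roles: FrozenSet[str]


@dataclass(frozen=True)
class Rule:
    """Grants `actions` on `prefix` and everything beneath it when `condition` holds."""
    prefix: str
    actions: FrozenSet[str]
    condition: Callable[[User, dict], bool]
    note: str


# Business data the rules consult at decision time (constructed). Changing a
# partner's tier here changes their access everywhere, with no application edits.
CONTRACTS: Dict[str, str] = {"Acme": "gold", "Beta": "silver"}
CTX = {"contracts": CONTRACTS}

RULES: List[Rule] = [
    Rule("/partners/pricing", frozenset({"read"}),
         lambda u, ctx: "partner" in u.roles,
         "every partner may read the price list"),
    Rule("/partners/pricing/volume-discounts", frozenset({"read"}),
         lambda u, ctx: "partner" in u.roles
         and ctx["contracts"].get(u.company) == "gold",
         "sub-page object gated by business logic: gold-tier contracts only"),
    Rule("/partners/forecast", frozenset({"read", "write"}),
         lambda u, ctx: "partner" in u.roles and u.division != "competing",
         "a partner company's competing division gets nothing here"),
]


def _covers(rule: Rule, resource: str) -> bool:
    return resource == rule.prefix or resource.startswith(rule.prefix + "/")


def is_permitted(user: User, action: str, resource: str, ctx: dict) -> bool:
    """Deny by default; the most specific matching rule (longest prefix)
    decides, so a sub-page rule can narrow what its parent page allows."""
    applicable = [r for r in RULES if _covers(r, resource)]
    if not applicable:
        return False
    rule = max(applicable, key=lambda r: len(r.prefix))
    return action in rule.actions and rule.condition(user, ctx)


def personalize(user: User, objects: Sequence[str], ctx: dict) -> List[str]:
    """Keep only the page objects this user may read: one page, many views."""
    return [o for o in objects if is_permitted(user, "read", o, ctx)]


# Constructed page and users for the demonstration.
PAGE_OBJECTS = ["/partners/pricing",
                "/partners/pricing/volume-discounts",
                "/partners/forecast"]
ACME_SALES = User("alice", "Acme", "sales", frozenset({"partner"}))
BETA_SALES = User("bob", "Beta", "sales", frozenset({"partner"}))
ACME_COMPETING = User("carol", "Acme", "competing", frozenset({"partner"}))

if __name__ == "__main__":
    for u in (ACME_SALES, BETA_SALES, ACME_COMPETING):
        print(u.name, personalize(u, PAGE_OBJECTS, CTX))
```

Note that the partner-turned-competitor case from slide 3 is handled in two places: the division check in the forecast rule, and the contract table the discount rule reads at request time, so a downgraded partner loses access the moment the business record changes.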

6
Why Can't Existing Technologies Provide This?
  • Web Servers
      • Lack of centralized access control
      • No sub-page level access control
  • Directories
      • Provide an object information namespace and
        baseline authentication services
      • SSO, personalization need to be custom-built
  • Application Servers
      • Cannot manage access across very large user
        populations
      • Access control is different across App. Server
        platforms
  • PKI
      • Provides strong authentication, encryption, and
        signatures
      • Does not provide a general-purpose authorization
        model

7
The Challenge: Securely Managing e-Business Web Sites and Applications
[Figure: an e-Business Web Site spanning five areas - Intranet, E-Commerce Applications, Supply Chain Management, Channel Management, Customer Services - each labelled a separate "Security Island". Applications shown: 401K, HR, Asset Management, Sales Forecast, Competitive Analysis, Negotiation, Reverse Auction, Decision Optimization, Catalog Mgmt, Contract Mgmt, Inventory, Pricing, Sales Forecasting, Pipeline Reporting, Quoting, Virtual StoreFront, Product Catalogs, Auctions, Configurators, Pricing, Ask the Expert, KnowledgeBase, Order Accessories, Product Updates, Schedule Service]
8
The Solution: Centralize Privilege Management
[Figure: the same e-Business Web Site, areas and applications as in slide 7, now without the separate "Security Island" labels]
9
Economies of Scale
  • Shared Services Benefits
      • Rapidly re-build and/or enhance web sites
      • Reduces costs
      • Reduces complexity
      • Ensures scalability

[Chart: Time/Cost against Number of Applications or Business Functions, comparing "Application Specific Security" with "Security as a Shared Service"]
10
Critical Issue: Directories
  • A directory is a repository of information about
    objects (primarily users, but also resources,
    devices, applications) and their attributes.
  • Key directory issues
      • Information storage - what information should be
        in the directory?
      • Application-specific vs centralized, global
        directories
      • Integration with security infrastructure

11
Directory Issues: Information Storage
  • Directories are good at
      • Storing relatively static information (names,
        locations)
      • Fast read operations
  • Databases are good at
      • Handling dynamic, or large amounts of, data
      • Data with high write/read ratios

12
Current Directory Situation
  • On average, a corporate user name appears in 16
    different places, each of which must be
    administered - PC Week
  • The average Fortune 1000 company has 181
    directories, and 42% synchronize their
    directories manually - Forrester

[Figure: the same user recorded separately in several stores - HR (Name, Org, Title, Salary), Partners (Name, Company, Security), Email (Name, Email), Other Apps (Name, etc., etc.)]
13
Directories - What's the Payback? The cost of doing nothing
[Table: rows Dir-1, Dir-2, ..., Dir-n; columns Config, Admin, Training, Maintenance; Total: Lots of $s]
14
ROI: The Cost of Redundant Directory Administration
  • An example of directory administrative costs
  • Assumptions
      • Directories: 6
      • Users: 25,000
      • Turnover: 20%
      • Edit time: 15 min

Source: The Burton Group
15
Eliminating the Directory Proliferation Problem
  • Implement centralized (not application-specific)
    directories
  • Make sure that your security solution integrates
    natively with your existing directories (no
    embedded databases)
  • Make sure it can support different types of
    directories (for different types of users)

16
Key Takeaways
  • Good Web Security requires
      • Strong authentication
      • Centralized, policy-based management of all user
        access
      • Granular access control
      • Native directory integration
      • Scalable architecture