Title: Key Issues in Extranet Security
Sumner Blount, Senior Manager
Slide 2: Key Issues in Extranets
- Security: how to limit access to sensitive information to properly authorized people.
  - Authentication: who are you?
  - Authorization: what are you allowed to do?
- Directories: how to track and manage users, whether they are employees, partners, or customers.
Slide 3: Key Issue: Extranet Security. Why is it so critical?
- Your family jewels are heavily exposed! Your business information and processes could be your competitive advantage.
- Partner relationships are dynamic: today your partner, tomorrow your competitor.
- Your partner companies are multi-faceted: one division might be a partner, another a competitor.
- Each partner must see a personalized view of corporate resources.
Slide 4: Extranet Authentication Requirements
[Figure: tiered chart of authentication methods, plotted against deployment cost and user adoption on one axis and the number of apps and users on the other.]
  Highest value:              Biometric techniques (iris, prints, face, ...)
  High value transactions:    Tokens (e.g. X.509v3 smart cards)
  Sensitive access:           Software tokens (e.g. X.509v3 certificates)
  Basic authenticated access: Username/passwords (LDAP, RADIUS)
- A variety of methods is required.
- Combinations and fallback methods are required.
- The authentication method is chosen based on the sensitivity of the resource.
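To make the last bullet concrete, here is an added example (not code from the presentation) of choosing the required authentication level from the sensitivity of the resource, accepting a fallback combination of methods, and telling the user which step-up would satisfy the policy. The level numbers, method names, combination policy and resource catalogue are assumptions; unknown resources fail closed to the highest level.

```python
"""Pick the authentication method by resource sensitivity, with fallback
combinations and step-up.  Added example, not code from the presentation;
the level numbers, method names, combination policy and resource catalogue
are assumptions chosen to illustrate the slide."""

# Assurance level per method, in the order of the slide's tiers (assumed numbering).
LEVELS = {
    "password": 1,        # username/password checked against LDAP or RADIUS
    "software_token": 2,  # X.509v3 certificate held in software
    "hardware_token": 3,  # X.509v3 smart card
    "biometric": 4,       # iris, fingerprint, face
}

# Minimum level required by each sensitivity class on the slide (assumed mapping).
SENSITIVITY_LEVEL = {
    "basic": 1,
    "sensitive": 2,
    "high_value": 3,
    "highest_value": 4,
}

# Constructed resource catalogue: the longest matching URL prefix wins.
RESOURCES = {
    "/catalog/": "basic",
    "/partners/pricing/": "sensitive",
    "/partners/contracts/": "high_value",
    "/finance/forecast/": "highest_value",
}

# Fallback policy (assumed): a certificate plus a password is accepted in
# place of a smart card, e.g. for a user without a card reader.
COMBINATIONS = {
    frozenset({"password", "software_token"}): 3,
}


def classify(path):
    """Sensitivity class of a path; paths not in the catalogue fail closed."""
    matches = [prefix for prefix in RESOURCES if path.startswith(prefix)]
    if not matches:
        return "highest_value"
    return RESOURCES[max(matches, key=len)]


def session_level(methods):
    """Highest assurance level reached by the methods completed so far."""
    held = frozenset(methods)
    level = max((LEVELS[m] for m in held if m in LEVELS), default=0)
    for combo, combo_level in COMBINATIONS.items():
        if combo <= held:
            level = max(level, combo_level)
    return level


def step_up_options(required, methods):
    """Methods the user could still complete to reach the required level."""
    held = frozenset(methods)
    options = set()
    for method, level in LEVELS.items():
        if level >= required and method not in held:
            options.add((method,))
    for combo, level in COMBINATIONS.items():
        missing = tuple(sorted(combo - held))
        if level >= required and missing:
            options.add(missing)
    return sorted(options)


def decide(path, methods):
    """Allow the request, or list the additional authentication that would allow it."""
    required = SENSITIVITY_LEVEL[classify(path)]
    have = session_level(methods)
    return {
        "allow": have >= required,
        "required": required,
        "have": have,
        "step_up": [] if have >= required else step_up_options(required, methods),
    }


if __name__ == "__main__":
    print(decide("/partners/contracts/77", {"password"}))
    print(decide("/partners/contracts/77", {"password", "software_token"}))
```

The point of returning the step-up options rather than a bare deny is that the site can prompt for the cheapest acceptable method (here, presenting a certificate on top of an existing password login) instead of forcing every partner onto smart cards.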
Slide 5: Extranet Access Control Requirements
- Provide a higher-level abstraction than ACLs
  - Easier to deal with rules and policies
- Centralized management of all user privileges across all servers
  - Developers are re-inventing the access control wheel in every application (sessions, SSO, app-specific privileges)
- Must allow integration of access control with business logic, for dynamic rule enforcement
- Provide permissions on sub-page objects
  - Allows easy personalization of content
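The following is an added example, not the product the presentation describes, of the kind of central policy check these requirements call for: rules over user attributes instead of per-server ACLs, permissions on sub-page objects so a page can be personalized, and a request context supplied by the business logic so a rule can be enforced dynamically. The rule set, users and context fields are assumptions.

```python
"""A centralized, policy-based access control check with sub-page object
permissions and a business-logic hook.  Added example, not the product the
presentation describes; the rule set, users and request context are assumptions."""

from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class User:
    name: str
    company: str
    roles: frozenset
    attrs: dict = field(default_factory=dict)


@dataclass
class Rule:
    resource: str                        # URL prefix the rule covers
    object_id: Optional[str]             # None = the page itself, else a sub-page object
    allow: Callable[[User, dict], bool]  # predicate over the user and request context


# Constructed policy.  Rules only grant; anything not granted is denied.
POLICY = [
    Rule("/partners/", None, lambda u, ctx: bool(u.roles & {"partner", "employee"})),
    Rule("/intranet/", None, lambda u, ctx: "employee" in u.roles),
    # Sub-page objects: the discount table is only for gold-tier partners,
    # the competitive analysis block is internal only.
    Rule("/partners/pricing", "discount_table", lambda u, ctx: u.attrs.get("tier") == "gold"),
    Rule("/partners/pricing", "competitive_analysis", lambda u, ctx: "employee" in u.roles),
    # Dynamic rule: the business logic passes which company the contract
    # belongs to, and the policy compares it with the caller's company.
    Rule("/partners/contracts", "contract_terms",
         lambda u, ctx: ctx.get("contract_company") == u.company),
]

# Constructed users: one employee and two partners from different companies.
ALICE = User("alice", "Example Corp", frozenset({"employee"}))
BOB = User("bob", "Acme", frozenset({"partner"}), {"tier": "gold"})
CAROL = User("carol", "Widgetco", frozenset({"partner"}), {"tier": "silver"})


def _granted(policy, user, path, object_id, ctx):
    """True/False if some rule covers this path and object, None if none does."""
    rules = [r for r in policy if path.startswith(r.resource) and r.object_id == object_id]
    if not rules:
        return None
    return any(r.allow(user, ctx) for r in rules)


def page_allowed(policy, user, path, ctx=None):
    """Page-level decision: a page rule must match and grant; default deny."""
    return bool(_granted(policy, user, path, None, ctx or {}))


def render_plan(policy, user, path, objects, ctx=None):
    """Visibility of each sub-page object.  Objects with their own rules need
    a grant, objects without one inherit the page decision, and nothing is
    shown when the page itself is denied."""
    ctx = ctx or {}
    if not page_allowed(policy, user, path, ctx):
        return {obj: False for obj in objects}
    plan = {}
    for obj in objects:
        verdict = _granted(policy, user, path, obj, ctx)
        plan[obj] = True if verdict is None else verdict
    return plan


if __name__ == "__main__":
    blocks = ["header", "discount_table", "competitive_analysis"]
    for who in (ALICE, BOB, CAROL):
        print(who.name, render_plan(POLICY, who, "/partners/pricing/q1", blocks))
```

Every application calls the same `render_plan` with the objects it is about to render, so the privilege logic lives in one place rather than in each application's session code. The example has no deny rules; a real policy language needs them, and needs a defined precedence between grants and denies, before it can express "everyone in the partner division except the competing unit".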
Slide 6: Why Can't Existing Technologies Provide This?
- Web servers
  - Lack centralized access control
  - No sub-page level access control
- Directories
  - Provide an object information namespace and baseline authentication services
  - SSO and personalization need to be custom-built
- Application servers
  - Cannot manage access across very large user populations
  - Access control is different across application server platforms
- PKI
  - Provides strong authentication, encryption, and signatures
  - Does not provide a general-purpose authorization model
Slide 7: The Challenge: Securely Managing e-Business Web Sites and Applications
[Figure: an e-Business Web Site fronting five application areas (Intranet, E-Commerce Applications, Supply Chain Management, Channel Management, Customer Services), each drawn as its own "Security Island". Applications shown include: 401K, HR, Asset Management, Sales Forecast, Competitive Analysis; Negotiation, Reverse Auction, Decision Optimization, Catalog Mgmt, Contract Mgmt; Inventory, Pricing, Sales Forecasting, Pipeline Reporting, Quoting; Virtual StoreFront, Product Catalogs, Auctions, Configurators, Pricing; Ask the Expert, KnowledgeBase, Order Accessories, Product Updates, Schedule Service.]
Slide 8: The Solution: Centralize Privilege Management
[Figure: the same e-Business Web Site and application areas (Customer Services, Intranet, E-Commerce Applications, Supply Chain Management, Channel Management) and the same applications as the previous slide, now without the per-application "Security Island" labels: privileges are managed centrally.]
Slide 9: Economies of Scale
- Shared services benefits
  - Rapidly re-build and/or enhance web sites
  - Reduces costs
  - Reduces complexity
  - Ensures scalability
[Figure: chart of Time/Cost against Number of Applications or Business Functions, comparing Application Specific Security with Security as a Shared Service.]
Slide 10: Critical Issue: Directories
- A directory is a repository of information about objects (primarily users, but also resources, devices, applications) and their attributes.
- Key directory issues
  - Information storage: what information should be in the directory?
  - Application-specific vs. centralized, global directories
  - Integration with the security infrastructure
Slide 11: Directory Issues: Information Storage
- Directories are good at
  - Storing relatively static information (names, locations)
  - Fast read operations
- Databases are good at
  - Handling dynamic, or large amounts of, data
  - Data with high write/read ratios
Slide 12: Current Directory Situation
- On average, a corporate user name appears in 16 different places, each of which must be administered (PC Week).
- The average Fortune 1000 company has 181 directories, and 42% synchronize their directories manually (Forrester).
[Figure: the same user recorded in separate directories (HR, Email, Partners, Other Apps), each holding its own attributes: Name/Org/Title/Salary, Name/Company/Security, Name/Email, Name/etc.]
Slide 13: Directories: What's the Payback? The cost of doing nothing
[Table: for each directory (Dir-1, Dir-2, ..., Dir-n), the cost of Config, Admin, Training and Maintenance; the Total row reads "Lots of $s".]
Slide 14: ROI: The Cost of Redundant Directory Administration
- An example of directory administrative costs
- Assumptions
  - Directories: 6
  - Users: 25,000
  - Turnover: 20%
  - Edit time: 15 min
Source: The Burton Group
Slide 15: Eliminating the Directory Proliferation Problem
- Implement centralized (not application-specific) directories.
- Make sure that your security solution integrates natively with your existing directories (no embedded databases).
- Make sure it can support different types of directories (for different types of users).
Slide 16: Key Takeaways
- Good web security requires
  - Strong authentication
  - Centralized, policy-based management of all user access
  - Granular access control
  - Native directory integration
  - Scalable architecture