Compliance and Governance Through Complex Entitlement Management
Geoff Charron, VP ALES
Noam Bunder, Lead Architect, DataScan Technologies
© 2006 BEA Systems, Inc. | 2
Agenda
Entitlements in the Context of a SOA
AquaLogic Enterprise Security (ALES) Overview
Implementing Entitlements at DataScan
Business Drivers
Application security has evolved:
• Firewalls "keep the bad guys out" at the perimeter
• Web server security and Web SSO products provide basic access control at the Web tier
• Application security logic is still hard-wired and embedded in the application behind the Web tier
Industry trends are driving the need to externalize entitlements from the application:
• Multiple homegrown and embedded entitlements services
• Increasing regulatory pressure and privacy concerns
• Proliferation of applications and increasingly disparate development teams
• Increasing competitive and time-to-market pressures
(Diagram: Customers, Partners, Employees and Contractors reach Web Servers, then App Servers, then Enterprise Apps and Data Stores)
What are Entitlements?
Entitlements Questions
Who can transfer funds?
How much can they transfer?
How often can they transfer?
Can they delegate those rights?
Entitlements are the set of privileges that govern what an application user can do.
Entitlements systems manage those privileges, make the access decisions, and record the results of each decision for audit.
Key Challenge: Embedded Decisions
• Security is embedded in applications, which creates silos
• Applications are becoming more complex and may be developed by multiple teams (including offshore)
• Developers spend time coding security logic
• Inconsistent policies and lack of central management
• Access decisions may not be audited
Typical embedded decision logic, with the limit and the role check hard-wired into the application:
    If (Transfer < TransLimit)
    and (User can Transfer) then
        Allow Access
    else
        Deny Access
    endif
(Diagram: a Legacy App with its own Database and User Directory)
Key Challenge: Multiple Security Technologies
(Diagram: a Browser reaches Web SSO, a WebApp, a J2EE App, Web Services, Mainframes and a Legacy App, each with its own Identity/Policy store, User Directory, User Profile, Database and User Provisioning)
• Multiple user directories, authentication services, Web SSO services and IAM products
• How to rapidly and cost-effectively deploy new applications that leverage existing infrastructure?
BEA AquaLogic in Your IT Enterprise
(Product-stack diagram, reproduced as text. Layers from top to bottom: User Interaction; Business Service; Interaction; Messaging; Shared Data and Business Services; Data Access; Back End Systems and Data. Security Services and Fine-Grained Access Control span all layers.)
• AquaLogic User Interaction: Interaction Management, Collaboration, Search, Content Management, Analytics, Portal, Reports, Monitoring, Exceptions/Alerts, Dashboard
• AquaLogic BPM Suite: Process Modeling & Simulation, Process Automation, Process Monitoring, Process Analysis, Process Optimization
• AquaLogic Service Bus: Service Integration, Routing, Transformation, Operational Service Management
• AquaLogic Service Registry: Service Registry
• AquaLogic Data Services Platform: Data Access Layer
• Back End Systems and Data: Legacy, ERP, CRM, Custom
• AquaLogic Enterprise Security: Security Services and Fine-Grained Access Control
What is AquaLogic Enterprise Security?
ALES is an Entitlements system that enables the centralized definition of complex application security policy and the runtime enforcement of that policy.
ALES consists of:
• An Administrative Application (PAP); the Administration Application is used to centrally manage security configuration and policy
• A Policy Decision Point (PDP) that can be centralized or distributed
• A Distributed PDP (SSM) that is also the Policy Enforcement Point (PEP)
(Architecture diagram, reproduced as text: a Browser administers Policies through the Admin Server (PAP); the Entitlements Server is the central PDP; Entitlements policy, expressed as XACML 2.0, is distributed to the SSMs (distributed PDP/PEP) running inside the App Server, which also consult a PIP. Access to the PDP from a Client is via Java API or Web Service. SSMs (PEPs) exist for WLS, WLP, ALDSP, ALSB, Java SDK, Web Service and XACML 2.0; WLS and Tomcat are also shown as hosting environments.)
Connecting Entitlements to the Application
// Excerpt from a page-flow action. req (the request), az (the ALES
// AuthorizationService), rr (the RuntimeResource being protected) and
// appCtx (the AppContext that carries the context elements built below)
// are set up elsewhere in the class and are not shown on the slide.
public Forward processTransfer(TransferBean transferBean) throws Exception
{
    // Who is asking: the authenticated identity carried by the request
    AuthenticIdentity ai = getAuthenticIdentityFromRequest(req);
    // What they want to do: the application's TRANSFER action
    RuntimeAction ra = new RuntimeAction(ACTION.TRANSFER, "SIMPLE_ACTION");
    // Application context the policy evaluates ("how much?")
    AppContextElement q3 = new SimpleContextElement("amount", transferBean.getAmount());
    // Collects any response attributes returned alongside the decision
    AppContextElement collectorElement =
        SimpleResponseContextCollector.makeContextElement();
    // The decision itself is made by ALES, not by this code
    AccessResult ar = az.isAccessAllowed(ai, rr, ra, appCtx);
    if (ar.isAllowed()) {
        executeTransfer(transferBean);
        ....
    }
}
Note that this code can easily be encapsulated in a helper that each action calls.
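To make the PAP/PDP/PEP split concrete for the four entitlement questions (who, how much, how often, delegation) and the embedded-decision pseudocode shown earlier, here is an added example. It is not ALES, BEA or DataScan code; everything in it is hypothetical: POLICY stands in for what a PAP would publish, PolicyDecisionPoint for the distributed PDP that keeps a local copy of policy, PolicyEnforcementPoint for the application-side guard, and attempt_transfer for the page-flow action. The identities, amounts and dates are constructed sample data.

```python
"""Added example (not BEA ALES or DataScan code): a minimal externalised
entitlements service in the PAP -> PDP -> PEP shape the slides describe.
All names here are hypothetical. The policy dict stands in for what a PAP
publishes, the PDP answers the four entitlement questions (who, how much,
how often, delegation) from attributes the application passes in an
app-context dict, and the PEP fails closed and audits every decision."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set, Tuple

# Policy as a PAP would publish it (constructed sample). Changing these
# values changes entitlements without touching the application code.
POLICY = {
    "action": "TRANSFER",
    "roles": {  # role -> per-transfer limit, transfers per day, may delegate
        "treasury": {"limit": 1_000_000, "per_day": 20, "delegate": True},
        "teller":   {"limit":    10_000, "per_day":  5, "delegate": False},
    },
}


@dataclass
class Identity:
    user: str
    roles: Set[str]
    delegated_from: Optional[str] = None  # acting under someone else's roles


@dataclass
class Decision:
    allowed: bool
    reason: str


class PolicyDecisionPoint:
    """Evaluates a locally cached policy, so it keeps answering when the
    central policy server is unreachable (the distributed PDP / SSM)."""

    def __init__(self, policy: Optional[dict] = None):
        self.policy = policy          # None: nothing loaded yet -> deny all
        self._count: Dict[Tuple[str, str], int] = {}  # (user, day) -> allowed transfers

    def load_policy(self, policy: dict) -> None:
        self.policy = policy

    def is_access_allowed(self, ident: Identity, action: str, ctx: dict) -> Decision:
        if self.policy is None or action != self.policy["action"]:
            return Decision(False, "no policy for action")          # fail closed
        roles = self.policy["roles"]
        entitled = [roles[r] for r in ident.roles if r in roles]
        if not entitled:                                            # who?
            return Decision(False, f"{ident.user} has no {action} entitlement")
        if ident.delegated_from and not any(e["delegate"] for e in entitled):
            return Decision(False, "role may not be delegated")     # delegation?
        limit = max(e["limit"] for e in entitled)
        per_day = max(e["per_day"] for e in entitled)
        if ctx["amount"] > limit:                                   # how much?
            return Decision(False, f"amount {ctx['amount']} exceeds limit {limit}")
        key = (ident.user, ctx["today"])
        if self._count.get(key, 0) >= per_day:                      # how often?
            return Decision(False, f"daily limit of {per_day} transfers reached")
        self._count[key] = self._count.get(key, 0) + 1              # count only permits
        return Decision(True, "permitted")


class PolicyEnforcementPoint:
    """Application-side guard: asks the PDP, records the outcome, and
    only then runs the business operation."""

    def __init__(self, pdp: PolicyDecisionPoint):
        self.pdp = pdp
        self.audit: list = []   # every decision, allowed or denied, is recorded

    def enforce(self, ident: Identity, action: str, ctx: dict, operation: Callable):
        d = self.pdp.is_access_allowed(ident, action, ctx)
        self.audit.append({"user": ident.user, "action": action,
                           "ctx": dict(ctx), "allowed": d.allowed, "reason": d.reason})
        if not d.allowed:
            raise PermissionError(d.reason)
        return operation()


def attempt_transfer(pep: PolicyEnforcementPoint, ident: Identity,
                     amount: int, today: str) -> Tuple[bool, str]:
    """The application's transfer handler: it carries no policy logic of its own."""
    ctx = {"amount": amount, "today": today}
    try:
        return True, pep.enforce(ident, "TRANSFER", ctx, lambda: f"transferred {amount}")
    except PermissionError as exc:
        return False, str(exc)


if __name__ == "__main__":
    pdp = PolicyDecisionPoint()
    pep = PolicyEnforcementPoint(pdp)
    bob = Identity("bob", {"teller"})
    print(attempt_transfer(pep, bob, 500, "2006-05-01"))      # denied: no policy loaded
    pdp.load_policy(POLICY)
    print(attempt_transfer(pep, bob, 500, "2006-05-01"))      # permitted
    print(attempt_transfer(pep, bob, 50_000, "2006-05-01"))   # denied: over limit
    for rec in pep.audit:
        print(rec)
```

Two choices are deliberate. The PDP denies when no policy has been loaded, so a PEP that starts before its policy arrives fails closed rather than open. Every decision, denied ones included, goes into the audit list before the business operation runs, which is the "access decision may not be audited" gap the slides call out. Loading a new policy dict with a higher teller limit changes what attempt_transfer permits without editing the handler, which is the agility benefit claimed for externalised entitlements.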
Key ALES Benefits
Enhanced Security and Compliance
• Finer control over the protection of application resources
• Enhanced audit tracking
Increased IT Efficiency
• Remove security logic from the application
• Free developers up to focus on value-added business logic
Better Business Agility
• Change Entitlements without modifying the application
• Implement changing regulatory and corporate policies faster
DataScan Technologies LLC – All Rights Reserved
12
Agenda
1. DataScan Company Overview
2. Compliance Requirements at DataScan
3. DataScan BEA Implementation
4. Development Operational Lifecycle
5. Best Practices
6. Questions & Answers
About DataScan Technologies
DataScan Technologies is a global leader in wholesale floorplan accounting and risk management systems and services.
Founded in 1989
Located in Alpharetta, Georgia
Over 45 of the most prominent banks and captives
Operating in 15 countries
Currently manages over $45 billion in outstanding collateral
(Photo: DataScan Technologies Corporate Headquarters)
Partial Client List
BMW Financial
World Omni Financial Corp.
California Federal Bank
Hibernia National Bank
GE Capital
Yale/Hyster
Bank One
Citizens Bank
JP Morgan Chase Bank
Key Bank
M & T Bank
PNC Bank
Wachovia
Regions Bank
Provident Bank
BB&T
Zions Bank
Huntington Bank
VW Credit, Inc.
Nissan/Renault-Mexico
New South Federal
Comerica Bank
SunTrust Bank
National City Bank
US Bank
Toro Credit Corp
PACCAR
Manheim (MAFS)
ScotiaBank
CitiCapital
CIT Group
Toyota Financial Services
Hyundai Motor Finance
Mitsubishi Motors Credit
Banknorth
Wholesale Management System
Wholesale Management System (WMS): A wholesale finance and accounting system built specifically for the wholesale floorplan industry.
Dealer Access System (DAS): Allows dealerships to have Internet access to key information in the system.
Collateral Management System (CMS): An automated floorplan data collection and risk management system utilizing touch screen technology.
Nationwide Audit Services (NAS): A turnkey audit inspection service featuring a professional staff utilizing CMS.
Risk Management
(Process diagram; only the step labels survive: Step 1; Step 2, Auditor and Kit; Step 3, Workflow Engine and E-mail Notification; Step 4; Step 5, Risk Managers)
Business Drivers
Mission-critical application for the banking and automotive industries, managing over $45 billion in assets
• Time to market
• Buy vs. build
• Time/resources required for implementation and policy changes (the key driver)
• Performance impact
• Security compliance: SAS 70 Type 2, GLBA/SOX, BITS/CC-MSR, ISO 27001, BRMMI/PrISM
Challenges
Require a new security platform to replace a legacy ASP financial services system with a global existing install base
Legacy system has embedded, customer-specific security logic
High maintenance required for security policy changes
Annual corporate audits (internal, SAS 70 Type 2)
Bi-annual customer security open-house
Unscheduled customer ethical hacks
Rapidly evolving financial industry security requirements (BITS, ISO 27001)
Compliance Overview
Sarbanes-Oxley (SOX)
• Requires internal controls or rules in place to ensure the integrity of financial information
• Section 404: internal controls
Gramm-Leach-Bliley Act (GLBA)
• Section 501 centers on the administrative, physical and technical safeguards over non-public customer information
BITS
• Common Criteria Master Security Requirements (CC-MSR)
• Security for the security system itself
ISO 27001
• IT systems management and governance (information security management system requirements)
BRMMI/PrISM
• Upcoming Business Resiliency Maturity Model
• Over 750 practices merging COBIT, BS 7799/ISO 17799, ITIL, ISF, the NIST 800 series, SEI BOK and DRII
Compliance-Based Design
Prioritize design around “required” BITS topics
Consolidate past ethical hacks and audits
Time boxed delivery, focus on good design
Balance delivery priorities with risk analysis
Security Compliance Road Map
• Policies
• Processes
• Controls
• Audits/Monitoring
ALES Compliance Mapping
Compliance based requirements and design
Transparent security implementation
Standards support
• SAML
• XACML
SOA Based Implementation
(Architecture diagram not reproduced)
ALES Implementation
Architecture Overview
• Plain Java, leveraging BEA
ALES Deployment: Operational Overview
1. Cluster
2. JVM
3. Managed Server
4. Sessions
5. ALES SSM
6. Connection Pools
7. EAR Deployment
8. Security Policy Administration
9. Portal Desktop Administration
Development Team Composition
BEA Professional Services
• Initial Proof of Concept
• Assistance with design
• Working construction road map
Development Team
• Back End and Front End teams
• Security team
• Continuous builds to QA
• Authentication only
• Portal based security
Operational Lifecycle
Security Development Team
• Specialized, with contractors
IT Administration
• Security administrators (2-3)
• Dedicated with back-up
Documentation and Checklists
• Packaged deployment
Operational Environments
Distinct Environments
• Development, QA Smoke Testing and Functional Testing "Live", Customer Beta/UAT, Support, Production and Disaster Recovery
• Utilizing virtualization
Growth and Performance
• Current production list includes four major financial institutions
• Rolling out to all customers over the next two years
• Utilizing virtualization: 2 x 4-way dual-core 64-bit Red Hat Linux AS 4.0 hosts, 32 GB RAM, Xen environments
• 800+ users daily (Risk Managers, Bank Users, Dealerships), with CPU load not exceeding 3%
Why BEA?
BEA Selection Criteria
• Track record and solution completeness
• Product suitability
Architecture
Road Map
• Support
Key Factors
• Provides an elegant means to extract Security Logic from the application
• Disconnected design provides high performance and resiliency
• Provides flexible configuration with minimal maintenance and operational resiliency
Kick Off
Step by Step – Key Success Factors
• Proposed Project
Project plan called for a three month implementation for pilot target
• Gain Sponsorship
Demonstrate value: Prototype and POC
Leverage existing platform
• Establish Goals and Value Proposition
Capitalize on performance
Create gurus: Early mastery and battle scars
Best Practices
Partner with BEA Professional Services, leverage BEA Support (Hotline, Website) and BEA Educational Services classes
Train IT first! System administration is key
Build a workable environment (workstation/server)
Integrate prototypes into plan
Focus on what works, take risks where they are manageable
Integrate BEA with other departments early (IT, Support, etc.)
Looking Forward
Customer and Regulation Driven
• SAML Implementation
• Refinement of standards and compliance
• Full security-visibility throughout architectural stack
Thank You!
Questions?