The document discusses various security architectures and patterns that can reinforce an enterprise's security. It covers authentication methods like direct authentication, brokered authentication, and single sign-on. It also discusses authorization techniques like role-based access control and attribute-based access control. Additionally, it outlines ways to ensure confidentiality through encryption, integrity through digital signatures, non-repudiation also using digital signatures, auditing to detect anomalies and fraud, and patterns for availability and secure deployment with demilitarized zones and firewalls. The document provides an overview of important security concepts and architectures that can help reduce risk within an enterprise.
Reinforcing Your Enterprise With Security Architectures
1. Reinforcing Your Enterprise With Security Architectures
S.Uthaiyashankar
VP Engineering, WSO2
shankar@wso2.com
2. The Problem…
• Security is a non-functional requirement
• It is very easy to introduce security holes
• Knowledge of security is often limited
– People often feel secure through obscurity
• Too much security reduces usability
• Security patterns can help reduce the risk
Image Source: http://cdn.c.photoshelter.com/img-get/I0000WglLK9YvkQM/s/750/750/gmat-matyasi-14.jpg
4. Authentication
• Direct Authentication
– Basic Authentication
– Digest Authentication
– TLS Mutual Authentication
– OAuth : Client Credentials
[Diagram: the consumer performs Authentication directly against each of the Service Providers before Service Consumption]
Image Source : http://www.densodynamics.com/wp-content/uploads/2016/01/gandalf.jpg
5. Authentication
• Brokered Authentication
– SAML
– OAuth : SAML2/JWT grant type
– OpenID
[Diagram: several Service Providers share an Identity Provider; the consumer performs Authentication with the Identity Provider, then Service Consumption; a Trust relationship links the Identity Provider to each Service Provider]
Image source: http://savepic.ru/6463149.gif
6. Authentication
• Single Sign On
• Multi-factor Authentication
[Diagram: several Service Providers share an Identity Provider; the consumer performs Authentication once with the Identity Provider, then Service Consumption across providers; a Trust relationship links the Identity Provider to each Service Provider]
Image source : https://upload.wikimedia.org/wikipedia/commons/e/ef/CryptoCard_two_factor.jpg
13. Authorization
• Principle of Least Privilege
• Role based Access Control
• Attribute based Access Control
– Policy based Access Control
Image source : http://cdn.meme.am/instances/500x/48651236.jpg
14. Authorization
• eXtensible Access Control Markup Language (XACML)
Image Source : https://nadeesha678.wordpress.com/2015/09/29/xacml-reference-architecture/
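To make the difference between role-based and attribute/policy-based access control concrete, here is a small added example (not code from the slides or from WSO2) that evaluates the same request under a role table and under an XACML-style policy set with a deny-overrides combining algorithm. The roles, attribute names, rules and requests are constructed for illustration.

```python
"""Minimal XACML-style policy decision point (PDP), constructed for illustration.

Contrasts pure RBAC (decision depends only on the subject's role) with ABAC/PBAC
(rules may consult resource and environment attributes). Deny-overrides is one
of the standard XACML combining algorithms; everything else here is assumed.
"""
from dataclasses import dataclass
from typing import Callable

Request = dict  # flat attribute bag: subject.*, resource.*, action, env.*


@dataclass
class Rule:
    effect: str                           # "Permit" or "Deny"
    condition: Callable[[Request], bool]  # rule target/condition over the request


# --- Role-based: the decision depends only on the subject's roles ----------
ROLE_PERMISSIONS = {
    "doctor": {"read", "write"},
    "nurse": {"read"},
    "billing": {"read"},
}


def rbac_decide(req: Request) -> str:
    """Permit if any of the subject's roles grants the requested action."""
    allowed = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in req["subject.roles"]))
    return "Permit" if req["action"] in allowed else "Deny"


# --- Attribute/policy-based: rules consult subject, resource and environment
POLICY = [
    # On-call staff may read any record, but only from inside the network.
    Rule("Permit", lambda r: r["action"] == "read"
         and r["env.network"] == "internal" and r["subject.on_call"]),
    # Doctors may read or write only records of patients assigned to them.
    Rule("Permit", lambda r: "doctor" in r["subject.roles"]
         and r["resource.patient"] in r["subject.assigned_patients"]),
    # Records never leave the internal network, whoever asks.
    Rule("Deny", lambda r: r["env.network"] != "internal"),
]


def abac_decide(req: Request, policy=POLICY) -> str:
    """Deny-overrides: any applicable Deny wins, then any Permit; a request no
    rule applies to is NotApplicable, which an enforcement point must treat as deny."""
    effects = {rule.effect for rule in policy if rule.condition(req)}
    if "Deny" in effects:
        return "Deny"
    return "Permit" if "Permit" in effects else "NotApplicable"
```

The interesting cases are the ones where the two decisions differ: a doctor reading a patient who is not assigned to them, or reaching the record from outside the network, is permitted by the role table alone and refused by the policy set.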
15. Confidentiality : Encryption
Transport Level Security vs Message Level Security
• Transport Level
• Message Level
• Symmetric Encryption
• Asymmetric Encryption
• Session key based Encryption
Image Source: http://www.thetimes.co.uk/tto/multimedia/archive/00727/cartoon-web_727821c.jpg
16. Integrity : Digital Signatures
• Transport Level
• Message Level
• Symmetric Signature
• Asymmetric Signature
• Session key based Signature
Image Source : http://memegenerator.net/instance2/4350097
18. Auditing
• However secure you are, people might make mistakes
• Collect the (audit) logs and analyze them for
– Anomaly
– Fraud
Source: https://745515a37222097b0902-74ef300a2b2b2d9e236c9459912aaf20.ssl.cf2.rackcdn.com/f33df70e3ffd92d1f68827dd559aa82c.jpeg
19. Availability
• Network Level Measures
• Throttling
• Heartbeat and hot pooling
Image Source: https://www.corero.com/img/blog/thumb/62327%207%20365.jpg
20. Secure Deployment Pattern
[Diagram, outermost to innermost:]
Red Zone (Internet): Client Application
Firewall
Yellow Zone (DMZ): API Gateway, Integration
Firewall
Green Zone (Internal): Services, Database
21. Secure Deployment Pattern : More restricted
[Diagram, outermost to innermost:]
Red Zone (Internet): Client Application
Firewall
Yellow Zone (DMZ): API Gateway, Integration, Message Broker
Firewall
Green Zone (Internal): Services, Database