‫أكاديمية الحكومة اإللكترونية الفلسطينية‬
The Palestinian eGovernment Academy
www.egovacademy.ps

Security Tutorial
Session 9

PalGov © 2011
About

This tutorial is part of the PalGov project, funded by the TEMPUS IV program of the
Commission of the European Communities, grant agreement 511159-TEMPUS-1-2010-1-PS-TEMPUS-JPHES.
The project website: www.egovacademy.ps

Project Consortium:
• Birzeit University, Palestine (Coordinator)
• Palestine Polytechnic University, Palestine
• Palestine Technical University, Palestine
• Ministry of Telecom and IT, Palestine
• Ministry of Interior, Palestine
• Ministry of Local Government, Palestine
• University of Trento, Italy
• Vrije Universiteit Brussel, Belgium
• Université de Savoie, France
• University of Namur, Belgium
• TrueTrust, UK

Coordinator:
Dr. Mustafa Jarrar
Birzeit University, P.O. Box 14, Birzeit, Palestine
Telfax: +972 2 2982935, mjarrar@birzeit.edu

© Copyright Notes

Everyone is encouraged to use this material, or part of it, but should properly
cite the project (logo and website) and the author of that part.

No part of this tutorial may be reproduced or modified in any form or by any
means without prior written permission from the project, which holds the full
copyright on the material.

Attribution-NonCommercial-ShareAlike (CC-BY-NC-SA)

This license lets others remix, tweak, and build upon your work
non-commercially, as long as they credit you and license their new creations
under the identical terms.

Tutorial 5: Information Security
Session 9: Federated Identity Management (FIM)

Session 9 Outline:
  • Session 9 ILOs.
  • Federated Identity Management.

Tutorial 5: Session 9: (FIM) - ILOs

This session will contribute to the following ILOs:
•   A: Knowledge and Understanding
    •   Understanding of the concepts underlying secure information systems.
    •   An understanding of the various techniques used in identity management.
    •   Understanding of the motivation, design, operation and management
        of modern systems for encryption, authentication, authorization
        and identification.
•   B: Intellectual Skills
    •   Design end-to-end secure and available systems.
    •   The ability to analyze the information security requirements of
        an organization.
•   D: Intellectual Skills
    •   Analysis and identification skills.

Federated Identity Management

• Introduction
• Overview of HTTP authentication, cookies, MS Passport and CAPTCHAs
• Trust Domains and Access Cases
• FIM Definitions and Concept
• FIM Examples

Introduction (1)
• There are many recognised sensitive-but-unclassified (SBU) networks and
  information systems in Palestine, such as those of the different
  ministries and entities.
• Each has invested in technology, governance structures, policies and
  trust relationships, but these systems are not interoperable with each
  other.

Introduction (2)
• We need to ensure that the right individuals have access to the
  resources they are authorized for, regardless of where those resources
  reside in the enterprise.
• Example: the driving licence renewal example given in Tutorial 1.

Introduction (3)
• Security and privacy of information are major impediments to
  information exchange and system interoperability.
• Users must subscribe to multiple sites and manage multiple security
  credentials in order to get access to the resources they need at
  different ministries.
• This is expensive, frustrating for users, and not scalable.

But first some background info: HTTP Cookies
• Cookies allow a web server/site to store state information for itself
  (often encrypted) on the user's browser.
• A site can store many cookies, and the client should return them all
  when it returns to the site.
• Often used to enable SSO, since the site can tell from the cookie
  whether a user is already authenticated or not.

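The SSO check described above, as an added example that is not part of the original slides: a server keeps its own session state in a cookie, integrity-protects it with an HMAC so the browser can return it but cannot alter it, and sets the Secure and HttpOnly attributes that limit what a stolen or script-read cookie is worth (a risk that comes back under the Shibboleth disadvantages later in the session). The secret, cookie name and lifetime are constructed for the example.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time
from http.cookies import SimpleCookie
from typing import Optional

# Constructed server secret for this example only; a real deployment loads
# it from a secrets store and rotates it.
SERVER_SECRET = b"constructed-example-secret"
COOKIE_NAME = "sso_session"          # constructed cookie name
MAX_AGE_SECONDS = 3600               # how long an SSO session is honoured


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_session_value(user_id: str, now: Optional[float] = None) -> str:
    """Encode the authenticated state (who, when) and bind it with an HMAC.

    The payload is only base64, so the user can read it, but any change to
    it invalidates the tag, so the browser cannot forge or edit it.
    """
    issued = int(time.time() if now is None else now)
    payload = json.dumps({"uid": user_id, "iat": issued},
                         separators=(",", ":")).encode()
    tag = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    return b64url_encode(payload) + "." + b64url_encode(tag)


def session_set_cookie_header(user_id: str, now: Optional[float] = None) -> str:
    """Return the Set-Cookie header value the site sends after a login."""
    cookie = SimpleCookie()
    cookie[COOKIE_NAME] = make_session_value(user_id, now)
    morsel = cookie[COOKIE_NAME]
    morsel["secure"] = True        # only sent over HTTPS
    morsel["httponly"] = True      # not readable by page scripts
    morsel["max-age"] = MAX_AGE_SECONDS
    return morsel.OutputString()


def authenticated_user(cookie_header: str,
                       now: Optional[float] = None) -> Optional[str]:
    """The SSO check: read the Cookie header the browser returned and decide
    whether this user is already authenticated. Returns the user id, or
    None if the cookie is missing, tampered with, or too old."""
    cookie = SimpleCookie()
    cookie.load(cookie_header)
    if COOKIE_NAME not in cookie:
        return None
    try:
        payload_b64, tag_b64 = cookie[COOKIE_NAME].value.split(".", 1)
        payload = b64url_decode(payload_b64)
        tag = b64url_decode(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    claims = json.loads(payload)
    current = time.time() if now is None else now
    if current - claims["iat"] > MAX_AGE_SECONDS:
        return None
    return claims["uid"]


if __name__ == "__main__":
    header = session_set_cookie_header("alice")
    print("Set-Cookie:", header)
    returned = header.split(";", 1)[0]           # what the browser sends back
    print("authenticated as:", authenticated_user(returned))
```

The tag is checked before the payload is trusted, and the comparison is constant-time; the age check stops an old cookie from being replayed indefinitely even if the secret is never rotated.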
HTTP Redirect and Form-POST
• HTTP Redirect allows one server to pass information to another server
  via the browser, as data carried in a URL.
• HTTP Form-POST: one server builds a form whose action is to POST it to
  another server and delivers the form to the browser in the message
  body; the browser then submits it to the other server.

Privacy Protection
• The user can choose to share their e-mail address, name and other
  profile information with all participating sites (but it must be the
  same for all sites).

CAPTCHAs

• Completely Automated Public Turing test to tell Computers and Humans
  Apart.
• Designed to stop automated user-registration programs and a possible
  DoS attack that floods the registration process.
• The user is asked to type in some characters that most programs are
  incapable of reading.

Trust Domains Definition

Trust domains describe the boundaries of a security infrastructure
operating under a consistent set of policies, governance, and technology
mechanisms.

[Figure: two separate trust domains, Trust Domain 1 and Trust Domain 2,
with the relationship between them marked "?"]

Problems with Trust Domains

Problem:
  • Authentication and authorization are typically recognized only within
    a given trust domain, unless.....

What is required to achieve interoperability across different trust
domains?

Different Access Cases

• Case 1: One user accessing one application or service.
• Case 2: One user accessing many applications.
• Case 3: Many users accessing many applications.

Case 1: One user accessing one application

Steps in provisioning access:
• Vetting (who are you?)
• Permissions (what can you access?)
• Credentials (how do I know it's you? – passwords, smart cards, etc.)

Access to the application and services requires authentication of the
credentials.

Case 2: One user accessing many applications

Steps in provisioning access (×N):
• Vetting
• Permissions
• Credentials

RESULT:
• Each application must perform all of the steps above.
• The user must keep track of N sets of credentials.

Case 3: Many users accessing many applications

Steps in provisioning access (×M×N – too many operations!):
• Vetting
• Permissions
• Credentials

RESULTS:
• Multifactor credentials and vetting become too expensive.
• Vetting and credentials are not done well.
• Vetting is too far from the user to be kept up to date effectively.
• High barrier to access.

If not checked correctly!

[Figure omitted; source: John Wandelt, Georgia Tech Research Institute
(GTRI), August 2007, www.it.ojp.gov/GFIPM [1]]

Proposed Solution (1)
• Provisioning of identity and user attributes (vetting and
  credentialing) is done by the user's own organization (×M users).
• Applications make access and authorization decisions based on trusted
  federation credentials and user attributes.

Proposed Solution (2)
• Huge savings in vetting and credentialing: M << M×N.
• Vetting is better – it is closer to the user, since the user's own
  organization does the vetting.
• Credentialing is better – multifactor credentials become affordable.
• Each user only needs one credential (single sign-on).
• Lower barriers to access – more access.

Some Definitions
• Identity:
   – A whole set of attributes that in combination uniquely characterise
     a person.
   – Hair colour, sound of their voice, height, name, qualifications,
     past actions, reputation etc.
• Attribute:
   – A property, quality or characteristic of an entity.
• Identifier:
   – A string used to uniquely identify an entity in a domain. Often used
     as a login id or as a primary key in a database. A special type of
     attribute, since it is usually the only one that on its own can
     uniquely identify an entity in a domain.
   – X.500/LDAP DNs, IP addresses, DNS names, URIs, key IDs, login IDs
     and 128-bit random numbers are all identifiers.

Some Definitions (2)
• Attribute assertion:
   – A statement made by an authority that an entity has a particular
     attribute. An authority can be the entity itself or a (trusted)
     third party.
• Attribute certificate / authorisation credential:
   – A cryptographically protected (usually digitally signed) attribute
     assertion that can be validated.
• Attribute authority (AA):
   – An authoritative source for asserting attributes about entities.
• Service provider:
   – An entity that provides a service to clients.
• Identity provider:
   – An entity that provides an authentication service, and is often also
     an AA for a set of identity attributes of its users.

FIM Definition
From the RSA web site:
• "A federated identity is a single user identity that can be used to
  access a group of web sites bound by the ties of federation. Without
  federated identity, users are forced to manage different credentials
  for every site they use. This collection of IDs and passwords becomes
  difficult to manage and control over time, offering inroads for
  identity theft."
• "Federated identity management builds on a trust relationship
  established between an organization and a person. A federated identity
  makes it possible for the end user to use one trust relationship to
  access information with another, related company without establishing
  new credentials."

FIM Definition (cont)

From Microsoft's web site:
• "Federated systems need to interoperate across organizational
  boundaries and connect processes utilizing different technologies,
  identity storage, security approaches and programming models. Within a
  federated system, identities and their associated credentials are still
  stored, owned and managed separately. Each individual member of the
  federation continues to manage its own identities, but is capable of
  securely sharing and accepting identities and credentials from other
  members' sources."

From IBM Tivoli's web site:
• "Federated identity management can be defined as an industry framework
  built on top of industry standards that let subscribers from disparate
  organizations use their internal identification data to obtain access
  to the networks of all enterprises in the group."

SO WHAT IS FIM?

FIM Process

• Identifiers are assigned within a domain to uniquely identify an
  entity. They usually have no meaning outside the domain of issuance.
• FIM requires identity information to be passed between domains,
  therefore:
  – We need to pass (signed) attribute assertions between domains in
    order to identify and authorise users across domains.
  – FIM is not just Single Sign-On, although SSO is part of FIM. Why?

A better FIM Definition
• A group of organisations (ministries, associations, municipalities
  etc.) that set up trust relationships which allow them to send
  attribute assertions about users' identities between themselves, in
  order to grant users access to their resources.
• A user can use his credentials (following the AAA concept) from one or
  more identity providers to gain access to other sites (service
  providers) within the federation.
• Can we use it for e-gov in Palestine?

User-to-Application

[Figure: user-to-application federation]

System-to-System

[Figure: system-to-system federation]

Credentials

• Authentic credentials are ones that have not been tampered with and
  are received exactly as issued by the issuing authority.
• Valid credentials are ones that are trusted for use by the target
  resource site.

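The following added example (not code from the slides, from Shibboleth or from any product) ties together three earlier points: the HTTP Form-POST binding, the signed attribute assertion that FIM passes between domains, and the distinction just made between authentic and valid credentials. The identity provider signs an assertion and delivers it through a self-submitting form; the service provider first checks the signature (is it authentic?) and then the federation trust list, the audience and the validity window (is it valid for this site?). HMAC shared keys stand in for the public-key signatures a SAML deployment uses, and the entity identifiers, keys and attribute names are constructed for the example.

```python
import base64
import binascii
import hashlib
import hmac
import html
import json

# Constructed federation metadata held by the service provider (SP): the
# identity providers (IdPs) it trusts and the key it checks each one's
# assertions with. HMAC shared keys stand in here for the X.509 signing
# certificates a SAML deployment would publish in its metadata.
IDP_A = "https://idp.ministry-a.example"
IDP_B = "https://idp.ministry-b.example"
TRUSTED_IDPS = {IDP_A: b"constructed-key-ministry-a",
                IDP_B: b"constructed-key-ministry-b"}
SP_ENTITY_ID = "https://sp.licensing.example"   # this SP's own identifier
CLOCK_SKEW = 60                                  # seconds of tolerance


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_assertion(issuer: str, key: bytes, subject: str, attributes: dict,
                   audience: str, now: int, lifetime: int = 300) -> str:
    """IdP side: produce a signed attribute assertion as a compact token.
    'sub' is the identifier the IdP uses for the user (meaningless outside
    its domain); 'attributes' is what the IdP, acting as attribute
    authority, asserts about that user."""
    claims = {"iss": issuer, "sub": subject, "aud": audience,
              "nbf": now, "exp": now + lifetime, "attributes": attributes}
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return b64url_encode(payload) + "." + b64url_encode(tag)


def build_form_post(sp_url: str, token: str) -> str:
    """IdP side: the self-submitting form (HTTP Form-POST binding) that
    carries the token to the SP through the user's browser."""
    return ('<form method="POST" action="%s">'
            '<input type="hidden" name="assertion" value="%s"/>'
            '</form><script>document.forms[0].submit()</script>'
            % (html.escape(sp_url, quote=True), html.escape(token, quote=True)))


def validate_assertion(token: str, now: int) -> dict:
    """SP side: accept only assertions that are both authentic and valid.

    Authentic: the tag verifies under the issuer's key, so the content is
    exactly what the issuer produced (not tampered with in transit).
    Valid: the issuer is in this SP's federation, the assertion is
    addressed to this SP, and 'now' lies inside its validity window.
    """
    try:
        payload_b64, tag_b64 = token.split(".", 1)
        payload = b64url_decode(payload_b64)
        tag = b64url_decode(tag_b64)
        claims = json.loads(payload)
    except (ValueError, binascii.Error):
        return {"ok": False, "reason": "malformed"}
    if not isinstance(claims, dict):
        return {"ok": False, "reason": "malformed"}
    issuer = claims.get("iss")
    key = TRUSTED_IDPS.get(issuer) if isinstance(issuer, str) else None
    if key is None:                              # validity: unknown issuer
        return {"ok": False, "reason": "untrusted issuer"}
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # authenticity
        return {"ok": False, "reason": "signature invalid"}
    if claims.get("aud") != SP_ENTITY_ID:        # validity: meant for us?
        return {"ok": False, "reason": "audience mismatch"}
    if now < claims["nbf"] - CLOCK_SKEW:
        return {"ok": False, "reason": "not yet valid"}
    if now > claims["exp"] + CLOCK_SKEW:
        return {"ok": False, "reason": "expired"}
    return {"ok": True, "reason": "accepted", "issuer": issuer,
            "subject": claims["sub"], "attributes": claims["attributes"]}


def receive_form_post(form_fields: dict, now: int) -> dict:
    """SP side: handle the browser's POST; the 'assertion' field is the token."""
    token = form_fields.get("assertion")
    if not token:
        return {"ok": False, "reason": "no assertion"}
    return validate_assertion(token, now)
```

The issuer is read from the still-unverified payload only to select which key to verify with; nothing in the payload is acted on until the tag has been checked under that key, and an assertion signed by an IdP outside the federation is rejected even though it is perfectly authentic, which is exactly the authentic-but-not-valid case the slide distinguishes.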
FIM Examples
• Old systems
  – Microsoft's Passport
  – UK Athens

• Current FIM systems
  – Shibboleth
  – OAuth
  – Liberty Alliance
  – CardSpace
  – Higgins
  – OpenID

Example 1: Microsoft's .NET Passport

• .NET Passport is an authentication system that allows users to access
  multiple sites using the same credentials.
• Each site remains in charge of its own authorisation, and may use
  Passport information to help in this.
• How does it work? Users register at a site, but their credentials and
  profile information are stored centrally by Microsoft at the Passport
  server. This means that sites must trust Microsoft to hold user
  credentials and to authenticate users correctly.

The Registration Process

[Figure: registration flow] The Passport site stores the user's credential
and profile information, and allocates the user a unique 64-bit Passport
User ID (PUID).

Credentials referenced by the Passport User ID

• The following are mandatory: e-mail address (the unique identifier) and
  password.
• The following are optional: secret questions and answers, mobile phone
  number and PIN, security key.

• The following attributes are stored by Passport if the participating
  sites require it, and are shared between sites if the user opts in:
   – Birth Date, Country / Region, First Name, Gender, Last Name,
     Occupation, Postal Code, Preferred Language, State, Time Zone.

.NET Passport Authentication

[Figure: .NET Passport authentication flow]

Intra-Site Authentication Process

• When a user moves to another Participating Site (step 1), the site
  redirects the user to the Passport site (step 2).
• The user's client sends the Authentication cookie and Profile cookie to
  Passport during the redirection. Passport then knows the user has
  already successfully authenticated (modified step 2).

Intra-Site Authentication Process

• The Participating Sites cookie on the user's machine is updated by
  Passport and the user is redirected back to the Participating Site
  (step 5).
• The Participating Site receives the encrypted tokens from Passport and
  knows the user has been authenticated (step 6).
• When the user logs out of Passport, all cookies are deleted and the
  Participating Sites cookie is used to clean up all Participating Sites'
  computers.

Disadvantages of MS Passport?

• All user transactions have to involve Microsoft, as it is responsible
  for authenticating all users.
• Why should Microsoft be involved in a federation between a car hire
  company and a hotel? It might be OK for Microsoft-related site
  federations such as Hotmail and MSN, but not for all federations
  between all commercial companies.
• Also, the protocol used by Passport was developed by Microsoft and
  therefore was not an international standard.
• Passport has now been superseded by Windows Live ID, which is an
  identity meta-system that provides support for Passport, CardSpace and
  OpenID.

Example 2: Shibboleth

• An Internet2 consortium project.
• Uses an OASIS standard protocol (SAML) for authentication at the home
  site and authorisation via a set of user attributes provided by the
  home site.
• Provides users with access to remote resources.

Shibboleth Access Stages

• Obtaining an authentication assertion for a user from his home site
  (IdP).
• Using this to get a set of attribute assertions for the user.
• The two messages can be combined into one exchange to make the
  protocol more efficient.

User Authentication using Shibboleth [2]

[Figure: user authentication flow. Components: Identity Provider
(Authentication Service, Attribute Authority), WAYF, User, Web Service
with SHIB SP. Step 5: signed authentication assertion; step 6: the
assertion is delivered to the SHIB SP.]

The WAYF Service

[Figure: the WAYF ("Where Are You From") service]

Authorization using Shibboleth [2]

[Figure: authorization flow. Components: SHIB IdP (Authn Service, AA
Server), User, Web Service with SHIB SP and Authz service. Step 9:
attributes are delivered to the SHIB SP; step 10: the user is granted
access.]

Shibboleth disadvantages
• A single attribute authority per service provider.
• Subject to phishing attacks.
• No single sign-off.
• Credentials can be stolen from a browser and used by an impostor.
• Shibboleth cannot be used for services that need to know who the user
  is for service personalisation.

Bibliography

1. John Wandelt, Georgia Tech Research Institute (GTRI), August 2007,
   www.it.ojp.gov/GFIPM
2. Lecture Notes by David Chadwick, 2011, True-Trust Ltd.
3. http://shibboleth.internet2.edu/

Summary

• In this session we discussed the following:
  – Federated Identity Management, with different examples.

Thanks

Dr. Radwan Tahboub

Riestra: How to Design and engineer Competitive Horizon 2020 ProposalsMustafa Jarrar
 
Bouquet: SIERA Workshop on The Pillars of Horizon2020
Bouquet: SIERA Workshop on The Pillars of Horizon2020Bouquet: SIERA Workshop on The Pillars of Horizon2020
Bouquet: SIERA Workshop on The Pillars of Horizon2020Mustafa Jarrar
 
Jarrar: Sparql Project
Jarrar: Sparql ProjectJarrar: Sparql Project
Jarrar: Sparql ProjectMustafa Jarrar
 

Mehr von Mustafa Jarrar (20)

Clustering Arabic Tweets for Sentiment Analysis
Clustering Arabic Tweets for Sentiment AnalysisClustering Arabic Tweets for Sentiment Analysis
Clustering Arabic Tweets for Sentiment Analysis
 
Classifying Processes and Basic Formal Ontology
Classifying Processes  and Basic Formal OntologyClassifying Processes  and Basic Formal Ontology
Classifying Processes and Basic Formal Ontology
 
Discrete Mathematics Course Outline
Discrete Mathematics Course OutlineDiscrete Mathematics Course Outline
Discrete Mathematics Course Outline
 
Business Process Implementation
Business Process ImplementationBusiness Process Implementation
Business Process Implementation
 
Business Process Design and Re-engineering
Business Process Design and Re-engineeringBusiness Process Design and Re-engineering
Business Process Design and Re-engineering
 
BPMN 2.0 Analytical Constructs
BPMN 2.0 Analytical ConstructsBPMN 2.0 Analytical Constructs
BPMN 2.0 Analytical Constructs
 
BPMN 2.0 Descriptive Constructs
BPMN 2.0 Descriptive Constructs  BPMN 2.0 Descriptive Constructs
BPMN 2.0 Descriptive Constructs
 
Introduction to Business Process Management
Introduction to Business Process ManagementIntroduction to Business Process Management
Introduction to Business Process Management
 
Customer Complaint Ontology
Customer Complaint Ontology Customer Complaint Ontology
Customer Complaint Ontology
 
Subset, Equality, and Exclusion Rules
Subset, Equality, and Exclusion RulesSubset, Equality, and Exclusion Rules
Subset, Equality, and Exclusion Rules
 
Schema Modularization in ORM
Schema Modularization in ORMSchema Modularization in ORM
Schema Modularization in ORM
 
On Computer Science Trends and Priorities in Palestine
On Computer Science Trends and Priorities in PalestineOn Computer Science Trends and Priorities in Palestine
On Computer Science Trends and Priorities in Palestine
 
Lessons from Class Recording & Publishing of Eight Online Courses
Lessons from Class Recording & Publishing of Eight Online CoursesLessons from Class Recording & Publishing of Eight Online Courses
Lessons from Class Recording & Publishing of Eight Online Courses
 
Presentation curras paper-emnlp2014-final
Presentation curras paper-emnlp2014-finalPresentation curras paper-emnlp2014-final
Presentation curras paper-emnlp2014-final
 
Jarrar: Future Internet in Horizon 2020 Calls
Jarrar: Future Internet in Horizon 2020 CallsJarrar: Future Internet in Horizon 2020 Calls
Jarrar: Future Internet in Horizon 2020 Calls
 
Habash: Arabic Natural Language Processing
Habash: Arabic Natural Language ProcessingHabash: Arabic Natural Language Processing
Habash: Arabic Natural Language Processing
 
Adnan: Introduction to Natural Language Processing
Adnan: Introduction to Natural Language Processing Adnan: Introduction to Natural Language Processing
Adnan: Introduction to Natural Language Processing
 
Riestra: How to Design and engineer Competitive Horizon 2020 Proposals
Riestra: How to Design and engineer Competitive Horizon 2020 ProposalsRiestra: How to Design and engineer Competitive Horizon 2020 Proposals
Riestra: How to Design and engineer Competitive Horizon 2020 Proposals
 
Bouquet: SIERA Workshop on The Pillars of Horizon2020
Bouquet: SIERA Workshop on The Pillars of Horizon2020Bouquet: SIERA Workshop on The Pillars of Horizon2020
Bouquet: SIERA Workshop on The Pillars of Horizon2020
 
Jarrar: Sparql Project
Jarrar: Sparql ProjectJarrar: Sparql Project
Jarrar: Sparql Project
 

Kürzlich hochgeladen

DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 

Kürzlich hochgeladen (20)

DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 

E gov security_tut_session_9

  • 1. أكاديمية الحكومة الإلكترونية الفلسطينية / The Palestinian eGovernment Academy, www.egovacademy.ps. Security Tutorial, Session 9. PalGov © 2011
  • 2. About. This tutorial is part of the PalGov project, funded by the TEMPUS IV program of the Commission of the European Communities, grant agreement 511159-TEMPUS-1-2010-1-PS-TEMPUS-JPHES. The project website: www.egovacademy.ps
    Project consortium: Birzeit University, Palestine (Coordinator); Palestine Polytechnic University, Palestine; Palestine Technical University, Palestine; Ministry of Telecom and IT, Palestine; Ministry of Interior, Palestine; Ministry of Local Government, Palestine; University of Trento, Italy; Vrije Universiteit Brussel, Belgium; Université de Savoie, France; University of Namur, Belgium; TrueTrust, UK.
    Coordinator: Dr. Mustafa Jarrar, Birzeit University, P.O.Box 14, Birzeit, Palestine. Telfax: +972 2 2982935, mjarrar@birzeit.edu
  • 3. © Copyright notes. Everyone is encouraged to use this material, or part of it, but should properly cite the project (logo and website) and the author of that part. No part of this tutorial may be reproduced or modified in any form or by any means without prior written permission from the project, which holds the full copyright on the material.
    Attribution-NonCommercial-ShareAlike (CC-BY-NC-SA): this license lets others remix, tweak, and build upon your work non-commercially, as long as they credit you and license their new creations under the identical terms.
  • 4. Tutorial 5: Information Security. Session 9: Federated Identity Management (FIM)
    Session 9 outline:
    • Session 9 ILOs
    • Federated Identity Management
  • 5. Tutorial 5, Session 9 (FIM): ILOs. This session will contribute to the following ILOs:
    • A: Knowledge and Understanding
      • Understanding of the concepts underlying secure information systems.
      • An understanding of the various techniques used in identity management.
      • Understanding the motivation, design, operation and management of modern systems for encryption, authentication, authorization and identification.
    • B: Intellectual Skills
      • Design end-to-end secure and available systems.
      • The ability to analyze the information security requirements of an organization.
    • D: General and Transferable Skills
      • Analysis and identification skills.
  • 6. Session 9 outline (repeated): Session 9 ILOs; Federated Identity Management.
  • 7. Federated Identity Management
    • Introduction
    • Overview of HTTP authentication, cookies, MS Passport and CAPTCHAs
    • Trust domains and access cases
    • FIM definitions and concept
    • FIM examples
  • 8. Introduction (1)
    • There are many sensitive but unclassified (SBU) networks and information systems, for example those of the different ministries and entities in Palestine.
    • Each has invested in technology, governance structures, policies and trust relationships, but they are not interoperable with each other.
  • 9. Introduction (2)
    • We need to ensure that the right individuals have access to the resources they are authorized for, regardless of where they reside in the enterprise.
    • Example: the driving licence renewal example given in Tutorial 1.
  • 10. Introduction (3)
    • Security and privacy of information are major impediments to information exchange and system interoperability.
    • Users must subscribe to multiple sites and manage multiple sets of security credentials in order to get access to the resources they need at different ministries.
    • This is expensive, frustrating for users, and does not scale.
  • 11. Federated Identity Management (section outline): Introduction; Overview of HTTP authentication and cookies; Trust domains and access cases; FIM definitions and concept; FIM examples.
  • 12. But first some background: HTTP cookies
    • Cookies allow a web server/site to store state information for itself (often encrypted, or at least signed, so the client cannot forge it) in the user's browser.
    • A site can store many cookies, and the browser returns all of them (subject to each cookie's domain, path and expiry attributes) whenever it returns to that site.
    • Often used to enable SSO, since the site can tell from the cookie whether the user has already authenticated. Such a cookie is a bearer credential: whoever presents it is treated as the authenticated user, so it should be sent only over TLS (Secure flag), kept away from page scripts (HttpOnly) and given a short lifetime.
  • 13. HTTP Redirect and Form-POST
    • HTTP Redirect allows one server to pass information to another server via the browser: the first server answers with a redirect whose Location URL points at the second server and carries the information as URL parameters. Data in a URL is limited in size and ends up in browser history and server logs.
    • HTTP Form-POST: one server builds an HTML form whose action POSTs it to the other server, delivers the form to the browser in the response body, and the browser (usually via an auto-submit script) submits it to the other server. This carries larger messages and keeps them out of the URL.
    • These two mechanisms are the browser "bindings" that SAML-based systems such as Shibboleth (later in this session) use to move assertions from an identity provider to a service provider without the two servers talking to each other directly.
  • 14. Privacy protection (Passport participating sites)
    • The user can choose to share e-mail address, name and other profile information with all participating sites (but the same choice applies to all sites; there is no per-site control).
  • 15. CAPTCHAs
    • Completely Automated Public Turing test to tell Computers and Humans Apart.
    • Designed to stop automated user registration programs, and the DoS attack of flooding the registration process.
    • The user is asked to type in some characters (shown as a distorted image) that most programs are incapable of reading.
  • 16. Federated Identity Management (section outline): Introduction; Overview of HTTP authentication and cookies; Trust domains and access cases; FIM definitions and concept; FIM examples.
  • 17. Trust domains. Definition: trust domains describe the boundaries of a security infrastructure operating under a consistent set of policies, governance, and technology mechanisms.
    [Figure: Trust Domain 1 and Trust Domain 2, with a "?" between them]
  • 18. Problems with trust domains
    • Problem: authentication and authorization are typically recognized only within a given trust domain, unless...
    • What is required to achieve interoperability across different trust domains?
  • 19. Different access cases
    • Case 1: one user accessing one application or service.
    • Case 2: one user accessing many applications.
    • Case 3: many users accessing many applications.
  • 20. Case 1: one user accessing one application. Steps in provisioning access:
    • Vetting (who are you?)
    • Permissions (what can you access?)
    • Credentials (how do I know it's you? Passwords, smart cards, etc.)
    [Figure: the user presents credentials to the application/service; access requires authentication of the credentials]
  • 21. Case 2: one user accessing many (N) applications. Steps in provisioning access, ×N:
    • Vetting
    • Permissions
    • Credentials
    Result:
    • Each application must perform all of the steps above.
    • The user must keep track of N sets of credentials.
  • 22. Case 3: many (M) users accessing many (N) applications. Steps in provisioning access, ×M×N (too many operations!):
    • Vetting
    • Permissions
    • Credentials
    Results:
    • Multifactor credentials and vetting become too expensive.
    • Vetting and credentialing are not done well.
    • Vetting is done too far from the user to be kept up to date effectively.
    • High barrier to access.
  • 23. If not checked correctly...! [Figure from [1]]
  • 24. Proposed solution (1)
    • Provision identity and user attributes (vetting and credentialing) once, in the user's own organization (×M users).
    • Applications make access and authorization decisions based on trusted federation credentials and user attributes.
  • 25. Proposed solution (2)
    • Huge savings in vetting and credentialing: M operations instead of M×N, and M ≪ M×N.
    • Vetting is better: it is closer to the user, since the user's own organization does the vetting.
    • Credentialing is better: multifactor credentials become affordable.
    • Each user only needs one credential (single sign-on).
    • Lower barriers to access, hence more access.
  • 26. Federated Identity Management (section outline): Introduction; Overview of HTTP authentication and cookies; Trust domains and access cases; FIM definitions and concept; FIM examples.
  • 27. Some definitions
    • Identity: the whole set of attributes that in combination uniquely characterise a person: hair colour, sound of their voice, height, name, qualifications, past actions, reputation, etc.
    • Attribute: a property, quality or characteristic of an entity.
    • Identifier: a string used to uniquely identify an entity in a domain. Often used as a login ID or primary key in a database. A special type of attribute, since it is usually the only one that on its own can uniquely identify an entity in a domain. X.500/LDAP DNs, IP addresses, DNS names, URIs, key IDs, login IDs and 128-bit random numbers are all identifiers.
  • 28. Some definitions (2)
    • Attribute assertion: a statement made by an authority that an entity has a particular attribute. The authority can be the entity itself or a (trusted) third party.
    • Attribute certificate / authorisation credential: a cryptographically protected (usually digitally signed) attribute assertion that can be validated.
    • Attribute authority (AA): an authoritative source for asserting attributes about entities.
    • Service provider (SP): an entity that provides a service to clients.
    • Identity provider (IdP): an entity that provides an authentication service, and is often also an AA for a set of identity attributes of its users.
  • 29. FIM definition, from the RSA web site
    • "A federated identity is a single user identity that can be used to access a group of web sites bound by the ties of federation. Without federated identity, users are forced to manage different credentials for every site they use. This collection of IDs and passwords becomes difficult to manage and control over time, offering inroads for identity theft."
    • "Federated identity management builds on a trust relationship established between an organization and a person. A federated identity makes it possible for the end user to use one trust relationship to access information with another, related company without establishing new credentials."
  • 30. FIM definition (cont.)
    • From Microsoft's web site: "Federated systems need to interoperate across organizational boundaries and connect processes utilizing different technologies, identity storage, security approaches and programming models. Within a federated system, identities and their associated credentials are still stored, owned and managed separately. Each individual member of the federation continues to manage its own identities, but is capable of securely sharing and accepting identities and credentials from other members' sources."
    • From IBM Tivoli's web site: "Federated identity management can be defined as an industry framework built on top of industry standards that let subscribers from disparate organizations use their internal identification data to obtain access to the networks of all enterprises in the group."
    • SO WHAT IS FIM?
  • 31. FIM process
    • Identifiers are assigned within a domain to uniquely identify an entity. They usually have no meaning outside the domain of issuance.
    • FIM requires identity information to be passed between domains, therefore:
      • We need to pass (signed) attribute assertions between domains in order to identify and authorise users across domains. The receiving domain checks the signature, and that the signer is a federation member it trusts, before acting on the assertion.
      • FIM is not just single sign-on, although SSO is part of FIM. Why?
  • 32. A better FIM definition
    • A group of organisations (ministries, associations, municipalities, etc.) that set up trust relationships which allow them to send attribute assertions about users' identities between themselves, in order to grant users access to their resources.
    • A user can use his credentials (covering the AAA concept: authentication, authorisation and accounting) from one or more identity providers to gain access to other sites (service providers) within the federation.
    • Can we use it for e-government in Palestine?
  • 33. User-to-Application [Figure]
  • 34. System-to-System [Figure]
  • 35. Credentials
    • Authentic credentials are ones that have not been tampered with and are received exactly as issued by the issuing authority (established by verifying the issuer's signature).
    • Valid credentials are ones that are trusted for use by the target resource site: the issuer is a federation member the site trusts, and the credential is within its validity period and intended for this site. A credential can be authentic without being valid: a correctly signed assertion from an IdP outside the federation must still be rejected.
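The redirect carrying an assertion (slide 13), the signed attribute assertion passed between domains (slide 31) and the authentic-versus-valid distinction on this slide, worked through as one added example. This is not code from the PalGov tutorial or from any product it names: the identity providers, service provider, keys, subject and attribute names are constructed, and HMAC-SHA256 with a per-IdP shared key stands in for the XML digital signature a real SAML assertion carries.

```python
# Added example: signed assertion carried from an IdP to an SP in another
# trust domain inside a redirect URL, and the SP's authenticity/validity checks.
# All names, keys and attribute values are constructed; HMAC with a shared
# per-IdP key is an assumption standing in for a SAML XML signature.
import base64
import hashlib
import hmac
import json
from urllib.parse import parse_qs, urlencode, urlsplit

# Federation trust list held by the SP: accepted issuers and their keys.
FEDERATION_KEYS = {
    "idp.moi.example": b"moi-shared-key-0001",
    "idp.mtit.example": b"mtit-shared-key-0002",
}
SP_ID = "sp.licence-renewal.example"   # hypothetical service provider


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _canonical(body: dict) -> bytes:
    # Fixed serialisation so signer and verifier hash identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def issue_assertion(issuer, key, subject, attributes, audience, now, ttl=300):
    """IdP side: sign an assertion and wrap it in the redirect URL the
    browser will follow to the SP (the HTTP-Redirect style of slide 13)."""
    body = {
        "issuer": issuer,
        "subject": subject,
        "audience": audience,          # the SP this assertion is meant for
        "issued_at": int(now),
        "expires_at": int(now) + ttl,  # short life limits replay
        "attributes": attributes,
    }
    payload = _canonical(body)
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    token = _b64url(payload) + "." + _b64url(sig)
    return "https://" + audience + "/sso?" + urlencode({"assertion": token})


def verify_assertion(url, trusted_keys, audience, now):
    """SP side. Returns (accepted, reason, body). Authenticity (untampered,
    really from the stated issuer) and validity (issuer trusted here, meant
    for this SP, inside its lifetime) are reported as separate reasons."""
    token = parse_qs(urlsplit(url).query).get("assertion", [""])[0]
    try:
        enc_payload, enc_sig = token.split(".")
        payload, sig = _unb64url(enc_payload), _unb64url(enc_sig)
        body = json.loads(payload)
        if not isinstance(body, dict):
            raise ValueError("assertion body is not an object")
    except (ValueError, TypeError):
        return False, "malformed", None
    key = trusted_keys.get(body.get("issuer"))
    if key is None:
        return False, "issuer not in federation", body   # not valid here
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature", body               # not authentic
    if body.get("audience") != audience:
        return False, "wrong audience", body              # meant for another SP
    if not body.get("issued_at", 0) <= now < body.get("expires_at", 0):
        return False, "expired", body
    return True, "ok", body


def tamper(url, new_attributes):
    """What a user or a man in the middle might try: rewrite the attributes
    inside the URL while keeping the original signature."""
    enc_payload, enc_sig = parse_qs(urlsplit(url).query)["assertion"][0].split(".")
    body = json.loads(_unb64url(enc_payload))
    body["attributes"] = new_attributes
    token = _b64url(_canonical(body)) + "." + enc_sig
    return url.split("?")[0] + "?" + urlencode({"assertion": token})


def demo(now=1_700_000_000):
    """A genuine assertion plus the four ways an SP must reject one."""
    moi_key = FEDERATION_KEYS["idp.moi.example"]
    url = issue_assertion("idp.moi.example", moi_key, "citizen-4711",
                          {"role": "citizen", "licence_class": "B"}, SP_ID, now)
    rogue = issue_assertion("idp.rogue.example", b"rogue-key", "eve", {}, SP_ID, now)
    return {
        "genuine": verify_assertion(url, FEDERATION_KEYS, SP_ID, now)[1],
        "tampered": verify_assertion(tamper(url, {"role": "clerk"}),
                                     FEDERATION_KEYS, SP_ID, now)[1],
        "unknown_idp": verify_assertion(rogue, FEDERATION_KEYS, SP_ID, now)[1],
        "replayed_later": verify_assertion(url, FEDERATION_KEYS, SP_ID, now + 600)[1],
        "wrong_sp": verify_assertion(url, FEDERATION_KEYS, "sp.other.example", now)[1],
    }
```

Calling `demo()` returns `ok` for the genuine assertion and the reason for each rejection. The "unknown_idp" case is the authentic-but-not-valid credential of this slide: the rogue IdP's signature is internally consistent, but its issuer is not in the SP's federation list, so the SP never gets as far as checking the signature.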
  • 36. Federated Identity Management (section outline): Introduction; Overview of HTTP authentication and cookies; Trust domains and access cases; FIM definitions and concept; FIM examples.
  • 37. FIM examples
    • Old systems: Microsoft's Passport; UK Athens.
    • Current FIM systems (as of 2011): Shibboleth; OAuth (strictly a delegated-authorisation protocol rather than an identity protocol, but used in the same role); Liberty Alliance; CardSpace; Higgins; OpenID.
  • 38. Example 1: Microsoft's .NET Passport
    • .NET Passport is an authentication system that allows users to access multiple sites using the same credentials.
    • Each site remains in charge of its own authorisation, and may use Passport information to help in this.
    • How does it work? Users register at a site, but their credentials and profile information are stored centrally by Microsoft at the Passport server. This means that sites must trust Microsoft to hold user credentials and to authenticate users correctly.
  • 39. The registration process [Figure]. The Passport site stores the user's credentials and profile information, and allocates the user a unique 64-bit Passport User ID (PUID).
  • 40. Credentials referenced by the Passport PUID
    • Mandatory: e-mail address (the unique identifier) and password.
    • Optional: secret questions and answers, mobile phone number and PIN, security key.
    • The following attributes are stored by Passport if the participating sites require it, and are shared between sites if the user opts in: birth date, country/region, first name, gender, last name, occupation, postal code, preferred language, state, time zone.
  • 41. .NET Passport authentication [Figure; its numbered steps are referred to on the next two slides]
  • 42. Authentication process across Participating Sites
    • When a user moves to another Participating Site (step 1), the site redirects the user to the Passport site (step 2).
    • The user's browser sends the Authentication cookie and the Profile cookie to Passport during the redirection. Passport then knows the user has already authenticated successfully and does not prompt again (modified step 2).
  • 43. Authentication process across Participating Sites (cont.)
    • The Participating Sites cookie on the user's machine is updated by Passport, and the user is redirected back to the Participating Site (step 5).
    • The Participating Site receives the encrypted tokens from Passport and knows the user has been authenticated (step 6).
    • When the user logs out of Passport, all cookies are deleted, and the Participating Sites cookie is used to clean up the user's sessions at all Participating Sites (single sign-out).
  • 44. Disadvantages of MS Passport
    • All user transactions have to involve Microsoft, as it is responsible for authenticating all users.
    • Why should Microsoft be involved in a federation between a car hire company and a hotel? It might be fine for Microsoft-related site federations such as Hotmail and MSN, but not for all federations between all commercial companies.
    • Also, the protocol used by Passport was developed by Microsoft and was not an international standard.
    • Passport has now been superseded by Windows Live ID, which is an identity meta-system that provides support for Passport, CardSpace and OpenID.
  • 45. Example 2: Shibboleth
    • An Internet2 consortium project.
    • Uses an OASIS standard protocol (SAML) for authentication at the user's home site, and for authorisation via a set of user attributes provided by the home site.
    • Provides users with access to remote resources.
  • 46. Shibboleth access stages
    • Obtaining an authentication assertion for a user from his home site (IdP).
    • Using this to get a set of attribute assertions for the user (from the IdP's attribute authority).
    • The two messages can be combined into one exchange to make the protocol more efficient (the attributes are pushed together with the authentication assertion).
  • 47. User authentication using Shibboleth [2]
    [Figure from [2]; labels visible: Identity Provider, Authentication Service, WAYF, Web Service, SHIB SP, User, "5. Signed Authn Assertion", "6. Attribute Authority"]
  • 48. The WAYF ("Where Are You From") service [Figure]: the service that asks the user which identity provider is their home site, so that the SP can redirect them there for authentication.
  • 49. Authorization using Shibboleth [2]
    [Figure from [2]; labels visible: Authn Service, Web Service, User, SHIB SP, "9. Attributes", "10.", Authz service, AA Server, SHIB IdP]
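The two Shibboleth access stages of slide 46, the attribute-based decision of slide 24 and the authorization exchange in the figure above, as one added example that is neither Shibboleth's code nor the tutorial's: a home-site IdP with an attribute authority, an attribute release policy deciding what each SP may learn, and the SP's rule check. The organization names, users, passwords, eduPerson-style attribute names and access rules are constructed, and the random one-time handle is an assumption standing in for the SAML transient identifier Shibboleth hands to the SP in place of the username.

```python
# Added example (not Shibboleth's own code): authentication assertion with an
# opaque handle, attribute query answered under a release policy, then the
# SP's authorization decision. Users, passwords, policies and rules are
# constructed; the one-time handle stands in for a SAML transient NameID.
import hmac
import secrets

# Constructed home-site (IdP) user store and password table.
USERS = {
    "rtahboub": {"displayName": "R. Tahboub", "mail": "rtahboub@ppu.example",
                 "eduPersonAffiliation": ["staff", "member"], "department": "IT"},
    "s1234": {"displayName": "A. Student", "mail": "s1234@ppu.example",
              "eduPersonAffiliation": ["student", "member"], "department": "CS"},
}
PASSWORDS = {"rtahboub": "staff-pass", "s1234": "student-pass"}

# Attribute release policy (ARP) at the attribute authority: which attributes
# may be released to which service provider (constructed policy).
RELEASE_POLICY = {
    "sp.library.example": {"eduPersonAffiliation"},
    "sp.hr-portal.example": {"eduPersonAffiliation", "mail", "displayName", "department"},
}

# SP access rules: attribute values each resource requires (constructed).
SP_RULES = {
    "sp.library.example": {"/ejournals": {"eduPersonAffiliation": {"staff", "student"}}},
    "sp.hr-portal.example": {"/payslips": {"eduPersonAffiliation": {"staff"}}},
}


class IdentityProvider:
    """Home site: authentication service plus attribute authority (AA)."""

    def __init__(self, entity_id, users, passwords, policy):
        self.entity_id, self.users = entity_id, users
        self.passwords, self.policy = passwords, policy
        self._handles = {}   # opaque handle -> (username, sp it was issued for)

    def authenticate(self, username, password, sp):
        """Stage 1: an authentication assertion carrying an opaque one-time
        handle instead of the username, so the SP learns only that this IdP
        vouches for one of its users."""
        expected = self.passwords.get(username)
        if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
            return None
        handle = secrets.token_urlsafe(16)
        self._handles[handle] = (username, sp)
        return {"issuer": self.entity_id, "audience": sp, "handle": handle,
                "authn_method": "password"}

    def attribute_query(self, handle, sp):
        """Stage 2: the AA resolves the handle and releases only what the ARP
        allows for this SP. The handle is consumed, so a replay (or a query
        from a different SP) gets nothing."""
        owner = self._handles.pop(handle, None)
        if owner is None or owner[1] != sp:
            return None
        username, _ = owner
        allowed = self.policy.get(sp, set())
        return {k: v for k, v in self.users[username].items() if k in allowed}


def request_access(idp, sp, username, password, resource):
    """SP side: run both stages and decide on the requested resource."""
    authn = idp.authenticate(username, password, sp)
    if authn is None or authn["audience"] != sp:
        return "denied: authentication failed"
    attrs = idp.attribute_query(authn["handle"], sp)
    if attrs is None:
        return "denied: attribute query refused"
    required = SP_RULES.get(sp, {}).get(resource)
    if required is None:
        return "denied: unknown resource"
    for attr, accepted in required.items():
        values = attrs.get(attr, [])
        values = values if isinstance(values, list) else [values]
        if not accepted.intersection(values):
            return "denied: needs " + attr + " in " + "/".join(sorted(accepted))
    return "granted"


def released_attributes(idp, sp, username, password):
    """What the SP actually gets to see for this user under the ARP."""
    authn = idp.authenticate(username, password, sp)
    return None if authn is None else idp.attribute_query(authn["handle"], sp)


def demo():
    idp = IdentityProvider("idp.ppu.example", USERS, PASSWORDS, RELEASE_POLICY)
    authn = idp.authenticate("s1234", "student-pass", "sp.library.example")
    first = idp.attribute_query(authn["handle"], "sp.library.example")
    replay = idp.attribute_query(authn["handle"], "sp.library.example")
    lib, hr = "sp.library.example", "sp.hr-portal.example"
    return {
        "student_ejournals": request_access(idp, lib, "s1234", "student-pass", "/ejournals"),
        "student_payslips": request_access(idp, hr, "s1234", "student-pass", "/payslips"),
        "staff_payslips": request_access(idp, hr, "rtahboub", "staff-pass", "/payslips"),
        "bad_password": request_access(idp, lib, "s1234", "wrong", "/ejournals"),
        "library_sees": released_attributes(idp, lib, "rtahboub", "staff-pass"),
        "hr_sees": sorted(released_attributes(idp, hr, "rtahboub", "staff-pass")),
        "first_query": first,
        "handle_replay": replay,
    }
```

`demo()` shows the library SP granting e-journal access on affiliation alone while never learning who the user is (it receives a handle that is consumed on first use and a single attribute), whereas the HR portal, which the policy trusts with more, also receives name, mail and department. That is the privacy property behind the "personalisation" point on the next slide: what an SP can know about the user is decided at the home site, not by the SP.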
  • 50. Shibboleth disadvantages
    • Only a single attribute authority (the user's home IdP) supplies attributes to the service provider.
    • Subject to phishing attacks: users are redirected to a login page and get used to typing their credentials after a redirect, so a fake IdP page is hard to spot.
    • No single sign-off.
    • Credentials (the SSO cookie or the assertion) can be stolen from a browser and used by an imposter.
    • Shibboleth cannot be used for services that need to know who the user is for service personalisation, because by default the SP receives only an opaque handle plus whatever attributes the home site chooses to release. (A persistent, SP-specific pseudonymous identifier can be released to support personalisation without revealing the user's real identity.)
  • 51. Bibliography
    1. John Wandelt, Georgia Tech Research Institute (GTRI), August 2007, www.it.ojp.gov/GFIPM
    2. David Chadwick, Lecture Notes, TrueTrust Ltd, 2011.
    3. http://shibboleth.internet2.edu/
  • 52. Summary. In this session we discussed Federated Identity Management, with different examples.
  • 53. Thanks. Dr. Radwan Tahboub