Authorization at Penn
Shumon Huque
University of Pennsylvania
Kerberos Conference, October 31st 2012
Massachusetts Institute of Technology
Cambridge, Massachusetts, USA
[Kerberos Conference, October 2012, MIT]
Kerberos Deployment
• Two main realms:
  • UPENN.EDU: the main one
  • A central Windows-based realm (1-way trust with UPENN.EDU)
• Various other departmental Windows-server-based realms that mostly also have a 1-way cross-realm relationship with the central Kerberos servers
Software & Hardware
• Central servers run MIT Kerberos 5 version 1.5.x
• Central servers run on Intel hardware and Red Hat Enterprise Linux 4.x (current generation > 4 years old)
• Three servers, distributed on 3 distinct IP subnets, located in 3 distinct machine rooms around the campus
• One active master (kadmin server); manual procedure in place to reconfigure an alternate as master
• Servers physically secured in machine rooms; run no extraneous network services, and provide limited access to the OS via an OOB console network protected by hardware token authentication
Authorization Systems
• Kerberos: authentication only
• Applications need to consult a separate authorization system (ours is based on Grouper)
  • http://www.internet2.edu/grouper/
• Many Windows systems also use their usual methods (AuthZ data/PAC etc.) for additional local policies
• We’re interested in looking at the PAC/PAD work in progress in the IETF
Multi-factor Authentication
• Investigated and piloted (but no production use yet):
  • CRYPTOCard (using SAM-2 Kerberos pre-authentication)
  • RSA SecurID (using 2nd input to CoSign web SSO)
• (We do use SecurID to authenticate access to out-of-band console sharing networks, but this doesn’t involve Kerberos)
Unified Namespace
• Decided in 1995 to unify disjoint user namespaces at Penn
• Developed a basic name registry service (PennNames) and tools for applications
• Coordinated with application owners from throughout Penn
• Group effort to resolve name conflicts over the course of 6 or 7 years (fairly painful)
Why do we care about Unified Namespace?
• Reduces confusion and misdirected communications
• Provides a simpler handle for a broad range of campus IT services
• Simplified design of campus-wide authentication system
• Probably simplifies future work on centralized authorization
Authentication &
• The act of verifying someone’s identity
• The process by which users prove their identity to a service
  • (and vice versa: “Mutual authentication”)
• Doesn’t specify what a user is allowed or not allowed to do (Authorization)
What do we have so far?
• We “know” that the user is who they claim to be (authentication)
• We don’t know anything about them (roles, affiliations)
• We don’t know what they can do (privileges)
Simple Scenario
• “Hi! I’m Mark!” (Identity)
• “… And here is my PennKey and password to prove it.” (Authentication)
• “I want to connect to the IMAP server to read my mail.” (Authorization)
• “And now I want to shut down the DNS server.” (Authorization)
Authorization Decisions
• Is the user on a list of approved users?
• Is the user a member of an approved group?
The Not-So-Good Old Days
• Every application on its own to make authorization decisions
• In practice, many assumed that authentication was good enough (“if you can log in, you’re in”)
• Every application must maintain its own access control lists or eligibility/privilege rules
A Better Way
• Make authorization decisions according to local eligibility policy using central role and privilege definitions
  • “All Senior Law Faculty”
  • “Any staff in my department, except the birthday boy”
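The three preceding slides (Authorization Decisions, The Not-So-Good Old Days, A Better Way) describe the shape of the decision without showing one. The following is an added example, not code from the deck or from Penn: an authenticated Kerberos principal is first mapped to a local user name (only the UPENN.EDU realm named in the deck is accepted), then a local eligibility policy is evaluated against a central group store. The group store, group names, principals, resources and policies are all constructed stand-ins for a Grouper-style service; the `legacy_decision` function shows the “if you can log in, you’re in” rule for contrast.

```python
"""Added example (not from the slide deck): authentication kept separate from
authorization. Group names, principals, resources and policies are constructed
for illustration; CENTRAL_GROUPS stands in for a Grouper-like central store."""
from dataclasses import dataclass

LOCAL_REALM = "UPENN.EDU"  # realm named in the deck; other realms rejected here

# Constructed stand-in for the central role/group store.
# In production this would be looked up over LDAP or the Grouper API.
CENTRAL_GROUPS = {
    "penn:law:faculty:senior": {"alice", "bob"},
    "penn:isc:staff": {"carol", "dave", "mark"},
    "penn:isc:dns-admins": {"carol"},
}


@dataclass(frozen=True)
class Policy:
    """Local eligibility rule for one resource, expressed over central groups."""
    name: str
    any_of_groups: frozenset               # member of at least one of these
    excluded: frozenset = frozenset()      # local exclusions ("except the birthday boy")
    allowed_users: frozenset = frozenset()  # explicit approved-users list


# Constructed local policies, one per resource.
POLICIES = {
    "law-review-archive": Policy("law-review-archive",
                                 frozenset({"penn:law:faculty:senior"})),
    "dept-calendar": Policy("dept-calendar", frozenset({"penn:isc:staff"}),
                            excluded=frozenset({"dave"})),
    "dns-shutdown": Policy("dns-shutdown", frozenset({"penn:isc:dns-admins"})),
}


def local_name(principal):
    """Map an authenticated Kerberos principal to a local user name.

    Only principals in the local realm are accepted; a principal arriving
    over a cross-realm trust would need its own mapping rule, so it is
    rejected rather than silently treated as a local user.
    """
    name, sep, realm = principal.partition("@")
    if not sep or not name or realm != LOCAL_REALM:
        return None
    return name


def authorize(groups, policy, user):
    """Evaluate one policy for one user; returns (allowed, reason)."""
    if user in policy.excluded:
        return False, f"{user} is locally excluded from {policy.name}"
    if user in policy.allowed_users:
        return True, "on approved-users list"
    for group in sorted(policy.any_of_groups):
        if user in groups.get(group, set()):
            return True, f"member of {group}"
    return False, "no matching group or approved-users entry"


def decide(principal, resource, groups=CENTRAL_GROUPS, policies=POLICIES):
    """Full decision: authenticated principal -> local user -> local policy."""
    user = local_name(principal)
    if user is None:
        return False, f"principal {principal!r} not in realm {LOCAL_REALM}"
    policy = policies.get(resource)
    if policy is None:
        return False, f"no policy for {resource!r}: deny by default"
    return authorize(groups, policy, user)


def legacy_decision(principal):
    """The 'not-so-good old days' rule: if you can log in, you're in."""
    return local_name(principal) is not None


if __name__ == "__main__":
    # Constructed scenario matching the "Simple Scenario" slide: Mark may read
    # his mail but is not a DNS admin, so the DNS shutdown request is denied.
    for p, r in [("mark@UPENN.EDU", "dns-shutdown"),
                 ("carol@UPENN.EDU", "dns-shutdown"),
                 ("dave@UPENN.EDU", "dept-calendar"),
                 ("mark@OTHER.EXAMPLE", "dept-calendar")]:
        print(p, r, decide(p, r), "legacy:", legacy_decision(p))
```

Unknown resources and unknown realms both fall through to a deny, which is the default a centrally managed policy should have; the legacy rule grants Mark the DNS shutdown simply because he authenticated.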
High Level AuthZ Design
[Diagram: AuthZ Service (Distributed Management, Local Data); App Servers; University Source Systems; Access Control Lists]
High Level AuthZ Design
[Diagram: as on the previous slide, with an AuthN Service added; applications consult the AuthZ Service usually after an AuthN]
Likely Components
• Grouper and Signet as elements of the AuthZ service
• Web UI that allows distributed management of a central store of local data
• Application access to the AuthZ service by widely available mechanisms/protocols like LDAP
Benefits of Centralization
• Consistent application of authority rules
• (Many) privileges for an individual can be viewed in one place
• Allows for a historical view of privileges over time
• Allows for automatic revocation based on status or affiliation changes
• Facilitates hierarchical control of authority
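Three of the benefits listed above (privileges viewable in one place, a historical view over time, automatic revocation on affiliation change) follow from one design choice: rule-driven group membership recomputed from the source systems. The following is an added example, not code from the deck or from Penn’s Grouper deployment; the store, its rules, the affiliation names and the people are all constructed for illustration.

```python
"""Added example (not from the slide deck): a constructed central privilege
store in which group membership is derived from source-system affiliations,
so a status change revokes access automatically and every change is kept as
history for audit. Rules, affiliation names and people are made up."""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Person:
    """One record as a university source system (HR, registrar, ...) reports it."""
    name: str
    affiliations: frozenset


class CentralAuthZStore:
    def __init__(self, rules):
        # rules: group name -> affiliation that grants membership in that group
        self.rules = dict(rules)
        self.members = {group: set() for group in self.rules}
        self.history = []  # (timestamp, action, group, user), append-only

    def sync(self, people, now=None):
        """Recompute every rule-driven group from the current source data.

        Anyone who gained the affiliation is granted, anyone who lost it is
        revoked; no application has to be told, it just sees the new groups.
        """
        now = now or datetime.now(timezone.utc)
        for group, affiliation in self.rules.items():
            wanted = {p.name for p in people if affiliation in p.affiliations}
            current = self.members[group]
            for user in sorted(wanted - current):
                self.history.append((now, "grant", group, user))
            for user in sorted(current - wanted):
                self.history.append((now, "revoke", group, user))
            self.members[group] = wanted

    def privileges_of(self, user):
        """All current privileges of one person, viewable in one place."""
        return sorted(g for g, m in self.members.items() if user in m)

    def history_of(self, user):
        """Historical view: (action, group) pairs in order for one person."""
        return [(action, group) for _, action, group, u in self.history if u == user]


def run_demo():
    """Constructed scenario: mark is ISC staff, then leaves; carol stays."""
    store = CentralAuthZStore({
        "penn:isc:staff": "staff:isc",
        "penn:law:faculty": "faculty:law",
    })
    t1 = datetime(2012, 10, 1, tzinfo=timezone.utc)
    t2 = datetime(2012, 11, 1, tzinfo=timezone.utc)
    store.sync([Person("mark", frozenset({"staff:isc"})),
                Person("carol", frozenset({"staff:isc"})),
                Person("alice", frozenset({"faculty:law"}))], now=t1)
    before = store.privileges_of("mark")
    # The source system now reports mark with no affiliation: revoked automatically.
    store.sync([Person("mark", frozenset()),
                Person("carol", frozenset({"staff:isc"})),
                Person("alice", frozenset({"faculty:law"}))], now=t2)
    after = store.privileges_of("mark")
    return before, after, store.history_of("mark"), store.privileges_of("carol")


if __name__ == "__main__":
    print(run_demo())
```

The history list is append-only and carries the timestamp of each change, which is what makes the “historical view of privileges over time” and the auditing argument on the next slides possible; applications that only see the current groups never have to implement revocation themselves.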
Making the case for
• Stay in compliance with a growing list of policy mandates
  • Consistent rules
  • Easy auditing
• Save both dollars and time
  • Automated privilege changes
  • Less specific knowledge needed for every application
Challenges of centralization
• Sufficient motivation for change
• Users and application providers may need related education
• Resources, control
  • Centralized authentication forces units to relinquish control
  • Perhaps some software engineering required to separate authentication from authorization
Challenges of centralization
• Units must understand current authorization/privilege policies
  • This will likely trigger a thorough review of those policies (probably not a bad thing, but takes time)
• Units must translate those policies into the new format
Summing up
• Unified user name space (PennNames)
• Addressing several password issues (many passwords, varying rules, poor password handling practices) with central AuthN
• Driving towards secure and practical single sign-on through the native use of Kerberos
• Working on two-factor AuthN possibilities
• Pulling together relevant directory, AuthN, AuthZ technology pieces, plus policies, and physical identification, towards early stage Identity Management
Questions?
Shumon Huque
shuque -@- upenn.edu
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
The Evolution of Money: Digital Transformation and CBDCs in Central Banking
The Evolution of Money: Digital Transformation and CBDCs in Central BankingThe Evolution of Money: Digital Transformation and CBDCs in Central Banking
The Evolution of Money: Digital Transformation and CBDCs in Central Banking
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 

Authorization at Penn

1. Authorization at Penn
   Shumon Huque, University of Pennsylvania
   Kerberos Conference, October 31st 2012, Massachusetts Institute of Technology, Cambridge, Massachusetts, USA

2. Kerberos Deployment
   [Kerberos Conference, October 2012, MIT]
   • Two main realms:
     • UPENN.EDU: the main one
     • A central Windows-based realm (1-way trust with UPENN.EDU)
   • Various other departmental Windows server based realms that mostly also have a 1-way cross-realm relationship with the central Kerberos servers

3. Software & Hardware
   • Central servers run MIT Kerberos 5 version 1.5.x
   • Central servers run on Intel hardware and Red Hat Enterprise Linux 4.x (current generation > 4 years old)
   • Three servers, distributed on 3 distinct IP subnets, located in 3 distinct machine rooms around the campus
   • One active master (kadmin server); manual procedure in place to reconfigure an alternate as master
   • Servers physically secured in machine rooms; run no extraneous network services, and provide limited access to the OS via an OOB console network protected by hardware token authentication

4. Authorization Systems
   • Kerberos: authentication only
   • Applications need to consult a separate authorization system (ours is based on Grouper): http://www.internet2.edu/grouper/
   • Many Windows systems also use their usual methods (AuthZ data/PAC etc.) for additional local policies
   • We're interested in looking at the PAC/PAD work in progress in the IETF

5. Multi-factor Authentication
   • Investigated and piloted (but no production use yet):
     • CRYPTOCard (using SAM-2 Kerberos pre-authentication)
     • RSA SecurID (using 2nd input to CoSign web SSO)
   • (We do use SecurID to authenticate access to out-of-band console sharing networks, but this doesn't involve Kerberos)
6. Unified Namespace
   • Decided in 1995 to unify disjoint user namespaces at Penn
   • Developed a basic name registry service (PennNames) and tools for applications
   • Coordinated with application owners from throughout Penn
   • Group effort to resolve name conflicts over the course of 6 or 7 years (fairly painful)

7. Why do we care about a Unified Namespace?
   • Reduces confusion and misdirected communications
   • Provides a simpler handle for a broad range of campus IT services
   • Simplified design of the campus-wide authentication system
   • Probably simplifies future work on centralized authorization

8. Authentication &
   • The act of verifying someone's identity
   • The process by which users prove their identity to a service (and vice versa: "mutual authentication")
   • Doesn't specify what a user is allowed or not allowed to do (authorization)

9. What do we have so far?
   • We "know" that the user is who they claim to be (authentication)
   • We don't know anything about them (roles, affiliations)
   • We don't know what they can do (privileges)

10. Simple Scenario
   • "Hi! I'm Mark!" (Identity)
   • "... And here is my PennKey and password to prove it." (Authentication)
   • "I want to connect to the IMAP server to read my mail." (Authorization)
   • "And now I want to shut down the DNS server." (Authorization)

11. Authorization Decisions
   • Is the user on a list of approved users?
   • Is the user a member of an approved group?

12. The Not-So-Good Old Days
   • Every application on its own to make authorization decisions
   • In practice, many assumed that authentication was good enough ("if you can log in, you're in")
   • Every application must maintain its own access control lists or eligibility/privilege rules

13. A Better Way
   • Make authorization decisions according to local eligibility policy using central role and privilege definitions
     • "All Senior Law Faculty"
     • "Any staff in my department, except the birthday boy"
14. High Level AuthZ Design
   [Diagram with boxes: AuthZ Service; Distributed Management, Local Data; App Servers; University Source Systems; Access Control Lists]

15. High Level AuthZ Design
   [Same diagram as slide 14, with an added box: AuthN Service (usually after an AuthN)]

16. Likely Components
   • Grouper and Signet as elements of the AuthZ service
   • Web UI that allows distributed management of a central store of local data
   • Application access to the AuthZ service by widely available mechanisms/protocols like LDAP
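The decision model on slides 11 and 13 (an approved-user list, an approved group, a local exception layered over central group definitions), the step of turning an authenticated Kerberos principal into a local username, and the automatic revocation on affiliation change from slide 17, worked through as an added Python example. This is a constructed illustration, not Penn's code and not Grouper's or Signet's API: the in-memory AuthzService stands in for the central group store an application would reach over LDAP, the group name penn:isc:staff and the users are made up, and only the realm name UPENN.EDU is taken from the deck.

```python
"""Separating authentication from authorization (constructed example).

Kerberos tells the application which principal proved possession of a key.
Everything after that, including which local user that principal is and
what that user may do, is an authorization decision made against a
separate store of groups and affiliations.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Realm name taken from the deck; treated as the only realm whose
# principals map directly to local (PennName-style) usernames.
TRUSTED_REALM = "UPENN.EDU"


def principal_to_username(principal: str) -> Optional[str]:
    """Map an authenticated Kerberos principal to a local username, or None.

    A same-named principal arriving over a one-way cross-realm trust
    (e.g. alice@SOME.WINDOWS.REALM) is not the local user 'alice', and
    instance principals (alice/admin@REALM) are rejected so they cannot
    alias the base user.
    """
    if "@" not in principal:
        return None
    name, realm = principal.rsplit("@", 1)
    if realm != TRUSTED_REALM or not name or "/" in name:
        return None
    return name


class AuthzService:
    """Constructed stand-in for a central group store (Grouper-like)."""

    def __init__(self) -> None:
        self.groups: Dict[str, Set[str]] = {}
        self.active: Dict[str, bool] = {}

    def add_member(self, group: str, user: str) -> None:
        self.groups.setdefault(group, set()).add(user)
        self.active.setdefault(user, True)

    def is_member(self, group: str, user: str) -> bool:
        # An inactive affiliation hides every membership at once.
        return self.active.get(user, False) and user in self.groups.get(group, set())

    def set_active(self, user: str, active: bool) -> None:
        """Affiliation change: one flag revokes all group-derived privileges."""
        self.active[user] = active


@dataclass
class Policy:
    """An application's local eligibility policy over central groups."""
    allowed_users: Set[str] = field(default_factory=set)   # explicit ACL
    allowed_groups: Set[str] = field(default_factory=set)  # any membership suffices
    denied_users: Set[str] = field(default_factory=set)    # local exceptions, checked first


def authorize(authz: AuthzService, policy: Policy, principal: str) -> Tuple[bool, str]:
    """Decide access for an already-authenticated principal: (allowed, reason)."""
    user = principal_to_username(principal)
    if user is None:
        return False, "principal not mappable to a local user"
    if user in policy.denied_users:
        return False, f"{user} explicitly denied"
    if user in policy.allowed_users:
        return True, f"{user} on approved user list"
    for group in sorted(policy.allowed_groups):
        if authz.is_member(group, user):
            return True, f"{user} is a member of {group}"
    return False, f"{user} matches no rule"


def demo() -> Dict[str, bool]:
    """Slide 13's policy: any staff in my department, except the birthday boy."""
    authz = AuthzService()
    for user in ("alice", "mark"):
        authz.add_member("penn:isc:staff", user)  # constructed group name
    policy = Policy(allowed_groups={"penn:isc:staff"}, denied_users={"mark"})
    results = {
        "alice": authorize(authz, policy, "alice@UPENN.EDU")[0],
        "mark": authorize(authz, policy, "mark@UPENN.EDU")[0],
        # Same short name from a cross-realm Windows domain: not the same user.
        "alice_xrealm": authorize(authz, policy, "alice@WIN.EXAMPLE")[0],
        "alice_admin": authorize(authz, policy, "alice/admin@UPENN.EDU")[0],
    }
    authz.set_active("alice", False)  # affiliation ends: automatic revocation
    results["alice_after_leaving"] = authorize(authz, policy, "alice@UPENN.EDU")[0]
    return results


if __name__ == "__main__":
    for who, ok in demo().items():
        print(f"{who:22} {'allow' if ok else 'deny'}")
```

The realm check in principal_to_username is the part most easily forgotten when one-way cross-realm trusts exist: an application that strips everything after the "@" would grant a departmental realm's "alice" whatever the central realm's "alice" is entitled to. Keeping the exception list ahead of the group check is what lets a local policy override a central group without editing the group itself.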
17. Benefits of Centralization
   • Consistent application of authority rules
   • (Many) privileges for an individual can be viewed in one place
   • Allows for a historical view of privileges over time
   • Allows for automatic revocation based on status or affiliation changes
   • Facilitates hierarchical control of authority

18. Making the case for
   • Stay in compliance with a growing list of policy mandates
     • Consistent rules
     • Easy auditing
   • Save both dollars and time
     • Automated privilege changes
     • Less specific knowledge needed for every application

19. Challenges of centralization
   • Sufficient motivation for change
     • Users and application providers may need related education
   • Resources, control
     • Centralized authentication forces units to relinquish control
     • Perhaps some software engineering required to separate authentication from authorization

20. Challenges of centralization
   • Units must understand current authorization/privilege policies
     • This will likely trigger a thorough review of those policies (probably not a bad thing, but takes time)
   • Units must translate those policies into the new format

21. Summing up
   • Unified user name space (PennNames)
   • Addressing several password issues (many passwords, varying rules, poor password handling practices) with central AuthN
   • Driving towards secure and practical single sign-on through the native use of Kerberos
   • Working on two-factor AuthN possibilities
   • Pulling together relevant directory, AuthN, AuthZ technology pieces, plus policies and physical identification, towards early-stage Identity Management

23. Questions?
   Shumon Huque
   shuque -@- upenn.edu