In this talk Shankar will focus on leveraging the extensive feature set and extensible nature of the WSO2 platform to provide a robust security architecture for your enterprise. It will also touch upon some of WSO2’s experiences with customers in building a security architecture and there by extracting commonly used security architecture patterns.

1. Reinforcing Your Enterprise With
Security Architectures
S.Uthaiyashankar
VP Engineering, WSO2
shankar@wso2.com

2. The Problem…
• Security is a non-func?onal requirements
• Very easy to make security holes
• Knowledge on security is less
– ODen people feel secure through obscurity
• Too much of security will reduce usability
• Security PaHerns might help to reduce the risk
Image Source: hHp://cdn.c.photoshelter.com/img-get/I0000WglLK9YvkQM/s/750/750/gmat-matyasi-14.jpg

3. Security
• Authen?ca?on
• Authoriza?on
• Confiden?ality
• Integrity
• Non-repudia?on
• Audi?ng
• Availability
Image source: hHp://coranet.com/images/network-security.png

4. Authen<ca<on
• Direct Authen?ca?on
– Basic Authen?ca?on
– Digest Authen?ca?on
– TLS Mutual Authen?ca?on
– OAuth : Client Creden?als
Service Providers
Authen<ca<on
Service Consump<on
Image Source : hHp://www.densodynamics.com/wp-content/uploads/2016/01/gandalf.jpg

5. Authen<ca<on
• Brokered Authen?ca?on
– SAML
– OAuth : SAML2/JWT grant type
– OpenID
Service Providers
Service Providers
Service Providers
Iden?ty Provider
Service Providers
Authen<ca<on
Service Consump<on
Trust
Image source: hHp://savepic.ru/6463149.gif

6. Authen<ca<on
• Single Sign On
• Mul?-factor Authen?ca?on
Service Providers
Service Providers
Service Providers
Iden?ty Provider
Service Providers
Authen<ca<on
Service Consump<on
Trust
Image source : hHps://upload.wikimedia.org/wikipedia/commons/e/ef/CryptoCard_two_factor.jpg

7. Authen<ca<on
• Iden?ty Federa?on PaHern and Token Exchange

8. Authen<ca<on
• Iden?ty Federa?on PaHern and Token Exchange

9. Authen<ca<on
• Iden?ty Bus

10. Authen<ca<on
• Trusted Subsystem PaHern
Source: hHps://i-msdn.sec.s-msD.com/dynimg/IC2296.gif

11. Authen<ca<on
• Mul?ple User stores
Image Source: hHps://malalanayake.files.wordpress.com/2013/01/mul?ple-user-stores1.png?w=645&h=385

12. Provisioning

13. Authoriza<on
• Principle of Least Privilege
• Role based Access Control
• AHribute based Access Control
– Policy based Access Control
Image source : hHp://cdn.meme.am/instances/500x/48651236.jpg

14. Authoriza<on
• eXtensible Access Control Markup Language (XACML)
Image Source : hHps://nadeesha678.wordpress.com/2015/09/29/xacml-reference-architecture/

15. Confiden<ality : Encryp<on
Transport Level Security vs
Message Level Security
• Transport Level
• Message Level
• Symmetric Encryp?on
• Asymmetric Encryp?on
• Session key based Encryp?on
Image Source: hHp://www.the?mes.co.uk/Ho/mul?media/archive/00727/cartoon-web_727821c.jpg

16. Integrity : Digital Signatures
• Transport Level
• Message Level
• Symmetric Signature
• Asymmetric Signature
• Session key based Signature
Image Source : hHp://memegenerator.net/instance2/4350097

17. Non-repudia<on: Digital Signatures
• Message Level
• Asymmetric Signature
Image Source: hHp://www.demo?va?on.us/media/demo?vators/demo?va?on.us_DENIAL-What-ever-it-is...-I-DIDNT-DO-IT_133423312332.jpg

18. Audi<ng
• However secure you are,
people might make mistake
• Collect the (audit) logs and
analyze for
– Anomaly
– Fraud
Source: hHps://745515a37222097b0902-74ef300a2b2b2d9e236c9459912aaf20.ssl.cf2.rackcdn.com/f33df70e3ffd92d1f68827dd559aa82c.jpeg

19. Availability
• Network Level Measures
• ThroHling
• Heart beat and hot pooling
Image Source: hHps://www.corero.com/img/blog/thumb/62327%207%20365.jpg

20. Secure Deployment PaHern
Red Zone (Internet)
Firewall
Yellow Zone (DMZ)
Firewall
Green Zone (Internal)
Services, Database
API Gateway, Integra<on
Client Applica<on

21. Secure Deployment PaHern : More restricted
Red Zone (Internet)
Firewall
Yellow Zone (DMZ)
Firewall
Green Zone (Internal)
Services, Database
API Gateway, Integra<on, Message Broker
Client Applica<on

22. Thank You