SlideShare a Scribd company logo

Patterns and Antipatterns in Enterprise Security

WSO2
WSO2

To view recording of this webinar please use below URL: Attacks against information systems is on the rise making enterprise security a major concern. It’s important to identify and address security needs such as confidentiality, integrity, availability and auditability of information. Enterprise security patterns facilitate balanced and informed decisions about security needs, as well as provide a rationale for the evolution of security needs over time. Antipatterns, which are fostered by misapplications of concepts and misunderstandings of security concerns, should be avoided. Enterprise security patterns and antipatterns solve these security concerns by addressing recurrent problems and challenges. These security patterns facilitate balanced and informed decisions about security needs, avoid the misapplication of concepts and misunderstanding of security concerns and provide a rationale for evolution of security needs over time. This webinar will Deep dive into enterprise security patterns and antipatterns Explore the importance of using them Discuss how to apply them with WSO2 Identity Server

1 of 67
Downloaded 54 times
Patterns and Antipatterns in Enterprise Security Johann Nallathamby Malithi Edirisinghe 1
For whom? ● Looking to learn about Identity and Access Management Patterns to solve real world business problems. ● Some experience with Identity and Access Management Technologies. E.g. Directories, SAML2, OAuth2 which are some of the most commonly used data standards / protocols for transporting Identity and Access Management data. ● Main focus is on Identity and Access Management Patterns. ○ NOT Network Security ○ NOT OS Security 2
1. Identity Integration / Virtual Directory 3
Problem ● Users to the system can come from multiple sources ● A single user’s attributes can come from multiple sources ● User credentials and attributes can come from separate sources Solution ● Mount multiple user stores for user management and make the number and type of user stores transparent to the application ● Connect the credential stores and identity stores to the system and provide a unified view of the user's’ identity hiding away the complexity in aggregating those data 4
2. Identity Broker 5
Problem Users will work with multiple applications in an enterprise. They will have to use specific credentials for each. ● Disjointed User Experience ● Complicated user and account management ● Security Threats Solution Delegate authentication to a trusted identity provider - Brokered Identity 6
Benefits ● Single Sign On ● Separate user authentication from application code ● Hides user credentials from applications ● Removes administrative overhead from applications ● Improves user experience Limitations ● Authentication can be a single point of failure. ● Introduce a single point where the security of the entire system can be breached 7
3. Identity Federation 8
Problem Users will use applications across enterprise borders and cloud. Solution Multiple trust domains with multiple Identity Providers. Federated authentication based on the trust relationship 9
Benefits ● Single Sign On ● No need of managing accounts in the on premise userstore ● Reduce administration overhead Limitations Security of the system can be compromised if any of the Identity Provider that your Identity Provider trusts are breached. 10
3.1. Identity Federation Variation -1 Inter-Domain Token Exchange 11
Problem A consumer who is living in a trust domain needs to interact with a service that is developed in a federated trust domain Solution Establish a trust relationship between the two Identity Providers residing in each trust domain. IdP-A IdP-B Consumer Service Trust Trust Trust Trust Domain A Trust Domain B 12
Benefits ● Flexible in maintaining trust domains ● Facilitates federated interactions between consumers and services across trust domains ● Same model can be extended to address more complex federation scenarios Limitations Introduces certain level of dependency between the consumer and the Identity Provider in the other trust domain 13
3.2. Identity Federation Variation -2 Intra-Domain Token Exchange 14
Problem A consumer who is living in a trust domain needs to interact with a service that is developed in a federated trust domain, without any dependencies to entities in the other trust domain Solution Consumer presents the token to the service in the other trust domain. Service will validate the token with its Identity Provider. IdP-A IdP-B Consumer Service Trust Trust Trust Trust Domain A Trust Domain B 15
Benefits ● Removes dependencies between consumers and service in different trust domains ● Can handle different token claim representations Limitations ● Adds complexity to the mechanism used to model the trust relationship with the Identity Provider in the other trust domain ● Makes the services to accept messages that are not issued by the Identity Provider that they trusts 16
3.3. Identity Federation Variation -3 Third Party Trust Establisher 17
Problem Creation of trust between Identity Providers can be complex. Ex: Cannot establish direct trust relationship as some identity information cannot be shared with partner company. Solution Establish the trust relationship with a third party Identity Provider, that act as a bridge between other Identity Providers IdP-A IdP-B Consumer Service Trust Trust Trust Trust Domain A Trust Domain BIdP-C Trust Trust 18
Benefits Isolates the complexities of the federated environment from different trust domains Limitations Introduces a new component that needs to maintained 19
4. Identity Hub 20
Problem ● Increasing no of Service Providers and Identity Providers ● Each Service Provider has to trust Each Identity Provider Not scalable Hard to manage Source : http://blog.facilelogin.com/2014/10/identity-federation-patterns-with-wso2. html Spaghetti 21
Solution One Identity Broker trusted by relying parties and federated parties acting as a hub 22
5. Identity Bridge 23
Problem ● Multiple Identity Federation Protocols SAML, OpenID Connect, WS-Federation etc. ● But federation systems relies on only one protocol Ex: Silo of SAML Federation Silo of OpenID Connect Federation Source : http://blog.facilelogin.com/2014/10/identity-federation-patterns-with-wso2. html Federation Silos 24
Solution ● Bridge between protocols. SAML with OpenID Connect 25
Benefits ● Single Sign On across heterogeneous protocols ● Identity federation between Service Providers and Identity Providers with heterogeneous federation protocols ● Scalability Limitations ● Authentication can be a single point of failure. ● Introduce a single point where the security of the entire system can be breached 26
6. Claim/Role Transformer 27
Problem Service Providers may not be able to understand claims or roles of the subject, in the format issued by Identity Providers and vise versa. Solution Convert incoming claims to the expected format Benefits ● Process claims in a single point reducing the complexity of enforcing brokered trust ● Can be used with legacy systems 28
7. Multi-factor Authentication 29
Problem Digital identity fraud is still on the rise Needs “strong” user authentication Solution Use two or more authentication factors ● Something known to only the user (Knowledge based) password, shared secret, PIN ● Something held only by the user (Possession based) security token, smart card, mobile device ● Something inherent only to the user (Biometric) facial recognition, fingerprint, voice recognition 30
8. Multi-option Authentication 31
Problem Multiple domains essentially isolated due to lack of mutual inbound or outbound trust relationships. Service Providers opt for different login options Solution Multiple login options are presented to the user as per the Service Provider application. 32
9. Adaptive Authentication 33
Problem Needs “strong” user authentication, if and only if there is an actual risk. Solution Provide additional authentication steps, if and only if the risk profile (derived from a matrix of variables) is high. Enhance user experience 34
10. Authorization Patterns 35
36 MAC vs. DAC ● Mandatory Access Control (MAC) ○ Centralized security policy ○ Users do not have the ability to override the policy ● Discretionary Access Control (DAC) ○ Governs the ability of subjects to access objects ○ Allows users the ability to make policy decisions and/or assign security attributes. ○ The traditional Unix system of users, groups, and read-write- execute permissions is an example of DAC.
37 Access Control Patterns ● Access Matrix / Access Control Table / Access Control List ● Role Based Access Control (RBAC) ● Group Based Access Control ● Claim Based Access Control ● Policy Based ● Hierarchical Authorization ○ Hierarchical Tenants ○ Hierarchical Groups/Roles ○ Hierarchical Resources ● Multilevel Access Control
38 Access Control Patterns
Patterns and Antipatterns in Enterprise Security
Patterns and Antipatterns in Enterprise Security
11. SSO with Delegated Access Control 41
Problem Consumers need to access back-end APIs on behalf of the logged in user. 42 Solution Should adhere to some access delegation protocol Ex: OAuth Exchange the authentication token to some access token SAML token, JSON Web Token (JWT)
43
44
12. Outbound Provisioning 45
46
47
48
49
13. JIT Provisioning / Shadow Accounts 50
Requirements ● Transient Name IDs ● Persistent Name IDs ● Identity Protection ● Identity Mapping ● Identity Collision 51
14. Trusted Subsystem 52
53 Problem Securing a n-tier application ● Securing only the top most layer ● Expansion in the number and kinds of users ● Heterogeneous devices ● Unlimited connections ● Who should be allowed to access the data? ● Cannot protect from an attack originating from the local area network within the company. ● Who has already accessed the data? Source : http://blog.facilelogin.com/2014/10/identity-federation-patterns-with-w html
54 Solution 1 Impersonation and Delegation ● Delegation is the process of allowing another party to act on behalf of an identity. ● This process bestows upon a party the rights and privileges of another party to perform a set of tasks. ● Impersonation can be viewed as the most relaxed form of delegation, such that one identity is assigned the complete set of permissions of the impersonated identity.
55 Solution 2 Trusted Subsystem ● Trusted subsystem model implies that application services are trusted to perform a specific set of application tasks. ● Frequently, downstream services need to make application authorization decisions. ● To do so, the service must know the identity of the end user. ● While the ability to flow the identity of the end user is an inherent property of the delegation model, it is not so for the trusted subsystem model and special efforts must be made to include this feature. Source : https://msdn.microsoft.com/en-us/library/aa905320. aspx#trstsubsysdes_topic6
56 Solution 2 Contd. Trusted Subsystem ● Authenticate and verify the identity of the upstream or downstream service they are communicating with. ● Decide if the identified service is a trusted subsystem for a specific set of application functions, including propagating identity claims. ● Protect the integrity of the data being communicated between trusted subsystem and downstream services. Besides application data and application plumbing data, such as the identity claims of the original user, must also be protected so that no man-in-the-middle can modify the identity information that is in transit.
57 Solution 2 Contd. Trusted Subsystem - Identity Flows ● Trusted subsystem generated identity tokens / Self-issued ○ When downstream services trust the trusted subsystem to assert the original caller's identity, without requiring additional evidence from other parties. ● Third party generated identity tokens / Self-contained ○ When the downstream services trust the trusted subsystem to assert claims regarding the original caller in conjunction with third party evidence that satisfies an additional set of security requirements. ● User self-signed tokens ○ When the trusted subsystem is authorized to perform a set of application functions and when there must be evidence from the original caller that the caller initiated the request. ● Identity/Credential Mapping ○ Special function of the trusted subsystem role, where the goal is to transform an identity to another related identity for the purpose of gaining access to downstream resources that only recognize the transformed identity.
15. Security Gateway 58
59
60
61 Audit Interceptor Requirement ● Log security incidents to trace system abuse: ○ Failed login attempts ○ Unauthorized access attempts to services Solution ● All messages flow through the a gateway of the system. ● Necessary auditing is done by the logging at the gateway.
62 Data Origin Authentication Requirement ● Non-repudiation Solution ● Digital Signature Data Confidentiality Requirement Protect sensitive personal data during transmission from: ● Tampering ● unauthorized access Solution ● Digital Encryption
63 Message Screening Requirement Mitigate damages to the system from messages with malicious content ● SQL injection ● X-Doc attacks Solution ● XML Schema validation. ● Regular expression validation to avoid SQL injections contained in strings. ● An application of Perimeter Security
64 Replay Mitigation/DoS Safety Requirement Prevent denial of service attacks caused by replaying valid messages. Solution ● Apply throttling rules at the entry point. ● Validate message freshness by WS-Security mechanisms (Timestamp/Nonce). ● An application of Perimeter Security.
65 Exception Shielding Requirement Avoid exposing sensitive data through exceptions. ● Legacy application code might throw exceptions containing sensitive information. ● Need to filter those exceptions when system is exposed to external parties. Solution ● Sanitize unsafe exception data by replacing it with non-harmful exception message and give the right level of detail to the user.
66 References [1] https://msdn.microsoft.com/en-us/library/ [2] http://soapatterns.org/ [3] https://medium.facilelogin.com/thirty-solution-patterns-with-the-wso2-identity-server- 16f9fd0c0389#.1f3slrjnt [4] http://wso2.com/library/blog-post/2014/10/blog-post-identity-anti-patterns-federation-silos- and-spaghetti-identity/ [5] http://wso2.com/library/webinars/identity-server/ [6] M. Schumacher, E. Fernandez-Buglioni and D. Hybertson, Security Patterns: Integrating Security and Systems Engineering. 2005.
67 Q & A
Ad

Recommended

SSO introduction
SSO introductionSSO introduction
SSO introduction
Aidy Tificate
 
Authentication vs authorization
Authentication vs authorizationAuthentication vs authorization
Authentication vs authorization
Frank Victory
 
Introduction to GCP (Google Cloud Platform)
Introduction to GCP (Google Cloud Platform)Introduction to GCP (Google Cloud Platform)
Introduction to GCP (Google Cloud Platform)
Pulkit Gupta
 
Cryptography based chat system
Cryptography based chat systemCryptography based chat system
Cryptography based chat system
Jagsir Singh
 
online blogging system
online blogging systemonline blogging system
online blogging system
001vaibhav
 
Cloud Security Strategy
Cloud Security StrategyCloud Security Strategy
Cloud Security Strategy
Capgemini
 
Project report on blogs
Project report on blogsProject report on blogs
Project report on blogs
Kritika Chauhan
 
Cloud operating system
Cloud operating systemCloud operating system
Cloud operating system
sadak pramodh
 
AWS PPT.pptx
AWS PPT.pptxAWS PPT.pptx
AWS PPT.pptx
GauravSharma164138
 
Student result mamagement
Student result mamagementStudent result mamagement
Student result mamagement
Mickey
 
Cloud computing and its job opportunities
Cloud computing and its job opportunities Cloud computing and its job opportunities
Cloud computing and its job opportunities
Ramya SK
 
Introduction to GCP presentation
Introduction to GCP presentationIntroduction to GCP presentation
Introduction to GCP presentation
Mohit Kachhwani
 
Graphical Password Authenticationimp.docx2
Graphical Password Authenticationimp.docx2Graphical Password Authenticationimp.docx2
Graphical Password Authenticationimp.docx2
Raghu Vamsy Sirasala
 
Building secure applications with keycloak
Building secure applications with keycloak Building secure applications with keycloak
Building secure applications with keycloak
Abhishek Koserwal
 
Cloud security Presentation
Cloud security PresentationCloud security Presentation
Cloud security Presentation
Ajay p
 
A Tour of Google Cloud Platform
A Tour of Google Cloud PlatformA Tour of Google Cloud Platform
A Tour of Google Cloud Platform
Colin Su
 
Cloud Security
Cloud SecurityCloud Security
Cloud Security
AWS User Group Bengaluru
 
Attribute Based Access Control
Attribute Based Access ControlAttribute Based Access Control
Attribute Based Access Control
Chandra Sharma
 
Pgp
PgpPgp
Pgp
precy02
 
Single sign on - benefits, challenges and case study : iFour consultancy
Single sign on - benefits, challenges and case study : iFour consultancySingle sign on - benefits, challenges and case study : iFour consultancy
Single sign on - benefits, challenges and case study : iFour consultancy
Devam Shah
 
OAuth2 - Introduction
OAuth2 - IntroductionOAuth2 - Introduction
OAuth2 - Introduction
Knoldus Inc.
 
Secure Software Development Lifecycle - Devoxx MA 2018
Secure Software Development Lifecycle - Devoxx MA 2018Secure Software Development Lifecycle - Devoxx MA 2018
Secure Software Development Lifecycle - Devoxx MA 2018
Imola Informatica
 
E learning project report (Yashraj Nigam)
E learning project report (Yashraj Nigam)E learning project report (Yashraj Nigam)
E learning project report (Yashraj Nigam)
Yashraj Nigam
 
AWS Cloud Watch
AWS Cloud WatchAWS Cloud Watch
AWS Cloud Watch
zekeLabs Technologies
 
Platform as a Service (PaaS)
Platform as a Service (PaaS)Platform as a Service (PaaS)
Platform as a Service (PaaS)
Halil Burak Cetinkaya
 
Software engineering project(srs)!!
Software engineering project(srs)!!Software engineering project(srs)!!
Software engineering project(srs)!!
sourav verma
 
SAML Protocol Overview
SAML Protocol OverviewSAML Protocol Overview
SAML Protocol Overview
Mike Schwartz
 
Online student management system
Online student management systemOnline student management system
Online student management system
Mumbai Academisc
 
Security Patterns with the WSO2 ESB
Security Patterns with the WSO2 ESBSecurity Patterns with the WSO2 ESB
Security Patterns with the WSO2 ESB
WSO2
 
Security models for security architecture
Security models for security architectureSecurity models for security architecture
Security models for security architecture
Vladimir Jirasek
 
Ad

More Related Content

What's hot (20)

AWS PPT.pptx
AWS PPT.pptxAWS PPT.pptx
AWS PPT.pptx
GauravSharma164138
 
Student result mamagement
Student result mamagementStudent result mamagement
Student result mamagement
Mickey
 
Cloud computing and its job opportunities
Cloud computing and its job opportunities Cloud computing and its job opportunities
Cloud computing and its job opportunities
Ramya SK
 
Introduction to GCP presentation
Introduction to GCP presentationIntroduction to GCP presentation
Introduction to GCP presentation
Mohit Kachhwani
 
Graphical Password Authenticationimp.docx2
Graphical Password Authenticationimp.docx2Graphical Password Authenticationimp.docx2
Graphical Password Authenticationimp.docx2
Raghu Vamsy Sirasala
 
Building secure applications with keycloak
Building secure applications with keycloak Building secure applications with keycloak
Building secure applications with keycloak
Abhishek Koserwal
 
Cloud security Presentation
Cloud security PresentationCloud security Presentation
Cloud security Presentation
Ajay p
 
A Tour of Google Cloud Platform
A Tour of Google Cloud PlatformA Tour of Google Cloud Platform
A Tour of Google Cloud Platform
Colin Su
 
Cloud Security
Cloud SecurityCloud Security
Cloud Security
AWS User Group Bengaluru
 
Attribute Based Access Control
Attribute Based Access ControlAttribute Based Access Control
Attribute Based Access Control
Chandra Sharma
 
Pgp
PgpPgp
Pgp
precy02
 
Single sign on - benefits, challenges and case study : iFour consultancy
Single sign on - benefits, challenges and case study : iFour consultancySingle sign on - benefits, challenges and case study : iFour consultancy
Single sign on - benefits, challenges and case study : iFour consultancy
Devam Shah
 
OAuth2 - Introduction
OAuth2 - IntroductionOAuth2 - Introduction
OAuth2 - Introduction
Knoldus Inc.
 
Secure Software Development Lifecycle - Devoxx MA 2018
Secure Software Development Lifecycle - Devoxx MA 2018Secure Software Development Lifecycle - Devoxx MA 2018
Secure Software Development Lifecycle - Devoxx MA 2018
Imola Informatica
 
E learning project report (Yashraj Nigam)
E learning project report (Yashraj Nigam)E learning project report (Yashraj Nigam)
E learning project report (Yashraj Nigam)
Yashraj Nigam
 
AWS Cloud Watch
AWS Cloud WatchAWS Cloud Watch
AWS Cloud Watch
zekeLabs Technologies
 
Platform as a Service (PaaS)
Platform as a Service (PaaS)Platform as a Service (PaaS)
Platform as a Service (PaaS)
Halil Burak Cetinkaya
 
Software engineering project(srs)!!
Software engineering project(srs)!!Software engineering project(srs)!!
Software engineering project(srs)!!
sourav verma
 
SAML Protocol Overview
SAML Protocol OverviewSAML Protocol Overview
SAML Protocol Overview
Mike Schwartz
 
Online student management system
Online student management systemOnline student management system
Online student management system
Mumbai Academisc
 
AWS PPT.pptx
AWS PPT.pptxAWS PPT.pptx
AWS PPT.pptx
GauravSharma164138
 
Student result mamagement
Student result mamagementStudent result mamagement
Student result mamagement
Mickey
 
Cloud computing and its job opportunities
Cloud computing and its job opportunities Cloud computing and its job opportunities
Cloud computing and its job opportunities
Ramya SK
 
Introduction to GCP presentation
Introduction to GCP presentationIntroduction to GCP presentation
Introduction to GCP presentation
Mohit Kachhwani
 
Graphical Password Authenticationimp.docx2
Graphical Password Authenticationimp.docx2Graphical Password Authenticationimp.docx2
Graphical Password Authenticationimp.docx2
Raghu Vamsy Sirasala
 
Building secure applications with keycloak
Building secure applications with keycloak Building secure applications with keycloak
Building secure applications with keycloak
Abhishek Koserwal
 
Cloud security Presentation
Cloud security PresentationCloud security Presentation
Cloud security Presentation
Ajay p
 
A Tour of Google Cloud Platform
A Tour of Google Cloud PlatformA Tour of Google Cloud Platform
A Tour of Google Cloud Platform
Colin Su
 
Cloud Security
Cloud SecurityCloud Security
Cloud Security
AWS User Group Bengaluru
 
Attribute Based Access Control
Attribute Based Access ControlAttribute Based Access Control
Attribute Based Access Control
Chandra Sharma
 
Pgp
PgpPgp
Pgp
precy02
 
Single sign on - benefits, challenges and case study : iFour consultancy
Single sign on - benefits, challenges and case study : iFour consultancySingle sign on - benefits, challenges and case study : iFour consultancy
Single sign on - benefits, challenges and case study : iFour consultancy
Devam Shah
 
OAuth2 - Introduction
OAuth2 - IntroductionOAuth2 - Introduction
OAuth2 - Introduction
Knoldus Inc.
 
Secure Software Development Lifecycle - Devoxx MA 2018
Secure Software Development Lifecycle - Devoxx MA 2018Secure Software Development Lifecycle - Devoxx MA 2018
Secure Software Development Lifecycle - Devoxx MA 2018
Imola Informatica
 
E learning project report (Yashraj Nigam)
E learning project report (Yashraj Nigam)E learning project report (Yashraj Nigam)
E learning project report (Yashraj Nigam)
Yashraj Nigam
 
AWS Cloud Watch
AWS Cloud WatchAWS Cloud Watch
AWS Cloud Watch
zekeLabs Technologies
 
Platform as a Service (PaaS)
Platform as a Service (PaaS)Platform as a Service (PaaS)
Platform as a Service (PaaS)
Halil Burak Cetinkaya
 
Software engineering project(srs)!!
Software engineering project(srs)!!Software engineering project(srs)!!
Software engineering project(srs)!!
sourav verma
 
SAML Protocol Overview
SAML Protocol OverviewSAML Protocol Overview
SAML Protocol Overview
Mike Schwartz
 
Online student management system
Online student management systemOnline student management system
Online student management system
Mumbai Academisc
 

Viewers also liked (20)

Security Patterns with the WSO2 ESB
Security Patterns with the WSO2 ESBSecurity Patterns with the WSO2 ESB
Security Patterns with the WSO2 ESB
WSO2
 
Security models for security architecture
Security models for security architectureSecurity models for security architecture
Security models for security architecture
Vladimir Jirasek
 
Security architecture frameworks
Security architecture frameworksSecurity architecture frameworks
Security architecture frameworks
John Arnold
 
Enterprise Security Architecture
Enterprise Security ArchitectureEnterprise Security Architecture
Enterprise Security Architecture
Kris Kimmerle
 
Security Design Patterns
Security Design PatternsSecurity Design Patterns
Security Design Patterns
Aung Khant
 
Web Security Patterns - Jazoon 2010 - Zurich
Web Security Patterns - Jazoon 2010 - ZurichWeb Security Patterns - Jazoon 2010 - Zurich
Web Security Patterns - Jazoon 2010 - Zurich
javagroup2006
 
Introducing Msd
Introducing MsdIntroducing Msd
Introducing Msd
Aung Khant
 
How to Secure Your Enterprise Services with WSO2 ESB
How to Secure Your Enterprise Services with WSO2 ESBHow to Secure Your Enterprise Services with WSO2 ESB
How to Secure Your Enterprise Services with WSO2 ESB
WSO2
 
Security patterns and model driven architecture
Security patterns and model driven architectureSecurity patterns and model driven architecture
Security patterns and model driven architecture
bdemchak
 
DWS16 - Smart city forum - Niels De Schutter, Atos
DWS16 - Smart city forum - Niels De Schutter, AtosDWS16 - Smart city forum - Niels De Schutter, Atos
DWS16 - Smart city forum - Niels De Schutter, Atos
IDATE DigiWorld
 
Trust No One: The New Security Model for Web APIs - SecTor talk by Greg Kliew...
Trust No One: The New Security Model for Web APIs - SecTor talk by Greg Kliew...Trust No One: The New Security Model for Web APIs - SecTor talk by Greg Kliew...
Trust No One: The New Security Model for Web APIs - SecTor talk by Greg Kliew...
CA API Management
 
Web application security: how to start?
Web application security: how to start?Web application security: how to start?
Web application security: how to start?
Antonio Fontes
 
IoT And Inevitable Decentralization of The Internet
IoT And Inevitable Decentralization of The InternetIoT And Inevitable Decentralization of The Internet
IoT And Inevitable Decentralization of The Internet
Paul Brody
 
Security Patterns with WSO2 ESB
Security Patterns with WSO2 ESBSecurity Patterns with WSO2 ESB
Security Patterns with WSO2 ESB
WSO2
 
The End of the Fortress: The new Approach to Cybersecurity
The End of the Fortress: The new Approach to CybersecurityThe End of the Fortress: The new Approach to Cybersecurity
The End of the Fortress: The new Approach to Cybersecurity
Marc Nader
 
SABSA: Key features, advantages & benefits summary
SABSA: Key features, advantages & benefits summarySABSA: Key features, advantages & benefits summary
SABSA: Key features, advantages & benefits summary
SABSAcourses
 
Understand How Machine Learning Defends Against Zero-Day Threats
Understand How Machine Learning Defends Against Zero-Day ThreatsUnderstand How Machine Learning Defends Against Zero-Day Threats
Understand How Machine Learning Defends Against Zero-Day Threats
Rahul Mohandas
 
The Zero Trust Model of Information Security
The Zero Trust Model of Information Security The Zero Trust Model of Information Security
The Zero Trust Model of Information Security
Tripwire
 
Modelling Security Architecture
Modelling Security ArchitectureModelling Security Architecture
Modelling Security Architecture
narenvivek
 
Improving web application security, part ii
Improving web application security, part iiImproving web application security, part ii
Improving web application security, part ii
Kangkan Goswami
 
Security Patterns with the WSO2 ESB
Security Patterns with the WSO2 ESBSecurity Patterns with the WSO2 ESB
Security Patterns with the WSO2 ESB
WSO2
 
Security models for security architecture
Security models for security architectureSecurity models for security architecture
Security models for security architecture
Vladimir Jirasek
 
Security architecture frameworks
Security architecture frameworksSecurity architecture frameworks
Security architecture frameworks
John Arnold
 
Enterprise Security Architecture
Enterprise Security ArchitectureEnterprise Security Architecture
Enterprise Security Architecture
Kris Kimmerle
 
Security Design Patterns
Security Design PatternsSecurity Design Patterns
Security Design Patterns
Aung Khant
 
Web Security Patterns - Jazoon 2010 - Zurich
Web Security Patterns - Jazoon 2010 - ZurichWeb Security Patterns - Jazoon 2010 - Zurich
Web Security Patterns - Jazoon 2010 - Zurich
javagroup2006
 
Introducing Msd
Introducing MsdIntroducing Msd
Introducing Msd
Aung Khant
 
How to Secure Your Enterprise Services with WSO2 ESB
How to Secure Your Enterprise Services with WSO2 ESBHow to Secure Your Enterprise Services with WSO2 ESB
How to Secure Your Enterprise Services with WSO2 ESB
WSO2
 
Security patterns and model driven architecture
Security patterns and model driven architectureSecurity patterns and model driven architecture
Security patterns and model driven architecture
bdemchak
 
DWS16 - Smart city forum - Niels De Schutter, Atos
DWS16 - Smart city forum - Niels De Schutter, AtosDWS16 - Smart city forum - Niels De Schutter, Atos
DWS16 - Smart city forum - Niels De Schutter, Atos
IDATE DigiWorld
 
Trust No One: The New Security Model for Web APIs - SecTor talk by Greg Kliew...
Trust No One: The New Security Model for Web APIs - SecTor talk by Greg Kliew...Trust No One: The New Security Model for Web APIs - SecTor talk by Greg Kliew...
Trust No One: The New Security Model for Web APIs - SecTor talk by Greg Kliew...
CA API Management
 
Web application security: how to start?
Web application security: how to start?Web application security: how to start?
Web application security: how to start?
Antonio Fontes
 
IoT And Inevitable Decentralization of The Internet
IoT And Inevitable Decentralization of The InternetIoT And Inevitable Decentralization of The Internet
IoT And Inevitable Decentralization of The Internet
Paul Brody
 
Security Patterns with WSO2 ESB
Security Patterns with WSO2 ESBSecurity Patterns with WSO2 ESB
Security Patterns with WSO2 ESB
WSO2
 
The End of the Fortress: The new Approach to Cybersecurity
The End of the Fortress: The new Approach to CybersecurityThe End of the Fortress: The new Approach to Cybersecurity
The End of the Fortress: The new Approach to Cybersecurity
Marc Nader
 
SABSA: Key features, advantages & benefits summary
SABSA: Key features, advantages & benefits summarySABSA: Key features, advantages & benefits summary
SABSA: Key features, advantages & benefits summary
SABSAcourses
 
Understand How Machine Learning Defends Against Zero-Day Threats
Understand How Machine Learning Defends Against Zero-Day ThreatsUnderstand How Machine Learning Defends Against Zero-Day Threats
Understand How Machine Learning Defends Against Zero-Day Threats
Rahul Mohandas
 
The Zero Trust Model of Information Security
The Zero Trust Model of Information Security The Zero Trust Model of Information Security
The Zero Trust Model of Information Security
Tripwire
 
Modelling Security Architecture
Modelling Security ArchitectureModelling Security Architecture
Modelling Security Architecture
narenvivek
 
Improving web application security, part ii
Improving web application security, part iiImproving web application security, part ii
Improving web application security, part ii
Kangkan Goswami
 
Ad

Similar to Patterns and Antipatterns in Enterprise Security (20)

Identity Federation Patterns with WSO2 Identity Server​
Identity Federation Patterns with WSO2 Identity Server​Identity Federation Patterns with WSO2 Identity Server​
Identity Federation Patterns with WSO2 Identity Server​
WSO2
 
Architecting a cloud scale identity fabric
Architecting a cloud scale identity fabricArchitecting a cloud scale identity fabric
Architecting a cloud scale identity fabric
Mário Almeida
 
Digital ID Protocol - Presentation 2015-12-04
Digital ID Protocol - Presentation 2015-12-04Digital ID Protocol - Presentation 2015-12-04
Digital ID Protocol - Presentation 2015-12-04
Synacts
 
Securing the Power Platform - What are my options
Securing the Power Platform - What are my optionsSecuring the Power Platform - What are my options
Securing the Power Platform - What are my options
Juan Carlos Gonzalez
 
Security in microservices architectures
Security in microservices architecturesSecurity in microservices architectures
Security in microservices architectures
inovia
 
Cloud computing-security-issues
Cloud computing-security-issuesCloud computing-security-issues
Cloud computing-security-issues
Aleem Mohammed
 
Cloud Security
Cloud SecurityCloud Security
Cloud Security
Pyingkodi Maran
 
International Journal of Engineering Inventions (IJEI)
International Journal of Engineering Inventions (IJEI)International Journal of Engineering Inventions (IJEI)
International Journal of Engineering Inventions (IJEI)
International Journal of Engineering Inventions www.ijeijournal.com
 
Troubles with Large Identity Providers.pptx
Troubles with Large Identity Providers.pptxTroubles with Large Identity Providers.pptx
Troubles with Large Identity Providers.pptx
Yury Leonychev
 
Decentralized access control with anonymous authentication of data stored in ...
Decentralized access control with anonymous authentication of data stored in ...Decentralized access control with anonymous authentication of data stored in ...
Decentralized access control with anonymous authentication of data stored in ...
LeMeniz Infotech
 
Security Management in the Cloud
Security Management in the CloudSecurity Management in the Cloud
Security Management in the Cloud
GaryArdito
 
Advanced mechanism for single sign on for distributed computer networks
Advanced mechanism for single sign on for distributed computer networksAdvanced mechanism for single sign on for distributed computer networks
Advanced mechanism for single sign on for distributed computer networks
eSAT Journals
 
Cloud security
Cloud securityCloud security
Cloud security
Adeel Javaid
 
Federated identity management is mainly used by security leaders. It.pdf
Federated identity management is mainly used by security leaders. It.pdfFederated identity management is mainly used by security leaders. It.pdf
Federated identity management is mainly used by security leaders. It.pdf
apexjaipur
 
NAC_p3.pptx
NAC_p3.pptxNAC_p3.pptx
NAC_p3.pptx
Saurabh846965
 
ppt
pptppt
ppt
Videoguy
 
Keycloak SSO basics
Keycloak SSO basicsKeycloak SSO basics
Keycloak SSO basics
Juan Vicente Herrera Ruiz de Alejo
 
Benefits of Using Open Source IAM
Benefits of Using Open Source IAMBenefits of Using Open Source IAM
Benefits of Using Open Source IAM
WSO2
 
Real world blockchain solutions - DevDays Asia 2018 - Taipei
Real world blockchain solutions - DevDays Asia 2018 - TaipeiReal world blockchain solutions - DevDays Asia 2018 - Taipei
Real world blockchain solutions - DevDays Asia 2018 - Taipei
Michael Chi
 
FIWARE Identity Management and Access Control
FIWARE Identity Management and Access ControlFIWARE Identity Management and Access Control
FIWARE Identity Management and Access Control
Fernando Lopez Aguilar
 
Identity Federation Patterns with WSO2 Identity Server​
Identity Federation Patterns with WSO2 Identity Server​Identity Federation Patterns with WSO2 Identity Server​
Identity Federation Patterns with WSO2 Identity Server​
WSO2
 
Architecting a cloud scale identity fabric
Architecting a cloud scale identity fabricArchitecting a cloud scale identity fabric
Architecting a cloud scale identity fabric
Mário Almeida
 
Digital ID Protocol - Presentation 2015-12-04
Digital ID Protocol - Presentation 2015-12-04Digital ID Protocol - Presentation 2015-12-04
Digital ID Protocol - Presentation 2015-12-04
Synacts
 
Securing the Power Platform - What are my options
Securing the Power Platform - What are my optionsSecuring the Power Platform - What are my options
Securing the Power Platform - What are my options
Juan Carlos Gonzalez
 
Security in microservices architectures
Security in microservices architecturesSecurity in microservices architectures
Security in microservices architectures
inovia
 
Cloud computing-security-issues
Cloud computing-security-issuesCloud computing-security-issues
Cloud computing-security-issues
Aleem Mohammed
 
Cloud Security
Cloud SecurityCloud Security
Cloud Security
Pyingkodi Maran
 
International Journal of Engineering Inventions (IJEI)
International Journal of Engineering Inventions (IJEI)International Journal of Engineering Inventions (IJEI)
International Journal of Engineering Inventions (IJEI)
International Journal of Engineering Inventions www.ijeijournal.com
 
Troubles with Large Identity Providers.pptx
Troubles with Large Identity Providers.pptxTroubles with Large Identity Providers.pptx
Troubles with Large Identity Providers.pptx
Yury Leonychev
 
Decentralized access control with anonymous authentication of data stored in ...
Decentralized access control with anonymous authentication of data stored in ...Decentralized access control with anonymous authentication of data stored in ...
Decentralized access control with anonymous authentication of data stored in ...
LeMeniz Infotech
 
Security Management in the Cloud
Security Management in the CloudSecurity Management in the Cloud
Security Management in the Cloud
GaryArdito
 
Advanced mechanism for single sign on for distributed computer networks
Advanced mechanism for single sign on for distributed computer networksAdvanced mechanism for single sign on for distributed computer networks
Advanced mechanism for single sign on for distributed computer networks
eSAT Journals
 
Cloud security
Cloud securityCloud security
Cloud security
Adeel Javaid
 
Federated identity management is mainly used by security leaders. It.pdf
Federated identity management is mainly used by security leaders. It.pdfFederated identity management is mainly used by security leaders. It.pdf
Federated identity management is mainly used by security leaders. It.pdf
apexjaipur
 
NAC_p3.pptx
NAC_p3.pptxNAC_p3.pptx
NAC_p3.pptx
Saurabh846965
 
ppt
pptppt
ppt
Videoguy
 
Keycloak SSO basics
Keycloak SSO basicsKeycloak SSO basics
Keycloak SSO basics
Juan Vicente Herrera Ruiz de Alejo
 
Benefits of Using Open Source IAM
Benefits of Using Open Source IAMBenefits of Using Open Source IAM
Benefits of Using Open Source IAM
WSO2
 
Real world blockchain solutions - DevDays Asia 2018 - Taipei
Real world blockchain solutions - DevDays Asia 2018 - TaipeiReal world blockchain solutions - DevDays Asia 2018 - Taipei
Real world blockchain solutions - DevDays Asia 2018 - Taipei
Michael Chi
 
FIWARE Identity Management and Access Control
FIWARE Identity Management and Access ControlFIWARE Identity Management and Access Control
FIWARE Identity Management and Access Control
Fernando Lopez Aguilar
 
Ad

More from WSO2 (20)

Platformless Modernization with Choreo.pdf
Platformless Modernization with Choreo.pdfPlatformless Modernization with Choreo.pdf
Platformless Modernization with Choreo.pdf
WSO2
 
Application Modernization with Choreo for the BFSI Sector
Application Modernization with Choreo for the BFSI SectorApplication Modernization with Choreo for the BFSI Sector
Application Modernization with Choreo for the BFSI Sector
WSO2
 
Choreo - The AI-Native Internal Developer Platform as a Service: Overview
Choreo - The AI-Native Internal Developer Platform as a Service: OverviewChoreo - The AI-Native Internal Developer Platform as a Service: Overview
Choreo - The AI-Native Internal Developer Platform as a Service: Overview
WSO2
 
[Roundtable] Choreo - The AI-Native Internal Developer Platform as a Service
[Roundtable] Choreo - The AI-Native Internal Developer Platform as a Service[Roundtable] Choreo - The AI-Native Internal Developer Platform as a Service
[Roundtable] Choreo - The AI-Native Internal Developer Platform as a Service
WSO2
 
WSO2Con 2025 - Building AI Applications in the Enterprise (Part 1)
WSO2Con 2025 - Building AI Applications in the Enterprise (Part 1)WSO2Con 2025 - Building AI Applications in the Enterprise (Part 1)
WSO2Con 2025 - Building AI Applications in the Enterprise (Part 1)
WSO2
 
WSO2Con 2025 - Building Secure Business Customer and Partner Experience (B2B)...
WSO2Con 2025 - Building Secure Business Customer and Partner Experience (B2B)...WSO2Con 2025 - Building Secure Business Customer and Partner Experience (B2B)...
WSO2Con 2025 - Building Secure Business Customer and Partner Experience (B2B)...
WSO2
 
WSO2Con 2025 - Building Secure Customer Experience Apps
WSO2Con 2025 - Building Secure Customer Experience AppsWSO2Con 2025 - Building Secure Customer Experience Apps
WSO2Con 2025 - Building Secure Customer Experience Apps
WSO2
 
WSO2Con 2025 - AI-Driven API Design, Development, and Consumption with Enhanc...
WSO2Con 2025 - AI-Driven API Design, Development, and Consumption with Enhanc...WSO2Con 2025 - AI-Driven API Design, Development, and Consumption with Enhanc...
WSO2Con 2025 - AI-Driven API Design, Development, and Consumption with Enhanc...
WSO2
 
WSO2Con 2025 - AI-Driven API Design, Development, and Consumption with Enhanc...
WSO2Con 2025 - AI-Driven API Design, Development, and Consumption with Enhanc...WSO2Con 2025 - AI-Driven API Design, Development, and Consumption with Enhanc...
WSO2Con 2025 - AI-Driven API Design, Development, and Consumption with Enhanc...
WSO2
 
WSO2Con 2025 - Unified Management of Ingress and Egress Across Multiple API G...
WSO2Con 2025 - Unified Management of Ingress and Egress Across Multiple API G...WSO2Con 2025 - Unified Management of Ingress and Egress Across Multiple API G...
WSO2Con 2025 - Unified Management of Ingress and Egress Across Multiple API G...
WSO2
 
WSO2Con 2025 - How an Internal Developer Platform Lets Developers Focus on Code
WSO2Con 2025 - How an Internal Developer Platform Lets Developers Focus on CodeWSO2Con 2025 - How an Internal Developer Platform Lets Developers Focus on Code
WSO2Con 2025 - How an Internal Developer Platform Lets Developers Focus on Code
WSO2
 
WSO2Con 2025 - Architecting Cloud-Native Applications
WSO2Con 2025 - Architecting Cloud-Native ApplicationsWSO2Con 2025 - Architecting Cloud-Native Applications
WSO2Con 2025 - Architecting Cloud-Native Applications
WSO2
 
Mastering Intelligent Digital Experiences with Platformless Modernization
Mastering Intelligent Digital Experiences with Platformless ModernizationMastering Intelligent Digital Experiences with Platformless Modernization
Mastering Intelligent Digital Experiences with Platformless Modernization
WSO2
 
Accelerate Enterprise Software Engineering with Platformless
Accelerate Enterprise Software Engineering with PlatformlessAccelerate Enterprise Software Engineering with Platformless
Accelerate Enterprise Software Engineering with Platformless
WSO2
 
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital TransformationWSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2
 
architecting-ai-in-the-enterprise-apis-and-applications.pdf
architecting-ai-in-the-enterprise-apis-and-applications.pdfarchitecting-ai-in-the-enterprise-apis-and-applications.pdf
architecting-ai-in-the-enterprise-apis-and-applications.pdf
WSO2
 
Driving Innovation: Scania's API Revolution with WSO2
Driving Innovation: Scania's API Revolution with WSO2Driving Innovation: Scania's API Revolution with WSO2
Driving Innovation: Scania's API Revolution with WSO2
WSO2
 
Less Is More: Utilizing Ballerina to Architect a Cloud Data Platform
Less Is More: Utilizing Ballerina to Architect a Cloud Data PlatformLess Is More: Utilizing Ballerina to Architect a Cloud Data Platform
Less Is More: Utilizing Ballerina to Architect a Cloud Data Platform
WSO2
 
Modernizing Legacy Systems Using Ballerina
Modernizing Legacy Systems Using BallerinaModernizing Legacy Systems Using Ballerina
Modernizing Legacy Systems Using Ballerina
WSO2
 
WSO2CON 2024 - Unlocking the Identity: Embracing CIAM 2.0 for a Competitive A...
WSO2CON 2024 - Unlocking the Identity: Embracing CIAM 2.0 for a Competitive A...WSO2CON 2024 - Unlocking the Identity: Embracing CIAM 2.0 for a Competitive A...
WSO2CON 2024 - Unlocking the Identity: Embracing CIAM 2.0 for a Competitive A...
WSO2
 
Platformless Modernization with Choreo.pdf
Platformless Modernization with Choreo.pdfPlatformless Modernization with Choreo.pdf
Platformless Modernization with Choreo.pdf
WSO2
 
Application Modernization with Choreo for the BFSI Sector
Application Modernization with Choreo for the BFSI SectorApplication Modernization with Choreo for the BFSI Sector
Application Modernization with Choreo for the BFSI Sector
WSO2
 
Choreo - The AI-Native Internal Developer Platform as a Service: Overview
Choreo - The AI-Native Internal Developer Platform as a Service: OverviewChoreo - The AI-Native Internal Developer Platform as a Service: Overview
Choreo - The AI-Native Internal Developer Platform as a Service: Overview
WSO2
 
[Roundtable] Choreo - The AI-Native Internal Developer Platform as a Service
[Roundtable] Choreo - The AI-Native Internal Developer Platform as a Service[Roundtable] Choreo - The AI-Native Internal Developer Platform as a Service
[Roundtable] Choreo - The AI-Native Internal Developer Platform as a Service
WSO2
 
WSO2Con 2025 - Building AI Applications in the Enterprise (Part 1)
WSO2Con 2025 - Building AI Applications in the Enterprise (Part 1)WSO2Con 2025 - Building AI Applications in the Enterprise (Part 1)
WSO2Con 2025 - Building AI Applications in the Enterprise (Part 1)
WSO2
 
WSO2Con 2025 - Building Secure Business Customer and Partner Experience (B2B)...
WSO2Con 2025 - Building Secure Business Customer and Partner Experience (B2B)...WSO2Con 2025 - Building Secure Business Customer and Partner Experience (B2B)...
WSO2Con 2025 - Building Secure Business Customer and Partner Experience (B2B)...
WSO2
 
WSO2Con 2025 - Building Secure Customer Experience Apps
WSO2Con 2025 - Building Secure Customer Experience AppsWSO2Con 2025 - Building Secure Customer Experience Apps
WSO2Con 2025 - Building Secure Customer Experience Apps
WSO2
 
WSO2Con 2025 - AI-Driven API Design, Development, and Consumption with Enhanc...
WSO2Con 2025 - AI-Driven API Design, Development, and Consumption with Enhanc...WSO2Con 2025 - AI-Driven API Design, Development, and Consumption with Enhanc...
WSO2Con 2025 - AI-Driven API Design, Development, and Consumption with Enhanc...
WSO2
 
WSO2Con 2025 - AI-Driven API Design, Development, and Consumption with Enhanc...
WSO2Con 2025 - AI-Driven API Design, Development, and Consumption with Enhanc...WSO2Con 2025 - AI-Driven API Design, Development, and Consumption with Enhanc...
WSO2Con 2025 - AI-Driven API Design, Development, and Consumption with Enhanc...
WSO2
 
WSO2Con 2025 - Unified Management of Ingress and Egress Across Multiple API G...
WSO2Con 2025 - Unified Management of Ingress and Egress Across Multiple API G...WSO2Con 2025 - Unified Management of Ingress and Egress Across Multiple API G...
WSO2Con 2025 - Unified Management of Ingress and Egress Across Multiple API G...
WSO2
 
WSO2Con 2025 - How an Internal Developer Platform Lets Developers Focus on Code
WSO2Con 2025 - How an Internal Developer Platform Lets Developers Focus on CodeWSO2Con 2025 - How an Internal Developer Platform Lets Developers Focus on Code
WSO2Con 2025 - How an Internal Developer Platform Lets Developers Focus on Code
WSO2
 
WSO2Con 2025 - Architecting Cloud-Native Applications
WSO2Con 2025 - Architecting Cloud-Native ApplicationsWSO2Con 2025 - Architecting Cloud-Native Applications
WSO2Con 2025 - Architecting Cloud-Native Applications
WSO2
 
Mastering Intelligent Digital Experiences with Platformless Modernization
Mastering Intelligent Digital Experiences with Platformless ModernizationMastering Intelligent Digital Experiences with Platformless Modernization
Mastering Intelligent Digital Experiences with Platformless Modernization
WSO2
 
Accelerate Enterprise Software Engineering with Platformless
Accelerate Enterprise Software Engineering with PlatformlessAccelerate Enterprise Software Engineering with Platformless
Accelerate Enterprise Software Engineering with Platformless
WSO2
 
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital TransformationWSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2
 
architecting-ai-in-the-enterprise-apis-and-applications.pdf
architecting-ai-in-the-enterprise-apis-and-applications.pdfarchitecting-ai-in-the-enterprise-apis-and-applications.pdf
architecting-ai-in-the-enterprise-apis-and-applications.pdf
WSO2
 
Driving Innovation: Scania's API Revolution with WSO2
Driving Innovation: Scania's API Revolution with WSO2Driving Innovation: Scania's API Revolution with WSO2
Driving Innovation: Scania's API Revolution with WSO2
WSO2
 
Less Is More: Utilizing Ballerina to Architect a Cloud Data Platform
Less Is More: Utilizing Ballerina to Architect a Cloud Data PlatformLess Is More: Utilizing Ballerina to Architect a Cloud Data Platform
Less Is More: Utilizing Ballerina to Architect a Cloud Data Platform
WSO2
 
Modernizing Legacy Systems Using Ballerina
Modernizing Legacy Systems Using BallerinaModernizing Legacy Systems Using Ballerina
Modernizing Legacy Systems Using Ballerina
WSO2
 
WSO2CON 2024 - Unlocking the Identity: Embracing CIAM 2.0 for a Competitive A...
WSO2CON 2024 - Unlocking the Identity: Embracing CIAM 2.0 for a Competitive A...WSO2CON 2024 - Unlocking the Identity: Embracing CIAM 2.0 for a Competitive A...
WSO2CON 2024 - Unlocking the Identity: Embracing CIAM 2.0 for a Competitive A...
WSO2
 

Recently uploaded (20)

2025-05-Q4-2024-Investor-Presentation.pptx
2025-05-Q4-2024-Investor-Presentation.pptx2025-05-Q4-2024-Investor-Presentation.pptx
2025-05-Q4-2024-Investor-Presentation.pptx
Samuele Fogagnolo
 
AI and Data Privacy in 2025: Global Trends
AI and Data Privacy in 2025: Global TrendsAI and Data Privacy in 2025: Global Trends
AI and Data Privacy in 2025: Global Trends
InData Labs
 
Splunk Security Update | Public Sector Summit Germany 2025
Splunk Security Update | Public Sector Summit Germany 2025Splunk Security Update | Public Sector Summit Germany 2025
Splunk Security Update | Public Sector Summit Germany 2025
Splunk
 
Big Data Analytics Quick Research Guide by Arthur Morgan
Big Data Analytics Quick Research Guide by Arthur MorganBig Data Analytics Quick Research Guide by Arthur Morgan
Big Data Analytics Quick Research Guide by Arthur Morgan
Arthur Morgan
 
Complete Guide to Advanced Logistics Management Software in Riyadh.pdf
Complete Guide to Advanced Logistics Management Software in Riyadh.pdfComplete Guide to Advanced Logistics Management Software in Riyadh.pdf
Complete Guide to Advanced Logistics Management Software in Riyadh.pdf
Software Company
 
Drupalcamp Finland – Measuring Front-end Energy Consumption
Drupalcamp Finland – Measuring Front-end Energy ConsumptionDrupalcamp Finland – Measuring Front-end Energy Consumption
Drupalcamp Finland – Measuring Front-end Energy Consumption
Exove
 
UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager API
UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager APIUiPath Community Berlin: Orchestrator API, Swagger, and Test Manager API
UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager API
UiPathCommunity
 
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc
 
Cybersecurity Identity and Access Solutions using Azure AD
Cybersecurity Identity and Access Solutions using Azure ADCybersecurity Identity and Access Solutions using Azure AD
Cybersecurity Identity and Access Solutions using Azure AD
VICTOR MAESTRE RAMIREZ
 
HCL Nomad Web – Best Practices and Managing Multiuser Environments
HCL Nomad Web – Best Practices and Managing Multiuser EnvironmentsHCL Nomad Web – Best Practices and Managing Multiuser Environments
HCL Nomad Web – Best Practices and Managing Multiuser Environments
panagenda
 
Rusty Waters: Elevating Lakehouses Beyond Spark
Rusty Waters: Elevating Lakehouses Beyond SparkRusty Waters: Elevating Lakehouses Beyond Spark
Rusty Waters: Elevating Lakehouses Beyond Spark
carlyakerly1
 
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdfSAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
Precisely
 
Role of Data Annotation Services in AI-Powered Manufacturing
Role of Data Annotation Services in AI-Powered ManufacturingRole of Data Annotation Services in AI-Powered Manufacturing
Role of Data Annotation Services in AI-Powered Manufacturing
Andrew Leo
 
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
BookNet Canada
 
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdfThe Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
Abi john
 
Linux Professional Institute LPIC-1 Exam.pdf
Linux Professional Institute LPIC-1 Exam.pdfLinux Professional Institute LPIC-1 Exam.pdf
Linux Professional Institute LPIC-1 Exam.pdf
RHCSA Guru
 
tecnologias de las primeras civilizaciones.pdf
tecnologias de las primeras civilizaciones.pdftecnologias de las primeras civilizaciones.pdf
tecnologias de las primeras civilizaciones.pdf
fjgm517
 
Into The Box Conference Keynote Day 1 (ITB2025)
Into The Box Conference Keynote Day 1 (ITB2025)Into The Box Conference Keynote Day 1 (ITB2025)
Into The Box Conference Keynote Day 1 (ITB2025)
Ortus Solutions, Corp
 
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
SOFTTECHHUB
 
Andrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell: Transforming Business Strategy Through Data-Driven InsightsAndrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell
 
2025-05-Q4-2024-Investor-Presentation.pptx
2025-05-Q4-2024-Investor-Presentation.pptx2025-05-Q4-2024-Investor-Presentation.pptx
2025-05-Q4-2024-Investor-Presentation.pptx
Samuele Fogagnolo
 
AI and Data Privacy in 2025: Global Trends
AI and Data Privacy in 2025: Global TrendsAI and Data Privacy in 2025: Global Trends
AI and Data Privacy in 2025: Global Trends
InData Labs
 
Splunk Security Update | Public Sector Summit Germany 2025
Splunk Security Update | Public Sector Summit Germany 2025Splunk Security Update | Public Sector Summit Germany 2025
Splunk Security Update | Public Sector Summit Germany 2025
Splunk
 
Big Data Analytics Quick Research Guide by Arthur Morgan
Big Data Analytics Quick Research Guide by Arthur MorganBig Data Analytics Quick Research Guide by Arthur Morgan
Big Data Analytics Quick Research Guide by Arthur Morgan
Arthur Morgan
 
Complete Guide to Advanced Logistics Management Software in Riyadh.pdf
Complete Guide to Advanced Logistics Management Software in Riyadh.pdfComplete Guide to Advanced Logistics Management Software in Riyadh.pdf
Complete Guide to Advanced Logistics Management Software in Riyadh.pdf
Software Company
 
Drupalcamp Finland – Measuring Front-end Energy Consumption
Drupalcamp Finland – Measuring Front-end Energy ConsumptionDrupalcamp Finland – Measuring Front-end Energy Consumption
Drupalcamp Finland – Measuring Front-end Energy Consumption
Exove
 
UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager API
UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager APIUiPath Community Berlin: Orchestrator API, Swagger, and Test Manager API
UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager API
UiPathCommunity
 
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc
 
Cybersecurity Identity and Access Solutions using Azure AD
Cybersecurity Identity and Access Solutions using Azure ADCybersecurity Identity and Access Solutions using Azure AD
Cybersecurity Identity and Access Solutions using Azure AD
VICTOR MAESTRE RAMIREZ
 
HCL Nomad Web – Best Practices and Managing Multiuser Environments
HCL Nomad Web – Best Practices and Managing Multiuser EnvironmentsHCL Nomad Web – Best Practices and Managing Multiuser Environments
HCL Nomad Web – Best Practices and Managing Multiuser Environments
panagenda
 
Rusty Waters: Elevating Lakehouses Beyond Spark
Rusty Waters: Elevating Lakehouses Beyond SparkRusty Waters: Elevating Lakehouses Beyond Spark
Rusty Waters: Elevating Lakehouses Beyond Spark
carlyakerly1
 
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdfSAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
Precisely
 
Role of Data Annotation Services in AI-Powered Manufacturing
Role of Data Annotation Services in AI-Powered ManufacturingRole of Data Annotation Services in AI-Powered Manufacturing
Role of Data Annotation Services in AI-Powered Manufacturing
Andrew Leo
 
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
BookNet Canada
 
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdfThe Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
Abi john
 
Linux Professional Institute LPIC-1 Exam.pdf
Linux Professional Institute LPIC-1 Exam.pdfLinux Professional Institute LPIC-1 Exam.pdf
Linux Professional Institute LPIC-1 Exam.pdf
RHCSA Guru
 
tecnologias de las primeras civilizaciones.pdf
tecnologias de las primeras civilizaciones.pdftecnologias de las primeras civilizaciones.pdf
tecnologias de las primeras civilizaciones.pdf
fjgm517
 
Into The Box Conference Keynote Day 1 (ITB2025)
Into The Box Conference Keynote Day 1 (ITB2025)Into The Box Conference Keynote Day 1 (ITB2025)
Into The Box Conference Keynote Day 1 (ITB2025)
Ortus Solutions, Corp
 
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
SOFTTECHHUB
 
Andrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell: Transforming Business Strategy Through Data-Driven InsightsAndrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell
 

Patterns and Antipatterns in Enterprise Security

  • 1. Patterns and Antipatterns in Enterprise Security Johann Nallathamby Malithi Edirisinghe 1
  • 2. For whom? ● Looking to learn about Identity and Access Management Patterns to solve real world business problems. ● Some experience with Identity and Access Management Technologies. E.g. Directories, SAML2, OAuth2 which are some of the most commonly used data standards / protocols for transporting Identity and Access Management data. ● Main focus is on Identity and Access Management Patterns. ○ NOT Network Security ○ NOT OS Security 2
  • 3. 1. Identity Integration / Virtual Directory 3
  • 4. Problem ● Users to the system can come from multiple sources ● A single user’s attributes can come from multiple sources ● User credentials and attributes can come from separate sources Solution ● Mount multiple user stores for user management and make the number and type of user stores transparent to the application ● Connect the credential stores and identity stores to the system and provide a unified view of the user's’ identity hiding away the complexity in aggregating those data 4
  • 6. Problem Users will work with multiple applications in an enterprise. They will have to use specific credentials for each. ● Disjointed User Experience ● Complicated user and account management ● Security Threats Solution Delegate authentication to a trusted identity provider - Brokered Identity 6
  • 7. Benefits ● Single Sign On ● Separate user authentication from application code ● Hides user credentials from applications ● Removes administrative overhead from applications ● Improves user experience Limitations ● Authentication can be a single point of failure. ● Introduce a single point where the security of the entire system can be breached 7
  • 9. Problem Users will use applications across enterprise borders and cloud. Solution Multiple trust domains with multiple Identity Providers. Federated authentication based on the trust relationship 9
  • 10. Benefits ● Single Sign On ● No need of managing accounts in the on premise userstore ● Reduce administration overhead Limitations Security of the system can be compromised if any of the Identity Provider that your Identity Provider trusts are breached. 10
  • 11. 3.1. Identity Federation Variation -1 Inter-Domain Token Exchange 11
  • 12. Problem A consumer who is living in a trust domain needs to interact with a service that is developed in a federated trust domain Solution Establish a trust relationship between the two Identity Providers residing in each trust domain. IdP-A IdP-B Consumer Service Trust Trust Trust Trust Domain A Trust Domain B 12
  • 13. Benefits ● Flexible in maintaining trust domains ● Facilitates federated interactions between consumers and services across trust domains ● Same model can be extended to address more complex federation scenarios Limitations Introduces certain level of dependency between the consumer and the Identity Provider in the other trust domain 13
  • 14. 3.2. Identity Federation Variation -2 Intra-Domain Token Exchange 14
  • 15. Problem A consumer who is living in a trust domain needs to interact with a service that is developed in a federated trust domain, without any dependencies to entities in the other trust domain Solution Consumer presents the token to the service in the other trust domain. Service will validate the token with its Identity Provider. IdP-A IdP-B Consumer Service Trust Trust Trust Trust Domain A Trust Domain B 15
  • 16. Benefits ● Removes dependencies between consumers and service in different trust domains ● Can handle different token claim representations Limitations ● Adds complexity to the mechanism used to model the trust relationship with the Identity Provider in the other trust domain ● Makes the services to accept messages that are not issued by the Identity Provider that they trusts 16
  • 17. 3.3. Identity Federation Variation -3 Third Party Trust Establisher 17
  • 18. Problem Creation of trust between Identity Providers can be complex. Ex: Cannot establish direct trust relationship as some identity information cannot be shared with partner company. Solution Establish the trust relationship with a third party Identity Provider, that act as a bridge between other Identity Providers IdP-A IdP-B Consumer Service Trust Trust Trust Trust Domain A Trust Domain BIdP-C Trust Trust 18
  • 19. Benefits Isolates the complexities of the federated environment from different trust domains Limitations Introduces a new component that needs to maintained 19
  • 21. Problem ● Increasing no of Service Providers and Identity Providers ● Each Service Provider has to trust Each Identity Provider Not scalable Hard to manage Source : http://blog.facilelogin.com/2014/10/identity-federation-patterns-with-wso2. html Spaghetti 21
  • 22. Solution One Identity Broker trusted by relying parties and federated parties acting as a hub 22
  • 24. Problem ● Multiple Identity Federation Protocols SAML, OpenID Connect, WS-Federation etc. ● But federation systems relies on only one protocol Ex: Silo of SAML Federation Silo of OpenID Connect Federation Source : http://blog.facilelogin.com/2014/10/identity-federation-patterns-with-wso2. html Federation Silos 24
  • 25. Solution ● Bridge between protocols. SAML with OpenID Connect 25
  • 26. Benefits ● Single Sign On across heterogeneous protocols ● Identity federation between Service Providers and Identity Providers with heterogeneous federation protocols ● Scalability Limitations ● Authentication can be a single point of failure. ● Introduce a single point where the security of the entire system can be breached 26
  • 28. Problem Service Providers may not be able to understand claims or roles of the subject, in the format issued by Identity Providers and vise versa. Solution Convert incoming claims to the expected format Benefits ● Process claims in a single point reducing the complexity of enforcing brokered trust ● Can be used with legacy systems 28
  • 30. Problem Digital identity fraud is still on the rise Needs “strong” user authentication Solution Use two or more authentication factors ● Something known to only the user (Knowledge based) password, shared secret, PIN ● Something held only by the user (Possession based) security token, smart card, mobile device ● Something inherent only to the user (Biometric) facial recognition, fingerprint, voice recognition 30
  • 32. Problem Multiple domains essentially isolated due to lack of mutual inbound or outbound trust relationships. Service Providers opt for different login options Solution Multiple login options are presented to the user as per the Service Provider application. 32
  • 34. Problem Needs “strong” user authentication, if and only if there is an actual risk. Solution Provide additional authentication steps, if and only if the risk profile (derived from a matrix of variables) is high. Enhance user experience 34
  • 36. 36 MAC vs. DAC ● Mandatory Access Control (MAC) ○ Centralized security policy ○ Users do not have the ability to override the policy ● Discretionary Access Control (DAC) ○ Governs the ability of subjects to access objects ○ Allows users the ability to make policy decisions and/or assign security attributes. ○ The traditional Unix system of users, groups, and read-write- execute permissions is an example of DAC.
  • 37. 37 Access Control Patterns ● Access Matrix / Access Control Table / Access Control List ● Role Based Access Control (RBAC) ● Group Based Access Control ● Claim Based Access Control ● Policy Based ● Hierarchical Authorization ○ Hierarchical Tenants ○ Hierarchical Groups/Roles ○ Hierarchical Resources ● Multilevel Access Control
  • 41. 11. SSO with Delegated Access Control 41
  • 42. Problem Consumers need to access back-end APIs on behalf of the logged in user. 42 Solution Should adhere to some access delegation protocol Ex: OAuth Exchange the authentication token to some access token SAML token, JSON Web Token (JWT)
  • 43. 43
  • 44. 44
  • 46. 46
  • 47. 47
  • 48. 48
  • 49. 49
  • 50. 13. JIT Provisioning / Shadow Accounts 50
  • 51. Requirements ● Transient Name IDs ● Persistent Name IDs ● Identity Protection ● Identity Mapping ● Identity Collision 51
  • 53. 53 Problem Securing a n-tier application ● Securing only the top most layer ● Expansion in the number and kinds of users ● Heterogeneous devices ● Unlimited connections ● Who should be allowed to access the data? ● Cannot protect from an attack originating from the local area network within the company. ● Who has already accessed the data? Source : http://blog.facilelogin.com/2014/10/identity-federation-patterns-with-w html
  • 54. 54 Solution 1 Impersonation and Delegation ● Delegation is the process of allowing another party to act on behalf of an identity. ● This process bestows upon a party the rights and privileges of another party to perform a set of tasks. ● Impersonation can be viewed as the most relaxed form of delegation, such that one identity is assigned the complete set of permissions of the impersonated identity.
  • 55. 55 Solution 2 Trusted Subsystem ● Trusted subsystem model implies that application services are trusted to perform a specific set of application tasks. ● Frequently, downstream services need to make application authorization decisions. ● To do so, the service must know the identity of the end user. ● While the ability to flow the identity of the end user is an inherent property of the delegation model, it is not so for the trusted subsystem model and special efforts must be made to include this feature. Source : https://msdn.microsoft.com/en-us/library/aa905320. aspx#trstsubsysdes_topic6
  • 56. 56 Solution 2 Contd. Trusted Subsystem ● Authenticate and verify the identity of the upstream or downstream service they are communicating with. ● Decide if the identified service is a trusted subsystem for a specific set of application functions, including propagating identity claims. ● Protect the integrity of the data being communicated between trusted subsystem and downstream services. Besides application data and application plumbing data, such as the identity claims of the original user, must also be protected so that no man-in-the-middle can modify the identity information that is in transit.
  • 57. 57 Solution 2 Contd. Trusted Subsystem - Identity Flows ● Trusted subsystem generated identity tokens / Self-issued ○ When downstream services trust the trusted subsystem to assert the original caller's identity, without requiring additional evidence from other parties. ● Third party generated identity tokens / Self-contained ○ When the downstream services trust the trusted subsystem to assert claims regarding the original caller in conjunction with third party evidence that satisfies an additional set of security requirements. ● User self-signed tokens ○ When the trusted subsystem is authorized to perform a set of application functions and when there must be evidence from the original caller that the caller initiated the request. ● Identity/Credential Mapping ○ Special function of the trusted subsystem role, where the goal is to transform an identity to another related identity for the purpose of gaining access to downstream resources that only recognize the transformed identity.
  • 59. 59
  • 60. 60
  • 61. 61 Audit Interceptor Requirement ● Log security incidents to trace system abuse: ○ Failed login attempts ○ Unauthorized access attempts to services Solution ● All messages flow through the a gateway of the system. ● Necessary auditing is done by the logging at the gateway.
  • 62. 62 Data Origin Authentication Requirement ● Non-repudiation Solution ● Digital Signature Data Confidentiality Requirement Protect sensitive personal data during transmission from: ● Tampering ● unauthorized access Solution ● Digital Encryption
  • 63. 63 Message Screening Requirement Mitigate damages to the system from messages with malicious content ● SQL injection ● X-Doc attacks Solution ● XML Schema validation. ● Regular expression validation to avoid SQL injections contained in strings. ● An application of Perimeter Security
  • 64. 64 Replay Mitigation/DoS Safety Requirement Prevent denial of service attacks caused by replaying valid messages. Solution ● Apply throttling rules at the entry point. ● Validate message freshness by WS-Security mechanisms (Timestamp/Nonce). ● An application of Perimeter Security.
  • 65. 65 Exception Shielding Requirement Avoid exposing sensitive data through exceptions. ● Legacy application code might throw exceptions containing sensitive information. ● Need to filter those exceptions when system is exposed to external parties. Solution ● Sanitize unsafe exception data by replacing it with non-harmful exception message and give the right level of detail to the user.
  • 66. 66 References [1] https://msdn.microsoft.com/en-us/library/ [2] http://soapatterns.org/ [3] https://medium.facilelogin.com/thirty-solution-patterns-with-the-wso2-identity-server- 16f9fd0c0389#.1f3slrjnt [4] http://wso2.com/library/blog-post/2014/10/blog-post-identity-anti-patterns-federation-silos- and-spaghetti-identity/ [5] http://wso2.com/library/webinars/identity-server/ [6] M. Schumacher, E. Fernandez-Buglioni and D. Hybertson, Security Patterns: Integrating Security and Systems Engineering. 2005.