NRL Security Architecture: A Web Services-Based Solution


NRL Security Architecture: A Web Services-Based Solution
Anya Kim, Naval Research Lab, Washington D.C., kim@itd.nrl.navy.mil

NRL Security Architecture
- Initially developed to support a DoD project: identify potential threats with increased speed, timeliness, and accuracy
- [Diagram: multiple WS nodes]

NRL Security Architecture: Security Requirements
- Information sharing
  - While each node is autonomous, some information may need to be shared with coalition partners, the law enforcement community, etc.
  - Uses complex sharing rules based on MOA, coalition participation, location, roles, etc.
- Autonomy and survivability
  - Each node should be able to function (even in degraded mode) independently of other nodes
- Secure data management
  - Data comes from various sources and security levels
  - Label data based on source and classification (e.g., levels of trust)
  - Enforce access control based on data labels and requestor credentials
(Derived from the overview of CMA slide)

NRL Security Architecture: Architecture Features
- Uses web services
- Multiple instances of autonomous web service nodes deployed within a service-oriented architecture (SOA) infrastructure
- Each organization maintains its own users
- Each organization determines and maintains its own web service access policy
- Cross-organizational access policies are based on pre-written agreements (MOU, MOA, etc.)

NRL Security Architecture: Security Features
- Oracle Label Security
- Federated A&A model: authentication, authorization
- Network security*
* All data in transit is transmitted across the network in encrypted mode

Oracle Label Security
- Two aspects of data protection: access mediation to data and data separation
- Oracle Label Security (OLS) provides mechanisms for data protection via access mediation and has Common Criteria (CC) Evaluation Assurance Level (EAL) 4.
- By using correctly created data labels we can enforce policies, because the labels let us record the source of each piece of data.
- It is important to understand that OLS in this system is not used to protect data at different security levels (e.g., Top Secret, Secret, Unclassified) from one another. Rather, it is used to separate data from various organizations (e.g., Coast Guard, DoD) within the same security level.

Oracle Label Security (cont.)
- Use OLS to separate and label data from various organizations and implement a label security policy that satisfies the data owners' rules and regulations
- The regular user application is label-unaware; all data separation and access mediation is performed by OLS, which implements the project's overall label security policy
- User applications (i.e., web services) do not mediate access to data. They pass user information to Oracle, and OLS returns the data that the user is allowed to read
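As an added illustration (not part of the original slides), the following Python models the label-unaware pattern described above: the web service asks for all rows and the label engine returns only those the caller may read. It models the OLS read-access rule (level dominance, every compartment, at least one group), not Oracle's PL/SQL API; the levels, organizations and rows are constructed.

```python
from dataclasses import dataclass

LEVELS = {"UNCLASSIFIED": 10, "SECRET": 20}  # constructed ranking; OLS orders levels numerically

@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()  # AND: a reader must hold every one
    groups: frozenset = frozenset()        # OR: a reader must hold at least one

@dataclass(frozen=True)
class Row:
    row_id: int
    payload: str
    label: Label

def user_can_read(user: Label, row: Label) -> bool:
    # OLS read rule: level dominance, all compartments, and one matching group.
    if LEVELS[user.level] < LEVELS[row.level]:
        return False
    if not row.compartments <= user.compartments:
        return False
    return not row.groups or bool(row.groups & user.groups)

def mediate_select(user: Label, table: list) -> list:
    # The web service asks for "all rows"; the label engine silently filters them.
    return [r.row_id for r in table if user_can_read(user, r.label)]

# Constructed table: every row sits at the same level; groups carry the source
# organization, and a compartment marks material caveated for a coalition.
TABLE = [
    Row(1, "USCG vessel track", Label("SECRET", groups=frozenset({"USCG"}))),
    Row(2, "DoD sensor report", Label("SECRET", groups=frozenset({"DOD"}))),
    Row(3, "item shared under an MOA", Label("SECRET", groups=frozenset({"USCG", "DOD"}))),
    Row(4, "DoD report, coalition compartment", Label("SECRET", frozenset({"COALITION"}), frozenset({"DOD"}))),
    Row(5, "public notice", Label("UNCLASSIFIED")),
]
# Constructed user labels (what OLS would hold for each authenticated account).
USCG_ANALYST = Label("SECRET", groups=frozenset({"USCG"}))
DOD_ANALYST = Label("SECRET", frozenset({"COALITION"}), frozenset({"DOD"}))
DOD_CLERK = Label("UNCLASSIFIED", groups=frozenset({"DOD"}))

if __name__ == "__main__":
    for name, who in [("USCG analyst", USCG_ANALYST), ("DoD analyst", DOD_ANALYST), ("DoD clerk", DOD_CLERK)]:
        print(name, "sees rows", mediate_select(who, TABLE))
```

The same SELECT returns a different row set per caller, which is exactly why the web service itself never needs to know the labels.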

Federated A&A
- Based on a service-oriented architecture
- Users access the data via a series of web services
- The web apps require the user to authenticate before gaining access to the web pages. Additionally, the user's attributes, such as role and organization, are included to provide input to access control decisions
- Based on OASIS Security Assertion Markup Language (SAML) 2.0 and eXtensible Access Control Markup Language (XACML) 2.0
- Peer-to-peer trust relationships rather than multilateral: provides better flexibility

Federated A&A (cont.)
- SSO/SLO (Single Sign-On, Single Logout)
  - Users need only authenticate locally, hence are required to know only one username/password combination
  - Reduces password-associated risks
- Ease of management
  - Enables each organization to use pre-existing authentication mechanisms independent of the others
  - Allows organizations to create authorization policies according to their own rules
  - Simplifies user management in a dynamic environment
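An added example, not from the original presentation, of the federated A&A decision the two slides above describe: a constructed SAML 2.0 attribute assertion from a peer node's identity provider is checked against this node's own bilateral trust list and an MOA-derived policy on the role and organization attributes before access is granted. XML-signature verification is assumed to have passed already; all URLs, organizations and roles are hypothetical.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Constructed SAML 2.0 attribute assertion from a peer node's IdP; signature check assumed done.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">
  <saml:Issuer>https://idp.uscg.example</saml:Issuer>
  <saml:Conditions NotBefore="2006-03-01T12:00:00Z" NotOnOrAfter="2006-03-01T12:10:00Z">
    <saml:AudienceRestriction><saml:Audience>https://ws.nrl.example</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="role"><saml:AttributeValue>analyst</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="organization"><saml:AttributeValue>USCG</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
# Peer-to-peer trust: IdPs this node has a bilateral agreement with, and the one organization
# each may vouch for; MOA_POLICY is what the written agreements allow (all values hypothetical).
TRUSTED_PEERS = {"https://idp.uscg.example": "USCG", "https://idp.dod.example": "DOD"}
LOCAL_AUDIENCE = "https://ws.nrl.example"
MOA_POLICY = {"USCG": {"analyst", "watch-officer"}, "DOD": {"analyst"}}

def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def parse_assertion(xml_text):
    # Extract just the fields the policy decision needs.
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", NS)
    return {
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "not_before": _ts(cond.get("NotBefore")),
        "not_on_or_after": _ts(cond.get("NotOnOrAfter")),
        "audiences": {a.text for a in root.iterfind(".//saml:Audience", NS)},
        "attrs": {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
                  for a in root.iterfind(".//saml:Attribute", NS)},
    }

def authorize(xml_text, now_iso):
    # XACML-style decision: every rule must hold, and the first failure names the reason.
    a, now = parse_assertion(xml_text), _ts(now_iso)
    org, role = a["attrs"].get("organization"), a["attrs"].get("role")
    rules = [
        (a["issuer"] in TRUSTED_PEERS, "issuer is not a trusted peer"),
        (a["not_before"] <= now < a["not_on_or_after"], "assertion outside its validity window"),
        (LOCAL_AUDIENCE in a["audiences"], "assertion not addressed to this service"),
        (TRUSTED_PEERS.get(a["issuer"]) == org, "issuer may not vouch for that organization"),
        (role in MOA_POLICY.get(org, set()), "no MOA covers this role"),
    ]
    for ok, reason in rules:
        if not ok:
            return "Deny: " + reason
    return "Permit"
```

The organization check is the peer-to-peer part: each IdP is trusted only for its own users, so a compromised or misconfigured partner cannot mint assertions on another organization's behalf.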

NRL Security Architecture: Information Flow

Conclusion
The NRL Security Architecture:
- Uses commercial standards
- Enables independent nodes to run in degraded mode if necessary (survivability)
- Provides strong authentication and authorization while preserving the unique security and data-sharing requirements of the participating entities
- Is applicable to other areas where security, information sharing (e.g., need-to-know), and survivability are issues