© 2008 OSIsoft, Inc. | Company Confidential PI System Security Bryan S. Owen PE.

Slides:



Advertisements
Similar presentations
OneBridge Mobile Data Suite Product Positioning. Target Plays IT-driven enterprise mobility initiatives Extensive support for integration into existing.
Advertisements

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 8: Monitoring the Network Connecting Networks.
PI Server Security Bryan S. Owen Omar A. Shafie.
1 OCEANIA TECHNOLOGY SEMINAR 2008 © 2008 OSIsoft, Inc. | Company Confidential OCEANIA TECHNOLOGY SEMINAR 2008 PI System Security Taking it to the Next.
DESIGNING A PUBLIC KEY INFRASTRUCTURE
Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.
Chapter 7 HARDENING SERVERS.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.
Introduction To Windows NT ® Server And Internet Information Server.
ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.
Identity and Access Management
1 OCEANIA TECHNOLOGY SEMINAR 2008 © 2008 OSIsoft, Inc. | Company Confidential OCEANIA TECHNOLOGY SEMINAR 2008 PI System Development Roadmap Jon Peterson.
Understanding Active Directory
Chapter 11: Dial-Up Connectivity in Remote Access Designs
Sharepoint Portal Server Basics. Introduction Sharepoint server belongs to Microsoft family of servers Integrated suite of server capabilities Hosted.
Course 6421A Module 7: Installing, Configuring, and Troubleshooting the Network Policy Server Role Service Presentation: 60 minutes Lab: 60 minutes Module.
Directory and File Transfer Services Chapter 7. Learning Objectives Explain benefits offered by centralized enterprise directory services such as LDAP.
© 2008 OSIsoft, Inc. | Company Confidential Windows Integrated Security for the PI Server Hans-Herbert Gimmler Rulik Perla.
May 30 th – 31 st, 2006 Sheraton Ottawa. Microsoft Certificate Lifecycle Manager Saleem Kanji Technology Solutions Professional - Windows Server Microsoft.
Edwin Sarmiento Microsoft MVP – Windows Server System Senior Systems Engineer/Database Administrator Fujitsu Asia Pte Ltd
MCTS Guide to Configuring Microsoft Windows Server 2008 Active Directory Chapter 3: Introducing Active Directory.
BMC Software confidential. BMC Performance Manager Will Brown.
Module 10: Designing an AD RMS Infrastructure in Windows Server 2008.
Module 11 : Backup and Restore Jong S. Bok
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.
9/10/20151 Hyperion Enterprise 6.5 New Features & Functionality Robert Cybulski, CPA Finit Solutions.
1 Group Account Administration Introduction to Groups Planning a Group Strategy Creating Groups Understanding Default Groups Groups for Administrators.
Visualization in the Real-Time Enterprise Ken Marsh Service Manager OSI Software Asia Pte Ltd.
© 2008 OSIsoft, Inc. | Company Confidential High Availability Michael Jakob Colin Breck Colin Breck Michael Jakob Colin Breck Colin Breck.
Configuring and Troubleshooting Identity and Access Solutions with Windows Server® 2008 Active Directory®
Module 5 Configuring Authentication. Module Overview Lesson 1: Understanding Classic SharePoint Authentication Providers Lesson 2: Understanding Federated.
Module 11: Implementing ISA Server 2004 Enterprise Edition.
Identity Solution in Baltic Theory and Practice Viktors Kozlovs Infrastructure Consultant Microsoft Latvia.
Planning a Microsoft Windows 2000 Administrative Structure Designing default administrative group membership Designing custom administrative groups local.
Slide 1 ASP Authentication There are basically three authentication modes Windows Passport Forms There are others through WCF You choose an authentication.
Guide to MCSE , Second Edition, Enhanced1 The Windows XP Security Model User must logon with: Valid user ID Password User receives access token Access.
Terminal Services Technical Overview Olav Tvedt TVEDT.info Microsoft Speaker Community
Copyright © 2007 OSIsoft, Inc. All rights reserved. Ad-Hoc Reporting Using The RtReports Web Part Tamara Carbaugh RtReports Product Manager OSIsoft, Inc.
Module 5 : Security I Jong S. Bok
Security fundamentals Topic 5 Using a Public Key Infrastructure.
Rob Davidson, Partner Technology Specialist Microsoft Management Servers: Using management to stay secure.
Need for Security Control access to servicesControl access to services Ensure confidentialityEnsure confidentiality Guard against attacksGuard against.
Database Security Cmpe 226 Fall 2015 By Akanksha Jain Jerry Mengyuan Zheng.
Module 9 User Profiles and Social Networking. Module Overview Configuring User Profiles Implementing SharePoint 2010 Social Networking Features.
Module 10: Windows Firewall and Caching Fundamentals.
Web Services Security Patterns Alex Mackman CM Group Ltd
OSIsoft Thin Clients RtWebParts and RtBaselineServices Jay Lakumb OSIsoft, Inc.
1 Chapter 13: RADIUS in Remote Access Designs Designs That Include RADIUS Essential RADIUS Design Concepts Data Protection in RADIUS Designs RADIUS Design.
Active Directory. Computers in organizations Computers are linked together for communication and sharing of resources There is always a need to administer.
OSIsoft Thin Clients RtWebParts and RtBaselineServices Jay Lakumb OSIsoft, Inc.
4.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 12: Implementing Security.
BÄTTRE UTBILDNINGSRESULTAT. NÅ HÖGRE MED KUNSKAP.
Directory Services CS5493/7493. Directory Services Directory services represent a technological breakthrough by integrating into a single management tool:
ASP.NET 2.0 Security Alex Mackman CM Group Ltd
Active Directory Domain Services (AD DS). Identity and Access (IDA) – An IDA infrastructure should: Store information about users, groups, computers and.
Productivity Architect Meet Chris Bortlik Author, Blogger, Speaker.
Discover How You Can Increase Collaboration with External Partners While Reducing Your Cost in Managing an Extranet from the Azure Cloud MICROSOFT AZURE.
L’Oreal USA RSA Access Manager and Federated Identity Manager Kick-Off Meeting March 21 st, 2011.
Upgrade to Dynamics 365 Online From On Premise
SQL Database Management
Secure Connected Infrastructure
PI System Development Roadmap
Stop Those Prying Eyes Getting to Your Data
SECURING NETWORK TRAFFIC WITH IPSEC
Configuring and Troubleshooting Routing and Remote Access
Module 8: Securing Network Traffic by Using IPSec and Certificates
Common Security Mistakes
Managing Services with VMM and App Controller
Module 8: Securing Network Traffic by Using IPSec and Certificates
06 | SQL Server and the Cloud
Presentation transcript:

© 2008 OSIsoft, Inc. | Company Confidential PI System Security Bryan S. Owen PE

2 © 2008 OSIsoft, Inc. | Company Confidential Web of Trust Classic Examples –Bulk Electric System –Pipelines –Transportation –Supply Chains –Finance Cyber Examples –Internet Service Providers –Name and Time Services –Certificate Authorities –eBay Ratings

3 © 2008 OSIsoft, Inc. | Company Confidential OSIsoft Cyber Security Web of Trust AssociationsAssociations ResearchResearchCommercialCommercial GovernmentGovernment

4 © 2008 OSIsoft, Inc. | Company Confidential

5 Safety and Security Prevention is Best Approach –Risk includes Human Factors Technology Can Help –Auditing, Monitoring and Protection Actively Caring is the Key –Effects all stakeholders

6 © 2008 OSIsoft, Inc. | Company Confidential Mutual Distrust Posture – FERC 706 The term “mutual distrust” is used to denote how “outside world” systems are treated by those inside the control system A mutual distrust posture requires each responsible entity … to protect itself and not trust any communication crossing an electronic security perimeter, regardless of where that communication originates.

7 © 2008 OSIsoft, Inc. | Company Confidential There are only two types of security issues:  Input trust issues  Everything else! Secure Coding Issues Source: Security Development Lifecycle – Microsoft Press, Michael Howard

8 © 2008 OSIsoft, Inc. | Company Confidential What Now? Not allowed to Trust “Outside” Systems… Shouldn’t Trust any Input… –Secure Boundaries –Build-in Security

9 © 2008 OSIsoft, Inc. | Company Confidential Smart Connector PI Archive User Services Data Access Portal Notification Services Smart Clients Data SourceSubscribers PI System Security Boundaries

10 © 2008 OSIsoft, Inc. | Company Confidential Defense-in-Depth Challenges Legacy Technology Loss of Perimeter Implementation Practices Manual Procedures Lack of Visibility Infrastructure Lifecycles Physical Network Host Application Data

11 © 2008 OSIsoft, Inc. | Company Confidential PI Security Boundary Features Isolated Application Stack –Protect Critical Systems Data Only “Conduit” Health Monitoring & Visibility Quick Disconnect –No Data Loss Recovery Physical Network Host Application Data Control Systems Control Systems

12 © 2008 OSIsoft, Inc. | Company Confidential Architecture – Interface Node Simple Resilient Highly Instrumented

13 © 2008 OSIsoft, Inc. | Company Confidential Architecture: High Availability

14 © 2008 OSIsoft, Inc. | Company Confidential Integrating Windows Security into PI RtWebParts –Microsoft Office Sharepoint Services PI AF –.Net Framework and MS SQL Server PI Server –Windows 2008 Logo Certification (including Server Core) –Modern Hardware Support (Memory Protection, TPM, x64) –Integrated Authentication and Authorization

15 © 2008 OSIsoft, Inc. | Company Confidential Authentication and Authorization Customer SIG Requests and Objectives: 1.Leverage Windows for account administration 2.Single sign-on (no PI Server login required) 3.Secure authentication methods 4.Extended access control …more than Owner, Group, World …e.g. Groups of Groups

16 © 2008 OSIsoft, Inc. | Company Confidential Architectural Overview Our Current Security Model –Choice of access rights: read, write –A single owner (per object) –A single group association –And then everyone else... “world” The New Model –Support for Active Directory and Windows Local Users/Groups –Mapping of authenticated Windows principals to “PI Identities” –Access Control Lists for points, etc.

17 © 2008 OSIsoft, Inc. | Company Confidential WIS in a Nutshell Windows PI Server Active Directory Active Directory Security Principals Security Principals Authentication Identity Mapping PI Identities Access Control Lists Authorization PI Secure Objects PI Secure Objects

18 © 2008 OSIsoft, Inc. | Company Confidential User Authentication Until Now –Explicit Login: validation against internal user database –Trust Login: validation of user’s Security Identifier (SID) PI Server “380” Release –Strong Authentication using SSPI – “Negotiate” (Microsoft Security Support Provider Interface) –Principals from Active Directory –Principals from Local Server –Backward Compatible Authentication (Configurable)

19 © 2008 OSIsoft, Inc. | Company Confidential Demo: Protocol Selection

20 © 2008 OSIsoft, Inc. | Company Confidential PI Identities Custom Labels for PI Security Authorization –Replace and Extend “Owner”, “Group” and “World” New Default PI Identities: –PIWorld, PIEngineers, PIOperators, PISupervisors –Legacy PI users and groups also become identities Change as needed for Role and Category –Add / Rename / Disable using PI-SMT

21 © 2008 OSIsoft, Inc. | Company Confidential PI Identity Mapping Links a Windows group (or user) to a PI Identity –Example: Server\AuthenticatedUsers to PIWorld Multiple mappings allowed per PI Identity –Suggestion: Manage complex mapping through nested membership in Windows Groups Legacy PI Trusts map to a single Identity only

22 © 2008 OSIsoft, Inc. | Company Confidential Demo: Configuring a PI Identity

23 © 2008 OSIsoft, Inc. | Company Confidential PI Secure Objects: Authorization Main objects: Points and Modules –New “Security” attribute supersedes legacy settings PtSecurity instead of PtAccess, PtGroup, PtOwner Access Control Lists –New Syntax for “Security” ACL string: “ID1: A(r,w) | ID2: A(r,w) | ID3: A(r,w) | …” Compatibility Mode –Configure 3 identities: PIUser, 1PIGroup, and PIWorld (any order) –Existing behavior preserved in “o: g: r:” attributes

24 © 2008 OSIsoft, Inc. | Company Confidential PI Security Configuration Server <= Attributes Owner, Creator, Changer are PIUsers Group is PIGroup Access as String ACL Syntax “o:rw g:rw w:r” Server >= Attributes New Security attribute as ACL Creator and Changer are PIIdentities or Principals (Windows users) Incompatible case: –Owner = PIUserIncompatible –Group = PIGroupIncompatible –Access = “o: g: w: ” ACL Syntax “ID1: A(r,w) | ID2: A(r,w) | ID3: A(r) | …” IDn = PIIdentity

25 © 2008 OSIsoft, Inc. | Company Confidential Demo: Comparing ACLs – Old v. New 1.Using Tag Configurator, show existing security attributes (dataowner, datagroup, dataaccess) alongside new attribute (datasecurity). 2.In datasecurity, change piworld: A(r,w) to piworld: A(). Export and import. Point out that change is reflected in dataaccess. 3.In datasecurity, delete “| piworld: A()”. Export and import. Point out “incompatible” state of dataaccess, datagroup, and dataowner 4.Explain why data* attributes are in the “incompatible” state and why it matters. 5.Optional: Restore “| piworld: A(r,w)” to datasecurity, export, and import. Point out that data* attributes are once again compatible.

26 © 2008 OSIsoft, Inc. | Company Confidential Making the Transition Existing security still supported –On upgrade: no loss of configuration, no migration –Downgrade only by restoring from backup Existing SDK applications –Preserve existing behavior Can still connect via explicit logins or trusts –Single sign-on after SDK and server upgrade No configuration or code changes to client applications!

27 © 2008 OSIsoft, Inc. | Company Confidential Summary Windows Integrated Security is the next milestone for the PI Server –Flexible Configuration –Less Maintenance –Investment Preserved Security Development Lifecycle is Ongoing –Features that are Secure –Security Enhancing Features –Good Practice Advice and Security Tools –Actively Caring about Security

28 © 2008 OSIsoft, Inc. | Company Confidential Security is about Trust Trusted Partner Trusted Network Trusted Operating System Trusted Application Trusted Data Physical Network Host Application Data Control System Control System

29 © 2008 OSIsoft, Inc. | Company Confidential Thank You