Web Information Systems Engineering (WISE)

1 Web Information Systems Engineering (WISE)
Security for Web Information Systems: Towards Compromise-Resilient Architectures
17/08/1440 confidential

2 Introduction
Security services play an important role in assuring the reliability and integrity of any information system.
The dynamic, distributed nature of Web Information Systems also introduces multiple points of potential security compromise.
Compromise resilience is as important as compromise resistance.

3 Basic Model
[Diagram: Agent, Resource, Data]
Agents access Web information resources.
Resources provide services and process data.

4 Security Services
[Diagram: Agent, Resource, Data]
Authentication: Who are you?
Authorization: What can you do?
Data protection: How is the data secured?

5 Authentication Approaches: Who are you?
[Diagram: Agent, Resource, Data, Authentication Authority]
Agents, resources exchange claims of identity.
Authentication authority issues credentials, helps validate claims.
Agents and resources have authentication credentials associated with their identities.

6 Authorization Approaches: What can you do?
[Diagram: Agent, Resource, Data, Authorization Authority]
Authorization authority supports policy decisions.
Resources enforce policy.

7 Data Protection Approaches: How is the data secured?
[Diagram: Agent, Resource, Key Authority]
Stored data is encrypted.
Key authority manages keys -- which also need access control!
Agents, resources exchange data through a secure channel.

8 Typical Security Architecture
[Diagram: Agent, Resource, Data, Authentication Authority, Key Authority, Authorization Authority]
Authorities support agents, resources in establishing security.

9 Potential Security Compromises
[Diagram: an attack marked on each of Agent, Resource, Data, Authentication Authority, Key Authority, Authorization Authority]
Compromises happen. What’s the impact?
Replicated, mobile nature of system introduces multiple points of compromise.

10 Authentication Compromises
[Diagram: Agent, Resource, Data, Authentication Authority, Key Authority, Authorization Authority; one attack marked]
Agent can be impersonated to resource.

11 Authentication Compromises
[Diagram: Agent, Resource, Data, Authentication Authority, Key Authority, Authorization Authority; one attack marked]
Resource can be impersonated to agent.

12 Authentication Compromises
[Diagram: Agent, Resource, Data, Authentication Authority, Key Authority, Authorization Authority; one attack marked]
Anyone can be impersonated!
Attack the authority, and/or its administrators.

13 Authorization Compromises
[Diagram: Agent, Resource, Data, Authentication Authority, Key Authority, Authorization Authority; one attack marked]
Anyone can be authorized!
Attack the authority, and/or its administrators.

14 Data Protection Compromises
[Diagram: Agent, Resource, Data, Authentication Authority, Key Authority, Authorization Authority; one attack marked]
Any key can be recovered!
But data remains secure unless encrypted data also compromised.

15 Data Protection Compromises
[Diagram: Agent, Resource, Data, Authentication Authority, Key Authority, Authorization Authority; one attack marked]
Any encrypted data can be recovered!
But data remains secure unless keys also compromised.

16 Compromise Resilience
[Diagram: an attack marked on each of Agent, Resource, Data, Authentication Authority, Key Authority, Authorization Authority]
How do you mitigate the risk?
Resilience vs. resistance

17 Authentication Compromise Resilience
[Diagram: Agent, Resource, Data, Authentication Authority, Home Agent]
Agent’s credentials should be short-lived and context-specific.
Home agent supports agent in obtaining them.
Resource’s credentials can be similarly strengthened.
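
An added example, not part of the presentation, of the short-lived, context-specific credential this slide describes: a hypothetical home agent mints an HMAC-tagged credential bound to one resource and a 300-second lifetime, so a stolen copy is rejected at any other resource and after expiry. The shared key, the claim names and the function names are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
import json

def issue(key, agent, resource, now, ttl=300):
    """Home-agent side: mint a credential bound to one resource and a short lifetime."""
    claims = {"sub": agent, "aud": resource, "exp": now + ttl}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body.decode() + "." + tag

def verify(key, token, resource, now):
    """Resource side: return the agent name, or raise ValueError."""
    body, _, tag = token.partition(".")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    # Check the tag before parsing anything inside the credential.
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        raise ValueError("bad signature")
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims["aud"] != resource:      # context-specific: valid for one resource only
        raise ValueError("wrong context")
    if now >= claims["exp"]:           # short-lived: useless once the window closes
        raise ValueError("expired")
    return claims["sub"]

def replay_outcomes():
    """Constructed scenario: a credential issued for 'payroll' at t=1000 is copied."""
    key = b"constructed-demo-key"      # assumption: shared by home agent and resource
    token = issue(key, "alice", "payroll", now=1000)
    cases = [("intended", "payroll", 1100),
             ("other-resource", "hr-db", 1100),
             ("after-expiry", "payroll", 1300)]
    results = {}
    for label, resource, now in cases:
        try:
            results[label] = verify(key, token, resource, now)
        except ValueError as err:
            results[label] = str(err)
    return results

if __name__ == "__main__":
    print(replay_outcomes())
```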

18 Authentication Compromise Resilience
[Diagram: Agent, Resource, Data, Authentication Authority, Home Agent, Master Authentication Authority]
Authentication authority’s credentials and validation data should be short-lived.
Master authority manages distribution of data and credentials.

19 Authentication Compromise Resilience
[Diagram: Agent, Resource, Data, Authentication Authority, Home Agent, Master Authentication Authority]
Multi-administrator and multi-authority approaches can also help.

20 Authorization Compromise Resilience
[Diagram: Agent, Resource, Data, Authorization Authority, Master Authorization Authority]
Authorization authority’s credentials should be short-lived.
Multi-administrator or -authority also helps.

21 Data Protection Compromise Resilience
[Diagram: Agent, Resource, Data, four Key Authorities]
Secret sharing reduces impact of compromise of one key authority.
Trusted execution protects keys in field.

22 Data Protection Compromise Resilience
[Diagram: Agent, Resource, Data, four Key Authorities]
Proactive secret sharing maintains resilience by updating shares periodically.
Distributed cryptography uses keys in split form.

23 A Resilient Security Architecture
[Diagram: Resilience Manager, Agent, Resource, Data, three Key Authorities, Authentication Authority, Authorization Authority, Home Agent, Master Authentication Authority, Master Authorization Authority]
Anticipating compromise mitigates risk.

24 Observations
Countermeasures such as short-lived, context-specific credentials, secret sharing limit impact of security compromises.
The distributed nature of Web Information Systems facilitates such countermeasures.
New components easily introduced into architecture.
Web Information Systems can lead the industry in compromise resilience.

25 Conclusion: Two Questions
What do you call an attacker who compromises a Web Information System? Answer: a WISE-Cracker
What do you call a Web Information System that is resilient against such compromise? Answer: a Web Information System Engineered with Resilience = WISER

26 RSA Security helps organizations and individuals confidently protect identities and digital assets (intellectual property). The company secures more than 15 million user identities, safeguards trillions of business transactions annually and manages the confidentiality of data in tens of thousands of applications worldwide. RSA Security’s reputation is built on a 20-year history of ingenuity, leadership and proven technologies, and our more than 18,000 customers and 1000 technology and integration partners worldwide.

