Presentation is loading. Please wait.

Presentation is loading. Please wait.

Server to Server Group Requirements Simplifying key management between multiple vendor implementations.

Published byDoreen Strickland Modified over 8 years ago

Similar presentations

Presentation on theme: "Server to Server Group Requirements Simplifying key management between multiple vendor implementations."— Presentation transcript:

1 Server to Server Group Requirements Simplifying key management between multiple vendor implementations

2 (Re)Defining a Group What a group should be – A collection of common entities, objects or other groups Should not be more than two or possibly three groups deep (complexity) A group should not be – A container for multiple types of entities and objects If a group contains other groups it cannot contain entities or objects – e.g. Homogeneity Group 1 Group 3Group 2 Group 4

3 Groups as Containers Group of Entities – Contains one or more like entities that use a common set of objects Like = same attributes, crypto capability, etc… (Read as homogenous) Group of Objects (keys, certificates, etc…) – A set of like objects that can then be bound to or accessed by a – Consideration of a Policy object for server to server may be needed if messaging isn’t enough (use case anyone?) Group of Groups – A group that contains one or more groups Including one or more entity groups, objects & users – How deep groups can go needs to be seriously looked at Group within a group, within a bigger group, ad infinitum Group of Users – Access control for users when external authentication is used in multivendor environments – Defined by KMIP? This would be an example of a potential “other” group category that would not be extended from one vendor server to another other than in a system that uses role based management – Bob L.’s personal opinion is no…

4 Group Purposes Access Control – Using two levels allows one or more group of entities to map to one or more groups of objects – Provides a common definition between vendors for server to server access control implementation without restricting a vendor’s capabilities to perform access control Ownership – A primary group owns one or more entities, objects or “other” All entities will have a single primary group All objects will have two groups, a group for the individual object and a group of common objects (e.g. AES256 keys, certificates, etc…) – Takes ownership away from devices that can be temporary or long lived but that may not live as long as the keys they access and use Destroying entities doesn’t impact objects if they don’t own the objects to begin with

5 Questions to Consider Do clients care about Groups? – Is there a reason or use case? Does it make sense to have more than two layers of groups? – Is there a use case where a common set of keys are accessed by different device types that would require this – What kind of access control issues arise with more than two layers of groups – If not two what is a good limit that can be set for server to server instances Is there a good reason to go beyond three layers? Do groups play a part in a global namespace for server to server? – A question to be asked if a model such as URI is used for global key naming How do you resolve policy conflict between server implementations? – Should we stay away from it and let the vendor handle it who makes the call on policy for a given instance? Are there any looming conflicts?

Download ppt "Server to Server Group Requirements Simplifying key management between multiple vendor implementations."

Similar presentations

January 30, 2014 Copyright Jim Farley Beyond JDBC: Java Object- Relational Mappings Jim Farley e-Commerce Program Manager GE Research and Development

January 30, 2014 Copyright Jim Farley Beyond JDBC: Java Object- Relational Mappings Jim Farley e-Commerce Program Manager GE Research and Development
Naming, Addressing, & Discovery

Naming, Addressing, & Discovery
Www.thales-esecurity.com Common Identifiers Providing Globally Unique Identifiers for UUID and Application IDs of keys and other objects.

Common Identifiers Providing Globally Unique Identifiers for UUID and Application IDs of keys and other objects.
Enterprise -> Cloud Outline –Enterprises have many apps outside their control public cloud; business partner applications –Using standards-based SSO (SAML,

Enterprise -> Cloud Outline –Enterprises have many apps outside their control public cloud; business partner applications –Using standards-based SSO (SAML,
SCENARIO Suppose the presenter wants the students to access a file Supply Credenti -als Grant Access Is it efficient? How can we make this negotiation.

SCENARIO Suppose the presenter wants the students to access a file Supply Credenti -als Grant Access Is it efficient? How can we make this negotiation.
Access Control Methodologies

Access Control Methodologies
Sponsored by the National Science Foundation GENI Clearinghouse Panel GEC 12 Nov. 2, 2011 INSERT PROJECT REVIEW DATE.

Sponsored by the National Science Foundation GENI Clearinghouse Panel GEC 12 Nov. 2, 2011 INSERT PROJECT REVIEW DATE.
KMIP Vendor Extension Management KMIP supports ‘extensions’ but provides no mechanism for coordination of values between clients and servers or between.

KMIP Vendor Extension Management KMIP supports ‘extensions’ but provides no mechanism for coordination of values between clients and servers or between.
Naming Computer Engineering Department Distributed Systems Course Asst. Prof. Dr. Ahmet Sayar Kocaeli University - Fall 2014.

Naming Computer Engineering Department Distributed Systems Course Asst. Prof. Dr. Ahmet Sayar Kocaeli University - Fall 2014.
CMSC 414 Computer (and Network) Security Lecture 26 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 26 Jonathan Katz.
Active Directory: Final Solution to Enterprise System Integration

Active Directory: Final Solution to Enterprise System Integration
PKI 2: Protezione del traffico Web tramite SSL Fabrizio Grossi.

PKI 2: Protezione del traffico Web tramite SSL Fabrizio Grossi.
System Concepts and Architecture Rose-Hulman Institute of Technology Curt Clifton.

System Concepts and Architecture Rose-Hulman Institute of Technology Curt Clifton.
CS603 Active Directory February 1, 2001.

CS603 Active Directory February 1, 2001.
Introduction To Windows NT ® Server And Internet Information Server.

Introduction To Windows NT ® Server And Internet Information Server.
A Heterogeneous Network Access Service based on PERMIS and SAML Gabriel López Millán University of Murcia EuroPKI Workshop 2005.

A Heterogeneous Network Access Service based on PERMIS and SAML Gabriel López Millán University of Murcia EuroPKI Workshop 2005.
Hands-On Microsoft Windows Server 2003 Administration Chapter 3 Administering Active Directory.

Hands-On Microsoft Windows Server 2003 Administration Chapter 3 Administering Active Directory.
Principles of Information Systems, Sixth Edition 1 Systems Investigation and Analysis Chapter 12.

Principles of Information Systems, Sixth Edition 1 Systems Investigation and Analysis Chapter 12.
Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved. 0-13-239227-5 DISTRIBUTED SYSTEMS.

Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved DISTRIBUTED SYSTEMS.
ADVANCED MICROSOFT ACTIVE DIRECTORY CONCEPTS

ADVANCED MICROSOFT ACTIVE DIRECTORY CONCEPTS

Similar presentations

Ads by Google