Middleware and Security
NERCOMP SIG
November 2008
Office of Information Technologies
1 Traditional Middleware Drivers
. Services that enable secure access to networks, services, and applications
  • Identification
  • Authorization
  • Authentication
  • Directories
  • Audit
. Leveraging enterprise identity and access data to enable business processes
2 Security or Middleware?
. How do campuses securely provide access to these applications?
  • Identity and Access Management systems
. How do we detect abuse of these applications?
  • Audit
  • Log correlation and data orchestration
. Why is this our problem?
  • Aren’t you the Information Security Officer?
  • Who gets the phone call when data leaks?
3 The changing security landscape
. In security we have a continually changing landscape
  • Network worms aren’t very interesting any more
  • We can detect and shut off a port scanner in minutes
. Vendor patches have solved many of our operating system problems
  • Sometimes very slowly
. Application vulnerabilities abound
  • Cataloging which applications we own and/or operate is a daunting task
  • Securing these applications is more daunting
4 Current threat environment
. We have traditionally focused our security efforts on systems
  • Managed or unmanaged
. The current and emerging threat environment changes some of our focus to data and privilege
  • Web-based application assessment
  • Cross-site scripting, SQL injection
  • Data leakage and extrusion prevention
  • The risk is in the data, not just the systems
  • Privilege escalation
  • Who manages the assignment of privilege?
5 Current threat environment
. I won’t claim that we have solved all of our systems security problems
  • Otherwise known as job preservation
. However, the environment has changed. The focus should be on the behavior that we don’t understand or manage as well
  • Everyone wants their own application
  • Those who operate these applications frequently do not have a strong security background
  • Assignment of privilege is decentralized and often poorly managed
6 Middleware Policy space
. Identity Management • “A set of standards, procedures and technologies that provide electronic credentials to individuals and maintain authoritative information about the holders of those credentials”
. Trust Fabrics • “Federations provide a trust fabric on which Identity Management can be leveraged.”
Both from: http://www.aamc.org/members/gir/campmed06/ribbeck.pdf
7 How do security and middleware intersect?
. We’ve built strong defenses against those outside our organization
  • And those we don’t trust inside our organization (ResNet, certain departments)
. Data leakage occurs from inside as often as from outside
  • Faculty posting FERPA-protected data on public websites
  • Staff posting financial data publicly
. Understanding how privilege is granted and managed is key to defending these data and information services
8 Where do security staff see concerns?
. SQL injection attacks aside, who provisions access to your critical applications?
  • How secure are those provisioning applications?
  • Can you locate and parse the logs and audit trails?
. All these applications and authentication services generate a lot of logs
  • Can you correlate across these disparate application and authentication logs?
  • Can you further correlate these applications against network-centric data sources?
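The correlation question above is concrete enough to show in code. The following is an added example, not from the presentation or any campus system: it joins a central authentication log (which knows the username and client IP) with an application audit log (which records only the IP) and a directory extract, so that a large data export can be attributed to a named person and their department rather than to an address. The log formats, hostnames, usernames and directory entries are constructed for the example; the join rule (most recent login from the same IP within a session window) and the eight-hour window are assumptions, not anything the slides specify.

```python
import re
from datetime import datetime, timedelta

# Constructed sample data (not from the presentation): a central
# authentication log, an application audit log that records only the
# client IP, and a directory extract keyed by username.
AUTH_LOG = """\
2008-11-17T14:02:11Z login user=jdoe ip=10.20.30.41 service=https://grades.example.edu/
2008-11-17T14:05:47Z login user=asmith ip=10.20.30.77 service=https://finance.example.edu/
2008-11-17T15:31:02Z login user=rlee ip=10.20.30.41 service=https://grades.example.edu/
"""

APP_LOG = """\
2008-11-17T14:09:30Z grades ip=10.20.30.41 action=view_roster rows=28
2008-11-17T14:11:05Z grades ip=10.20.30.41 action=export_csv rows=3200
2008-11-17T15:40:12Z grades ip=10.20.30.41 action=view_roster rows=31
2008-11-17T16:02:40Z grades ip=10.20.30.99 action=export_csv rows=2100
"""

DIRECTORY = {
    "jdoe": {"affiliation": "staff", "dept": "Registrar", "mail": "jdoe@example.edu"},
    "asmith": {"affiliation": "staff", "dept": "Finance", "mail": "asmith@example.edu"},
    "rlee": {"affiliation": "student", "dept": "Chemistry", "mail": "rlee@example.edu"},
}

AUTH_RE = re.compile(r"^(\S+) login user=(\S+) ip=(\S+) service=(\S+)$")
APP_RE = re.compile(r"^(\S+) (\S+) ip=(\S+) action=(\S+) rows=(\d+)$")


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def parse_auth(text):
    """Authentication events: who logged in, from where, to what."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            events.append({"time": _ts(m.group(1)), "user": m.group(2),
                           "ip": m.group(3), "service": m.group(4)})
    return events


def parse_app(text):
    """Application audit events; note there is no username, only an IP."""
    events = []
    for line in text.splitlines():
        m = APP_RE.match(line)
        if m:
            events.append({"time": _ts(m.group(1)), "app": m.group(2),
                           "ip": m.group(3), "action": m.group(4),
                           "rows": int(m.group(5))})
    return events


def attribute(app_events, auth_events, window=timedelta(hours=8)):
    """Attach to each application event the most recent login from the
    same IP that happened no more than `window` earlier (window is an
    assumed session length).  Taking the most recent login, not the first,
    matters when an address is reused, as 10.20.30.41 is here.  Events with
    no matching login stay unattributed rather than being guessed."""
    out = []
    for ev in app_events:
        candidates = [a for a in auth_events
                      if a["ip"] == ev["ip"]
                      and ev["time"] - window <= a["time"] <= ev["time"]]
        ev = dict(ev)
        ev["user"] = max(candidates, key=lambda a: a["time"])["user"] if candidates else None
        out.append(ev)
    return out


def flag_exports(attributed, threshold=1000):
    """Turn large exports into incident records with the directory contact
    attached, so the notification goes to a named person, not an IP."""
    incidents = []
    for ev in attributed:
        if ev["action"] == "export_csv" and ev["rows"] >= threshold:
            person = DIRECTORY.get(ev["user"], {})
            incidents.append({
                "time": ev["time"].isoformat(),
                "ip": ev["ip"],
                "rows": ev["rows"],
                "user": ev["user"],
                "dept": person.get("dept", "unknown"),
                "contact": person.get("mail", "unattributed: no login from this IP"),
            })
    return incidents


if __name__ == "__main__":
    for inc in flag_exports(attribute(parse_app(APP_LOG), parse_auth(AUTH_LOG))):
        print(inc)
```

The fourth audit line is the case the slide is really asking about: an export from an address with no login in the authentication log stays unattributed, which is the signal that a log source is missing or that the application is provisioning access outside the central authentication path.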
9 What concerns me about middleware?
. Federations
  • Seem to be fairly unstoppable
  • And I argue for strongly supporting them on my campus
  • But it means my user base no longer includes only individuals directly affiliated with my campus
    • For web applications
    • For network access
  • How do I identify a user from a remote institution?
    • Especially in the environment of a privacy-preserving technology like Shibboleth
  • How do I handle an incident when the offending user belongs to another campus?
    • And I may not even know their username
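The "I may not even know their username" problem has a workable answer, and the following added example (not from the presentation, and not Shibboleth's own code) shows it. A privacy-preserving federation attribute such as eduPersonTargetedID gives the service provider an opaque identifier that is stable for one user at one SP but different at every other SP. The SP cannot reverse it, but the user's home IdP can, because only the IdP holds the secret salt. The derivation below is modeled on the computed-ID connector of Shibboleth IdP 2.x, Base64(SHA-1(spEntityID + "!" + sourceID + "!" + salt)); treat the exact recipe, and all entity IDs, users and the salt, as assumptions of this example. What the home campus needs to send the remote campus is therefore the opaque ID, the two entity IDs, a timestamp and an IP, and the IdP does the rest.

```python
import base64
import hashlib

# Constructed data (not from the presentation): the remote IdP's private
# salt and its table of users mapped to the stable internal identifier
# that feeds the pairwise ID (never the login name itself).
IDP_ENTITY_ID = "https://idp.remote-campus.example/idp/shibboleth"
IDP_SALT = "constructed-secret-salt-do-not-reuse"
IDP_USERS = {"rlee": "100234", "mchen": "100871", "pkumar": "101552"}

SP_WIKI = "https://wiki.home-campus.example/shibboleth"
SP_LIBRARY = "https://library.home-campus.example/shibboleth"


def computed_id(sp_entity_id, source_id, salt):
    """Pairwise persistent identifier.  Modeled on the Shibboleth IdP 2.x
    computed-ID connector as Base64(SHA-1(spEntityID + '!' + sourceID + '!'
    + salt)); the exact recipe is an assumption of this example.  Different
    SPs get different values for the same user, and without the salt an SP
    cannot tie the value back to a person."""
    raw = f"{sp_entity_id}!{source_id}!{salt}".encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()


def build_referral(targeted_id, sp_entity_id, idp_entity_id, when_utc, client_ip, summary):
    """What the home-campus SP can hand to the remote IdP's security
    contact: everything needed to identify the user, none of it a username."""
    return {
        "idp": idp_entity_id,           # NameQualifier of the targeted ID
        "sp": sp_entity_id,             # SPNameQualifier: the ID is only valid for this SP
        "eduPersonTargetedID": targeted_id,
        "time_utc": when_utc,
        "client_ip": client_ip,
        "summary": summary,
    }


def resolve_at_idp(referral, salt, users):
    """IdP side: recompute the pairwise ID for each user against the SP named
    in the referral.  A production IdP would look the value up in its
    stored-ID table; recomputing here shows why only the IdP can do this."""
    for username, source_id in users.items():
        if computed_id(referral["sp"], source_id, salt) == referral["eduPersonTargetedID"]:
            return username
    return None


if __name__ == "__main__":
    tid = computed_id(SP_WIKI, IDP_USERS["rlee"], IDP_SALT)
    ref = build_referral(tid, SP_WIKI, IDP_ENTITY_ID, "2008-11-17T14:11:05Z",
                         "192.0.2.44", "bulk download of restricted wiki pages")
    print(ref)
    print("resolved by IdP:", resolve_at_idp(ref, IDP_SALT, IDP_USERS))
```

Two operational points follow from the code: the SP must log the targeted ID together with the IdP entity ID for every session, or it has nothing to refer; and a referral quoting an ID seen at the library SP cannot be resolved against the wiki SP, so the incident record has to name the SP the ID came from.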
10 What I like about middleware
. Integrating incident response workflow with institutional IdM infrastructure
  • Leveraging campus directory services to provide more timely and accurate incident notification
  • Integrating incident response into the campus workflow applications (Remedy, RT)
. Federations
  • Policy-based management of privilege for intra- and inter-institutional applications and resources
  • Privileges may no longer be provisioned by the grad student in the chemistry department who hasn’t worked here in 5 years
  • But there remains a lot of work to get there
11 What I like about middleware
. Log correlation and data orchestration
  • There are two presentations here today specifically focusing on the value and use cases for managing these data well
  • And deriving actionable knowledge from them
. Audit trails
  • IdM systems provide a better mechanism for enumerating goodness
  • For credential provisioning and privilege management
. Additive to traditional security mechanisms
  • These tools and technologies improve operational security awareness
12 What else can we do with middleware
. Asset identification
  • Knowing what assets you are trying to protect is a precondition to properly securing them
  • Determining ownership and responsible parties facilitates incident response and remediation
  • Integrating asset identification with campus identity management lifecycles ensures continuity of responsibility
13 Themes and conclusions
. Security and middleware staff need to be engaged with IdM design and implementations
  • Working with them now may both prevent bad things and even facilitate good things
  • We are probably trying to solve some of the same problems
. Educating your user community about realigned middleware drivers is in our collective interest
  • Preventing data leakage from poorly managed applications and authorizations
14 Themes and conclusions
. Federations need to be understood in the context of operational security needs
  • How aware are security staff of current federation activities on your campus?
  • Embracing these technologies may improve our overall security posture
. Identity Management is a complementary technology to our security toolkits
  • Integrating business processes with security requirements
  • Authentication and authorization are a necessary, but not sufficient, condition for secure applications
15 Themes and conclusions
. Audit and log correlation will allow us to maintain situational awareness
  • In our increasingly complex environments
  • Additional abstraction layers are rendering many traditional detective techniques less effective
  • Orchestrating logs across systems provides visibility that many of us don’t currently have
. Privilege management
  • Assignment of authorizations places more of our data at risk of disclosure
  • A next step in incident handling
16 Themes and conclusions
. Some institutions have organized information security and identity management under a single management structure
  • Though this is limited in scope currently, this may be an emerging theme
. Business continuity is going to be dependent upon robust IdM infrastructures
. Data security and IdM are intrinsically intertwined
  • When the data breach occurs, whether the vector was an IdM failure or an Infosec failure is irrelevant.
17 Questions?