HVL/Nulli Secundus 2001 Securing e-Business Enabling Growth While Managing Risk Guy Huntington, President HVL Derek Small, President Nulli Secundus

Post on 15-Dec-2015

Page 1:

Securing e-Business

Enabling Growth While Managing Risk

Guy Huntington, President HVL

Derek Small, President Nulli Secundus

Page 2:

The High Wire Act

Managing corporate growth in an integrated global economy is like a performer doing a high wire act

– At the end of the wire are new sales and revenue opportunities enabled by offering goods and services via integrated systems, portals, wireless technology and click and mortar retailing

– Also at the end of the wire are large potential gains in efficiencies and profitability via the intranet, extranets and B2Bs

Page 3:

The High Wire Act

On each side of the wire lie high security risks associated with integrating formerly separate internal and external systems

Page 4:

A Wrong Step

A wrong step in either direction can be perilous to corporate goals and health

– Too much system integration with little security results in the potential for disastrous damage to a brand or the bottom line if the consumer perceives the company cannot be trusted with their credit and personal information

– Too much security and a company can have the security of Fort Knox at the cost of revenue and market share lost to competitors who innovate with easy to use new technologies, distribution and information systems

Page 5:

Finding the Balance

• Finding the right balance is critical

• Having the right strategy and tools to enable growth while managing risk is what this presentation is about

Page 6:

Build a Bridge Not a Wire

• You want a solid foundation for e-business, not a flimsy wire holding together your disparate systems

• To build the bridge, you need a cohesive glue enabling a flexible framework for your business objectives while managing down risk

Page 7:

The Starting Materials

• These are your many, many systems

• Includes data warehouses, NOSs, payroll, financial, ERPs, manufacturing, purchasing, HRIS, benefits, security, facilities, marketing, e-mail, contact management, CAD, portals, intranet, extranet and all the other systems that make up your company

Page 8:

The Starting Materials

• Includes integration with your business partners’ systems

• Also includes interaction with your customers via e-commerce and e-business web sites, loyalty cards and CRM based transaction and decision support systems

Page 9:

Trust is the Foundation

• Trust is the first stage in any business relationship or process

• Without it you have trouble or nothing!

• In e-business, your goal must be to achieve trust and then ensure it’s kept every step of the way between your systems without disturbing your process flows unless you mandate it to do so

Page 10:

Triple A’s

Trust is the result of successful processes in:

• Authentication

• Authorization

• Auditing

Page 11:

Knitting Together the Systems

• You need to use some form of flexible “process glue” that will mold and adjust to your systems, then integrate them to the extent you desire for authentication, authorization and auditing

• The “process glue” must harden so that it is impervious to attacks at any point along the way in your business processes and between systems

Page 12:

The Devil Is In The Details

• Once you drop down from the high level strategic goal of knitting together your systems to tactical deployment, you’ll find reality is made up of the nuances with which each of your systems work underneath the hood

Page 13:

Take Authentication

• Authentication is made up of agreeing on a method or methods of identifying you as you, then managing that identity over time

• Your many systems will likely each have their own way of identifying, storing and managing the identity

Page 14:

Authentication Challenge

• Such basics as username and password may be defined differently, allow for different syntax, store the value(s) in different formats and lengths, and change the values according to prescribed internal procedures

• How are you going to knit them together?

Page 15:

Then There’s Security…

• Since you’re binding together authentication systems, you have to be even more concerned about how identities are stored and then passed between systems

• Getting this right is critical if single sign on is to be achieved

Page 16:

Process Glue for Security

• The tools you use to bind your system must allow for different authentication methods (basic, form, certificate, biometric, smart cards and tokens)

• It must also provide for security between the devices handling authentication and authorization (e.g. using Transport Layer Security “TLS”)

Page 17:

What About Authorization?

• Some of your systems, such as the ERPs, will have their own built in authorization logic

• You may need to marry this with other systems such that the logic of one system is recognized in another

Page 18:

More Devilish Details…

• Since each system likely has its own authorization rules and logic, how do you bind them together?

• How do you define the logic in the first place so separate systems can agree on an authorization level or approval?

Page 19:

Dynamic vs. Static Content

• Another potential challenge is dealing with authorization applied to content which is being dynamically generated with different HTTP headers (e.g. a sales variance report from an ERP)

• How are your global authentication and authorization systems going to recognize the headers and determine the protection required, or that the user already has the required security levels and doesn’t need to reauthenticate?

Page 20:

Then There’s Time…

• Some resources and applications may require time based authentication and authorization procedures

• How do you create a global system that can recognize either the global or local resource time based authentication and authorization requirements?

Page 21:

What About Auditing?

• Auditing is important not only to ensure trust but also to use in some instances for marketing or usability processes, to see if a resource, application or web page is optimized for usage and by whom it’s being used

• It’s critical for security to be able to go back and follow the audit trail of a potential security lapse or breach

Page 22:

Auditing

• Your “process glue” needs to give you the flexibility to audit extensively for some resources and applications, while using more general audit procedures for others

• The audit information needs to be integratable with other audit information from, say, the NOSs, firewalls, etc.

Page 23:

Granularity

• Some resources and applications will require unique and stringent authentication, authorization and auditing requirements (e.g. accessing the formula for Coke or Pepsi)

• Others may require allowing only specific individuals or groups to view, access or modify a resource (e.g. car dealers on an automotive extranet can only view their own information)

Page 24:

Granularity

• The “process glue” must allow you to match authentication, authorization and auditing requirements to global or specific resource levels

• Your many systems must have ways of agreeing to this or being passed enough information from one system to act on their own without causing reauthentication and reauthorization unless desired

Page 25:

Management

• Managing potentially millions, hundreds of thousands or thousands of users is not trivial

• It requires the ability to delegate portions of the identity and authorization administration down to whatever level makes sense (including potential end user self management if desired)

• Your “process glue” must give you a delegate-able management system

Page 26:

Scalability

• It’s also just as important that the “process glue” you use to bind your systems and build your bridge can scale quickly and easily with no loss of performance

• It needs to work with disparate systems and competing vendors in NOSs, directories, portals and other system platforms

Page 27:

So What’s This “Process Glue”?

• Without the right tool, integrating and building trust between your disparate systems can be a very trying, expensive and time consuming exercise

• Building their own tool is not something most enterprises can, want or have the expertise to do on their own

Page 28:

Oblix NetPoint & Publisher!

• Oblix manufactures infrastructure software providing the “process glue” you need to secure your e-business

• It enables your bridge of trust to be built, maintained and scaled between disparate systems

Page 29:

NetPoint & Authentication

• Allows you to use and choose whatever authentication schemes you desire (basic, certificate, form, tokens, smart cards, biometric and two factor authentication)

• Provides built in plugins for common NOSs

Page 30:

NetPoint and Identities

• Oblix is LDAP aware

• This means it works with directories to provide a standard interface for identity management between your disparate systems

• Allows you to control view, modify and notify privileges for each identity attribute

Page 31:

Oblix and Identities

• NetPoint identity management provides you with the tools to delegate identity management to whatever level(s) you deem appropriate

• Publisher enables you to display org charts and use it for identity based lookups on your intranet and extranets

Page 32:

NetPoint and Single Sign On

• NetPoint provides you with the tools to create SSO within a domain, across domains and across applications

• Provides the tools to choose a variety of post authentication and/or post authorization actions for passing on information between disparate systems

• Works with portals, NOSs and ERPs

Page 33:

NetPoint & Authorization

• Authorization can be done within NetPoint using directory based rules, groups, roles or specific individuals

• Gives you the tools to pass or take authorization from other systems such as the ERP or HRIS

• Can delegate authorization management to whatever level(s) you deem appropriate

Page 34:

NetPoint and Granularity

• Gives you the tools to mix and match authentication, authorization and auditing granularity levels

• Easy to define exceptions for specific resources and applications while using larger granularity rules for general access

Page 35:

NetPoint & Time Based Access

• Easy to define time based access for certain resources and applications

• Use GMT or local server time for defining access requirements

Page 36:

NetPoint & Auditing

• Provides flexible auditing rule definitions

• Offers detailed auditing actions for specific resources and applications while using more generic auditing rules for others

• Integrates audit files with other applications

Page 37:

NetPoint & Security

• Flexible security allows you to choose Transport Layer Security and Cert Modes

• Uses hashes and encryption of cookies where cookies are used

• Stores hashes of passwords in the directory
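As an added illustration, not Oblix or NetPoint code and not part of the deck, of two mechanisms the slides name: an SSO cookie whose integrity is protected by a keyed hash and that carries an expiry (Page 37), and a time-based access rule evaluated in GMT so every server reaches the same decision (Page 35). The signing key, user names and cookie layout are constructed for this example.

```python
import base64
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

SECRET = b"example-sso-signing-key-not-for-production"  # constructed; provision a real key out of band


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_cookie(user: str, issued: datetime, ttl_s: int = 900) -> str:
    """Serialize the claims and append an HMAC so a peer system can trust them."""
    exp = int((issued + timedelta(seconds=ttl_s)).timestamp())
    claims = {"sub": user, "iat": int(issued.timestamp()), "exp": exp}
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    tag = hmac.new(SECRET, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(tag)}"


def verify_cookie(cookie: str, now: datetime) -> "dict | None":
    """Return the claims if the tag matches and the cookie is unexpired, else None."""
    try:
        body, tag = cookie.split(".", 1)
        given = _unb64(tag)
    except ValueError:  # no separator or undecodable tag
        return None
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given):  # constant-time comparison
        return None
    claims = json.loads(_unb64(body))  # parsed only once the tag is trusted
    return claims if int(now.timestamp()) < claims["exp"] else None


def allowed_in_window(now: datetime, start_h: int, end_h: int) -> bool:
    """Rule authored in GMT: convert to UTC before comparing the hour."""
    hour = now.astimezone(timezone.utc).hour
    return start_h <= hour < end_h


def demo() -> dict:
    """Mint one cookie and exercise the checks; returns each outcome."""
    issued = datetime(2001, 6, 1, 17, 30, tzinfo=timezone.utc)
    cookie = mint_cookie("dealer42", issued)
    body, tag = cookie.split(".")
    claims = json.loads(_unb64(body))
    claims["sub"] = "dealer99"  # forgery attempt: new subject, original tag
    forged = _b64(json.dumps(claims, separators=(",", ":")).encode()) + "." + tag
    # 09:30 at UTC-8 is 17:30 GMT, inside an "08:00-18:00 GMT" window.
    local = datetime(2001, 6, 1, 9, 30, tzinfo=timezone(timedelta(hours=-8)))
    return {
        "valid": verify_cookie(cookie, issued)["sub"],
        "forged": verify_cookie(forged, issued),
        "expired": verify_cookie(cookie, issued + timedelta(seconds=901)),
        "malformed": verify_cookie("no-separator", issued),
        "in_window": allowed_in_window(local, 8, 18),
        "after_window": allowed_in_window(local + timedelta(hours=1), 8, 18),
    }
```

Because the tag covers the serialized claims, neither the subject nor the expiry can be altered by a peer that lacks the key; the HMAC is the "hash of the cookie" the slide refers to, and encryption would be layered on top only if the claims themselves must stay confidential.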

Page 38:

NetPoint & Lost Passwords

• Lost passwords represent a large operating cost for help desks

• Oblix provides lost password management functions to significantly reduce operating overhead and lost productivity time for the end user

Page 39:

NetPoint & Scalability

• Interfaces with a variety of NOS, web, directory, portal and ERP application servers

• Built for fast authentication and authorization performance with little impact on your business processes

• Provides replication and failover schemes

• Scales quickly

Page 40:

Profits and Risk

• Oblix provides the flexibility you need to maneuver in the marketplace while at the same time optimizing and integrating your internal and B2B systems

• It allows you to maximize opportunity while minimizing risk

• Can be deployed quickly with scalability and easy to use interfaces

Page 41:

The Benefits of Oblix

• Enable growth

• Reduce risk

• Increase profitability

• Manage large numbers of users

• Move quickly with confidence

Page 42:

I’d Like To Learn More About How to Use Oblix to Secure My E-Business!

Guy Huntington, HVL: [email protected]

Derek Small, Nulli Secundus: [email protected]