information security and webfocus

Information Security and

WebFOCUS

Penny J Lester

SVP Delivery Services

August 22, 2008

Authentication

• “Authentication (from Greek αυθεντικός; real or genuine, from authentes; author) is the act of establishing or confirming something (or someone) as authentic, that is, that claims made by or about the thing are true. “

Authorization

• “Authorization (deciding whether to grant access) is a separate concept to authentication (verifying identity), and usually dependent on it.”

www.google.com/a/security

• Google surveyed 575 IT professionals

•

•

Information Security

• A layered approach to authentication and authorization (auth/auth)– Physical– Network– Operating System (OS)– RDBMS– Application

Physical Security

• Secure the hardware– Active Reports

• Secure the server room

• Secure your passwords– Do not share it– Do not write it down

Network Security

Network Security

• Implement a single sign on (SSO) in a Windows network– Update the client odin.cfg

Network Security

• Implement a single sign on (SSO) in a Windows network– Update site.wfs

Network Security

• Implement a single sign on (SSO) in a Windows network– site.wfs

(cont.)

Operating System Security


• Five authentication options

– OPSYS– PTH– DBMS– LDAP – OFF


• OPSYS – Authentication against OS– Authorization based on OS IDs

• Administrators have full access to web console• OS ID impersonated to run reports


• OPSYS – PLester57 is not an Administrator


• OPSYS – Penny is the Administrator


• OPSYS – authenticate ID to OS, not an Administrator


• OPSYS – authenticate ID to OS, is an Administrator


• OPSYS – authenticate ID to OS, is invalid


• PTH – Authentication against admin.cfg – Authorization

• if ID is in admin.cfg can access WebFOCUS Web Console and run reports

• if not can only run reports


• PTH – Configured 1 administrator


• PTH – Penny is administrator ID


• PTH – ID “admin” is not administrator


• PTH – ID “Penny” unrestricted access

• PTH – ID “admin” restricted access


• DBMS – Authentication against Database vs. the OS– Authorization

• if ID is in the DBMS can run reports • if ID is not in the DBMS cannot run reports

Note: the ID’s must be set up in the DBMS to use SQL authentication vs. Windows authentication


• DBMS – RDBMS must be up!


• DBMS – Notice no IWA


• DBMS Authentication – Penny

• Windows


• DBMS Penny IWA


• DBMS Authentication – SQLUser

• SQL Server


• DBMS SQLUser SQL Server


• LDAP– Authentication against LDAP file– Authorization

• if ID is in the LDAP file(s) can run reports • if ID is not in the LDAP file(s) cannot run reports


• LDAP


• LDAP – Microsoft Active Directory


• OFF – Danger!!

• “badID” can do anything the administrator ID that started the server can do!!

Database Security

• DBMS can be used for Authentication

Database Security

• Data Adapter – Explicit

Database Security

• Data Adapter – Explicit, invalid ID/pwd

Database Security

• Data Adapter – Password Passthru

Database Security

• Data Adapter – Trusted

Application Security

• Managed Reporting Environment


• Managed Reporting Environment– Authentication


• Managed Reporting Environment– Authorization


• Managed Reporting Environment– Analytical User


• Managed Reporting Environment– Content Manager

Summary

• A layered approach to authentication and authorization (auth/auth)– Physical– Network– Operating System (OS)– RDBMS– Application

• WebFOCUS hits four out of five!

Questions?

Thank you!!

information security and webfocus

Documents

web consoleos id

sql authentication

single sign

os idsadministrators

windows networkupdate

cfgnetwork securityimplement

ldap files

server roomsecure