SlideShare una empresa de Scribd logo

Fine grained authorization for Web Services

CA API Management
CA API Management

This document discusses fine-grained authorization for web services. It begins by explaining the difference between fine-grained and coarse-grained authorization, and the challenges of implementing fine-grained authorization. It then discusses how to leverage existing identity infrastructure and use policy enforcement intermediaries to enforce entitlement policies. The document provides examples of how conditions can be used for fine-grained authorization requests. It also summarizes the Layer 7 SecureSpan solution, which uses a Policy Decision Point and Policy Enforcement Point to intercept requests and make authorization decisions based on policies.

TecnologíaEmpresariales
1 de 22
Descargar para leer sin conexión
Fine grained authorization for Web Services Jonathan Gershater Solution Architect http://www.layer7tech.com
What you will learn in this session? 1. The difference between fine grained and coarse grained authorization 2. The challenge with implementing fine grained authorization in service based architectures 3. How to leverage existing identity infrastructure for entitlements management 4. How to use policy enforcement intermediaries to enforce entitlement preferences March 2008
Traditional enterprise Independent applications with their own access control, mechanisms and authorization policies. March 2008
Traditional enterprise security Protected by •A gate-keeper firewall primarily offering network level TCP/IP protection. •URL only protection using agent based SSO solutions. March 2008
The New Enterprise:SaaS, Web2.0, Legacy The challenge: •Mixed application and integration environment •Diverse credential requirements •Existing SSP and user directories •No centralized policy control and audit. • Services requiring fine grained authorization. March 2008
SaaS, Web2.0, Integrated enterprise March 2008
SaaS, Web2.0, Integrated enterprise March 2008
WebServices authentication: The Many-To-Many Problem Tokens  Transport (HTTP hdr, Request x509, etc…)  Message (UTP, x509,…) Web Services Authentication  LDAP Directory  Proprietary IAM …  Certificate Servers (OCSP, CRLs, etc)  etc…
Complexity grows! Multi-platform, multi-development environment –.NET, J2EE Frameworks, other •Support Mobile users / disconnected applications •Support conditional expressions for authorization *Use existing authentication sources March 2008
Quick review of AAA •Authentication – who are you? •Authorization – what can you do? •Auditing – who did what? March 2008
What is coarse versus fine grained authorization? What is authorization? The difference between coarse grained authorization (static)  By job role  By IT defined role  By group membership and fine grained authorization (dynamic)  By transaction type  By time of day or day of week March 2008
Sample fine grained AZ request Stock quote can be anonymous Stock purchase during trading hours must be: •Authenticated •over SSL •working hours •not from suspect network (user=Name_of_Stockbroker) AND (SSL=TRUE) AND ((hour > 6am) AND (hour < 1pm)) AND (ip_address_segment != 155.154.133.0) March 2008
Solution Policy Decision Point (PDP) that intercepts and examines XML packets at the application layer: • Identifies service endpoint • Authenticates requester with support for diverse credential types • Integration with diverse SSO, Federation and user directories • Performs fine-grained authorization of of an operation within a service • Credential chaining and translation • SAML issuing for downstream consistency March 2008
Policy Decision Points (PDP) March 2008
Also...SAMLP query to Policy Decision Point (PDP) March 2008
Other solutions – an XCAML query Policy EnforcementPoint (PEP) makes an XACML query to a PolicyDecisionPoint (PDP). •PEP executes XACMLAuthzDecisionQuery •PDP returns XACMLAuthzDecisionStatement March 2008
Policy Enforcement Point makes an XCAML query March 2008
Layer 7 solution for fine grained authorization Policy Decision Point (PDP): •Highly available / clustered. • Integrates with several of Web SingleSignOn and PolicyDecisionPoint sources. •Supports any information store: Databases, or SecureTokenServices. • Generates appropriate SAML assertion to make authorization decisions. March 2008
Appliance, software or virtual machine solution Message level intermediary between services and requesters Internal Application Consumers External Application Services Consumers March 2008
Layer 7 SecureSpan Gateway Runtime Governance - Policy Enforcement Point PEP validates policy compliance and applies security decorations Security requirements defined by an administrator. Policies become effective independently of the actual services. Services March 2008
SecureSpan Solution Advantages, Differentiators Sophisticated policy language enables complex governance requirements Available as hardware appliance with XML accelerator or as software Quick deployment, ease of use Extensible through APIs Instant policy application (no service downtime) Standard based Industry leadership March 2008
Thanks and questions Jonathan Gershater jg@layer7tech.com http://www.layer7tech.com http://layer7blog.blogspot.com/ March 2008

Recomendados

BSA
BSABSA
BSABladelogic Server Automation Training
 
Federated Identity Architectures Integrating With The Cloud
Federated Identity Architectures Integrating With The CloudFederated Identity Architectures Integrating With The Cloud
Federated Identity Architectures Integrating With The Cloudrsnarayanan
 
Getting Cloud Architecture Right the First Time Ver 2
Getting Cloud Architecture Right the First Time Ver 2Getting Cloud Architecture Right the First Time Ver 2
Getting Cloud Architecture Right the First Time Ver 2David Linthicum
 
Cloud design patterns - Federated Identity & Gatekeeper
Cloud design patterns - Federated Identity & GatekeeperCloud design patterns - Federated Identity & Gatekeeper
Cloud design patterns - Federated Identity & GatekeeperRoger Chien
 
vBrownbag EMEA VCAP6-DCV Design Objcetive 2.7 on Security in Logical Designs
vBrownbag EMEA VCAP6-DCV Design Objcetive 2.7 on Security in Logical DesignsvBrownbag EMEA VCAP6-DCV Design Objcetive 2.7 on Security in Logical Designs
vBrownbag EMEA VCAP6-DCV Design Objcetive 2.7 on Security in Logical DesignsLarus Hjartarson
 
So you’ve successfully installed SCOM… Now what.
So you’ve successfully installed SCOM… Now what.So you’ve successfully installed SCOM… Now what.
So you’ve successfully installed SCOM… Now what.Microsoft TechNet - Belgium and Luxembourg
 
Enterprise Edge Security with Cisco ISE
Enterprise Edge Security with Cisco ISEEnterprise Edge Security with Cisco ISE
Enterprise Edge Security with Cisco ISEFast Lane Consulting and Education, Inc.
 
Data Power For Pci Webinar Aug 2012
Data Power For Pci Webinar Aug 2012Data Power For Pci Webinar Aug 2012
Data Power For Pci Webinar Aug 2012gaborvodics
 

Recomendados

BSA
BSABSA
BSABladelogic Server Automation Training
 
Federated Identity Architectures Integrating With The Cloud
Federated Identity Architectures Integrating With The CloudFederated Identity Architectures Integrating With The Cloud
Federated Identity Architectures Integrating With The Cloudrsnarayanan
 
Getting Cloud Architecture Right the First Time Ver 2
Getting Cloud Architecture Right the First Time Ver 2Getting Cloud Architecture Right the First Time Ver 2
Getting Cloud Architecture Right the First Time Ver 2David Linthicum
 
Cloud design patterns - Federated Identity & Gatekeeper
Cloud design patterns - Federated Identity & GatekeeperCloud design patterns - Federated Identity & Gatekeeper
Cloud design patterns - Federated Identity & GatekeeperRoger Chien
 
vBrownbag EMEA VCAP6-DCV Design Objcetive 2.7 on Security in Logical Designs
vBrownbag EMEA VCAP6-DCV Design Objcetive 2.7 on Security in Logical DesignsvBrownbag EMEA VCAP6-DCV Design Objcetive 2.7 on Security in Logical Designs
vBrownbag EMEA VCAP6-DCV Design Objcetive 2.7 on Security in Logical DesignsLarus Hjartarson
 
So you’ve successfully installed SCOM… Now what.
So you’ve successfully installed SCOM… Now what.So you’ve successfully installed SCOM… Now what.
So you’ve successfully installed SCOM… Now what.Microsoft TechNet - Belgium and Luxembourg
 
Enterprise Edge Security with Cisco ISE
Enterprise Edge Security with Cisco ISEEnterprise Edge Security with Cisco ISE
Enterprise Edge Security with Cisco ISEFast Lane Consulting and Education, Inc.
 
Data Power For Pci Webinar Aug 2012
Data Power For Pci Webinar Aug 2012Data Power For Pci Webinar Aug 2012
Data Power For Pci Webinar Aug 2012gaborvodics
 
Design Pattern for Oracle Identity Provisioning
Design Pattern for Oracle Identity ProvisioningDesign Pattern for Oracle Identity Provisioning
Design Pattern for Oracle Identity ProvisioningMike Reams
 
Services @ vfm
Services @ vfmServices @ vfm
Services @ vfmvfmindia
 
Sem cis ise
Sem cis iseSem cis ise
Sem cis iseLino Quivén
 
G6 independent certification for CSP v3
G6 independent certification for CSP v3G6 independent certification for CSP v3
G6 independent certification for CSP v3Ummey Humayra
 
S102 cics the future is closer abridged
S102 cics the future is closer abridgedS102 cics the future is closer abridged
S102 cics the future is closer abridgednick_garrod
 
1251 service visibility and management with wsrr
1251 service visibility and management with wsrr1251 service visibility and management with wsrr
1251 service visibility and management with wsrrNick Butler
 
Security Patterns with the WSO2 ESB
Security Patterns with the WSO2 ESBSecurity Patterns with the WSO2 ESB
Security Patterns with the WSO2 ESBWSO2
 
Data power v7 update - Ravi Katikala
Data power v7 update - Ravi KatikalaData power v7 update - Ravi Katikala
Data power v7 update - Ravi Katikalafloridawusergroup
 
Service Delivery Network
Service Delivery NetworkService Delivery Network
Service Delivery NetworkFrancesco Chicchiriccò
 
VMworld 2013: VMware Compliance Reference Architecture Framework Overview
VMworld 2013: VMware Compliance Reference Architecture Framework Overview VMworld 2013: VMware Compliance Reference Architecture Framework Overview
VMworld 2013: VMware Compliance Reference Architecture Framework Overview VMworld
 
1200 wsrr & iib - advanced integration - final
1200 wsrr & iib - advanced integration - final1200 wsrr & iib - advanced integration - final
1200 wsrr & iib - advanced integration - finalsmithson.martin
 
Web Api services using IBM Datapower
Web Api services using IBM DatapowerWeb Api services using IBM Datapower
Web Api services using IBM DatapowerSigortam.net
 
Building Event Driven Systems
Building Event Driven SystemsBuilding Event Driven Systems
Building Event Driven SystemsWSO2
 
Compliance
ComplianceCompliance
ComplianceNetBR
 
Building Web-Based Line-of-Business Applications on the Microsoft Dynamics Li...
Building Web-Based Line-of-Business Applications on the Microsoft Dynamics Li...Building Web-Based Line-of-Business Applications on the Microsoft Dynamics Li...
Building Web-Based Line-of-Business Applications on the Microsoft Dynamics Li...goodfriday
 
Service Delivery Networking for Next-Gen Infrastructures
Service Delivery Networking for Next-Gen InfrastructuresService Delivery Networking for Next-Gen Infrastructures
Service Delivery Networking for Next-Gen InfrastructuresF5 Networks
 
CISCO ACS 5.6 Migration Guide
CISCO ACS 5.6 Migration GuideCISCO ACS 5.6 Migration Guide
CISCO ACS 5.6 Migration GuidePCCW GLOBAL
 
Gigamon Pervasive Visibility into SDDC/NSX Deployments
Gigamon Pervasive Visibility into SDDC/NSX DeploymentsGigamon Pervasive Visibility into SDDC/NSX Deployments
Gigamon Pervasive Visibility into SDDC/NSX DeploymentsAngel Villar Garea
 
Windows Server 2008 Security Overview Short
Windows Server 2008 Security Overview ShortWindows Server 2008 Security Overview Short
Windows Server 2008 Security Overview ShortEduardo Castro
 
Windows Server 2008 Security Overview Short
Windows Server 2008 Security Overview ShortWindows Server 2008 Security Overview Short
Windows Server 2008 Security Overview ShortEduardo Castro
 
Ibm cloud forum managing heterogenousclouds_final
Ibm cloud forum managing heterogenousclouds_finalIbm cloud forum managing heterogenousclouds_final
Ibm cloud forum managing heterogenousclouds_finalMauricio Godoy
 
gkkCloudtechnologyassociate(cta)day 2
gkkCloudtechnologyassociate(cta)day 2gkkCloudtechnologyassociate(cta)day 2
gkkCloudtechnologyassociate(cta)day 2Anne Starr
 

Más contenido relacionado

La actualidad más candente

Design Pattern for Oracle Identity Provisioning
Design Pattern for Oracle Identity ProvisioningDesign Pattern for Oracle Identity Provisioning
Design Pattern for Oracle Identity ProvisioningMike Reams
 
Services @ vfm
Services @ vfmServices @ vfm
Services @ vfmvfmindia
 
G6 independent certification for CSP v3
G6 independent certification for CSP v3G6 independent certification for CSP v3
G6 independent certification for CSP v3Ummey Humayra
 
S102 cics the future is closer abridged
S102 cics the future is closer abridgedS102 cics the future is closer abridged
S102 cics the future is closer abridgednick_garrod
 
1251 service visibility and management with wsrr
1251 service visibility and management with wsrr1251 service visibility and management with wsrr
1251 service visibility and management with wsrrNick Butler
 
Security Patterns with the WSO2 ESB
Security Patterns with the WSO2 ESBSecurity Patterns with the WSO2 ESB
Security Patterns with the WSO2 ESBWSO2
 
Data power v7 update - Ravi Katikala
Data power v7 update - Ravi KatikalaData power v7 update - Ravi Katikala
Data power v7 update - Ravi Katikalafloridawusergroup
 
VMworld 2013: VMware Compliance Reference Architecture Framework Overview
VMworld 2013: VMware Compliance Reference Architecture Framework Overview VMworld 2013: VMware Compliance Reference Architecture Framework Overview
VMworld 2013: VMware Compliance Reference Architecture Framework Overview VMworld
 
1200 wsrr & iib - advanced integration - final
1200 wsrr & iib - advanced integration - final1200 wsrr & iib - advanced integration - final
1200 wsrr & iib - advanced integration - finalsmithson.martin
 
Web Api services using IBM Datapower
Web Api services using IBM DatapowerWeb Api services using IBM Datapower
Web Api services using IBM DatapowerSigortam.net
 
Building Event Driven Systems
Building Event Driven SystemsBuilding Event Driven Systems
Building Event Driven SystemsWSO2
 
Compliance
ComplianceCompliance
ComplianceNetBR
 
Building Web-Based Line-of-Business Applications on the Microsoft Dynamics Li...
Building Web-Based Line-of-Business Applications on the Microsoft Dynamics Li...Building Web-Based Line-of-Business Applications on the Microsoft Dynamics Li...
Building Web-Based Line-of-Business Applications on the Microsoft Dynamics Li...goodfriday
 
Service Delivery Networking for Next-Gen Infrastructures
Service Delivery Networking for Next-Gen InfrastructuresService Delivery Networking for Next-Gen Infrastructures
Service Delivery Networking for Next-Gen InfrastructuresF5 Networks
 
CISCO ACS 5.6 Migration Guide
CISCO ACS 5.6 Migration GuideCISCO ACS 5.6 Migration Guide
CISCO ACS 5.6 Migration GuidePCCW GLOBAL
 
Gigamon Pervasive Visibility into SDDC/NSX Deployments
Gigamon Pervasive Visibility into SDDC/NSX DeploymentsGigamon Pervasive Visibility into SDDC/NSX Deployments
Gigamon Pervasive Visibility into SDDC/NSX DeploymentsAngel Villar Garea
 

La actualidad más candente (18)

Design Pattern for Oracle Identity Provisioning
Design Pattern for Oracle Identity ProvisioningDesign Pattern for Oracle Identity Provisioning
Design Pattern for Oracle Identity Provisioning
 
Services @ vfm
Services @ vfmServices @ vfm
Services @ vfm
 
Sem cis ise
Sem cis iseSem cis ise
Sem cis ise
 
G6 independent certification for CSP v3
G6 independent certification for CSP v3G6 independent certification for CSP v3
G6 independent certification for CSP v3
 
S102 cics the future is closer abridged
S102 cics the future is closer abridgedS102 cics the future is closer abridged
S102 cics the future is closer abridged
 
1251 service visibility and management with wsrr
1251 service visibility and management with wsrr1251 service visibility and management with wsrr
1251 service visibility and management with wsrr
 
Security Patterns with the WSO2 ESB
Security Patterns with the WSO2 ESBSecurity Patterns with the WSO2 ESB
Security Patterns with the WSO2 ESB
 
Data power v7 update - Ravi Katikala
Data power v7 update - Ravi KatikalaData power v7 update - Ravi Katikala
Data power v7 update - Ravi Katikala
 
Service Delivery Network
Service Delivery NetworkService Delivery Network
Service Delivery Network
 
VMworld 2013: VMware Compliance Reference Architecture Framework Overview
VMworld 2013: VMware Compliance Reference Architecture Framework Overview VMworld 2013: VMware Compliance Reference Architecture Framework Overview
VMworld 2013: VMware Compliance Reference Architecture Framework Overview
 
1200 wsrr & iib - advanced integration - final
1200 wsrr & iib - advanced integration - final1200 wsrr & iib - advanced integration - final
1200 wsrr & iib - advanced integration - final
 
Web Api services using IBM Datapower
Web Api services using IBM DatapowerWeb Api services using IBM Datapower
Web Api services using IBM Datapower
 
Building Event Driven Systems
Building Event Driven SystemsBuilding Event Driven Systems
Building Event Driven Systems
 
Compliance
ComplianceCompliance
Compliance
 
Building Web-Based Line-of-Business Applications on the Microsoft Dynamics Li...
Building Web-Based Line-of-Business Applications on the Microsoft Dynamics Li...Building Web-Based Line-of-Business Applications on the Microsoft Dynamics Li...
Building Web-Based Line-of-Business Applications on the Microsoft Dynamics Li...
 
Service Delivery Networking for Next-Gen Infrastructures
Service Delivery Networking for Next-Gen InfrastructuresService Delivery Networking for Next-Gen Infrastructures
Service Delivery Networking for Next-Gen Infrastructures
 
CISCO ACS 5.6 Migration Guide
CISCO ACS 5.6 Migration GuideCISCO ACS 5.6 Migration Guide
CISCO ACS 5.6 Migration Guide
 
Gigamon Pervasive Visibility into SDDC/NSX Deployments
Gigamon Pervasive Visibility into SDDC/NSX DeploymentsGigamon Pervasive Visibility into SDDC/NSX Deployments
Gigamon Pervasive Visibility into SDDC/NSX Deployments
 

Similar a Fine grained authorization for Web Services

Windows Server 2008 Security Overview Short
Windows Server 2008 Security Overview ShortWindows Server 2008 Security Overview Short
Windows Server 2008 Security Overview ShortEduardo Castro
 
Windows Server 2008 Security Overview Short
Windows Server 2008 Security Overview ShortWindows Server 2008 Security Overview Short
Windows Server 2008 Security Overview ShortEduardo Castro
 
Ibm cloud forum managing heterogenousclouds_final
Ibm cloud forum managing heterogenousclouds_finalIbm cloud forum managing heterogenousclouds_final
Ibm cloud forum managing heterogenousclouds_finalMauricio Godoy
 
gkkCloudtechnologyassociate(cta)day 2
gkkCloudtechnologyassociate(cta)day 2gkkCloudtechnologyassociate(cta)day 2
gkkCloudtechnologyassociate(cta)day 2Anne Starr
 
Iam suite introduction
Iam suite introductionIam suite introduction
Iam suite introductionwardell henley
 
Blockchain solution architecture deliverable
Blockchain solution architecture deliverableBlockchain solution architecture deliverable
Blockchain solution architecture deliverableSarmad Ibrahim
 
From Cisco ACS to ISE
From Cisco ACS to ISE From Cisco ACS to ISE
From Cisco ACS to ISE Mahzad Zahedi
 
PayPal Decision Management Architecture
PayPal Decision Management ArchitecturePayPal Decision Management Architecture
PayPal Decision Management ArchitecturePradeep Ballal
 
Cloud Security Standards: What to Expect and What to Negotiate V2.0
Cloud Security Standards: What to Expect and What to Negotiate V2.0Cloud Security Standards: What to Expect and What to Negotiate V2.0
Cloud Security Standards: What to Expect and What to Negotiate V2.0Cloud Standards Customer Council
 
Latest Developments in Cloud Security Standards and Privacy
Latest Developments in Cloud Security Standards and PrivacyLatest Developments in Cloud Security Standards and Privacy
Latest Developments in Cloud Security Standards and PrivacyCloud Standards Customer Council
 
Governance 2.0: A New Look at SOA Governance in The Age of Cloud and Mobile
Governance 2.0: A New Look at SOA Governance in The Age of Cloud and MobileGovernance 2.0: A New Look at SOA Governance in The Age of Cloud and Mobile
Governance 2.0: A New Look at SOA Governance in The Age of Cloud and MobileCA API Management
 
Micro segmentation and zero trust for security and compliance - Guardicore an...
Micro segmentation and zero trust for security and compliance - Guardicore an...Micro segmentation and zero trust for security and compliance - Guardicore an...
Micro segmentation and zero trust for security and compliance - Guardicore an...YouAttestSlideshare
 
Bright talk mapping the right aut solution for you 2014 final (1)
Bright talk mapping the right aut solution for you 2014 final (1)Bright talk mapping the right aut solution for you 2014 final (1)
Bright talk mapping the right aut solution for you 2014 final (1)Sectricity
 
Webinar-GBA Episode 7-Managing blockchain infrastructure for enterprise-grade...
Webinar-GBA Episode 7-Managing blockchain infrastructure for enterprise-grade...Webinar-GBA Episode 7-Managing blockchain infrastructure for enterprise-grade...
Webinar-GBA Episode 7-Managing blockchain infrastructure for enterprise-grade...Zeeve
 
Hyperledger Austin meetup July 10, 2018
Hyperledger Austin meetup July 10, 2018Hyperledger Austin meetup July 10, 2018
Hyperledger Austin meetup July 10, 2018Oracle Developers
 
Oracle - Hyperledger Silicon Valley meetup, June 20, 2018
Oracle - Hyperledger Silicon Valley meetup, June 20, 2018Oracle - Hyperledger Silicon Valley meetup, June 20, 2018
Oracle - Hyperledger Silicon Valley meetup, June 20, 2018Oracle Developers
 
How much does it cost to be Secure?
How much does it cost to be Secure?How much does it cost to be Secure?
How much does it cost to be Secure?mbmobile
 

Similar a Fine grained authorization for Web Services (20)

Windows Server 2008 Security Overview Short
Windows Server 2008 Security Overview ShortWindows Server 2008 Security Overview Short
Windows Server 2008 Security Overview Short
 
Windows Server 2008 Security Overview Short
Windows Server 2008 Security Overview ShortWindows Server 2008 Security Overview Short
Windows Server 2008 Security Overview Short
 
Ibm cloud forum managing heterogenousclouds_final
Ibm cloud forum managing heterogenousclouds_finalIbm cloud forum managing heterogenousclouds_final
Ibm cloud forum managing heterogenousclouds_final
 
gkkCloudtechnologyassociate(cta)day 2
gkkCloudtechnologyassociate(cta)day 2gkkCloudtechnologyassociate(cta)day 2
gkkCloudtechnologyassociate(cta)day 2
 
ClearPass Policy Model - An Introduction
ClearPass Policy Model - An IntroductionClearPass Policy Model - An Introduction
ClearPass Policy Model - An Introduction
 
Iam suite introduction
Iam suite introductionIam suite introduction
Iam suite introduction
 
Blockchain solution architecture deliverable
Blockchain solution architecture deliverableBlockchain solution architecture deliverable
Blockchain solution architecture deliverable
 
From Cisco ACS to ISE
From Cisco ACS to ISE From Cisco ACS to ISE
From Cisco ACS to ISE
 
PayPal Decision Management Architecture
PayPal Decision Management ArchitecturePayPal Decision Management Architecture
PayPal Decision Management Architecture
 
Cloud Security Standards: What to Expect and What to Negotiate V2.0
Cloud Security Standards: What to Expect and What to Negotiate V2.0Cloud Security Standards: What to Expect and What to Negotiate V2.0
Cloud Security Standards: What to Expect and What to Negotiate V2.0
 
Latest Developments in Cloud Security Standards and Privacy
Latest Developments in Cloud Security Standards and PrivacyLatest Developments in Cloud Security Standards and Privacy
Latest Developments in Cloud Security Standards and Privacy
 
Governance 2.0: A New Look at SOA Governance in The Age of Cloud and Mobile
Governance 2.0: A New Look at SOA Governance in The Age of Cloud and MobileGovernance 2.0: A New Look at SOA Governance in The Age of Cloud and Mobile
Governance 2.0: A New Look at SOA Governance in The Age of Cloud and Mobile
 
652.ppt
652.ppt652.ppt
652.ppt
 
Micro segmentation and zero trust for security and compliance - Guardicore an...
Micro segmentation and zero trust for security and compliance - Guardicore an...Micro segmentation and zero trust for security and compliance - Guardicore an...
Micro segmentation and zero trust for security and compliance - Guardicore an...
 
Bright talk mapping the right aut solution for you 2014 final (1)
Bright talk mapping the right aut solution for you 2014 final (1)Bright talk mapping the right aut solution for you 2014 final (1)
Bright talk mapping the right aut solution for you 2014 final (1)
 
OCS LIA
OCS LIAOCS LIA
OCS LIA
 
Webinar-GBA Episode 7-Managing blockchain infrastructure for enterprise-grade...
Webinar-GBA Episode 7-Managing blockchain infrastructure for enterprise-grade...Webinar-GBA Episode 7-Managing blockchain infrastructure for enterprise-grade...
Webinar-GBA Episode 7-Managing blockchain infrastructure for enterprise-grade...
 
Hyperledger Austin meetup July 10, 2018
Hyperledger Austin meetup July 10, 2018Hyperledger Austin meetup July 10, 2018
Hyperledger Austin meetup July 10, 2018
 
Oracle - Hyperledger Silicon Valley meetup, June 20, 2018
Oracle - Hyperledger Silicon Valley meetup, June 20, 2018Oracle - Hyperledger Silicon Valley meetup, June 20, 2018
Oracle - Hyperledger Silicon Valley meetup, June 20, 2018
 
How much does it cost to be Secure?
How much does it cost to be Secure?How much does it cost to be Secure?
How much does it cost to be Secure?
 

Más de CA API Management

Api architectures for the modern enterprise
Api architectures for the modern enterpriseApi architectures for the modern enterprise
Api architectures for the modern enterpriseCA API Management
 
Mastering Digital Channels with APIs
Mastering Digital Channels with APIsMastering Digital Channels with APIs
Mastering Digital Channels with APIsCA API Management
 
Takeaways from API Security Breaches Webinar
Takeaways from API Security Breaches WebinarTakeaways from API Security Breaches Webinar
Takeaways from API Security Breaches WebinarCA API Management
 
API Design Methodology - Mike Amundsen, Director of API Architecture, API Aca...
API Design Methodology - Mike Amundsen, Director of API Architecture, API Aca...API Design Methodology - Mike Amundsen, Director of API Architecture, API Aca...
API Design Methodology - Mike Amundsen, Director of API Architecture, API Aca...CA API Management
 
Liberating the API Economy with Scale-Free Networks - Mike Amundsen, Director...
Liberating the API Economy with Scale-Free Networks - Mike Amundsen, Director...Liberating the API Economy with Scale-Free Networks - Mike Amundsen, Director...
Liberating the API Economy with Scale-Free Networks - Mike Amundsen, Director...CA API Management
 
API360 – A How-To Guide for Enterprise APIs - Learn how to position your ente...
API360 – A How-To Guide for Enterprise APIs - Learn how to position your ente...API360 – A How-To Guide for Enterprise APIs - Learn how to position your ente...
API360 – A How-To Guide for Enterprise APIs - Learn how to position your ente...CA API Management
 
API Monetization: Unlock the Value of Your Data
API Monetization: Unlock the Value of Your DataAPI Monetization: Unlock the Value of Your Data
API Monetization: Unlock the Value of Your DataCA API Management
 
Revisiting Geddes' Outlook Tower - Mike Amundsen, Director of API Architectur...
Revisiting Geddes' Outlook Tower - Mike Amundsen, Director of API Architectur...Revisiting Geddes' Outlook Tower - Mike Amundsen, Director of API Architectur...
Revisiting Geddes' Outlook Tower - Mike Amundsen, Director of API Architectur...CA API Management
 
Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...
Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...
Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...CA API Management
 
Enabling the Multi-Device Universe
Enabling the Multi-Device UniverseEnabling the Multi-Device Universe
Enabling the Multi-Device UniverseCA API Management
 
Building APIs That Last for Decades - Irakli Nadareishvili, Director of API S...
Building APIs That Last for Decades - Irakli Nadareishvili, Director of API S...Building APIs That Last for Decades - Irakli Nadareishvili, Director of API S...
Building APIs That Last for Decades - Irakli Nadareishvili, Director of API S...CA API Management
 
The Art of API Design - Ronnie Mitra, Director of API Design, API Academy at ...
The Art of API Design - Ronnie Mitra, Director of API Design, API Academy at ...The Art of API Design - Ronnie Mitra, Director of API Design, API Academy at ...
The Art of API Design - Ronnie Mitra, Director of API Design, API Academy at ...CA API Management
 
APIs Fueling the Connected Car Opportunity - Scott Morrison, SVP & Distinguis...
APIs Fueling the Connected Car Opportunity - Scott Morrison, SVP & Distinguis...APIs Fueling the Connected Car Opportunity - Scott Morrison, SVP & Distinguis...
APIs Fueling the Connected Car Opportunity - Scott Morrison, SVP & Distinguis...CA API Management
 
Adapting to Digital Change: Use APIs to Delight Customers & Win
Adapting to Digital Change: Use APIs to Delight Customers & WinAdapting to Digital Change: Use APIs to Delight Customers & Win
Adapting to Digital Change: Use APIs to Delight Customers & WinCA API Management
 
Balancing Security & Developer Enablement in Enterprise Mobility - Jaime Ryan...
Balancing Security & Developer Enablement in Enterprise Mobility - Jaime Ryan...Balancing Security & Developer Enablement in Enterprise Mobility - Jaime Ryan...
Balancing Security & Developer Enablement in Enterprise Mobility - Jaime Ryan...CA API Management
 
5 steps end to end security consumer apps
5 steps end to end security consumer apps5 steps end to end security consumer apps
5 steps end to end security consumer appsCA API Management
 
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...CA API Management
 
Drones, Phones & Pwns the Promise & Dangers of IoT APIs: Use APIs to Securely...
Drones, Phones & Pwns the Promise & Dangers of IoT APIs: Use APIs to Securely...Drones, Phones & Pwns the Promise & Dangers of IoT APIs: Use APIs to Securely...
Drones, Phones & Pwns the Promise & Dangers of IoT APIs: Use APIs to Securely...CA API Management
 
Gartner AADI Summit Sydney 2014 Implementing the Layer 7 API Management Pla...
Gartner AADI Summit Sydney 2014 Implementing the Layer 7 API Management Pla...Gartner AADI Summit Sydney 2014 Implementing the Layer 7 API Management Pla...
Gartner AADI Summit Sydney 2014 Implementing the Layer 7 API Management Pla...CA API Management
 
Using APIs to Create an Omni-Channel Retail Experience
Using APIs to Create an Omni-Channel Retail ExperienceUsing APIs to Create an Omni-Channel Retail Experience
Using APIs to Create an Omni-Channel Retail ExperienceCA API Management
 

Más de CA API Management (20)

Api architectures for the modern enterprise
Api architectures for the modern enterpriseApi architectures for the modern enterprise
Api architectures for the modern enterprise
 
Mastering Digital Channels with APIs
Mastering Digital Channels with APIsMastering Digital Channels with APIs
Mastering Digital Channels with APIs
 
Takeaways from API Security Breaches Webinar
Takeaways from API Security Breaches WebinarTakeaways from API Security Breaches Webinar
Takeaways from API Security Breaches Webinar
 
API Design Methodology - Mike Amundsen, Director of API Architecture, API Aca...
API Design Methodology - Mike Amundsen, Director of API Architecture, API Aca...API Design Methodology - Mike Amundsen, Director of API Architecture, API Aca...
API Design Methodology - Mike Amundsen, Director of API Architecture, API Aca...
 
Liberating the API Economy with Scale-Free Networks - Mike Amundsen, Director...
Liberating the API Economy with Scale-Free Networks - Mike Amundsen, Director...Liberating the API Economy with Scale-Free Networks - Mike Amundsen, Director...
Liberating the API Economy with Scale-Free Networks - Mike Amundsen, Director...
 
API360 – A How-To Guide for Enterprise APIs - Learn how to position your ente...
API360 – A How-To Guide for Enterprise APIs - Learn how to position your ente...API360 – A How-To Guide for Enterprise APIs - Learn how to position your ente...
API360 – A How-To Guide for Enterprise APIs - Learn how to position your ente...
 
API Monetization: Unlock the Value of Your Data
API Monetization: Unlock the Value of Your DataAPI Monetization: Unlock the Value of Your Data
API Monetization: Unlock the Value of Your Data
 
Revisiting Geddes' Outlook Tower - Mike Amundsen, Director of API Architectur...
Revisiting Geddes' Outlook Tower - Mike Amundsen, Director of API Architectur...Revisiting Geddes' Outlook Tower - Mike Amundsen, Director of API Architectur...
Revisiting Geddes' Outlook Tower - Mike Amundsen, Director of API Architectur...
 
Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...
Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...
Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...
 
Enabling the Multi-Device Universe
Enabling the Multi-Device UniverseEnabling the Multi-Device Universe
Enabling the Multi-Device Universe
 
Building APIs That Last for Decades - Irakli Nadareishvili, Director of API S...
Building APIs That Last for Decades - Irakli Nadareishvili, Director of API S...Building APIs That Last for Decades - Irakli Nadareishvili, Director of API S...
Building APIs That Last for Decades - Irakli Nadareishvili, Director of API S...
 
The Art of API Design - Ronnie Mitra, Director of API Design, API Academy at ...
The Art of API Design - Ronnie Mitra, Director of API Design, API Academy at ...The Art of API Design - Ronnie Mitra, Director of API Design, API Academy at ...
The Art of API Design - Ronnie Mitra, Director of API Design, API Academy at ...
 
APIs Fueling the Connected Car Opportunity - Scott Morrison, SVP & Distinguis...
APIs Fueling the Connected Car Opportunity - Scott Morrison, SVP & Distinguis...APIs Fueling the Connected Car Opportunity - Scott Morrison, SVP & Distinguis...
APIs Fueling the Connected Car Opportunity - Scott Morrison, SVP & Distinguis...
 
Adapting to Digital Change: Use APIs to Delight Customers & Win
Adapting to Digital Change: Use APIs to Delight Customers & WinAdapting to Digital Change: Use APIs to Delight Customers & Win
Adapting to Digital Change: Use APIs to Delight Customers & Win
 
Balancing Security & Developer Enablement in Enterprise Mobility - Jaime Ryan...
Balancing Security & Developer Enablement in Enterprise Mobility - Jaime Ryan...Balancing Security & Developer Enablement in Enterprise Mobility - Jaime Ryan...
Balancing Security & Developer Enablement in Enterprise Mobility - Jaime Ryan...
 
5 steps end to end security consumer apps
5 steps end to end security consumer apps5 steps end to end security consumer apps
5 steps end to end security consumer apps
 
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
 
Drones, Phones & Pwns the Promise & Dangers of IoT APIs: Use APIs to Securely...
Drones, Phones & Pwns the Promise & Dangers of IoT APIs: Use APIs to Securely...Drones, Phones & Pwns the Promise & Dangers of IoT APIs: Use APIs to Securely...
Drones, Phones & Pwns the Promise & Dangers of IoT APIs: Use APIs to Securely...
 
Gartner AADI Summit Sydney 2014 Implementing the Layer 7 API Management Pla...
Gartner AADI Summit Sydney 2014 Implementing the Layer 7 API Management Pla...Gartner AADI Summit Sydney 2014 Implementing the Layer 7 API Management Pla...
Gartner AADI Summit Sydney 2014 Implementing the Layer 7 API Management Pla...
 
Using APIs to Create an Omni-Channel Retail Experience
Using APIs to Create an Omni-Channel Retail ExperienceUsing APIs to Create an Omni-Channel Retail Experience
Using APIs to Create an Omni-Channel Retail Experience
 

Último

Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 

Último (20)

Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 

Fine grained authorization for Web Services

  • 1. Fine grained authorization for Web Services Jonathan Gershater Solution Architect http://www.layer7tech.com
  • 2. What you will learn in this session? 1. The difference between fine grained and coarse grained authorization 2. The challenge with implementing fine grained authorization in service based architectures 3. How to leverage existing identity infrastructure for entitlements management 4. How to use policy enforcement intermediaries to enforce entitlement preferences March 2008
  • 3. Traditional enterprise Independent applications with their own access control, mechanisms and authorization policies. March 2008
  • 4. Traditional enterprise security Protected by •A gate-keeper firewall primarily offering network level TCP/IP protection. •URL only protection using agent based SSO solutions. March 2008
  • 5. The New Enterprise:SaaS, Web2.0, Legacy The challenge: •Mixed application and integration environment •Diverse credential requirements •Existing SSP and user directories •No centralized policy control and audit. • Services requiring fine grained authorization. March 2008
  • 6. SaaS, Web2.0, Integrated enterprise March 2008
  • 7. SaaS, Web2.0, Integrated enterprise March 2008
  • 8. WebServices authentication: The Many-To-Many Problem Tokens  Transport (HTTP hdr, Request x509, etc…)  Message (UTP, x509,…) Web Services Authentication  LDAP Directory  Proprietary IAM …  Certificate Servers (OCSP, CRLs, etc)  etc…
  • 9. Complexity grows! Multi-platform, multi-development environment –.NET, J2EE Frameworks, other •Support Mobile users / disconnected applications •Support conditional expressions for authorization *Use existing authentication sources March 2008
  • 10. Quick review of AAA •Authentication – who are you? •Authorization – what can you do? •Auditing – who did what? March 2008
  • 11. What is coarse versus fine grained authorization? What is authorization? The difference between coarse grained authorization (static)  By job role  By IT defined role  By group membership and fine grained authorization (dynamic)  By transaction type  By time of day or day of week March 2008
  • 12. Sample fine grained AZ request Stock quote can be anonymous Stock purchase during trading hours must be: •Authenticated •over SSL •working hours •not from suspect network (user=Name_of_Stockbroker) AND (SSL=TRUE) AND ((hour > 6am) AND (hour < 1pm)) AND (ip_address_segment != 155.154.133.0) March 2008
  • 13. Solution Policy Decision Point (PDP) that intercepts and examines XML packets at the application layer: • Identifies service endpoint • Authenticates requester with support for diverse credential types • Integration with diverse SSO, Federation and user directories • Performs fine-grained authorization of of an operation within a service • Credential chaining and translation • SAML issuing for downstream consistency March 2008
  • 14. Policy Decision Points (PDP) March 2008
  • 15. Also...SAMLP query to Policy Decision Point (PDP) March 2008
  • 16. Other solutions – an XCAML query Policy EnforcementPoint (PEP) makes an XACML query to a PolicyDecisionPoint (PDP). •PEP executes XACMLAuthzDecisionQuery •PDP returns XACMLAuthzDecisionStatement March 2008
  • 17. Policy Enforcement Point makes an XCAML query March 2008
  • 18. Layer 7 solution for fine grained authorization Policy Decision Point (PDP): •Highly available / clustered. • Integrates with several of Web SingleSignOn and PolicyDecisionPoint sources. •Supports any information store: Databases, or SecureTokenServices. • Generates appropriate SAML assertion to make authorization decisions. March 2008
  • 19. Appliance, software or virtual machine solution Message level intermediary between services and requesters Internal Application Consumers External Application Services Consumers March 2008
  • 20. Layer 7 SecureSpan Gateway Runtime Governance - Policy Enforcement Point PEP validates policy compliance and applies security decorations Security requirements defined by an administrator. Policies become effective independently of the actual services. Services March 2008
  • 21. SecureSpan Solution Advantages, Differentiators Sophisticated policy language enables complex governance requirements Available as hardware appliance with XML accelerator or as software Quick deployment, ease of use Extensible through APIs Instant policy application (no service downtime) Standard based Industry leadership March 2008
  • 22. Thanks and questions Jonathan Gershater jg@layer7tech.com http://www.layer7tech.com http://layer7blog.blogspot.com/ March 2008