Presentation is loading. Please wait.

Presentation is loading. Please wait.

PI Server Security Bryan S. Owen Omar A. Shafie.

Published byAdolfo Rule Modified over 9 years ago

Similar presentations

Presentation on theme: "PI Server Security Bryan S. Owen Omar A. Shafie."— Presentation transcript:

1 PI Server Security Bryan S. Owen Omar A. Shafie

2 What is Security? se·cu·ri·ty 1. The quality or state of being secure:
Pronunciation: \si-kyu̇r-ə-tē\ Function: noun Date: 15th century 1. The quality or state of being secure: a) freedom from danger : safety b) freedom from fear or anxiety c) freedom from the prospect of being laid off Security is a mindset, a way of thinking. Not an absolute state or destination. It’s also about value. Security must serve business needs. Source: Webster’s Online Dictionary

3 PI Infrastructure Helps
Information as a Survival Tool Compete using a real-time data infrastructure Collaborate across disparate systems Critical Infrastructure Protection Defense in Depth for your systems Zone Network Depth Software Depth 4 External Network 3 Corporate Operating System 2 Internal Application 1 Critical Data 4 Application and data layers are a core part of the PI Infrastructure and software defense in depth. Likewise, system components are designed to operate even when distributed across network security boundaries. In combination with good practices, the PI infrastructure is capable of providing best available protection for critical cyber infrastructure. 3 2 1

4 What’s New in PI Server? Enhanced Security Less Maintenance
Increased Control and Flexibility Less Maintenance Security Features Stability Better Manageability System Management Tools (SMT) Backward Compatible Lifecycle Support 64bit and Windows 2008 (incl. Server Core) The features are not mutually exclusive – all are part of a security focused theme. The PI Server is certified for Windows 2008 including Server Core. Windows Server 2008 raises the security bar for best practices through secure by default configuration, Read Only Domain Controllers (RODC), Advanced Firewall, and easier IPSEC deployment. Stronger memory protection in x64 platforms raises the bar even higher.

5 Security Feature Map Confidentiality Integrity Availability
Authentication Authorization Asset Versioning Distributed Architecture Application Layer Centric Windows SSPI PI Firewall Annotation & Event Flags HA Collectives & Interfaces PI Trust Security Policies Service Level Indicators Managed PI The 3 foundational pillars of security are Confidentiality, Integrity, and Availability (C-I-A). Features in the PI infrastructure help enable security, especially in the data and application layers. Today we will address just a few topics related to the PI server. Explicit Login Database Security Audit Trail Data Buffering Centric Data Connection Strings Secure Data Objects Read Only Archives Online Backups

6 Security Feature Topics
Confidentiality Integrity Availability Authentication Authorization Asset Versioning Distributed Architecture Application Layer Centric Windows SSPI PI Firewall Annotation & Event Flags HA Collectives & Interfaces PI Trust Security Policies Service Level Indicators Managed PI Today we will address just a few topics related to changes coming in the next PI server version. Explicit Login Database Security Audit Trail Data Buffering Centric Data Connection Strings Secure Data Objects Read Only Archives Online Backups

7 X Authentication Single Sign On – Windows Security (Kerberos)
One time mapping for Active Directory Groups …Just 5 mouse clicks X No need to maintain PI Users & Groups. No passwords stored in PI server. Explicit login still available as a last resort.

8 Authentication Policy
Policies to Allow and Prioritize Methods Windows SSPI PI Trust Explicit Login Granular Scope Server Client Each Identity Piadmin User 1994 ----- 20?? 1992 ----- 2009 Anonymous world access is retired (DefaultUserAccess timeout parameter no longer possible). No access for unauthenticated connections. Cannot be enabled. Leverage Windows password policies (age, complexity, etc..). Can now require non-blank password for explicit login accounts. Anonymous User

9 Authentication Path Connection initiated from a client to a PI Server will request Windows authentication by default (applications using PI SDK 1.3.6). As before, only a single network destination port on the PI Server is required. Authentication using Windows Security Support Provider Interface (SSPI) does not require additional inbound firewall exceptions. If not cached, will SSPI locate a domain controller (DC) and initiate the outbound query using Kerberos or NTML. For best security, a dedicated DC should be in the same security zone as the PI Server.

10 Authentication Summary
Most Secure if PI Server is a Domain Member Not required Manage Users and Groups Centrally in Windows One time association in PI Explicit Login and Trust You have control Please DISABLE EXPLICIT LOGIN OR AT LEAST SET PASSWORDS ON FACTORY ACCOUNTS SSPI is a Foundation…for Federated Identity Management

11 [-10400] No Read Access - Secure Object
AUTHORIZATION [-10400] No Read Access - Secure Object Authorization is the process of granting access to resources such as tags and modules represent the bulk of secure objects in a PI server.

12 Is Your Data Protected? Maybe… You MUST make changes!
Access is ALWAYS granted with piadmin Factory setting allows world read access You MUST make changes! Default permission is configurable Points: inherit from PIPOINT DBSecurity Modules: inherit from parent Survey: How many people are only using pidemo and piadmin? Does your system have a password for Piadmin? Piadmin is a loaded gun with no safety…you cannot deny access.

13 Standard Data Protection Example
ISO/IEC27000 mapped to G8 Traffic Light Protocol Identity Mapping Customers decide how to protect their data. Standards can be used as a guideline.

14 History of Authorization Settings
PI 2 Security by Display Set permission level for each user and application (0-255) Rights divided into 3 sub ranges Security by Client Node (Read, Write, Login Policy) PI 3 Security by Point PtOwner, PtGroup, PtAccess DataOwner, DataGroup, DataAccess Purpose of this slide is to show, security moving closer to the data and trend toward fewer ‘moving’ parts. Incidentally, display security is an important part of data protection. Best available technology is to draw displays on demand. Document libraries are a good alternative and a natural fit when using MOSS with PI WebParts.

15 2 In 2009… How many configuration attributes per point?
PointSecurity grants who can access a tag and view settings such as span. DataSecurity grants who can access the actual archive data for a point. The “A” following each identity indicates permissions in the following list are allowed. Multiple Access Control Entries (ACE) are concatenated using a pipe “|”. The ACE syntax has been designed so additional permissions and access verbs (eg. Deny) can be added in future versions. Access Control List (ACL) can be as long or short as needed DataSecurity: Green: A (r) PtSecurity: Antarctica: A (r,w) D: (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY) | Americas: A (r) | Asia-Pacific: A (r) | Europe: A (r)

16 SMT 3.3 Point Builder – Security Dialog

17 What else in 2009? PI Network Manager Message Log Subsystem
Stability and hardened stack Performance Enhanced SMT plug-in Message Log Subsystem Filter by severity Critical, Error, Warning, Informational, Debug Audit Trail Windows user preserved The PI network manager service is the heart of data flow in the PI Server architecture and has been from inception. Hardening the network manager code base and communication stack is central to security, reliability, and performance. Changes in pinetmgr will enable new functionality and optimizations in future products.

18 Also coming… Backup Performs incremental backup Checks integrity
Maintains “Last Known Good” New SMT plug-in On demand copy backup Viewing backup history Like safety, a preventative posture is the right approach to security. But security threats continually evolve and breaches – intentional or not, will occur. Reliable backups are an important part of the recovery procedure. New integrity checks are now part of the backup logic to help restore to a last known good state. PI Server backups should be routinely scheduled. On demand copy backups are for special circumstances.

19 Our Commitment to You Ongoing focus of Security Development Lifecycle
Help you with Best Practices Reduce effort and improve usability Eliminate Weakest Code Cumulative QA effort with every release Collaborate with Security Experts Industry, Government, Academia, Customers Digitalbond, Idaho National Lab, and Microsoft are leaders in trustworthy computing and critical infrastructure protection. OSIsoft is an active participant in security activities across many industry groups, standards associations, researchers, regulatory bodies, and commercial partners. Most important is active partnership with our customers; some are world class leaders on security best practices.

20 Call To Action Protect our Critical Infrastructure
4 Protect our Critical Infrastructure Use PI for Defense in Depth We are all stakeholders Patch management is important Vulnerability in PI Network Manager (18175OSI8) See for yourself how security is easier than ever before Come try SMT with the PI Server beta Plan your upgrade today! 3 2 1 Critical infrastructure binds us all together. Clean water, efficient transportation, reliable energy, safe food and drugs…Security is central now and for future generations. Patching and upgrading are essential to maintaining security. Consider a high availability (HA) architecture to maximize flexibility in scheduling planned outages.

21 Being Secure Is… More than regulations and features
Technology can help A state of mind, knowing Your systems What to do Who you trust OSIsoft wants to earn your trust Your business is under many pressures, security is just one. PI Infrastructure for the Enterprise helps deliver good security performance now and over time.

Download ppt "PI Server Security Bryan S. Owen Omar A. Shafie."

Similar presentations

Overview of local security issues in Campus Grid environments Bruce Beckles University of Cambridge Computing Service.

Overview of local security issues in Campus Grid environments Bruce Beckles University of Cambridge Computing Service.
Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.

Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.
The System Center Family Microsoft. Mobile Device Manager 2008.

The System Center Family Microsoft. Mobile Device Manager 2008.
File Server Organization and Best Practices IT Partners June, 02, 2010.

File Server Organization and Best Practices IT Partners June, 02, 2010.
Introduction to Systems Management Server 2003 Tyler S. Farmer Sr. Technology Specialist II Education Solutions Group Microsoft Corporation.

Introduction to Systems Management Server 2003 Tyler S. Farmer Sr. Technology Specialist II Education Solutions Group Microsoft Corporation.
Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.

Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.
1 Security on OpenStack 11/7/2013 Brian Chong – Global Technology Strategist.

1 Security on OpenStack 11/7/2013 Brian Chong – Global Technology Strategist.
© 2008 OSIsoft, Inc. | Company Confidential PI System Security Bryan S. Owen PE.

© 2008 OSIsoft, Inc. | Company Confidential PI System Security Bryan S. Owen PE.
1 OCEANIA TECHNOLOGY SEMINAR 2008 © 2008 OSIsoft, Inc. | Company Confidential OCEANIA TECHNOLOGY SEMINAR 2008 PI System Security Taking it to the Next.

1 OCEANIA TECHNOLOGY SEMINAR 2008 © 2008 OSIsoft, Inc. | Company Confidential OCEANIA TECHNOLOGY SEMINAR 2008 PI System Security Taking it to the Next.
Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.

Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.
Chapter 7 HARDENING SERVERS.

Chapter 7 HARDENING SERVERS.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.
ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users.

ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users.
Hands-On Microsoft Windows Server 2003 Administration Chapter 5 Administering File Resources.

Hands-On Microsoft Windows Server 2003 Administration Chapter 5 Administering File Resources.
Administering Active Directory

Administering Active Directory
Hands-On Microsoft Windows Server 2003 Administration Chapter 3 Administering Active Directory.

Hands-On Microsoft Windows Server 2003 Administration Chapter 3 Administering Active Directory.
11 SHARING FILE SYSTEM RESOURCES Chapter 9. Chapter 9: SHARING FILE SYSTEM RESOURCES2 CHAPTER OVERVIEW  Create and manage file system shares and work.

11 SHARING FILE SYSTEM RESOURCES Chapter 9. Chapter 9: SHARING FILE SYSTEM RESOURCES2 CHAPTER OVERVIEW  Create and manage file system shares and work.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 10 Authenticating Users By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 10 Authenticating Users By Whitman, Mattord, & Austin© 2008 Course Technology.
Lesson 4: Configuring File and Share Access

Lesson 4: Configuring File and Share Access
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.

Similar presentations

Ads by Google