
Web Portal Security from A to Z As Developed for Shands Healthcare at The University of Florida Copyright Ward Wilson 2003. This work is the intellectual.

Presentation transcript:

1 Web Portal Security from A to Z
As Developed for Shands Healthcare at The University of Florida
Copyright Ward Wilson 2003. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

2 The Agenda
- About us
- What is a Web Portal
- Web Security Specifics
  - single signon
  - session state management
  - context sharing
  - role based application security (RBAC)
- Speakers
  - Ward Wilson
  - Alan Cook

3 About us
- Shands Healthcare is a multi-facility non-profit hospital organization that includes both teaching and community hospitals
- Shands UF and Shands Jax are the teaching hospitals for UF

4 About us
- Shands' primary computing environment is an IBM mainframe OS/390 environment
- our major sources of data are in mainframe DB2 databases and our major HIS application is a mainframe CICS product from Siemens

5 About us
- so our portal and our portal development environment are mainframe OS/390 based as well
- EAGLE is a patented application development environment written here at UF and it runs in CICS on the mainframe OS/390

6 The EAGLE Environment (diagram): OS/390 CICS running EAGLE with DB2, Legacy Data and RACF; Web Server (Unix/Win) running a Java servlet; Web Device receiving HTML/XML/EDI; third-party servlet

8 EAGLE
- EAGLE is now installed at several institutions
- see the Illinois State presentation for EAGLE and JASIG portal integration
- to find out more about EAGLE look for several EAGLE presentations over the course of this week

9 What is a Web Portal?
- a portal pushes business applications to users over the internet (our model)
- one portal for users must integrate many products and applications
- target devices include traditional browsers, handheld devices, tablets, and cell phones
- application access (what gets pushed) is controlled by roles

11 Portal page layout (diagram): FRAME, PIC, Hidden Frame, Contexts, Menu, WELL

19 It’s all about security
- Authentication and single signon
- Session state management
- Context sharing
- Application security

20 Web Security
- Authentication and single signon

21 Authentication and single signon
- beyond IP: getting beyond IP restriction to user-based authentication is a must
- single signon: authenticating once and accessing applications from many vendors is critical for user acceptance

23 Authentication - beyond IP (diagram): OS/390 CICS running EAGLE with RACF, DB2 and the Siemens HIS; Web Server (Unix/Win) running a Java servlet; Web Device; encrypted EDI and HTML/XML/EDI to a third-party Widget

25 Security zones (diagram)
- Shands.org - public, anonymous, unrestricted access
- intranet.shands.org - MedIC (unlocked): secure/private, limited by IP restriction, lacks consistent security methodology, functions as a content server
- medic.shands.org - myMedIC (locked): Portal - most secure; manages state; gateway from public to private; acts as firewall. Level of security needed for patient applications - gift shop, online payment, online pharmacy, consult a physician
- APPS1 - stores databases
- Single signon to many products: Siemens, IDX, Citrix, Others. A user’s ‘needs’ for access spans many applications and vendor products.

26 Single signon - work with vendors
- Done
  - Siemens: GSM, IDE, our pages or yours
  - Citrix: save the id and password
  - IDX: super id, XML queries, portal
  - Magic: super id, SQL queries, portal
  - Chris: trusted partner id handoff
  - MSO: super id, SQL queries, portal
- To do
  - Peoplesoft: accept our signon, pass user id
  - Stentor: tbd

27 Single signon - Siemens example (diagram): OS/390 CICS running EAGLE with DB2 and RACF; the "Health care provider" role keys the GSM process into the Siemens HIS

30 Portal page layout (diagram): FRAME, PIC, Hidden Frame, Contexts, WELL, Menu

38 Single signon summary
- requires a multi-talented team, working with vendors, and a willingness to pay fees to get things done (don’t take no as an answer)
- storing encrypted ids and passwords is an alternative - use it when you have to, but it too has a cost

39 Web Security
- Session state management

40 Session state management
- "A session is a sequence of service requests by a single user using a single client to access a server. The information maintained in the session across requests is called session state. Session state may include both information visible to the user (shopping cart contents, for example) and invisible application control information (such as user preferences)." (java.sun.com)

41 Session state management
- methodologies for the web client
  - cookies
  - embedded session key
  - URL re-write
  - other (see java.sun.com, Microsoft etc.)
- sharing session with other products
  - custom
  - ccow
  - other?

42 Portal page layout (diagram): Hidden Frame, WELL, Menu, embedded session key

43 Session state (diagram): OS/390 CICS running EAGLE; Web Server (Unix/Win) running a Java servlet; encrypted session key embedded in web form, XML or custom EDI; patented session state management; SYMQ application data; global session data

44 Session state management
- the basics: session state info posted back to EAGLE, checked for validity
  - matched encrypted key
  - check timeout
    - friendly: just ask for password and continue
    - unfriendly: lose data, sign in again
  - check other embedded values
    - handle the back button on browser

45 Session state management
- pluses:
  - scalability, server side resources are minimized (no active process)
  - ubiquitous, works even if cookies are disabled
  - secure, critical data never sent to browser

46 Session state management
- challenges:
  - keeping partner sessions alive (tickling the GSM)
  - sharing key information (context sharing)
  - handling the back button

47 Session state management
- limitations:
  - fat client or non-participating browser activity may not keep the session alive (ccow)
  - other products may use cookies, so you will have to deal with them

48 Session state management summary
- If you are integrating many products you must provide it or use a vendor provided solution such as ccow
  - each solution has its positives and negatives; choose based upon your business requirements and ability to control the browser client
  - sharing session state and context with multiple products will be very important
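The checks listed on slide 44 (matched key, friendly versus unfriendly timeout, embedded values that catch the back button), as an added example that is not EAGLE's patented mechanism or any code from the presentation. The browser receives only a signed session key embedded in the form; all session data stays server-side, which is what gives the "critical data never sent to browser" property on slide 45. The secret, the two timeout values and the in-memory store are constructed for illustration, and an HMAC stands in for the encryption the slides mention, since the key carries no confidential data and only needs to be unforgeable.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets

# Added example, not EAGLE code. The server keeps the session data itself and hands the
# browser only a signed session key, embedded in each web form. On postback the key is
# checked (signature, timeout, form sequence) before the request is served.
SERVER_KEY = secrets.token_bytes(32)   # constructed per-deployment secret, never sent to the browser
FRIENDLY_TIMEOUT = 15 * 60             # idle seconds: re-ask the password, keep the data
HARD_TIMEOUT = 8 * 60 * 60             # seconds: discard the session, sign in again

SESSIONS = {}   # session id -> state (stands in for the global session data store)


def _sign(payload: bytes) -> str:
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()


def issue_key(session_id: str, form_seq: int, now: int) -> str:
    """Session key to embed as a hidden form field: base64(payload).hexmac."""
    payload = json.dumps({"sid": session_id, "seq": form_seq, "ts": now},
                         sort_keys=True).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)


def create_session(user: str, now: int) -> str:
    """Start a session after authentication and return the first key to embed."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "created": now, "last_seen": now, "seq": 1, "data": {}}
    return issue_key(sid, 1, now)


def check_postback(token: str, now: int, password_ok: bool = False):
    """Validate a posted-back session key.

    Returns (status, next_key): status is one of ok, invalid, expired, reauth, stale;
    next_key is the key to embed in the next form (None when the request is refused).
    """
    try:
        b64, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(b64)
    except (ValueError, binascii.Error):
        return "invalid", None
    if not hmac.compare_digest(_sign(payload), sig):
        return "invalid", None            # key does not match: forged or tampered
    fields = json.loads(payload)
    sess = SESSIONS.get(fields["sid"])
    if sess is None:
        return "invalid", None            # unknown or already discarded session
    if now - sess["created"] > HARD_TIMEOUT or now - sess["last_seen"] > HARD_TIMEOUT:
        del SESSIONS[fields["sid"]]       # unfriendly: lose data, sign in again
        return "expired", None
    if now - sess["last_seen"] > FRIENDLY_TIMEOUT and not password_ok:
        return "reauth", None             # friendly: just ask for the password and continue
    if fields["seq"] != sess["seq"]:
        # back button: an earlier form was re-posted; refuse it and resync the key
        return "stale", issue_key(fields["sid"], sess["seq"], now)
    sess["seq"] += 1
    sess["last_seen"] = now
    return "ok", issue_key(fields["sid"], sess["seq"], now)
```

The form sequence number is the "other embedded value" that makes a re-posted old form detectable: the server only accepts the key it issued last, so a back-button resubmission is refused rather than executed twice. Because the timestamp inside the key is informational and the idle clock lives in the server record, a client cannot extend its own session by editing the key.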

49 Web Security
- Context sharing

50 Context sharing
- simply put, it is sharing keys between applications; for example passing the student id
  - within your applications
  - across applications
  - across vendor products and applications

53 Context sharing
- typical implementations
  - within applications: add key data to the posted web data or save as session data
  - within application or across applications: include key data in the url (the get method)
  - across applications: pass key data through a shared data store or common application (ccow)

54 Context sharing
- surprising complexities
  - key data is application specific
    - don’t pass student id to payroll application
    - reestablish last student id on student screens and payroll id in payroll screens
    - EAGLE key stack
  - save as session data
    - keys can get quite large
    - protecting key data
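A small added example of the "key data is application specific" point on slide 54 (not EAGLE's key stack or any code from the presentation): context keys are kept server-side as session data and partitioned by application, so the last student id is restored when the user returns to the student screens while the payroll screens see only their own keys, unless a key is explicitly shared. Application names, key names and values are constructed for illustration.

```python
# Added example, not EAGLE code: per-application context keys held in session data.
# Application and key names below are constructed for illustration.

class ContextStore:
    """Session-scoped context keys, partitioned by application."""

    def __init__(self, shared=None):
        # app -> {key_name: value}; the most recently set value is the one reestablished
        self._keys = {}
        # explicit cross-application sharing policy: (owning_app, key_name) -> {apps allowed}
        # anything not listed here stays within the application that set it
        self._shared = shared or {}

    def set_key(self, app, name, value):
        """Record the current key for an application (e.g. the student just selected)."""
        self._keys.setdefault(app, {})[name] = value

    def context_for(self, app):
        """Keys the application may see: its own, plus keys explicitly shared with it."""
        ctx = dict(self._keys.get(app, {}))
        for (owner, name), allowed in self._shared.items():
            if app in allowed and owner != app and name in self._keys.get(owner, {}):
                ctx.setdefault(name, self._keys[owner][name])
        return ctx
```

Keeping the keys in session data rather than in a GET url is what the slide's "protecting key data" item asks for: the browser carries only the session key, and the size of the key set no longer matters to the client.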

55 Web Security
- Role based access control (RBAC)

56 Role based access control (RBAC)
- a roles database is a mechanism used to assign a user access to data or applications
- access control information for an enterprise should be hosted centrally, and made available to remote applications as needed

57 Role based access control (RBAC) (diagram): users, access rights, transactions, resources

58 Role based access control (RBAC)
- Security administrative costs continue to increase
- Need for distributed security administration, but with central control
- The audit group is unable to verify consistent security to meet HIPAA regs

59 Role based access control (RBAC) - The UF Shands data model (diagram): Users, Role, Permission, User Group Role, Group Role, Perm Group Role

60 Role based access control (RBAC)
- a role defines a functional entity, e.g. “Health care provider” (diagram: ROLE)

61 Role based access control (RBAC)
- a group defines an organizational entity or facility, e.g. “Shands at AGH” (diagram: Group)

62 Role based access control (RBAC)
- A group and role are combined to provide very granular security across a distributed enterprise (diagram: Group + ROLE = Group ROLE)

63 Role based access control (RBAC)
- a person can be assigned to one or more group roles
- changes to a group role are distributed to all individuals assigned to it
- auditability requires retaining the link between users and group roles

66 Role based access control (RBAC)
- The Group Role Permissions table stores access control rules (diagram: Group ROLE Perm)

67 Role based access control (RBAC)
- Permissions, groups and roles enforce corporate security policy
- permissions are connected to group roles
- it is possible to implement group role hierarchies
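The group/role/permission model of slides 59 to 67, as an added in-memory example that is not the UF Shands implementation or any code from the presentation: users are linked to group roles, permissions hang off group roles, a group role may inherit from another (the hierarchy on slide 67), and an access check answers with the group role that granted access so the user-to-group-role link from slide 63 is available for audit. The group and role names "Shands at AGH", "Shands Jax" and "Health care provider" are taken from the slides; "Attending physician", the user ids and the resource names are constructed for illustration.

```python
from dataclasses import dataclass, field

# Added example, not the UF/Shands implementation. "Attending physician", the user ids
# and the resource names are constructed; the other group and role names are from the slides.


@dataclass(frozen=True)
class GroupRole:
    group: str  # organizational entity or facility, e.g. "Shands at AGH"
    role: str   # functional entity, e.g. "Health care provider"


@dataclass
class RbacStore:
    assignments: dict = field(default_factory=dict)  # user -> {GroupRole}; the link kept for audit
    permissions: dict = field(default_factory=dict)  # GroupRole -> {(resource, right)}; the Group Role Permissions table
    parents: dict = field(default_factory=dict)      # GroupRole -> GroupRole it inherits from

    def assign(self, user, gr):
        self.assignments.setdefault(user, set()).add(gr)

    def grant(self, gr, resource, right):
        self.permissions.setdefault(gr, set()).add((resource, right))

    def revoke(self, gr, resource, right):
        # one change to the group role reaches every user assigned to it
        self.permissions.get(gr, set()).discard((resource, right))

    def inherit(self, child, parent):
        # refuse cycles so that role resolution always terminates
        gr = parent
        while gr is not None:
            if gr == child:
                raise ValueError("group role hierarchy would form a cycle")
            gr = self.parents.get(gr)
        self.parents[child] = parent

    def effective_roles(self, user):
        """Directly assigned group roles plus everything they inherit from."""
        roles, pending = [], list(self.assignments.get(user, ()))
        while pending:
            gr = pending.pop()
            if gr in roles:
                continue
            roles.append(gr)
            if gr in self.parents:
                pending.append(self.parents[gr])
        return roles

    def check(self, user, resource, right):
        """Return the group role that grants the right (the audit answer), or None."""
        for gr in self.effective_roles(user):
            if (resource, right) in self.permissions.get(gr, ()):
                return gr
        return None


def demo_store():
    """Constructed sample data: two facilities, one role hierarchy, three users."""
    store = RbacStore()
    provider_agh = GroupRole("Shands at AGH", "Health care provider")
    provider_jax = GroupRole("Shands Jax", "Health care provider")
    attending_agh = GroupRole("Shands at AGH", "Attending physician")
    store.grant(provider_agh, "AGH.patient_chart", "read")
    store.grant(provider_jax, "JAX.patient_chart", "read")
    store.grant(attending_agh, "AGH.order_entry", "write")
    store.inherit(attending_agh, provider_agh)   # attending physicians are also providers
    store.assign("u_alice", provider_agh)
    store.assign("u_bob", provider_jax)
    store.assign("u_carol", attending_agh)
    return store
```

Two properties of the model show up directly: the same role at a different facility grants nothing at this one (the group is part of the key), and revoking a permission on the group role takes it away from every user assigned to it, including those who only inherit it.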

71 Role based access control (RBAC)
- challenges
  - identifying group roles
  - centralized control
  - decentralized administration
  - automate as much as possible
    - HR feeds
    - feeds from other sources
    - feedback loop for exceptions

72 Summary: It’s all about security
- Authentication and single signon
  - a must, critical for user acceptance
- Session state management
  - many ways, choose based on business needs
- Context sharing
  - increasing importance
- Application security
  - rbac

73 Questions?
