2 What is Security? se·cu·ri·ty 1. The quality or state of being secure: Pronunciation: \si-kyu̇r-ə-tē\Function: nounDate: 15th century1. The quality or state of being secure:a) freedom from danger : safetyb) freedom from fear or anxietyc) freedom from the prospect of being laid offSecurity is a mindset, a way of thinking. Not an absolute state or destination. It’s also about value. Security must serve business needs.Source: Webster’s Online Dictionary
3 PI Infrastructure Helps Information as a Survival ToolCompete using a real-time data infrastructureCollaborate across disparate systemsCritical Infrastructure ProtectionDefense in Depth for your systemsZoneNetwork DepthSoftware Depth4ExternalNetwork3CorporateOperating System2InternalApplication1CriticalData4Application and data layers are a core part of the PI Infrastructure and software defense in depth. Likewise, system components are designed to operate even when distributed across network security boundaries. In combination with good practices, the PI infrastructure is capable of providing best available protection for critical cyber infrastructure.321
4 What’s New in PI Server? Enhanced Security Less Maintenance Increased Control and FlexibilityLess MaintenanceSecurity FeaturesStabilityBetter ManageabilitySystem Management Tools (SMT)Backward CompatibleLifecycle Support64bit and Windows 2008 (incl. Server Core)The features are not mutually exclusive – all are part of a security focused theme. The PI Server is certified for Windows 2008 including Server Core. Windows Server 2008 raises the security bar for best practices through secure by default configuration, Read Only Domain Controllers (RODC), Advanced Firewall, and easier IPSEC deployment. Stronger memory protection in x64 platforms raises the bar even higher.
5 Security Feature Map Confidentiality Integrity Availability AuthenticationAuthorizationAssetVersioningDistributed ArchitectureApplication LayerCentricWindows SSPIPI FirewallAnnotation & Event FlagsHA Collectives & InterfacesPI TrustSecurity PoliciesService Level IndicatorsManaged PIThe 3 foundational pillars of security are Confidentiality, Integrity, and Availability (C-I-A).Features in the PI infrastructure help enable security, especially in the data and application layers.Today we will address just a few topics related to the PI server.Explicit LoginDatabase SecurityAudit TrailData BufferingCentricDataConnection StringsSecure Data ObjectsRead Only ArchivesOnline Backups
6 Security Feature Topics ConfidentialityIntegrityAvailabilityAuthenticationAuthorizationAssetVersioningDistributed ArchitectureApplication LayerCentricWindows SSPIPI FirewallAnnotation & Event FlagsHA Collectives & InterfacesPI TrustSecurity PoliciesService Level IndicatorsManaged PIToday we will address just a few topics related to changes coming in the next PI server version.Explicit LoginDatabase SecurityAudit TrailData BufferingCentricDataConnection StringsSecure Data ObjectsRead Only ArchivesOnline Backups
7 X Authentication Single Sign On – Windows Security (Kerberos) One time mapping for Active Directory Groups…Just 5 mouse clicksXNo need to maintain PI Users & Groups. No passwords stored in PI server.Explicit login still available as a last resort.
8 Authentication Policy Policies to Allow and Prioritize MethodsWindows SSPIPI TrustExplicit LoginGranular ScopeServerClientEach IdentityPiadmin User1994-----20??1992-----2009Anonymous world access is retired (DefaultUserAccess timeout parameter no longer possible). No access for unauthenticated connections. Cannot be enabled. Leverage Windows password policies (age, complexity, etc..). Can now require non-blank password for explicit login accounts.Anonymous User
9 Authentication PathConnection initiated from a client to a PI Server will request Windows authentication by default (applications using PI SDK 1.3.6). As before, only a single network destination port on the PI Server is required. Authentication using Windows Security Support Provider Interface (SSPI) does not require additional inbound firewall exceptions. If not cached, will SSPI locate a domain controller (DC) and initiate the outbound query using Kerberos or NTML. For best security, a dedicated DC should be in the same security zone as the PI Server.
10 Authentication Summary Most Secure if PI Server is a Domain MemberNot requiredManage Users and GroupsCentrally in WindowsOne time association in PIExplicit Login and TrustYou have controlPlease DISABLE EXPLICIT LOGIN OR AT LEAST SET PASSWORDS ON FACTORY ACCOUNTSSSPI is a Foundation…for Federated Identity Management
11 [-10400] No Read Access - Secure Object AUTHORIZATION[-10400] No Read Access - Secure ObjectAuthorization is the process of granting access to resources such as tags and modules represent the bulk of secure objects in a PI server.
12 Is Your Data Protected? Maybe… You MUST make changes! Access is ALWAYS granted with piadminFactory setting allows world read accessYou MUST make changes!Default permission is configurablePoints: inherit from PIPOINT DBSecurityModules: inherit from parentSurvey: How many people are only using pidemo and piadmin? Does your system have a password for Piadmin?Piadmin is a loaded gun with no safety…you cannot deny access.
13 Standard Data Protection Example ISO/IEC27000 mapped to G8 Traffic Light ProtocolIdentity MappingCustomers decide how to protect their data. Standards can be used as a guideline.
14 History of Authorization Settings PI 2Security by DisplaySet permission level for each user and application (0-255)Rights divided into 3 sub rangesSecurity by Client Node (Read, Write, Login Policy)PI 3Security by PointPtOwner, PtGroup, PtAccessDataOwner, DataGroup, DataAccessPurpose of this slide is to show, security moving closer to the data and trend toward fewer ‘moving’ parts.Incidentally, display security is an important part of data protection. Best available technology is to draw displays on demand. Document libraries are a good alternative and a natural fit when using MOSS with PI WebParts.
15 2 In 2009… How many configuration attributes per point? PointSecurity grants who can access a tag and view settings such as span. DataSecurity grants who can access the actual archive data for a point.The “A” following each identity indicates permissions in the following list are allowed. Multiple Access Control Entries (ACE) are concatenated using a pipe “|”. The ACE syntax has been designed so additional permissions and access verbs (eg. Deny) can be added in future versions.Access Control List (ACL) can be as long or short as neededDataSecurity: Green: A (r)PtSecurity: Antarctica: A (r,w)D: (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)| Americas: A (r)| Asia-Pacific: A (r)| Europe: A (r)
17 What else in 2009? PI Network Manager Message Log Subsystem Stability and hardened stackPerformanceEnhanced SMT plug-inMessage Log SubsystemFilter by severityCritical, Error, Warning, Informational, DebugAudit TrailWindows user preservedThe PI network manager service is the heart of data flow in the PI Server architecture and has been from inception. Hardening the network manager code base and communication stack is central to security, reliability, and performance. Changes in pinetmgr will enable new functionality and optimizations in future products.
18 Also coming… Backup Performs incremental backup Checks integrity Maintains “Last Known Good”New SMT plug-inOn demand copy backupViewing backup historyLike safety, a preventative posture is the right approach to security. But security threats continually evolve and breaches – intentional or not, will occur. Reliable backups are an important part of the recovery procedure. New integrity checks are now part of the backup logic to help restore to a last known good state. PI Server backups should be routinely scheduled. On demand copy backups are for special circumstances.
19 Our Commitment to You Ongoing focus of Security Development Lifecycle Help you with Best PracticesReduce effort and improve usabilityEliminate Weakest CodeCumulative QA effort with every releaseCollaborate with Security ExpertsIndustry, Government, Academia, CustomersDigitalbond, Idaho National Lab, and Microsoft are leaders in trustworthy computing and critical infrastructure protection. OSIsoft is an active participant in security activities across many industry groups, standards associations, researchers, regulatory bodies, and commercial partners. Most important is active partnership with our customers; some are world class leaders on security best practices.
20 Call To Action Protect our Critical Infrastructure 4Protect our Critical InfrastructureUse PI for Defense in DepthWe are all stakeholdersPatch management is importantVulnerability in PI Network Manager (18175OSI8)See for yourself how security is easier than ever beforeCome try SMT with the PI Server betaPlan your upgrade today!321Critical infrastructure binds us all together. Clean water, efficient transportation, reliable energy, safe food and drugs…Security is central now and for future generations. Patching and upgrading are essential to maintaining security. Consider a high availability (HA) architecture to maximize flexibility in scheduling planned outages.
21 Being Secure Is… More than regulations and features Technology can helpA state of mind, knowingYour systemsWhat to doWho you trustOSIsoft wants to earn your trustYour business is under many pressures, security is just one. PI Infrastructure for the Enterprise helps deliver good security performance now and over time.