1. Security in application integration – Kari Nordström

2. Topics
(Slide footer: 09.08.2005 – Security in application integration – Kari Nordström)
- Objectives
- Application integration
  – Enterprise Application Integration (EAI)
  – Business-to-Business integration (B2Bi)
- Information security
  – Basic concepts & ideas
  – Network security
  – Segmented networks
  – Security of application integration systems
- Results

3. Background and objectives of the thesis
- Find out the current level of security in the application integration systems of a certain company
  – Conduct security reviews with a panel of experts
- Make suggestions on improving the security level based on the findings
- Implement improvements if possible
- Supervisor: Docent Timo O. Korhonen

4. Application Integration
- Integrating various applications enables information sharing between applications and organisations, not between people (system-to-system connections)
- Internal and external integration: EAI & B2Bi
- Traditionally integration has dealt with sharing business data and documents
  – B2Bi is usually used for exchanging business documents
  – EAI integrates applications to work together; data can be gathered from various sources (applications) before processing

5. Application integration platforms in the company

6. Enterprise Application Integration (1/2)
- Integration within a single enterprise
- A centralised integration solution
  – Error handling, monitoring, cost savings over time

7. Enterprise Application Integration (2/2)
- Integrating diverse applications requires transformations between formats
- Processing and/or enrichment of data is also required in some integrations (defined in the workflow)

8. Business-to-business integration
- Integration between separate enterprises (partner integration)
  – Business data, demand/supply planning …
- B2Bi relies on standards; otherwise it would be very cumbersome to connect to other companies, each using their own data formats and processes
- Two B2Bi platforms used in the company:
  – EDI, Electronic Data Interchange
  – RosettaNet

9. Electronic Data Interchange (1/3)
- EDI is the "granddaddy" of all B2Bi systems
  – Designed to automate exchanging business documents → a quicker and cheaper way
- Dates back all the way to the 1960s, in active use since the 1980s
- Two main standards in use
  – EDIFACT (EDI For Administration, Commerce and Transport)
  – ANSI X12

10. VAN-based EDI (2/3)
- VAN (Value Added Network) operators used to relay messages
  – "An electronic post office"

11. Internet EDI (3/3)
- EDI-INT has been thought up to eliminate VAN costs to companies
- Standards used:
  – AS1 (SMTP)
  – AS2 (HTTP)
  – AS3 (FTP)
- The basic idea: sending EDI messages directly to trading partners over the Internet

12. RosettaNet (1/2)
- XML-based integration standard
  – Developed and maintained by the RosettaNet Consortium, a non-profit organisation of more than 500 corporations
- Integrations are based on Partner Interface Processes (PIP), which define how data is processed and the sequence of transactions between trading partners
- RosettaNet Implementation Framework (RNIF) describes the basic architecture (RNIF 1.1 & 2.0)
- Document Type Definition (DTD) describes the format of messages and data

13. RosettaNet (2/2)
- RosettaNet aims at integrating the whole supply chain, not just passing business documents
- Marketed as more flexible and easier to implement than EDI
  – Using VANs actually makes EDI simpler than RosettaNet, where companies need to implement all connections themselves

14. Information security
- Traditional way to model information security: CIA (confidentiality, integrity, availability)

15. General security concepts
- Authentication – making sure the user is who she claims to be
- Authorisation – giving an authenticated user the right to do something
- Accounting – all operations performed by users are logged
- Non-repudiation – if a user performs a task, she can't later deny having done so; the system also can't later deny the user's action
- Antivirus protection – protecting computers and network elements against malicious software
- Cryptography – scrambling information in a way that only the correct recipient can decipher it

16. Network security
- Host security vs. network security
- Systems are protected on the network level by controlling network traffic
  – More cost-effective than host security
- Typical misconception: network security = firewalls
  – Firewalls are a central part of network security, but there are numerous other things to consider (understanding the network architecture is key)

17. A few key security strategies
- Use multiple, diverse layers of security
- Give the lowest possible rights to users
- Deny everything that's not explicitly allowed
- Use choke points to monitor traffic
- "KISS – Keep It Simple, Stupid"
- Make users aware of security issues!
  – The human factor is often the weakest link in security

18. Network segmentation
- A new network architecture in the company that divides the internal network into smaller parts called cells
- Naturally also affects AI (application integration) systems
- In practice: more firewalls

19. Security requirements for application integration systems
- An AI system is central and crucial in any network that has one
- Connected to many other systems → an attacker could gain access to virtually the whole network if e.g. the EAI system is hacked
- Availability requirements are very high
  – Many other systems are dependent on integration systems
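Slides 17 to 19 describe default deny, choke points, network cells and the exposure of a central EAI hub. As an added illustration that is not part of the thesis or its slides, the following Python model enforces a default-deny rule set between constructed cells, logs every cross-cell decision at the firewall choke point, and shows that the hub's cell can reach every application cell while an application cell reaches only the hub; the host names, cell names and rules are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Flow:
    src_host: str
    dst_host: str
    port: int

@dataclass
class SegmentedNetwork:
    """Cells are separated by firewalls; anything not in `allowed` is denied,
    and every cross-cell decision is logged so the firewalls double as
    monitoring choke points (slides 17 and 18)."""
    cells: dict      # host -> cell name (constructed inventory)
    allowed: set     # (src_cell, dst_cell, port) explicitly permitted
    audit_log: list = field(default_factory=list)

    def check(self, flow: Flow) -> bool:
        src, dst = self.cells.get(flow.src_host), self.cells.get(flow.dst_host)
        if src is None or dst is None:   # unknown hosts get no implicit trust
            return self._decide("DENY", flow, "unknown host")
        if src == dst:                   # assumption: no filtering inside a cell
            return True
        if (src, dst, flow.port) in self.allowed:
            return self._decide("ALLOW", flow, "explicit rule")
        return self._decide("DENY", flow, "no matching rule (default deny)")

    def _decide(self, verdict: str, flow: Flow, reason: str) -> bool:
        self.audit_log.append((verdict, flow, reason))
        return verdict == "ALLOW"

    def reachable_cells(self, cell: str) -> set:
        """Cells that a compromised host in `cell` could open connections into."""
        return {dst for src, dst, _ in self.allowed if src == cell}

# Constructed example: two application cells and an integration cell holding the
# EAI hub. Applications may only talk to the hub, never directly to each other.
HOSTS = {"erp01": "erp", "crm01": "crm", "eai-hub": "integration"}
RULES = {("erp", "integration", 443), ("integration", "erp", 443),
         ("crm", "integration", 443), ("integration", "crm", 443)}
NET = SegmentedNetwork(HOSTS, RULES)

if __name__ == "__main__":
    for f in (Flow("erp01", "eai-hub", 443), Flow("erp01", "crm01", 443),
              Flow("eai-hub", "crm01", 443), Flow("erp01", "eai-hub", 22)):
        print(f, "->", "ALLOW" if NET.check(f) else "DENY")
    # The hub's cell reaches every application cell: compromising the hub
    # exposes far more than compromising one application (slide 19).
    print("hub reaches:", NET.reachable_cells("integration"))
    print("erp reaches:", NET.reachable_cells("erp"))
```

The audit log collected by `check` is what a monitoring team would watch at the choke point: repeated DENY entries from one application host are an early sign of misconfiguration or lateral movement.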

20. Results of the security reviews
- Risk level is high for all three systems
- Security implementations do not match the current requirements
  – Requirements have changed significantly since the 1990s
- RosettaNet was found more secure than EAI and EDI
  – Age, standardisation, segmented network
- EDI's problem is the number of unknown factors
  – VAN operator responsible for most of the implementation
- EAI's biggest problem is the lack of security standards

21. EAI security improvements
- User management (no super-users) → access control
- Certain authentication issues have been addressed
  – A component was not authenticating connections properly
- Client software used (fewer vulnerabilities)
- The migration to the new architecture will bring major advancements in the security of the system
  – Border security
- Hosts have been hardened

22. B2Bi security improvements
- It's hard to fundamentally change security implementations in standardised systems
- User management has been improved vastly in EDI
- EDI will also be migrated into the new architecture (RosettaNet has already been migrated)
- RNIF specifies many security features, such as various forms of encryption, digital certificates and checksums
  – They just weren't always used in the company → new policy

23. Any questions or comments? If not, thank you!