PI Server Security Bryan S. Owen Omar A. Shafie
What is Security? se·cu·ri·ty 1. The quality or state of being secure: Pronunciation: \si-kyu̇r-ə-tē\ Function: noun Date: 15th century 1. The quality or state of being secure: a) freedom from danger : safety b) freedom from fear or anxiety c) freedom from the prospect of being laid off Security is a mindset, a way of thinking. Not an absolute state or destination. It’s also about value. Security must serve business needs. Source: Webster’s Online Dictionary
PI Infrastructure Helps Information as a Survival Tool Compete using a real-time data infrastructure Collaborate across disparate systems Critical Infrastructure Protection Defense in Depth for your systems Zone Network Depth Software Depth 4 External Network 3 Corporate Operating System 2 Internal Application 1 Critical Data 4 Application and data layers are a core part of the PI Infrastructure and software defense in depth. Likewise, system components are designed to operate even when distributed across network security boundaries. In combination with good practices, the PI infrastructure is capable of providing best available protection for critical cyber infrastructure. 3 2 1
What’s New in PI Server? Enhanced Security Less Maintenance Increased Control and Flexibility Less Maintenance Security Features Stability Better Manageability System Management Tools (SMT) Backward Compatible Lifecycle Support 64bit and Windows 2008 (incl. Server Core) The features are not mutually exclusive – all are part of a security focused theme. The PI Server is certified for Windows 2008 including Server Core. Windows Server 2008 raises the security bar for best practices through secure by default configuration, Read Only Domain Controllers (RODC), Advanced Firewall, and easier IPSEC deployment. Stronger memory protection in x64 platforms raises the bar even higher.
Security Feature Map Confidentiality Integrity Availability Authentication Authorization Asset Versioning Distributed Architecture Application Layer Centric Windows SSPI PI Firewall Annotation & Event Flags HA Collectives & Interfaces PI Trust Security Policies Service Level Indicators Managed PI The 3 foundational pillars of security are Confidentiality, Integrity, and Availability (C-I-A). Features in the PI infrastructure help enable security, especially in the data and application layers. Today we will address just a few topics related to the PI server. Explicit Login Database Security Audit Trail Data Buffering Centric Data Connection Strings Secure Data Objects Read Only Archives Online Backups
Security Feature Topics Confidentiality Integrity Availability Authentication Authorization Asset Versioning Distributed Architecture Application Layer Centric Windows SSPI PI Firewall Annotation & Event Flags HA Collectives & Interfaces PI Trust Security Policies Service Level Indicators Managed PI Today we will address just a few topics related to changes coming in the next PI server version. Explicit Login Database Security Audit Trail Data Buffering Centric Data Connection Strings Secure Data Objects Read Only Archives Online Backups
X Authentication Single Sign On – Windows Security (Kerberos) One time mapping for Active Directory Groups …Just 5 mouse clicks X No need to maintain PI Users & Groups. No passwords stored in PI server. Explicit login still available as a last resort.
Authentication Policy Policies to Allow and Prioritize Methods Windows SSPI PI Trust Explicit Login Granular Scope Server Client Each Identity Piadmin User 1994 ----- 20?? 1992 ----- 2009 Anonymous world access is retired (DefaultUserAccess timeout parameter no longer possible). No access for unauthenticated connections. Cannot be enabled. Leverage Windows password policies (age, complexity, etc..). Can now require non-blank password for explicit login accounts. Anonymous User
Authentication Path Connection initiated from a client to a PI Server will request Windows authentication by default (applications using PI SDK 1.3.6). As before, only a single network destination port on the PI Server is required. Authentication using Windows Security Support Provider Interface (SSPI) does not require additional inbound firewall exceptions. If not cached, will SSPI locate a domain controller (DC) and initiate the outbound query using Kerberos or NTML. For best security, a dedicated DC should be in the same security zone as the PI Server.
Authentication Summary Most Secure if PI Server is a Domain Member Not required Manage Users and Groups Centrally in Windows One time association in PI Explicit Login and Trust You have control Please DISABLE EXPLICIT LOGIN OR AT LEAST SET PASSWORDS ON FACTORY ACCOUNTS SSPI is a Foundation…for Federated Identity Management
[-10400] No Read Access - Secure Object AUTHORIZATION [-10400] No Read Access - Secure Object Authorization is the process of granting access to resources such as tags and modules represent the bulk of secure objects in a PI server.
Is Your Data Protected? Maybe… You MUST make changes! Access is ALWAYS granted with piadmin Factory setting allows world read access You MUST make changes! Default permission is configurable Points: inherit from PIPOINT DBSecurity Modules: inherit from parent Survey: How many people are only using pidemo and piadmin? Does your system have a password for Piadmin? Piadmin is a loaded gun with no safety…you cannot deny access.
Standard Data Protection Example ISO/IEC27000 mapped to G8 Traffic Light Protocol Identity Mapping Customers decide how to protect their data. Standards can be used as a guideline.
History of Authorization Settings PI 2 Security by Display Set permission level for each user and application (0-255) Rights divided into 3 sub ranges Security by Client Node (Read, Write, Login Policy) PI 3 Security by Point PtOwner, PtGroup, PtAccess DataOwner, DataGroup, DataAccess Purpose of this slide is to show, security moving closer to the data and trend toward fewer ‘moving’ parts. Incidentally, display security is an important part of data protection. Best available technology is to draw displays on demand. Document libraries are a good alternative and a natural fit when using MOSS with PI WebParts.
2 In 2009… How many configuration attributes per point? PointSecurity grants who can access a tag and view settings such as span. DataSecurity grants who can access the actual archive data for a point. The “A” following each identity indicates permissions in the following list are allowed. Multiple Access Control Entries (ACE) are concatenated using a pipe “|”. The ACE syntax has been designed so additional permissions and access verbs (eg. Deny) can be added in future versions. Access Control List (ACL) can be as long or short as needed DataSecurity: Green: A (r) PtSecurity: Antarctica: A (r,w) D: (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY) | Americas: A (r) | Asia-Pacific: A (r) | Europe: A (r)
SMT 3.3 Point Builder – Security Dialog
What else in 2009? PI Network Manager Message Log Subsystem Stability and hardened stack Performance Enhanced SMT plug-in Message Log Subsystem Filter by severity Critical, Error, Warning, Informational, Debug Audit Trail Windows user preserved The PI network manager service is the heart of data flow in the PI Server architecture and has been from inception. Hardening the network manager code base and communication stack is central to security, reliability, and performance. Changes in pinetmgr will enable new functionality and optimizations in future products.
Also coming… Backup Performs incremental backup Checks integrity Maintains “Last Known Good” New SMT plug-in On demand copy backup Viewing backup history Like safety, a preventative posture is the right approach to security. But security threats continually evolve and breaches – intentional or not, will occur. Reliable backups are an important part of the recovery procedure. New integrity checks are now part of the backup logic to help restore to a last known good state. PI Server backups should be routinely scheduled. On demand copy backups are for special circumstances.
Our Commitment to You Ongoing focus of Security Development Lifecycle Help you with Best Practices Reduce effort and improve usability Eliminate Weakest Code Cumulative QA effort with every release Collaborate with Security Experts Industry, Government, Academia, Customers Digitalbond, Idaho National Lab, and Microsoft are leaders in trustworthy computing and critical infrastructure protection. OSIsoft is an active participant in security activities across many industry groups, standards associations, researchers, regulatory bodies, and commercial partners. Most important is active partnership with our customers; some are world class leaders on security best practices.
Call To Action Protect our Critical Infrastructure 4 Protect our Critical Infrastructure Use PI for Defense in Depth We are all stakeholders Patch management is important Vulnerability in PI Network Manager (18175OSI8) See for yourself how security is easier than ever before Come try SMT with the PI Server beta Plan your upgrade today! 3 2 1 Critical infrastructure binds us all together. Clean water, efficient transportation, reliable energy, safe food and drugs…Security is central now and for future generations. Patching and upgrading are essential to maintaining security. Consider a high availability (HA) architecture to maximize flexibility in scheduling planned outages.
Being Secure Is… More than regulations and features Technology can help A state of mind, knowing Your systems What to do Who you trust OSIsoft wants to earn your trust Your business is under many pressures, security is just one. PI Infrastructure for the Enterprise helps deliver good security performance now and over time.