Securing Insecure Prabath Siriwardena, WSO2 Twitter
About the presenter: 7+ years at WSO2. Member of the OASIS Identity Metasystem Interoperability (IMI) TC, OASIS eXtensible Access Control Markup Language (XACML) TC, OASIS Security Services (SAML) TC, OASIS Identity in the Cloud TC and OASIS Cloud Authorization (CloudAuthZ) TC. Blog: Books:

Perception

Correctness

C-I-A: Confidentiality, Integrity, Availability. Correctness

The Weakest Link

Insider Attacks

Defense In Depth

Threat Modeling

Pattern 01. Problem Statement: A medium-scale enterprise has a limited number of RESTful APIs. These APIs should only be accessed by company employees via a single web application while they are behind the company firewall. All the user data are stored in an Active Directory, and the web application is connected to it to authenticate users. The web application passes the logged-in user's identifier to the backend APIs and retrieves data related to the user.

Pattern 02. Problem Statement: A medium-scale enterprise has a limited number of RESTful APIs. These APIs should only be accessed by company employees via a single web application while they are behind the company firewall. All the user data are stored in an Active Directory, and the web application is connected to it to authenticate users. The web application needs to access the backend APIs on behalf of the logged-in user.

Pattern 03. Problem Statement: A medium-scale enterprise has a limited number of RESTful APIs. These APIs should only be accessed by company employees via multiple web applications while they are behind the company firewall. All the user data are stored in an Active Directory, and all the web applications are connected to a SAML 2.0 Identity Provider to authenticate users. The web applications need to access backend APIs on behalf of the logged-in user.

Pattern 04. Problem Statement: A medium-scale enterprise has a limited number of RESTful APIs. These APIs should only be accessed by company employees via multiple web applications while they are behind the company firewall. All the user data are stored in an Active Directory, and all the web applications are connected to a SAML 2.0 Identity Provider to authenticate users. The web applications need to access backend APIs on behalf of the logged-in user. All the users are in a Windows domain, and once they are logged into their workstations they should not be asked to provide credentials at any point for any other application.

Pattern 05. Problem Statement: A medium-scale enterprise has a limited number of RESTful APIs. These APIs should only be accessed by company employees, as well as employees from trusted partners, via multiple web applications. All the internal user data are stored in an Active Directory, and all the web applications are connected to a SAML 2.0 Identity Provider to authenticate users. The web applications need to access backend APIs on behalf of the logged-in user.

Pattern 06. Problem Statement: A medium-scale enterprise has a limited number of RESTful APIs. These APIs should only be accessed by company employees via multiple web applications while they are behind the company firewall. All the user data are stored in an Active Directory, and all the web applications are connected to an OpenID Connect Identity Provider to authenticate users. The web applications need to access backend APIs on behalf of the logged-in user.

Pattern 07. Problem Statement: A medium-scale enterprise in the finance industry needs to expose an API to its customers through a mobile application. One major requirement is that all the API calls should support non-repudiation.
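The slides state the non-repudiation requirement but not the mechanism. As an added illustration (not part of the talk, and not WSO2 code), the example below shows the property that makes a request non-repudiable: the customer signs each call with a private key that only the customer holds, and the API verifies with the public key. A shared-secret MAC would not do here, because the API operator holds the same key and could have produced the tag itself, so the customer could later deny the call. The RSA keypair generation, the request format (method, path, body, timestamp, nonce) and all sample values are constructed for this example; the textbook RSA (no padding) is a demonstration of the principle only, and a deployment would use RSA-PSS or ECDSA from a vetted library.

```python
import hashlib
import json
import secrets


def _is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin primality test; enough for a demonstration keypair."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # top and low bit set
        if _is_probable_prime(candidate):
            return candidate


def generate_keypair(bits: int = 512):
    """Textbook RSA keypair (toy size): (n, e) is public, (n, d) never leaves the customer."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:              # e is prime, so this is gcd(e, phi) == 1
            break
    n = p * q
    d = pow(e, -1, phi)                          # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def canonical_request(method: str, path: str, body, timestamp: int, nonce: str) -> bytes:
    """Deterministic encoding of everything the API acts on, so no covered field can be altered.
    The timestamp and nonce let the API reject replays and keep a signed audit record per call."""
    return json.dumps(
        {"method": method, "path": path, "body": body, "ts": timestamp, "nonce": nonce},
        sort_keys=True, separators=(",", ":"),
    ).encode()


def _digest_as_int(message: bytes) -> int:
    # SHA-256 output (256 bits) is always smaller than the 512-bit modulus used here.
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign_request(private_key, method, path, body, timestamp, nonce) -> int:
    """Customer side: signature = H(request)^d mod n. Only the private-key holder can produce it."""
    n, d = private_key
    return pow(_digest_as_int(canonical_request(method, path, body, timestamp, nonce)), d, n)


def verify_request(public_key, signature, method, path, body, timestamp, nonce) -> bool:
    """API side: recompute the digest and check signature^e mod n against it."""
    n, e = public_key
    expected = _digest_as_int(canonical_request(method, path, body, timestamp, nonce))
    return pow(signature, e, n) == expected


if __name__ == "__main__":
    public_key, private_key = generate_keypair()
    body = {"to": "ACC-42", "amount": 100}       # constructed sample payload
    sig = sign_request(private_key, "POST", "/transfers", body, 1700000000, "n-1")
    print(verify_request(public_key, sig, "POST", "/transfers", body, 1700000000, "n-1"))
    print(verify_request(public_key, sig, "POST", "/transfers", {"to": "ACC-42", "amount": 1000}, 1700000000, "n-1"))
```

For the non-repudiation claim to hold in practice, the API must also store the signed request and the public key it was verified against (the signature is only evidence if it is kept), and the customer's private key must be generated and held on the device rather than issued by the service.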

Pattern 08. Problem Statement: A medium-scale enterprise that sells bottled water has a RESTful API (Water API), which can be used to update the amount of water consumed by a registered user. These APIs should be accessed by any registered user via any client application, which could be an Android app, an iOS app or even a web application. The company only provides APIs, and anyone can develop client applications to consume those. All the user data are stored in an Active Directory. Client applications should not be able to access the API directly and query about users. Only registered users can access the API, and they also should not be able to see other users' information. At the same time, for each update by the user, the Water API must also update the user's health care record maintained at MyHealth.org. The user also has a user record at MyHealth.org, and it too exposes an API (MyHealth API). The Water API has to call the MyHealth API to update the user record, on behalf of the user.

Pattern 09. Problem Statement: A large-scale enterprise has a set of RESTful APIs. The APIs are hosted in different departments, and each department runs its own OAuth authorization server due to vendor incompatibilities in different deployments. These APIs should only be accessed by company employees via multiple web applications while they are behind the company firewall, irrespective of the department they belong to. All the user data are stored in a centralized Active Directory, and all the web applications are connected to a centralized OAuth Authorization Server (which also supports OpenID Connect) to authenticate users. The web applications need to access backend APIs on behalf of the logged-in user. These APIs may come from different departments, each having its own authorization server. The company also has a centralized OAuth authorization server, and an employee holding an access token from the centralized authorization server must be able to access any API hosted in any department.

Pattern 10. Problem Statement: A global organization has APIs and API clients distributed across different regions. Each region operates independently of the others. Currently neither the clients nor the APIs are secured. The APIs need to be secured without making any changes at either the API end or the client end.

Pattern 11. Problem Statement: A company wants to expose an API to its own employees, but the user credentials must never go over the wire.
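The slide states the requirement only. As an added example (not from the talk and not WSO2 code), the exchange below is one way to meet it: a challenge-response in which the server stores a password-derived verifier, sends a fresh random challenge, and the client answers with a keyed hash over that challenge. The only things on the wire are the username, the salt, the challenge and the response; the password itself is never transmitted. The class and function names, the PBKDF2 parameters and the sample users are all constructed for this example.

```python
import hashlib
import hmac
import secrets
import time


def derive_verifier(username: str, password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Password-derived key. The server stores this value, never the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt + username.encode(), iterations)


class ChallengeResponseServer:
    def __init__(self, challenge_ttl: float = 60.0):
        self._users = {}     # username -> (salt, verifier); filled during out-of-band enrollment
        self._pending = {}   # username -> (challenge, issued_at); one live challenge per user
        self._ttl = challenge_ttl

    def enroll(self, username: str, password: str) -> None:
        """Enrollment happens once, out of band (e.g. during directory provisioning)."""
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, derive_verifier(username, password, salt))

    def start(self, username: str):
        """Step 1, server -> client: the salt and a fresh random challenge. Nothing secret here."""
        salt, _ = self._users[username]
        challenge = secrets.token_bytes(32)
        self._pending[username] = (challenge, time.monotonic())
        return salt, challenge

    def finish(self, username: str, response: bytes) -> bool:
        """Step 3, server checks the response. The challenge is consumed whether or not it matches,
        so a captured response cannot be replayed."""
        pending = self._pending.pop(username, None)
        if pending is None:
            return False
        challenge, issued_at = pending
        if time.monotonic() - issued_at > self._ttl:
            return False
        _, verifier = self._users[username]
        expected = hmac.new(verifier, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_response(username: str, password: str, salt: bytes, challenge: bytes) -> bytes:
    """Step 2, client -> server: proves knowledge of the password without sending it."""
    verifier = derive_verifier(username, password, salt)
    return hmac.new(verifier, challenge, hashlib.sha256).digest()


if __name__ == "__main__":
    server = ChallengeResponseServer()
    server.enroll("alice", "correct horse battery staple")     # constructed sample user
    salt, challenge = server.start("alice")
    response = client_response("alice", "correct horse battery staple", salt, challenge)
    print(server.finish("alice", response))                     # first use of the challenge
    print(server.finish("alice", response))                     # same response again: rejected
```

Two limits of this simple scheme are worth knowing before choosing it. The stored verifier is password-equivalent for the protocol (whoever holds it can answer challenges), so the verifier store needs the same protection as a password database; protocols such as SRP, or Kerberos in the Windows-domain setting of Pattern 04, avoid that. And a response is a keyed hash of a low-entropy secret, so the exchange should run over a server-authenticated channel to stop an impersonating server from collecting responses for offline guessing.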

Pattern 12. Problem Statement: A medium-scale enterprise has a limited number of RESTful APIs. These APIs should only be accessed by company employees via a single web application while they are behind the company firewall. All the user data are stored in an Active Directory, and the web application is connected to it to authenticate users. The web application needs to access the backend APIs on behalf of the logged-in user. The backend API must authorize the user.
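Patterns 02 through 06 and Pattern 12 all have a web application calling backend APIs on behalf of the logged-in user, and Pattern 12 adds that the backend must authorize that user itself. The slides do not show how; the example below is added here (not from the talk, not WSO2 code) to make the two halves of that concrete. The issuer mints a self-contained, HMAC-signed token naming the user (`sub`), the intended API (`aud`), the granted scope and an expiry; the API first authenticates the token (signature, algorithm allow-list, issuer, audience, expiry) and only then makes its own authorization decision from the scope and from resource ownership. The issuer URL, the audience name, the shared key, the scope names and the record owners are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for the example: a key shared by the issuer and this one API.
ISSUER_KEY = b"constructed-demo-key-do-not-reuse"
ISSUER = "https://idp.example.internal"
API_AUDIENCE = "records-api"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(key: bytes, sub: str, aud: str, scope: str, ttl: int, now=None) -> str:
    """Issuer side: compact JWT-style token stating who the user is and what was granted."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": sub, "aud": aud, "scope": scope, "iat": now, "exp": now + ttl}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    tag = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(tag)


class AuthError(Exception):
    def __init__(self, status: int, reason: str):
        super().__init__(reason)
        self.status = status


def verify_token(key: bytes, token: str, expected_aud: str, now=None) -> dict:
    """API side, authentication: is this token genuine, for me, and still valid?"""
    parts = token.split(".")
    if len(parts) != 3:
        raise AuthError(401, "malformed token")
    try:
        header = json.loads(_b64url_decode(parts[0]))
        expected_tag = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
        tag_ok = hmac.compare_digest(expected_tag, _b64url_decode(parts[2]))
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:                       # covers bad base64, bad JSON, bad UTF-8
        raise AuthError(401, "malformed token")
    if header.get("alg") != "HS256":         # the token never gets to choose the algorithm
        raise AuthError(401, "unsupported alg")
    if not tag_ok:
        raise AuthError(401, "bad signature")
    now = int(time.time()) if now is None else now
    if claims.get("iss") != ISSUER or claims.get("aud") != expected_aud:
        raise AuthError(401, "wrong issuer or audience")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise AuthError(401, "expired")
    return claims


def authorize(claims: dict, required_scope: str, record_owner: str) -> None:
    """API side, authorization: the API's own decision, from granted scope and resource ownership."""
    if required_scope not in claims.get("scope", "").split():
        raise AuthError(403, "insufficient scope")
    if claims.get("sub") != record_owner:
        raise AuthError(403, "not the owner of this record")


def handle_get_record(token: str, record_owner: str, now=None):
    """Handler for GET /records/{owner}; returns (HTTP status, body)."""
    try:
        claims = verify_token(ISSUER_KEY, token, API_AUDIENCE, now)
        authorize(claims, "records:read", record_owner)
    except AuthError as err:
        return err.status, {"error": str(err)}
    return 200, {"owner": record_owner, "read_by": claims["sub"]}


if __name__ == "__main__":
    t0 = 1700000000                          # fixed clock so the run is reproducible
    token = issue_token(ISSUER_KEY, "alice", API_AUDIENCE, "records:read records:write", 300, now=t0)
    print(handle_get_record(token, "alice", now=t0 + 10))    # 200
    print(handle_get_record(token, "bob", now=t0 + 10))      # 403, alice may not read bob's record
    print(handle_get_record(token, "alice", now=t0 + 400))   # 401, expired
```

The symmetric signature keeps the example short, but it means every API that verifies tokens holds the issuer's signing key. In the multi-department setting of Pattern 09 an asymmetric signature is the better fit: each API needs only the central issuer's public key, and no API can mint tokens for another.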

Contact us!