Presentation is loading. Please wait.

Presentation is loading. Please wait.

Data and Applications Security Developments and Directions Dr. Bhavani Thuraisingham The University of Texas at Dallas Security for Distributed Data Management.

Published byWesley Owen Modified over 8 years ago

Similar presentations

Presentation on theme: "Data and Applications Security Developments and Directions Dr. Bhavani Thuraisingham The University of Texas at Dallas Security for Distributed Data Management."— Presentation transcript:

1 Data and Applications Security Developments and Directions Dr. Bhavani Thuraisingham The University of Texas at Dallas Security for Distributed Data Management February 25, 2011

2 Outline l Distributed Database Systems - Architecture, Data Distribution, Functions l Security Issues - Discretionary Security, Multilevel Security l Secure Heterogeneous and Federated Systems l Single Sign-on and Identity Management l Assumption: Network is secure; focusing on securing the data

3 Distributed Architecture Communication Network Distributed Processor 1 DBMS 1 Data- base 1 Data- base 3 Data- base 2 DBMS 2 DBMS 3 Distributed Processor 2 Distributed Processor 3 Site 1 Site 2 Site 3

4 Data Distribution EMP1 SS#NameSalary 1John20 2Paul30 3James40 4Jill50 60 5Mary 6Jane70 D# 10 20 20 20 10 20 DnameD#MGR 10 30 40 Jane David Peter DEPT1 SITE 1 SITE 2 EMP2 SS#NameSalary 9Mathew 70 D# 50 Dname D#MGR 50 Math John Physics DEPT2 David 80 30 Peter9040 7 8 C. Sci. English French 20 Paul

5 Distributed Database Functions l Distributed Query Processing - Optimization techniques across the databases l Distributed Transaction Management - Techniques for distributed concurrency control and recovery l Distributed Metadata Management - Techniques for managing the distributed metadata l Distributed Security/Integrity Maintenance - Techniques for processing integrity constraints and enforcing access control rules across the databases

6 Secure Distributed Architecture

7 Discretionary Security Mechanism

8 Security Policy Integration

9 Views for Security

10 Secure Distributed Database Functions

11 Architecture for Multilevel Security

12 Multilevel Distributed Data Model

13 MLS/DDBMS Functions

14 Distributed Inference Controller

15 Interoperability of Heterogeneous Database Systems Database System A Database System B Network Database System C (Legacy) Transparent access to heterogeneous databases - both users and application programs; Query, Transaction processing (Relational) (Object- Oriented)

16 Technical Issues on the Interoperability of Heterogeneous Database Systems l Heterogeneity with respect to data models, schema, query processing, query languages, transaction management, semantics, integrity, and security policies l Federated database management - Collection of cooperating, autonomous, and possibly heterogeneous component database systems, each belonging to one or more federations l Interoperability based on client-server architectures

17 Federated Database Management Database System A Database System B Database System C Cooperating database systems yet maintaining some degree of autonomy Federation F1 Federation F2

18 Schema Integration and Transformation in a Federated Environment Adapted from Sheth and Larson, ACM Computing Surveys, September 1990 Component Schema for Component A Component Schema for Component B Component Schema for Component C Generic Schema for Component A Generic Schema for Component B Generic Schema for Component C Export Schema for Component A Export Schema I for Component B Export Schema for Component C Federated Schema for FDS - 1 Federated Schema for FDS - 2 External Schema 1.2Schema 2.1 External Schema 2.2 External Schema 1.1 Export Schema II for Component B External

19 Client-Server Architecture: Example Network Client from Vendor A Client from Vendor B Server from Vendor C Server from Vendor D Database

20 Security Issues l Transforming secure data models l Secure architectures: Heterogeneous and federated data management l Security impact on schema/data/policy integration l Incomparable/Overlapping security levels l Inference Control l Secure client-server computing

21 Transforming Secure Data Models EMP: Level = Secret SS#EnameSalary D# 1John20K10 2Paul30K20 3Mary40K20 l Class EMP is Secret l It has 3 instances: l John, Paul and Mary DEPT D#DnameMgr 10 Math Smith U 20PhysicsJones C Level l Class DEPT is Unclassified l It has 2 instances Math and Physics l Math is Unclassified l Physics is Confidential

22 Security Architecture: Heterogeneous data management

23 Security Architecture: Federated data management

24 Federated Data and Policy Management Export Data/Policy Component Data/Policy for Agency A Data/Policy for Federation Export Data/Policy Component Data/Policy for Agency C Component Data/Policy for Agency B Export Data/Policy

25 Incomparable Security Levels

26 Overlapping Security Levels

27 Inference Control

28 Secure Client-Server Computing

29 Comments l Techniques for centralize data management have to be extended for a distributed/heterogeneous/federated environment l Access control enforced across databases l Inference control across databases l Web will continue to impact the development of secure distributed data managers l Network security is critical

30 Single Sign-On l Single sign-on (SSO) is a method of access control that enables a user to log in once and gain access to the resources of multiple software systems without being prompted to log in again.access controllog in l Single sign-off is the reverse process whereby a single action of signing out terminates access to multiple software systems. l As different applications and resources support different authentication mechanisms, single sign-on has to internally translate to and store different credentials compared to what is used for initial authentication

31 Single Sign-On l Kerberos based l Initial sign-on prompts the user for credentials, and gets a Kerberos ticket-granting ticket (TGT.) Kerberos l Additional software applications requiring authentication, such as email clients, wikis, revision control systems, etc, use the ticket-granting ticket to acquire service tickets, proving the user's identity to the mailserver / wiki server / etc. without prompting the user to re-enter credentials.email clientswikisrevision control systems l Windows environment - Windows login fetches TGT. Active directory-aware apps fetch service tickets, so user is not prompted to re-authenticate. WindowsActive directory l UNIX/Linux environment - Login via Kerberos PAM modules fetches TGT. Kerberized client applications such as Evolution, Firefox, and SVN use service tickets, so user is not prompted to re-authenticate. UNIXLinuxPAM EvolutionFirefoxSVN

32 Single Sign-On l Smart card based: Initial sign on prompts the user for smart card. Additional software applications also use the smart card, without prompting the user to re-enter credentials. Smart card-based single sign-on can either use certificates or passwords stored on the smart cardsmart card l Client Certificate Based: Shared Authentication Schemes which are not Single Sign-On - Single sign on requires that users literally sign in once to establish their credentials. Systems which require the user to log in multiple times to the same identity are inherently not single sign on. For example, an environment where users are prompted to log in to their desktop, then log in to their email using the same credentials, is not single sign on. Shared authentication schemes like OpenID, which require additional sign-on for each web site, are also not single sign on.OpenID

33 Single Sign-On l Enterprise Single Sign-On - Enterprise single sign-on (E-SSO) systems are designed to minimize the number of times that a user must type their ID and password to sign into multiple applications. - The E-SSO solution automatically logs users in, and acts as a password filler where automatic login is not possible. Each client is typically given a token that handles the authentication, on other E-SSO solutions each client has E-SSO software stored on their computer to handle the authentication. On the server side is usually an E-SSO authentication server that is implemented into the enterprise network.

34 Federated Identity Management l Federated identity, or the ‘federation’ of identity, describes the technologies, standards and use-cases which serve to enable the portability of identity information across otherwise autonomous security domains. l The ultimate goal of identity federation is to enable users of one domain to securely access data or systems of another domain seamlessly, and without the need for completely redundant user administration. Identity federation comes in many flavors, including ‘user-controlled’ or ‘user-centric’ scenarios, as well as enterprise controlled or B2B scenarios.B2B

35 Federated Identity Management l Federation is enabled through the use of open industry standards and/or openly published specifications, such that multiple parties can achieve interoperability for common use cases. l Typical use-cases involve things such as cross-domain, web- based single sign-on, cross-domain user account provisioning, cross-domain entitlement management and cross-domain user attribute exchange.single sign-on

36 Federated Identity Management l Use of identity federation standards can reduce cost by eliminating the need to scale one-off or proprietary solutions. l It can increase security and lower risk by enabling an organization to identify and authenticate a user once, and then use that identity information across multiple systems, including external partner websites. l It can improve privacy compliance by allowing the user to control what information is shared, or by limiting the amount of information shared. l It can drastically improve the end-user experience by eliminating the need for new account registration through automatic ‘federated provisioning’ or the need to redundantly login through cross-domain single sign-on.

37 Federated Identity Management l Leading enterprises around the world have deployed identity federation to get closer with partners, improve customer service, accelerate execution of business partnerships and alliances, cut cost and complexity of integrating outsourced services, and free themselves from vendor lock-in. l End-users and consumer focused web sites are now beginning to engage in identity federation through the adoption of OpenID, which is an open source specification for enabling federation use-cases.OpenID

38 Federated Identity Management l The notion of identity federation is extremely broad, and also evolving. It could involve user-to-user, user-to-application as well as application-to-application use-case scenarios at both the browser tier as well as the web services or SOA (service- oriented architecture) tier.service- oriented architecture l It can involve high-trust, high-security scenarios as well as low-trust, low security scenarios. The levels of identity assurance that may be required for a given scenario are also being standardized through a common and open Identity Assurance Framework.Identity Assurance Framework l It can involve user-centric use-cases, as well as enterprise- centric use-cases. The term ‘identity federation’ is by design, a generic term, and is not bound to any one specific protocol, technology, implementation or company.

39 Federated Identity Management l One thing that is consistent, however, is the fact that ‘federation’ does describe methods of identity portability which are achieved in an open, often standards-based manner – meaning anyone adhering to the open specification or standard can achieve the full spectrum of use-cases and interoperability. l Identity federation can be accomplished any number of ways, some of which involve the use of formal Internet standards, such as the OASIS SAML specification, and some of which may involve open source technologies and/or other openly published specifications, (e.g. Information Cards, OpenID, the Higgins trust framework or Novell’s Bandit project).OASISSAMLInformation CardsOpenIDHiggins trust frameworkBandit project

Download ppt "Data and Applications Security Developments and Directions Dr. Bhavani Thuraisingham The University of Texas at Dallas Security for Distributed Data Management."

Similar presentations

Identity Network Ideals – Heterogeneity & Co-existence

Identity Network Ideals – Heterogeneity & Co-existence
Single Sign-On with GRID Certificates Ernest Artiaga (CERN – IT) GridPP 7 th Collaboration Meeting July 2003 July 2003.

Single Sign-On with GRID Certificates Ernest Artiaga (CERN – IT) GridPP 7 th Collaboration Meeting July 2003 July 2003.
Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).

Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).
Securing Insecure Prabath Siriwardena, WSO2 Twitter

Securing Insecure Prabath Siriwardena, WSO2 Twitter
T-110.5140 Network Application Frameworks and XML Service Federation 30.04.2007 Sasu Tarkoma.

T Network Application Frameworks and XML Service Federation Sasu Tarkoma.
6/4/2015Page 1 Enterprise Service Bus (ESB) B. Ramamurthy.

6/4/2015Page 1 Enterprise Service Bus (ESB) B. Ramamurthy.
Overview Distributed vs. decentralized Why distributed databases

Overview Distributed vs. decentralized Why distributed databases
The Architecture of Transaction Processing Systems

The Architecture of Transaction Processing Systems
Data and Applications Security Developments and Directions Dr. Bhavani Thuraisingham The University of Texas at Dallas Single-Sign On and Federated Identity.

Data and Applications Security Developments and Directions Dr. Bhavani Thuraisingham The University of Texas at Dallas Single-Sign On and Federated Identity.
Building Trustworthy Semantic Webs Dr. Bhavani Thuraisingham The University of Texas at Dallas Semantic web technologies for secure interoperability and.

Building Trustworthy Semantic Webs Dr. Bhavani Thuraisingham The University of Texas at Dallas Semantic web technologies for secure interoperability and.
Deploying a Certification Authority for Networks Security Prof. Dr. VICTOR-VALERIU PATRICIU Cdor.Prof. Dr. AUREL SERB Computer Engineering Department Military.

Deploying a Certification Authority for Networks Security Prof. Dr. VICTOR-VALERIU PATRICIU Cdor.Prof. Dr. AUREL SERB Computer Engineering Department Military.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Module 10: Designing an AD RMS Infrastructure in Windows Server 2008.

Module 10: Designing an AD RMS Infrastructure in Windows Server 2008.
Christopher Chapman | MCT Content PM, Microsoft Learning, PDG Planning, Microsoft.

Christopher Chapman | MCT Content PM, Microsoft Learning, PDG Planning, Microsoft.
AL-MAAREFA COLLEGE FOR SCIENCE AND TECHNOLOGY INFO 232: DATABASE SYSTEMS CHAPTER 1 DATABASE SYSTEMS (Cont’d) Instructor Ms. Arwa Binsaleh.

AL-MAAREFA COLLEGE FOR SCIENCE AND TECHNOLOGY INFO 232: DATABASE SYSTEMS CHAPTER 1 DATABASE SYSTEMS (Cont’d) Instructor Ms. Arwa Binsaleh.
Integrating the Healthcare Enterprise Enterprise User Authentication and Consistent Time Glen Marshall Co-Chair, IHE IT Infrastructure Planning Committee.

Integrating the Healthcare Enterprise Enterprise User Authentication and Consistent Time Glen Marshall Co-Chair, IHE IT Infrastructure Planning Committee.
Lecture 23 Internet Authentication Applications modified from slides of Lawrie Brown.

Lecture 23 Internet Authentication Applications modified from slides of Lawrie Brown.
Evaluation and Testbed Development Bhavani Thuraisingham The University of Texas at Dallas Jim Massaro and Ravi Sandhu.

Evaluation and Testbed Development Bhavani Thuraisingham The University of Texas at Dallas Jim Massaro and Ravi Sandhu.
Dr. Bhavani Thuraisingham October 2006 Trustworthy Semantic Webs Lecture #16: Web Services and Security.

Dr. Bhavani Thuraisingham October 2006 Trustworthy Semantic Webs Lecture #16: Web Services and Security.
Introduction to Data, Information and Knowledge Management Dr. Bhavani Thuraisingham The University of Texas at Dallas Data, Information and Knowledge.

Introduction to Data, Information and Knowledge Management Dr. Bhavani Thuraisingham The University of Texas at Dallas Data, Information and Knowledge.

Similar presentations

Ads by Google