Fine grained authorization for Web Services
Jonathan Gershater, Solution Architect
http://www.layer7tech.com
What you will learn in this session

 1. The difference between fine grained and coarse grained authorization
 2. The challenge with implementing fine grained authorization in service based architectures
 3. How to leverage existing identity infrastructure for entitlements management
 4. How to use policy enforcement intermediaries to enforce entitlement preferences

March 2008
Traditional enterprise

 Independent applications with their own access control mechanisms and authorization policies.
Traditional enterprise security

 Protected by
 •A gate-keeper firewall primarily offering network level TCP/IP protection.
 •URL only protection using agent based SSO solutions.
The New Enterprise: SaaS, Web2.0, Legacy

 The challenge:
 •Mixed application and integration environment
 •Diverse credential requirements
 •Existing SSP and user directories
 •No centralized policy control and audit
 •Services requiring fine grained authorization
SaaS, Web2.0, Integrated enterprise
WebServices authentication: The Many-To-Many Problem

 Diagram: many token types on the request side map onto many authentication sources behind the Web Services.
 Tokens: Transport (HTTP header, x509, etc.); Message (UTP, x509, ...)
 Authentication sources: LDAP Directory; Proprietary IAM; Certificate Servers (OCSP, CRLs, etc.); etc.

 Complexity grows!
 •Multi-platform, multi-development environment: .NET, J2EE frameworks, other
 •Support mobile users / disconnected applications
 •Support conditional expressions for authorization
 •Use existing authentication sources
Quick review of AAA

 •Authentication: who are you?
 •Authorization: what can you do?
 •Auditing: who did what?
What is coarse versus fine grained authorization?

 What is authorization?

 The difference between coarse grained authorization (static):
     By job role
     By IT defined role
     By group membership

 and fine grained authorization (dynamic):
     By transaction type
     By time of day or day of week
Sample fine grained AZ request

Stock quote can be anonymous.
Stock purchase during trading hours must be:
     •Authenticated
     •over SSL
     •working hours
     •not from suspect network

 (user=Name_of_Stockbroker)
 AND
 (SSL=TRUE)
 AND
 ((hour > 6am) AND (hour < 1pm))
 AND
 (ip_address_segment != 155.154.133.0)
Solution

Policy Decision Point (PDP) that intercepts and examines XML packets at the application layer:

 •Identifies the service endpoint
 •Authenticates the requester, with support for diverse credential types
 •Integrates with diverse SSO, Federation and user directories
 •Performs fine-grained authorization of an operation within a service
 •Credential chaining and translation
 •SAML issuing for downstream consistency
Policy Decision Points (PDP)
Also... SAMLP query to Policy Decision Point (PDP)
Other solutions: an XACML query

Policy Enforcement Point (PEP) makes an XACML query to a Policy Decision Point (PDP).

 •PEP executes XACMLAuthzDecisionQuery
 •PDP returns XACMLAuthzDecisionStatement
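The stock-trading policy from the "Sample fine grained AZ request" slide, carried through the PEP-to-PDP exchange described above, as an added example that is not part of the original deck or of Layer 7's product: the PEP wraps the request attributes in an XACML 2.0 context Request, a toy PDP evaluates the four conditions (authenticated stockbroker, SSL, trading hours, not the suspect network) and returns a context Response with the Decision. The environment attribute ids under urn:example and the quote/purchase action names are assumptions made for the example.

```python
"""PEP/PDP round trip for the slide's stock-trading policy (added example).

The PEP builds an XACML 2.0 context Request; the PDP evaluates the slide's
rules and returns an XACML 2.0 context Response. The urn:example attribute
ids and the "quote"/"purchase" action names are assumptions for this example.
"""
import ipaddress
import xml.etree.ElementTree as ET

XACML_CTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
# Environment attributes the PEP supplies; these ids are assumptions.
ENV_SSL = "urn:example:env:ssl"
ENV_HOUR = "urn:example:env:hour"
ENV_CLIENT_IP = "urn:example:env:client-ip"

# Values taken from the slide: the broker who may trade, the suspect segment.
STOCKBROKER = "Name_of_Stockbroker"
SUSPECT_NET = ipaddress.ip_network("155.154.133.0/24")


def _tag(name):
    return f"{{{XACML_CTX}}}{name}"


def build_request(subject, action, ssl, hour, client_ip):
    """PEP side: wrap the request attributes in an XACML 2.0 context Request."""
    ET.register_namespace("", XACML_CTX)
    req = ET.Element(_tag("Request"))

    def add(section, attr_id, value):
        sec = req.find(_tag(section))
        if sec is None:
            sec = ET.SubElement(req, _tag(section))
        attr = ET.SubElement(sec, _tag("Attribute"),
                             AttributeId=attr_id, DataType=XS_STRING)
        ET.SubElement(attr, _tag("AttributeValue")).text = str(value)

    if subject is None:
        ET.SubElement(req, _tag("Subject"))   # anonymous: empty Subject
    else:
        add("Subject", SUBJECT_ID, subject)
    add("Resource", RESOURCE_ID, "stock")
    add("Action", ACTION_ID, action)
    add("Environment", ENV_SSL, "true" if ssl else "false")
    add("Environment", ENV_HOUR, hour)
    add("Environment", ENV_CLIENT_IP, client_ip)
    return ET.tostring(req, encoding="unicode")


def _attrs(root):
    """Flatten every Attribute in the Request into AttributeId -> text."""
    out = {}
    for attr in root.iter(_tag("Attribute")):
        val = attr.find(_tag("AttributeValue"))
        out[attr.get("AttributeId")] = val.text if val is not None else None
    return out


def decide(request_xml):
    """PDP side: return (decision, failed_checks) for the slide's policy.

    A quote is anonymous; a purchase needs all four conditions. Any
    unparseable hour or address fails its check (fail closed)."""
    a = _attrs(ET.fromstring(request_xml))
    action = a.get(ACTION_ID)
    if action == "quote":
        return "Permit", []
    if action != "purchase":
        return "NotApplicable", []
    failed = []
    if a.get(SUBJECT_ID) != STOCKBROKER:          # (user=Name_of_Stockbroker)
        failed.append("authenticated-as-stockbroker")
    if a.get(ENV_SSL) != "true":                   # (SSL=TRUE)
        failed.append("ssl")
    try:                                           # (hour > 6am) AND (hour < 1pm)
        ok_hour = 6 < int(a.get(ENV_HOUR, "")) < 13
    except (TypeError, ValueError):
        ok_hour = False
    if not ok_hour:
        failed.append("trading-hours")
    try:                                           # ip segment != 155.154.133.0
        ok_net = ipaddress.ip_address(a.get(ENV_CLIENT_IP, "")) not in SUSPECT_NET
    except (TypeError, ValueError):
        ok_net = False
    if not ok_net:
        failed.append("suspect-network")
    return ("Permit" if not failed else "Deny"), failed


def build_response(decision):
    """PDP side: the XACML 2.0 context Response returned in the statement."""
    resp = ET.Element(_tag("Response"))
    result = ET.SubElement(resp, _tag("Result"))
    ET.SubElement(result, _tag("Decision")).text = decision
    status = ET.SubElement(result, _tag("Status"))
    ET.SubElement(status, _tag("StatusCode"),
                  Value="urn:oasis:names:tc:xacml:1.0:status:ok")
    return ET.tostring(resp, encoding="unicode")


def pep_round_trip(subject, action, ssl, hour, client_ip):
    """PEP -> PDP -> PEP: the Decision string the PEP parses out of the Response."""
    decision, _ = decide(build_request(subject, action, ssl, hour, client_ip))
    return ET.fromstring(build_response(decision)).find(".//" + _tag("Decision")).text


if __name__ == "__main__":
    print(build_request(STOCKBROKER, "purchase", True, 10, "10.0.0.5"))
    print(pep_round_trip(STOCKBROKER, "purchase", True, 10, "10.0.0.5"))   # Permit
    print(decide(build_request(STOCKBROKER, "purchase", True, 10, "155.154.133.7")))
```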
Policy Enforcement Point makes an XACML query
Layer 7 solution for fine grained authorization

Policy Decision Point (PDP):

 •Highly available / clustered.
 •Integrates with several Web Single Sign-On and Policy Decision Point sources.
 •Supports any information store: databases or Secure Token Services.
 •Generates the appropriate SAML assertion to make authorization decisions.
Appliance, software or virtual machine solution

 Diagram: a message level intermediary between services and requesters, sitting between Internal Application Consumers and External Application Consumers on one side and the Services on the other.
Layer 7 SecureSpan Gateway

 Runtime Governance: Policy Enforcement Point

 Diagram: the PEP sits in front of the Services, validates policy compliance and applies security decorations.
 Security requirements are defined by an administrator.
 Policies become effective independently of the actual services.
SecureSpan Solution Advantages, Differentiators

  •Sophisticated policy language enables complex governance requirements
  •Available as a hardware appliance with XML accelerator or as software
  •Quick deployment, ease of use
  •Extensible through APIs
  •Instant policy application (no service downtime)
  •Standards based
  •Industry leadership
Thanks and questions

 Jonathan Gershater
 jg@layer7tech.com
 http://www.layer7tech.com
 http://layer7blog.blogspot.com/
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesrafiqahmad00786416
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024The Digital Insurer
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 

Dernier (20)

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source Milvus
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 

Layer 7: Fine Grained Authorization for Web Services

  • 1. Fine grained authorization for Web Services
    Jonathan Gershater, Solution Architect, http://www.layer7tech.com
  • 2. What will you learn in this session?
    1. The difference between fine grained and coarse grained authorization
    2. The challenge with implementing fine grained authorization in service based architectures
    3. How to leverage existing identity infrastructure for entitlements management
    4. How to use policy enforcement intermediaries to enforce entitlement preferences
    March 2008
  • 3. Traditional enterprise
    Independent applications, each with its own access control mechanisms and authorization policies.
  • 4. Traditional enterprise security
    Protected by:
    • A gate-keeper firewall primarily offering network level TCP/IP protection.
    • URL-only protection using agent based SSO solutions.
  • 5. The New Enterprise: SaaS, Web 2.0, Legacy
    The challenge:
    • Mixed application and integration environment
    • Diverse credential requirements
    • Existing SSP and user directories
    • No centralized policy control and audit
    • Services requiring fine grained authorization
  • 6. SaaS, Web 2.0, Integrated enterprise (diagram)
  • 7. SaaS, Web 2.0, Integrated enterprise (diagram)
  • 8. Web Services authentication: the many-to-many problem
    Tokens: transport level (HTTP header, X.509, etc.) and message level (UTP, X.509, ...)
    Request -> Web Services
    Authentication sources: LDAP directory, proprietary IAM, certificate servers (OCSP, CRLs, etc.), etc.
  • 9. Complexity grows!
    • Multi-platform, multi-development environment: .NET, J2EE frameworks, other
    • Support mobile users / disconnected applications
    • Support conditional expressions for authorization
    • Use existing authentication sources
  • 10. Quick review of AAA
    • Authentication: who are you?
    • Authorization: what can you do?
    • Auditing: who did what?
  • 11. What is coarse versus fine grained authorization?
    What is authorization? The difference between:
    • Coarse grained authorization (static): by job role, by IT defined role, by group membership
    • Fine grained authorization (dynamic): by transaction type, by time of day or day of week
  • 12. Sample fine grained AZ request
    A stock quote can be anonymous.
    A stock purchase during trading hours must be authenticated, over SSL, within working hours and not from a suspect network:
    (user=Name_of_Stockbroker) AND (SSL=TRUE) AND ((hour > 6am) AND (hour < 1pm)) AND (ip_address_segment != 155.154.133.0)
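The purchase rule from slide 12 worked as a small Policy Decision Point, as an added example rather than Layer 7's own code: the quote operation is the coarse-grained case with no conditions, the purchase operation applies the dynamic conditions, and anything else is denied by default. The operation names, the fixed date in the helper and the /24 mask on the suspect segment are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Constructed placeholders standing in for the slide's own placeholders.
STOCKBROKER = "Name_of_Stockbroker"
SUSPECT_NETWORK = ip_network("155.154.133.0/24")   # slide's suspect segment, /24 assumed


@dataclass
class RequestContext:
    """Attributes the PEP extracts from transport and message before asking the PDP."""
    operation: str          # "getQuote" or "purchaseStock" (constructed names)
    user: Optional[str]     # authenticated subject, None when anonymous
    ssl: bool               # whether the request arrived over SSL/TLS
    when: datetime          # server-side time the request was received
    source_ip: str          # requester address as seen by the PEP


def decide(ctx: RequestContext) -> Tuple[str, str]:
    """PDP logic for the stock service: returns (decision, reason).
    Deny is the default: an unknown operation or any failed condition denies."""
    if ctx.operation == "getQuote":
        return "Permit", "quotes are anonymous"          # coarse-grained, no conditions
    if ctx.operation == "purchaseStock":
        # Fine-grained: dynamic conditions on subject, transport, time and origin.
        if ctx.user != STOCKBROKER:
            return "Deny", "requester is not the authenticated stockbroker"
        if not ctx.ssl:
            return "Deny", "purchase must arrive over SSL"
        if not 6 < ctx.when.hour < 13:                    # hour > 6am AND hour < 1pm
            return "Deny", "outside trading hours"
        try:
            if ip_address(ctx.source_ip) in SUSPECT_NETWORK:
                return "Deny", "request from the suspect network segment"
        except ValueError:                                 # unparsable address: fail closed
            return "Deny", "source address could not be parsed"
        return "Permit", "all purchase conditions satisfied"
    return "Deny", "no policy for operation %r" % ctx.operation


def make_request(operation, user, ssl, hour, source_ip) -> RequestContext:
    """Build a constructed request received at the given hour on a fixed day."""
    return RequestContext(operation, user, ssl, datetime(2008, 3, 10, hour, 30), source_ip)
```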
  • 13. Solution
    A Policy Decision Point (PDP) that intercepts and examines XML packets at the application layer:
    • Identifies the service endpoint
    • Authenticates the requester, with support for diverse credential types
    • Integrates with diverse SSO, federation and user directories
    • Performs fine-grained authorization of an operation within a service
    • Credential chaining and translation
    • SAML issuing for downstream consistency
  • 14. Policy Decision Points (PDP) (diagram)
  • 15. Also... SAMLP query to a Policy Decision Point (PDP) (diagram)
  • 16. Other solutions: an XACML query
    A Policy Enforcement Point (PEP) makes an XACML query to a Policy Decision Point (PDP):
    • The PEP executes an XACMLAuthzDecisionQuery
    • The PDP returns an XACMLAuthzDecisionStatement
  • 17. Policy Enforcement Point makes an XACML query (diagram)
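The PEP side of the exchange in slides 15 to 17, as an added example that is neither Layer 7's nor OASIS's code: the PEP serialises the requester, service and operation into a XACML 2.0 Request context (the element an XACMLAuthzDecisionQuery carries; the SAML wrapper is left out), then reads the PDP's Response and fails closed on anything but an explicit Permit. The resource name, the constructed responses and the absence of any obligation handling are assumptions.

```python
import xml.etree.ElementTree as ET

# XACML 2.0 context namespace and standard attribute identifiers (real OASIS values).
CTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
ET.register_namespace("", CTX)   # serialise the context namespace as the default


def _attribute(parent, attr_id, value):
    """Append one string-typed <Attribute> under a Subject, Resource or Action."""
    attr = ET.SubElement(parent, "{%s}Attribute" % CTX, AttributeId=attr_id, DataType=XS_STRING)
    ET.SubElement(attr, "{%s}AttributeValue" % CTX).text = value


def build_request(subject, resource, action):
    """PEP side: serialise who / what / which operation into a XACML 2.0 <Request>.
    Under the SAML profile this element travels inside an XACMLAuthzDecisionQuery."""
    req = ET.Element("{%s}Request" % CTX)
    _attribute(ET.SubElement(req, "{%s}Subject" % CTX), SUBJECT_ID, subject)
    _attribute(ET.SubElement(req, "{%s}Resource" % CTX), RESOURCE_ID, resource)
    _attribute(ET.SubElement(req, "{%s}Action" % CTX), ACTION_ID, action)
    ET.SubElement(req, "{%s}Environment" % CTX)   # required by XACML 2.0, may be empty
    return ET.tostring(req)


def decision_of(response_xml):
    """PEP side: pull <Decision> out of the PDP <Response>. A malformed response
    or a missing/empty Decision is reported as Indeterminate."""
    try:
        root = ET.fromstring(response_xml)
    except ET.ParseError:
        return "Indeterminate"
    return root.findtext("{%s}Result/{%s}Decision" % (CTX, CTX)) or "Indeterminate"


def pep_allows(response_xml):
    """Fail closed: only an explicit Permit releases the message to the service;
    Deny, NotApplicable and Indeterminate are all enforced as Deny."""
    return decision_of(response_xml) == "Permit"


# Constructed PDP responses in the shape of XACML 2.0 <Response> documents.
PERMIT_RESPONSE = ('<Response xmlns="%s"><Result><Decision>Permit</Decision><Status>'
                   '<StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/></Status>'
                   '</Result></Response>' % CTX).encode()
NOT_APPLICABLE_RESPONSE = ('<Response xmlns="%s"><Result><Decision>NotApplicable'
                           '</Decision></Result></Response>' % CTX).encode()
```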
  • 18. Layer 7 solution for fine grained authorization
    Policy Decision Point (PDP):
    • Highly available / clustered
    • Integrates with several Web Single Sign-On and Policy Decision Point sources
    • Supports any information store: databases or Secure Token Services
    • Generates the appropriate SAML assertion to make authorization decisions
  • 19. Appliance, software or virtual machine solution
    Message level intermediary between services and requesters (diagram: internal application consumers, external application consumers, services)
  • 20. Layer 7 SecureSpan Gateway
    Runtime governance: Policy Enforcement Point
    • The PEP validates policy compliance and applies security decorations
    • Security requirements are defined by an administrator
    • Policies become effective independently of the actual services
  • 21. SecureSpan solution advantages and differentiators
    • Sophisticated policy language enables complex governance requirements
    • Available as a hardware appliance with XML accelerator or as software
    • Quick deployment, ease of use
    • Extensible through APIs
    • Instant policy application (no service downtime)
    • Standards based
    • Industry leadership
  • 22. Thanks and questions
    Jonathan Gershater, jg@layer7tech.com, http://www.layer7tech.com, http://layer7blog.blogspot.com/