Fine grained authorization for
Web Services
Jonathan Gershater
Solution Architect
http://www.layer7tech.com
What you will learn in this session

 1. The difference between fine grained and coarse grained authorization
 2. The challenge with implementing fine grained authorization in service based architectures
 3. How to leverage existing identity infrastructure for entitlements management
 4. How to use policy enforcement intermediaries to enforce entitlement preferences

March 2008
Traditional enterprise

 Independent applications, each with its own access control mechanisms and authorization policies.

Traditional enterprise security

 Protected by
 • A gate-keeper firewall primarily offering network level TCP/IP protection.
 • URL-only protection using agent based SSO solutions.

The New Enterprise: SaaS, Web 2.0, Legacy

 The challenge:
 • Mixed application and integration environment
 • Diverse credential requirements
 • Existing SSP and user directories
 • No centralized policy control and audit
 • Services requiring fine grained authorization

SaaS, Web 2.0, Integrated enterprise

 (Diagram slides, no text.)

Web Services authentication: The Many-To-Many Problem

 (Diagram.) Requesters present tokens either at the transport level (HTTP header, x509, etc.) or at the message level (UTP, x509, ...). Each web service must validate those tokens against a range of back-end authentication sources: LDAP directory, proprietary IAM, certificate servers (OCSP, CRLs, etc.) and more. Every token type has to be mapped to every authentication source, hence many-to-many.

Complexity grows!

 • Multi-platform, multi-development environment: .NET, J2EE frameworks, other
 • Support mobile users / disconnected applications
 • Support conditional expressions for authorization
 • Use existing authentication sources

Quick review of AAA

 • Authentication: who are you?
 • Authorization: what can you do?
 • Auditing: who did what?

What is coarse versus fine grained authorization?

 What is authorization?

 The difference between coarse grained authorization (static):
     • By job role
     • By IT defined role
     • By group membership

 and fine grained authorization (dynamic):
     • By transaction type
     • By time of day or day of week

Sample fine grained AZ request

 Stock quote can be anonymous.
 Stock purchase during trading hours must be:
     • Authenticated
     • over SSL
     • within working hours
     • not from a suspect network

 (user = Name_of_Stockbroker)
 AND
 (SSL = TRUE)
 AND
 ((hour > 6am) AND (hour < 1pm))
 AND
 (ip_address_segment != 155.154.133.0)

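As an added illustration (not part of the original slides), here is how a small Policy Decision Point and Policy Enforcement Point pair might evaluate exactly the rule above, with the decision carrying the failed conditions so the audit log can record who did what and why it was refused. The /24 reading of the slide's "segment", the attribute names and the sample requests are assumptions.

```python
"""
Fine-grained authorization for the stock-trading service on the slide.

Policy (from the slide):
  stock quote    -> anonymous access allowed
  stock purchase -> (user == Name_of_Stockbroker) AND (SSL == TRUE)
                    AND (hour > 6am AND hour < 1pm)
                    AND (ip_address_segment != 155.154.133.0)

Assumptions (not stated on the slide): the "segment" is a /24 network,
the requester name is the authenticated principal extracted by the PEP,
and unknown operations are denied by default.
"""
from dataclasses import dataclass, field
from datetime import time
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Assumed: the slide's 155.154.133.0 segment is a /24.
SUSPECT_SEGMENT = ip_network("155.154.133.0/24")
TRADING_OPEN = time(6, 0)    # slide: hour > 6am
TRADING_CLOSE = time(13, 0)  # slide: hour < 1pm
STOCKBROKER = "Name_of_Stockbroker"  # placeholder principal from the slide


@dataclass
class Request:
    """Attributes the PEP extracts from the message before asking the PDP."""
    operation: str            # "quote" or "purchase"
    user: Optional[str]       # authenticated principal, None if anonymous
    ssl: bool                 # request arrived over SSL/TLS
    at: time                  # local time of day the request arrived
    source_ip: str            # requester address as seen by the gateway


@dataclass
class Decision:
    permit: bool
    reasons: List[str] = field(default_factory=list)  # failed conditions, for audit


def decide(req: Request) -> Decision:
    """Policy Decision Point: evaluate the fine-grained rule for one operation."""
    if req.operation == "quote":
        return Decision(True)  # quotes may be anonymous
    if req.operation != "purchase":
        return Decision(False, ["unknown operation"])  # default deny

    failed = []
    if req.user != STOCKBROKER:
        failed.append("user is not the authorized stockbroker")
    if not req.ssl:
        failed.append("request not over SSL")
    if not (TRADING_OPEN < req.at < TRADING_CLOSE):
        failed.append("outside trading hours")
    if ip_address(req.source_ip) in SUSPECT_SEGMENT:
        failed.append("source address in suspect network segment")
    return Decision(not failed, failed)


def enforce(req: Request, audit: List[str]) -> bool:
    """Policy Enforcement Point: ask the PDP, write the audit line, allow or block."""
    d = decide(req)
    verdict = "PERMIT" if d.permit else "DENY"
    who = req.user or "anonymous"
    detail = f" ({'; '.join(d.reasons)})" if d.reasons else ""
    audit.append(f"{verdict} {who} {req.operation} from {req.source_ip}{detail}")
    return d.permit


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    log: List[str] = []
    enforce(Request("quote", None, False, time(23, 0), "155.154.133.9"), log)
    enforce(Request("purchase", STOCKBROKER, True, time(10, 30), "10.1.2.3"), log)
    enforce(Request("purchase", STOCKBROKER, True, time(10, 30), "155.154.133.9"), log)
    print("\n".join(log))
```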
Solution

 A Policy Decision Point (PDP) that intercepts and examines XML packets at the application layer:

 • Identifies the service endpoint
 • Authenticates the requester, with support for diverse credential types
 • Integrates with diverse SSO, federation and user directories
 • Performs fine-grained authorization of an operation within a service
 • Credential chaining and translation
 • SAML issuing for downstream consistency

Policy Decision Points (PDP)

 (Diagram slide, no text.)

Also... SAMLP query to Policy Decision Point (PDP)

 (Diagram slide, no text.)

Other solutions: an XACML query

 The Policy Enforcement Point (PEP) makes an XACML query to a Policy Decision Point (PDP).

 • PEP executes an XACMLAuthzDecisionQuery
 • PDP returns an XACMLAuthzDecisionStatement

Policy Enforcement Point makes an XACML query

 (Diagram slide, no text.)

Layer 7 solution for fine grained authorization

 Policy Decision Point (PDP):

 • Highly available / clustered
 • Integrates with several Web Single Sign-On and Policy Decision Point sources
 • Supports any information store: databases or Secure Token Services
 • Generates the appropriate SAML assertion to make authorization decisions

Appliance, software or virtual machine solution

 (Diagram.) A message level intermediary sits between services and requesters; internal application consumers and external application consumers on one side, services on the other.

Layer 7 SecureSpan Gateway

 Runtime Governance - Policy Enforcement Point

 (Diagram.) The PEP validates policy compliance and applies security decorations in front of the services. Security requirements are defined by an administrator, and policies become effective independently of the actual services.

SecureSpan Solution Advantages, Differentiators

 • Sophisticated policy language enables complex governance requirements
 • Available as a hardware appliance with XML accelerator or as software
 • Quick deployment, ease of use
 • Extensible through APIs
 • Instant policy application (no service downtime)
 • Standards based
 • Industry leadership

Thanks and questions

 Jonathan Gershater
 jg@layer7tech.com
 http://www.layer7tech.com
 http://layer7blog.blogspot.com/

WebRTC and SIP not just audio and video @ OpenSIPS 2024Lorenzo Miniero
 
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc
 
Using IESVE for Room Loads Analysis - UK & Ireland
Using IESVE for Room Loads Analysis - UK & IrelandUsing IESVE for Room Loads Analysis - UK & Ireland
Using IESVE for Room Loads Analysis - UK & IrelandIES VE
 
Portal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russePortal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russe中 央社
 
State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!Memoori
 
Generative AI Use Cases and Applications.pdf
Generative AI Use Cases and Applications.pdfGenerative AI Use Cases and Applications.pdf
Generative AI Use Cases and Applications.pdfalexjohnson7307
 
Design and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data ScienceDesign and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data SciencePaolo Missier
 
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...FIDO Alliance
 

Dernier (20)

Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)
Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)
Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)
 
AI mind or machine power point presentation
AI mind or machine power point presentationAI mind or machine power point presentation
AI mind or machine power point presentation
 
Working together SRE & Platform Engineering
Working together SRE & Platform EngineeringWorking together SRE & Platform Engineering
Working together SRE & Platform Engineering
 
2024 May Patch Tuesday
2024 May Patch Tuesday2024 May Patch Tuesday
2024 May Patch Tuesday
 
The Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightThe Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and Insight
 
Google I/O Extended 2024 Warsaw
Google I/O Extended 2024 WarsawGoogle I/O Extended 2024 Warsaw
Google I/O Extended 2024 Warsaw
 
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...
 
How we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdfHow we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdf
 
Long journey of Ruby Standard library at RubyKaigi 2024
Long journey of Ruby Standard library at RubyKaigi 2024Long journey of Ruby Standard library at RubyKaigi 2024
Long journey of Ruby Standard library at RubyKaigi 2024
 
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
 
Vector Search @ sw2con for slideshare.pptx
Vector Search @ sw2con for slideshare.pptxVector Search @ sw2con for slideshare.pptx
Vector Search @ sw2con for slideshare.pptx
 
Top 10 CodeIgniter Development Companies
Top 10 CodeIgniter Development CompaniesTop 10 CodeIgniter Development Companies
Top 10 CodeIgniter Development Companies
 
WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024
 
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
 
Using IESVE for Room Loads Analysis - UK & Ireland
Using IESVE for Room Loads Analysis - UK & IrelandUsing IESVE for Room Loads Analysis - UK & Ireland
Using IESVE for Room Loads Analysis - UK & Ireland
 
Portal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russePortal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russe
 
State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!
 
Generative AI Use Cases and Applications.pdf
Generative AI Use Cases and Applications.pdfGenerative AI Use Cases and Applications.pdf
Generative AI Use Cases and Applications.pdf
 
Design and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data ScienceDesign and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data Science
 
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
 

Layer 7: Fine Grained Authorization for Web Services

  • 1. Fine grained authorization for Web Services. Jonathan Gershater, Solution Architect, http://www.layer7tech.com
  • 2. What you will learn in this session: 1. The difference between fine grained and coarse grained authorization. 2. The challenge with implementing fine grained authorization in service based architectures. 3. How to leverage existing identity infrastructure for entitlements management. 4. How to use policy enforcement intermediaries to enforce entitlement preferences. March 2008
  • 3. Traditional enterprise: independent applications with their own access control mechanisms and authorization policies.
  • 4. Traditional enterprise security. Protected by: a gate-keeper firewall primarily offering network level TCP/IP protection; URL-only protection using agent based SSO solutions.
  • 5. The New Enterprise: SaaS, Web 2.0, Legacy. The challenge: mixed application and integration environment; diverse credential requirements; existing SSP and user directories; no centralized policy control and audit; services requiring fine grained authorization.
  • 6. SaaS, Web 2.0, Integrated enterprise (diagram).
  • 7. SaaS, Web 2.0, Integrated enterprise (diagram).
  • 8. Web Services authentication: the Many-To-Many Problem. Tokens: Transport (HTTP header, x509, etc.); Message (UTP, x509, ...). Authentication sources: LDAP Directory; Proprietary IAM; Certificate Servers (OCSP, CRLs, etc.); etc. Every token type may need to be validated against every authentication source before a request reaches the Web Services.
  • 9. Complexity grows! Multi-platform, multi-development environment (.NET, J2EE frameworks, other); support mobile users / disconnected applications; support conditional expressions for authorization; use existing authentication sources.
  • 10. Quick review of AAA. Authentication: who are you? Authorization: what can you do? Auditing: who did what?
  • 11. What is coarse versus fine grained authorization? Coarse grained authorization is static: by job role, by IT defined role, by group membership. Fine grained authorization is dynamic: by transaction type, by time of day or day of week.
  • 12. Sample fine grained AZ request. A stock quote can be anonymous. A stock purchase during trading hours must be: authenticated; over SSL; during working hours; not from a suspect network. As a rule: (user=Name_of_Stockbroker) AND (SSL=TRUE) AND ((hour > 6am) AND (hour < 1pm)) AND (ip_address_segment != 155.154.133.0)
  • 13. Solution: a Policy Decision Point (PDP) that intercepts and examines XML packets at the application layer. It identifies the service endpoint; authenticates the requester with support for diverse credential types; integrates with diverse SSO, Federation and user directories; performs fine-grained authorization of an operation within a service; performs credential chaining and translation; issues SAML for downstream consistency.
  • 14. Policy Decision Points (PDP) (diagram).
  • 15. Also... SAMLP query to a Policy Decision Point (PDP) (diagram).
  • 16. Other solutions: an XACML query. A Policy Enforcement Point (PEP) makes an XACML query to a Policy Decision Point (PDP). The PEP executes an XACMLAuthzDecisionQuery; the PDP returns an XACMLAuthzDecisionStatement.
  • 17. Policy Enforcement Point makes an XACML query (diagram).
  • 18. Layer 7 solution for fine grained authorization. Policy Decision Point (PDP): highly available / clustered; integrates with several Web Single Sign-On and Policy Decision Point sources; supports any information store: databases or Secure Token Services; generates the appropriate SAML assertion to make authorization decisions.
  • 19. Appliance, software or virtual machine solution: a message level intermediary between services and requesters (diagram: internal application consumers, external application consumers, services).
  • 20. Layer 7 SecureSpan Gateway: runtime governance, Policy Enforcement Point. The PEP validates policy compliance and applies security decorations. Security requirements are defined by an administrator. Policies become effective independently of the actual services.
  • 21. SecureSpan solution advantages and differentiators: sophisticated policy language enables complex governance requirements; available as a hardware appliance with XML accelerator or as software; quick deployment, ease of use; extensible through APIs; instant policy application (no service downtime); standards based; industry leadership.
  • 22. Thanks and questions. Jonathan Gershater, jg@layer7tech.com, http://www.layer7tech.com, http://layer7blog.blogspot.com/
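The stock-trading rule on slide 12 and the PEP/PDP split on slide 16, worked as an added example that is not code from the deck or from Layer 7. The `Request` attribute names, the Permit/Deny strings and the /24 reading of "ip_address_segment" are assumptions chosen for illustration.

```python
"""Added example: a minimal PEP/PDP pair evaluating the slide-12 rule.
Attribute names, decision strings and the /24 suspect segment are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Request:
    """Constructed request context: what a PEP extracts from the transport
    (TLS, source IP) and the message (authenticated user, operation)."""
    operation: str          # e.g. "getQuote" or "purchase"
    user: Optional[str]     # None when the caller is anonymous
    ssl: bool               # request arrived over SSL/TLS
    hour: int               # 0-23, trading-floor local time
    source_ip: str


# Constructed policy data (assumption): slide 12's suspect network read as a /24,
# and the static, coarse-grained role membership of stockbroker accounts.
SUSPECT_NETWORK = ip_network("155.154.133.0/24")
STOCKBROKERS = {"Name_of_Stockbroker"}


def pdp_decide(req: Request) -> str:
    """PDP: return "Permit" or "Deny" for the request context.
    Quotes are anonymous. Purchases need the full fine-grained rule:
    (user is a stockbroker) AND (SSL) AND (6am < hour < 1pm) AND (not suspect net).
    Anything else is denied by default."""
    if req.operation == "getQuote":
        return "Permit"
    if req.operation == "purchase":
        authenticated_broker = req.user in STOCKBROKERS     # coarse-grained: who
        trading_hours = 6 < req.hour < 13                   # fine-grained: when
        trusted_network = ip_address(req.source_ip) not in SUSPECT_NETWORK
        if authenticated_broker and req.ssl and trading_hours and trusted_network:
            return "Permit"
        return "Deny"
    return "Deny"


def pep_enforce(req: Request) -> bool:
    """PEP: query the PDP and forward to the service only on an explicit Permit."""
    return pdp_decide(req) == "Permit"


if __name__ == "__main__":
    print(pep_enforce(Request("purchase", "Name_of_Stockbroker", True, 10, "10.0.0.5")))
```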