Rakuten Tech Conf 2015 Yet Another Security Talk


© 2015 PayPal Inc. All rights reserved. Confidential and proprietary.

Yet Another Security Talk

JUNICHI OKAMURA @ Rakuten Technology Conference 2015, Nov. 21 2015


Who am I?

Junichi Okamura  

PayPal Integration Manager/Evangelist

Scala/Ruby/Node.js/Python/../Mobile/../ppt

ROCK/BEER/WINE/JOJO/API (& meetup) lover

@benzookapi

jokamura@paypal.com


What I want to talk about today


Data Security with the keyword, “Delegation”


What is “Delegation”?


From Printer to RealPrinter

By Wikipedia


Today’s definition by me


Let an expert who has core value provide it instead of me

By Wikipedia


In case of service


Printer (delegator) = Service provider

RealPrinter (delegated) = Feature expert

(Diagram: Printer shown as Provider → Expert)


Drill down in real service


(Diagram: Provider → Expert for each of Chat, Account and Payment)


Actual situation


(Diagram: Chat is Provider + Expert; Account and Payment are each Provider → Expert)

Core value = Expert


Ideal “Delegation”


Focus on your core value as expert, with other ones delegated


Take a look at security features


(Diagram: Chat is Provider + Expert; Account and Payment are each Provider → Expert)


Case 1: Account handling in delegation


(Diagram: Security Core = OAuth API. The user's ID/Password go to the Expert for Account; each of the three Providers receives a Token after Authorize.)


If not in delegation…


(Diagram: three Provider + Expert services, each holding an Account and receiving the user's ID/Password; Security Core)


Case 2: Payment handling in delegation


(Diagram: Security Core = Vault API. The Credit Card goes to the Expert for Payment; each of the three Providers holds an ID and makes a Charge.)


If not in delegation…


(Diagram: three Provider + Expert services, each holding Payment and receiving the user's Credit Card; Security Core)

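The Case 2 data flow above, as an added Python example that is not from the talk and not PayPal's own Vault API: a constructed SecurityCore plays the Expert, turning a card number into an ID bound to one Provider, so a delegating Provider's database (and anything dumped from it) holds only IDs, while the non-delegating Provider + Expert keeps the card itself. The same token-instead-of-secret pattern is what Case 1 shows for accounts; class names, method names and the sample card number are all constructed.

```python
import secrets

# Constructed sample card number for the demo (a well-known test PAN, not a real card).
SAMPLE_PAN = "4111111111111111"


class SecurityCore:
    """The Expert (Vault API): the only party that ever stores the card number."""

    def __init__(self):
        self._vault = {}    # token -> (provider, pan); never leaves this class
        self.charges = []   # (provider, last4, amount) ledger

    def tokenize(self, provider, pan):
        """Vault the card and hand back an opaque ID bound to this Provider."""
        token = "tok_" + secrets.token_hex(8)
        self._vault[token] = (provider, pan)
        return token

    def charge(self, provider, token, amount):
        """Charge by ID; an ID leaked from one Provider is useless to another."""
        rec = self._vault.get(token)
        if rec is None or rec[0] != provider:
            return False
        self.charges.append((provider, rec[1][-4:], amount))
        return True


class DelegatingProvider:
    """Under delegation: the Provider's own database holds IDs, never card numbers."""

    def __init__(self, name, core):
        self.name, self.core, self.db = name, core, {}

    def add_card(self, user, pan):
        self.db[user] = self.core.tokenize(self.name, pan)

    def charge(self, user, amount):
        return self.core.charge(self.name, self.db[user], amount)


class NonDelegatingProvider:
    """Without delegation: the Provider + Expert keeps the card number itself."""

    def __init__(self, name):
        self.name, self.db = name, {}

    def add_card(self, user, pan):
        self.db[user] = pan


def breach_exposes_pan(provider, pan):
    """What someone who dumps the Provider's database would obtain."""
    return pan in provider.db.values()
```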

Under delegation


Users: You only have to give your key data to a reliable expert

Providers: You can focus on your core data as a reliable expert


That is…


Reliable and not duplicated!

By Wikipedia


Out of delegation


Users: You have to give your key data to each unreliable expert

Providers: You need to care about non-core data as an unreliable expert


That is…


By Wikipedia

Unreliable and Duplicated!


What are successful delegation cases?


Account: OAuth and OpenID

Payment: Vault and Tokenization

Encrypt: SSL and certification

…


What is not successful?


Identification: Physical address and health

Banking: Account number and pass phrase

Storage: No vendor lock-in and user chosen

…


Why not successful?


These are difficult to standardize, strongly tied to the business, and have no open/general frameworks

BUT NOT IMPOSSIBLE! WE CAN TRY!


So it is 2015 in JP,


Government starts “MY NUMBER”

(Social Security and Tax Number System)


They are going to be a privacy expert


Do you have a good idea about security design as a software engineer?


How do you think of your data security?


Thank you

JUNICHI OKAMURA @ Rakuten Technology Conference 2015, Nov. 21 2015