Chakray enterprise-security-soi-portunoidm-v3.0

  • Published on
    15-Jan-2015

Transcript

Slide 1: Enterprise Security & SOI: Identity and Access Management (IAM) in the Organizations with WSO2 IS
Roger Carhuatocto, IT Consultant, roger[at]chakray.com, +34 629292125

Slide 2: 1. Enterprise Security

By Enterprise Security we mean the security applied at every level of the Organization, that is:
  • Security compliance (PCI, SOX, MoReq, ISO, BSI, ...)
  • Physical and logical security
  • Perimeter security
  • Preventive, reactive and proactive security

However, the transversal axis, the pillar of corporate-level security, is Identity and Access Management (IAM), which includes:
  • Identity lifecycle management: creating, removing, updating user profiles, etc.
  • A hierarchical user model (groups, roles, etc.), closely tied to the Organization's own hierarchy.
  • Authentication, authorization and auditing services.

If there is one IT security project to implement in an Organization, start with Identity and Access Management (IAM). Every kind of IT security rests on IAM. IAM gives the whole Organization auditability and non-repudiation over the company's assets: information, products, processes, individuals, brand, etc.

(Slide footer, repeated on every following slide: Enterprise Security & SOI: Identity Access Management in the Organizations with WSO2 IS)

Slide 3: diagram only; the transcript carries no text for this slide.

Slide 4: 2. What is an Enterprise Ecosystem?

It is the set of technological Systems and Applications that support the Organization's business. It may comprise:
  • ERP (Enterprise Resource Planning)
  • CRM
  • ECM
  • Ad hoc software
  • Corporate e-mail
  • Corporate portal, intranet, extranet
  • Enterprise content management systems
  • Databases
  • Legacy systems

An Enterprise Ecosystem may be tightly or loosely coupled, and inherited or rather old Systems and Applications may coexist within it; because of the criticality of the information they manage and the high cost of upgrading them, they cannot be replaced.

Slide 5: 3. An example of an Enterprise Ecosystem: Service-oriented Infrastructure (SOI) as best practice

Architecture diagram; recoverable labels:
  • Presentation Layer (VIEW): Portal B2C, Portal B2B, Web, Collaboration, Portlets, Mobile, B2B, API, Dashboard, OpenData
  • Security and Identity Management (SECURITY): Authentication, Authorization, Single Sign-On, Social Login, Federation of Identities, Consolidation of Identities, Users Management, Users Provisioning
  • Orchestration Layer (CONTROLLER, GOVERNED SERVICES): Enterprise Service Bus; BAM, BI & BigData (DB, KPI, Logs, Docs)
  • Business Service Layer (MODEL): New Business Application Systems; Existing Business Applications (ERP, CRM, CMS/ECM; PHP, Ruby, Python, Java); BPM Applications (Bonita BPM: BPM Designer, Workflow Engine, BPM Portal)

Chakray Consulting provides a complete stack for tackling service-based Integration Projects. With a SOA/SOI Reference Architecture built on the WSO2 product stack (free/open source), we can address the full complexity of integrating the Organization's existing business Systems and Applications, always in line with SOA architecture principles.

Slide 6: 4. Applying Security to an Enterprise Ecosystem
  • First phase: Identity and Access Management (IAM): user credential lifecycle management, user model, authentication service, authorization service, SSO service.
  • Second phase: Information Security: PKI, digital signature, centralized document management.
  • Third phase: Security Compliance: risk management of company assets, business continuity.
  • Fourth phase: Auditability and non-repudiation.
Slide 7: 5. Deploying IAM in the Organization (1/2): Service-oriented Infrastructure (SOI) and IAM

Same architecture diagram with a product assigned to each box; recoverable labels:
  • Identity Management: WSO2 IS (Authentication, Authorization, Single Sign-On, Social Login, Consolidation of Identities)
  • Presentation Layer (VIEW): Portal B2C (Liferay Portal); Portal B2B (WSO2 UES, BAM, AM, ES); Web, Collaboration, Portlets, Mobile, B2B, API, Dashboard, OpenData
  • Orchestration Layer (CONTROLLER, GOVERNED SERVICES): Enterprise Service Bus (WSO2 ESB); User Management (WSO2 SS, BAM, CEP); BAM, BI & BigData
  • Federated User Management: Penrose Virtual Directory
  • Business Service Layer (MODEL): Existing Business Applications (Openbravo ERP, Openia CRM, Alfresco ECM; PHP, Ruby, Python, Java); New Business Application Systems; BPM Applications (Bonita BPM: Bonita Studio, Bonita Workflow Engine, Bonita UX Portal)

Implementing an IAM project in the Organization is approached as an Integration Project that follows SOA/SOI principles.

Slide 8: 5. Deploying IAM in the Organization: Identifying Products and Technology for IAM

Same diagram with the integration points numbered 1 to 10 (WSO2 IS, Liferay Portal, WSO2 UES/BAM/AM/ES, WSO2 ESB, WSO2 SS/BAM/CEP, Penrose Virtual Directory, Bonita Studio, Bonita Workflow Engine, Bonita UX Portal, existing and new business applications); the numbering is reused on the summary slide.

Slide 9: 6. IAM use cases: 1. User Credentials Management
  • WSO2 Identity Server: multiple user stores; user store backed by the embedded LDAP, an external LDAP or an external DB; authentication, authorization and SSO; exposes a complete API for user management; provisioning via SCIM; policies.
  • Penrose Virtual Directory: can integrate existing LDAP directories and databases that store user credentials; exposes an LDAP interface that can be used as the external LDAP of WSO2 IS; bidirectional sync (LDAP in read/write mode).

Slide 10: 6. IAM use cases: 2. AuthN and AuthZ for ad hoc applications
  • WSO2 Identity Server exposes an API for user management: recovery, change password, update profile.
  • WSO2 IS exposes AuthN/AuthZ services using several strategies/protocols: OpenID, SAML, OAuth, XACML, RBAC, etc.

Slide 11: 6. IAM use cases: 3. AuthN and AuthZ for existing ERP and ECM
  • Centralized user management: Openia CRM is a module of Openbravo ERP. Openbravo ERP already has user-management functionality, so Openbravo should be configured to point to the embedded LDAP of WSO2 IS or to Penrose Virtual Directory. Likewise, Alfresco ECM should be configured with this LDAP.
  • Authentication and authorization: no extra work is needed if you extend the ERP or ECM, because user credentials and roles live in the LDAP store. Calling services of Openbravo ERP or Alfresco ECM requires HTTP Basic Authentication; use HTTP over SSL for these calls.

Slide 12: 6. IAM use cases: 5. AuthN and AuthZ for Bonita BPM

Any BPM suite has three components:
  • Designer (Bonita Studio): at process-modelling time, having a representation of the hierarchy of users, groups and roles is a great help to the business-process expert. Bonita Studio is based on the Eclipse IDE, and it is possible to model against this hierarchy of users, groups and roles using Bonita's Actor Filter.
  • Workflow engine (Bonita Workflow Engine): the engine has to be configured to obtain the hierarchy from the external LDAP server.
  • Task-list portal (Bonita UX Portal): the AuthN and AuthZ process is delegated to the external LDAP; Bonita UX Portal has to be configured to point to the LDAP server.

Slide 13: 6. IAM use cases: 4. AuthN and AuthZ for existing services
  • The user store in WSO2 IS can be used as the user store of WSO2 ESB.
  • Authentication and authorization: in WSO2 ESB you can enable or disable security on the exposed services. WSO2 IS offers several protocols and strategies as a trusted third party; this is how SSO and federation of identities are reached.

Slide 14: 6. IAM use cases: 7. AuthN and AuthZ for the Presentation Layer
  • Any web portal server commonly has an LDAP connector to sync users, groups and/or roles, as well as connectors for authentication and authorization; Liferay, for example, has tools for both purposes.
  • WSO2 IS provides OpenID functionality that can easily be used with Liferay Portal.
  • Review the authentication, authorization and SSO strategies of WSO2 IS that suit our environment.

Slide 15: 7. IAM flow diagram
  1. Deploy WSO2 Identity Server and create several users and roles. Consolidate user credentials (Penrose Virtual Directory) and deploy the LDAP of WSO2 IS.
  2. Configure LDAP authentication in Liferay pointing to the embedded LDAP of WSO2 IS, and enable user and role (group) sync. From this step on, LDAP authentication and user synchronization are possible.
  3. Configure LDAP authentication and user sync in Bonita pointing to the embedded LDAP of WSO2 IS. At the moment this functionality is available in the Bonita BPM Teamwork edition (http://www.bonitasoft.com/products/productcomparison).
  4. Configure LDAP authentication and user sync in Openbravo pointing to the embedded LDAP of WSO2 IS.
  5. Check the authentication flow and the user sync flow across all the systems: testing authentication and user sync.

Sequence diagrams (participants: Liferay, WSO2 IS, Bonita, Openbravo):
  • Authentication in Liferay: 1. Start login process. 2. Validate credentials. 3. WSO2 IS sends response. 4. Liferay receives response.
  • Authentication in Bonita: 1. Start login process. 2. Pass login process to Bonita. 3. Validate credentials. 4. WSO2 IS sends response. 5. Bonita redirects response. 6. Liferay receives response.
  • Authentication in Openbravo: 1. Start login process. 2. Pass login process to Bonita. 3. Bonita passes login process. 4. Openbravo passes login process. 5. WSO2 IS sends response. 6. Openbravo redirects response. 7. Bonita redirects response. 8. Liferay receives response.

Slide 16: 8. Enterprise Security & SOI: summary

Architecture diagram with the integration points numbered 1 to 10; the transcript keeps only the notes below.
  • 1. Process integration and consolidation of the different sources of user identities. Bidirectional synchronization: the goal is to build a centralized database of identities and attributes.
  • WSO2 Identity Server exposes an API for user management: recovery, change password, update profile. WSO2 IS exposes AuthN/AuthZ services using several strategies/protocols: OpenID, SAML, OAuth, XACML, RBAC, etc.
  • Openia CRM is a module of Openbravo ERP. Openbravo ERP already has user-management functionality, so Openbravo should be configured to point to the embedded LDAP of WSO2 IS or to Penrose Virtual Directory. Likewise, Alfresco ECM should be configured with this LDAP. Calling services of Openbravo ERP or Alfresco ECM requires HTTP Basic Authentication.
  • Bonita BPM in two phases, design time and run time. When processes are being modelled, Bonita Studio's Actor Filters should be configured to fetch users, groups and roles from our centralized user store (LDAP). When processes are running, the BPM engine delegates the validation of identities (authorization) to WSO2 IS, while the model of roles and permissions (attributes) stays in the centralized user store (LDAP).
  • The user store in WSO2 IS can be used as the user store of WSO2 ESB. In WSO2 ESB you can enable or disable security on the exposed services. WSO2 IS offers several protocols and strategies as a trusted third party; this is how SSO and federation of identities are reached.
  • Existing or new applications can delegate their authentication process to WSO2 IS, while for user synchronization they use Penrose Virtual Directory as our centralized repository of users and attributes.
  • The advantage of using Liferay Portal Server rather than a plain application is the ability to delegate authentication, authorization and people management to WSO2 IS just by setting up connectors, with little programming.

Slide 17: 9. Portuno IdM: our solution for IAM

It is our technology strategy supporting the full development cycle of IAM projects in Enterprise Ecosystems.

Technologically it rests on:
  • WSO2 Identity Server
  • Penrose Virtual Directory
  • A set of adapters and configurations for Bonita BPM (Studio, Portal), Openbravo ERP, Liferay Portal, Alfresco ECM, etc. that ease the centralized management of user credentials
  • SOA

Methodologically it rests on the best practices of critical-application architecture and on the principles of service-oriented integration (SOI).

Slide 18: 9. Portuno IdM: benefits
  • Based on mature free/open source products, backed by very active communities and organizations.
  • WSO2 IS and Penrose implement the most widely used security standards of the moment: SAML, OAuth, SCIM, XACML, X.500, X.509, ...
  • Follows architecture and security best practices: decoupled architecture; separation of concerns (SoC); service-oriented architecture (SOA); service-oriented integration (SOI); complete IAM services exposed as an API; cloud-ready: social login; non-intrusive technology: integration and consolidation, not migration or putting systems on the back burner.

Slide 19: 9. Portuno IdM: service offering
  • Consulting: requirements gathering; IAM architecture design; IAM project plan. Duration: 1 week.
  • Architecture and development: deployment of the IAM infrastructure; base configuration of the IAM infrastructure; design and execution of the Test Master Plan for systems integration (login and access control, SSO, centralized user management). Duration: 4 weeks.
  • Integration with business applications: with BPM, ERP, CRM, ECM, portal, social login, etc. Duration: depends on the system to integrate.
  • Advanced IAM: IAM in high availability; managed administration and monitoring. Duration: on request.

Slide 20: diagram labels only; the transcript is cut off here. Architecture and development; requirements gathering; IAM architecture design; IAM project plan; consulting; deployment of the IAM infrastructure; base configuration of the IAM infrastructure; design...
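The consolidation-and-delegation pattern that slides 9, 15 and 16 describe (one user store; every application delegates credential validation and role lookup to it, and offboarding in that one place locks the user out everywhere) as an added, self-contained Python model. This is example code written for this page, not Chakray's Portuno IdM code nor a WSO2 or Penrose API: the UserStore and Application classes, the PBKDF2-hashed in-memory store and the users alice, bob and mallory are constructed stand-ins for the embedded LDAP and the integrated applications (Liferay, Bonita, Openbravo).

```python
import hashlib
import hmac
import secrets
from typing import Optional

PBKDF2_ROUNDS = 100_000
_DUMMY_SALT = bytes(16)   # used so lookups of unknown users cost the same as known ones


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class UserStore:
    """Stand-in for the consolidated identity store (Penrose / WSO2 IS embedded LDAP):
    the single place holding credentials, group/role attributes and the audit trail."""

    def __init__(self) -> None:
        self._users: dict = {}
        self.audit: list = []   # (application, uid, success) for every decision

    def provision(self, uid: str, password: str, roles: set) -> None:
        salt = secrets.token_bytes(16)
        self._users[uid] = {"salt": salt, "hash": _hash_password(password, salt),
                            "roles": set(roles), "enabled": True}

    def deprovision(self, uid: str) -> None:
        # Lifecycle management: disabling here is enough to lock the user out of every app.
        if uid in self._users:
            self._users[uid]["enabled"] = False

    def authenticate(self, uid: str, password: str, app: str) -> bool:
        rec = self._users.get(uid)
        # Always run PBKDF2 so that an unknown user is not distinguishable by timing.
        candidate = _hash_password(password, rec["salt"] if rec else _DUMMY_SALT)
        ok = rec is not None and rec["enabled"] and hmac.compare_digest(rec["hash"], candidate)
        self.audit.append((app, uid, ok))
        return ok

    def roles_of(self, uid: str) -> frozenset:
        rec = self._users.get(uid)
        return frozenset(rec["roles"]) if rec else frozenset()


class Application:
    """A portal, ERP or BPM engine that keeps no credentials of its own and delegates
    AuthN (password check) and AuthZ (role check) to the UserStore."""

    def __init__(self, name: str, store: UserStore, required_role: str) -> None:
        self.name = name
        self.store = store
        self.required_role = required_role
        self.sessions: dict = {}

    def login(self, uid: str, password: str) -> Optional[str]:
        if not self.store.authenticate(uid, password, self.name):
            return None
        if self.required_role not in self.store.roles_of(uid):
            return None   # valid credentials, but not entitled to this application
        token = secrets.token_hex(16)
        self.sessions[token] = uid
        return token


def run_scenario() -> dict:
    """Walk through the flow-diagram slide: one password, three applications,
    then a deprovisioning that must take effect everywhere at once."""
    store = UserStore()
    store.provision("alice", "correct horse", {"portal_user", "bpm_user", "erp_user"})
    store.provision("bob", "battery staple", {"portal_user"})

    liferay = Application("Liferay", store, "portal_user")
    bonita = Application("Bonita", store, "bpm_user")
    openbravo = Application("Openbravo", store, "erp_user")

    results = {
        "alice_liferay": liferay.login("alice", "correct horse") is not None,
        "alice_bonita": bonita.login("alice", "correct horse") is not None,
        "alice_openbravo": openbravo.login("alice", "correct horse") is not None,
        "bob_liferay": liferay.login("bob", "battery staple") is not None,
        "bob_bonita_denied": bonita.login("bob", "battery staple") is None,  # AuthN ok, AuthZ no
        "wrong_password_denied": liferay.login("alice", "wrong") is None,
        "unknown_user_denied": liferay.login("mallory", "x") is None,
    }
    store.deprovision("alice")   # offboarding: no per-application clean-up required
    results["alice_locked_out_everywhere"] = all(
        app.login("alice", "correct horse") is None for app in (liferay, bonita, openbravo))
    results["audit_complete"] = len(store.audit) == 10   # every decision above was recorded
    return results


if __name__ == "__main__":
    for check, passed in run_scenario().items():
        print(f"{check:32s} {'ok' if passed else 'FAIL'}")
```

The point the model makes is the one the deck argues: because no application stores credentials or roles itself, a single change in the store (a disabled account, a removed role) is immediately effective in the portal, the BPM engine and the ERP alike, and the store's audit list is the one place that sees every login decision.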