Information Security and WebFOCUS
Penny J Lester
SVP Delivery Services
August 22, 2008
Authentication
• “Authentication (from Greek αυθεντικός; real or genuine, from authentes; author) is the act of establishing or confirming something (or someone) as authentic, that is, that claims made by or about the thing are true.”
Authorization
• “Authorization (deciding whether to grant access) is a separate concept to authentication (verifying identity), and usually dependent on it.”
www.google.com/a/security
• Google surveyed 575 IT professionals
Information Security
• A layered approach to authentication and authorization (auth/auth)
  – Physical
  – Network
  – Operating System (OS)
  – RDBMS
  – Application
Physical Security
• Secure the hardware
  – Active Reports
• Secure the server room
• Secure your passwords
  – Do not share them
  – Do not write them down
Network Security
• Implement a single sign on (SSO) in a Windows network
  – Update the client odin.cfg
  – Update site.wfs
Operating System Security
• Five authentication options
  – OPSYS
  – PTH
  – DBMS
  – LDAP
  – OFF
• OPSYS
  – Authentication against OS
  – Authorization based on OS IDs
    • Administrators have full access to web console
    • OS ID impersonated to run reports
• OPSYS – PLester57 is not an Administrator
• OPSYS – Penny is the Administrator
• OPSYS – authenticate ID to OS, not an Administrator
• OPSYS – authenticate ID to OS, is an Administrator
• OPSYS – authenticate ID to OS, is invalid
• PTH
  – Authentication against admin.cfg
  – Authorization
    • if ID is in admin.cfg can access WebFOCUS Web Console and run reports
    • if not can only run reports
• PTH – Configured 1 administrator
• PTH – Penny is administrator ID
• PTH – ID “admin” is not administrator
• PTH – ID “Penny” unrestricted access
• PTH – ID “admin” restricted access
• DBMS
  – Authentication against Database vs. the OS
  – Authorization
    • if ID is in the DBMS can run reports
    • if ID is not in the DBMS cannot run reports
Note: the IDs must be set up in the DBMS to use SQL authentication vs. Windows authentication
• DBMS – RDBMS must be up!
• DBMS – Notice no IWA
• DBMS Authentication – Penny
  – Windows
• DBMS Penny IWA
• DBMS Authentication – SQLUser
  – SQL Server
• DBMS SQLUser SQL Server
• LDAP
  – Authentication against LDAP file
  – Authorization
    • if ID is in the LDAP file(s) can run reports
    • if ID is not in the LDAP file(s) cannot run reports
• LDAP – Microsoft Active Directory
• OFF – Danger!!
  – “badID” can do anything the administrator ID that started the server can do!!
Database Security
• DBMS can be used for Authentication
• Data Adapter – Explicit
• Data Adapter – Explicit, invalid ID/pwd
• Data Adapter – Password Passthru
• Data Adapter – Trusted
Application Security
• Managed Reporting Environment
  – Authentication
  – Authorization
  – Analytical User
  – Content Manager
Summary
• A layered approach to authentication and authorization (auth/auth)
  – Physical
  – Network
  – Operating System (OS)
  – RDBMS
  – Application
• WebFOCUS hits four out of five!
Questions?
Thank you!!