Security in application integration
Kari Nordström

Topics

Objectives
Application integration
  – Enterprise Application Integration – EAI
  – Business-to-Business integration – B2Bi
Information security
  – Basic concepts & ideas
  – Network security
  – Segmented networks
  – Security of application integration systems
Results

Security in application integration – Kari Nordström
09.08.2005

Background and objectives of the thesis

Find out the current level of security in the application integration systems of a certain company
  – Conduct security reviews with a panel of experts
Make suggestions on improving the security level based on findings
Implement improvements if possible
Supervisor: Docent Timo O. Korhonen

Application Integration

Integrating various applications enables information sharing between applications and organisations, not between people (System-to-System connections)
Internal and external integration
  – EAI & B2Bi
Traditionally integration has dealt with sharing business data and documents
  – B2Bi is usually used for exchanging business documents
  – EAI integrates applications to work together; data can be gathered from various sources (applications) before processing

Application integration platforms in the company

[Figure: diagram with the labels Company, ERP, Application, EAI, EDI, RosettaNet, VAN, Internet, EDI partner, RN partner]

Enterprise Application Integration (1/2)

Integration within a single enterprise
A centralised integration solution
  – Error handling, monitoring, cost savings over time

[Figure: two panels labelled "ad hoc" and "EAI", showing applications and databases, with an EAI platform in the EAI panel]

Enterprise Application Integration (2/2)

Integrating diverse applications requires transformations between formats
Processing and / or enrichment of data is also required in some integrations (defined in the workflow)

[Figure: EAI platform, with the labels application A, A's format, adapter, Workflow, Canonical format, adapter, B's format, application B]

Business-to-business integration

Integration between separate enterprises (partner integration)
  – Business data, demand / supply planning …
B2Bi relies on standards, otherwise it would be very cumbersome to connect to other companies, each using their own data formats and processes
Two B2Bi platforms used in the company:
  – EDI, Electronic Data Interchange
  – RosettaNet

Electronic Data Interchange (1/3)

EDI is the “granddaddy” of all B2Bi systems
  – Designed to automate exchanging business documents → a quicker and cheaper way
Dates back all the way to the 1960s, in active use since the 1980s
Two main standards in use
  – EDIFACT (EDI For Administration, Commerce and Transport)
  – ANSI X12

VAN-based EDI (2/3)

VAN (Value Added Network) operators used to relay messages
  – “An electronic post office”

Internet EDI (3/3)

EDI-INT has been thought up to eliminate VAN costs to companies
Standards used:
  – AS1 (SMTP)
  – AS2 (HTTP)
  – AS3 (FTP)
The basic idea: sending EDI messages directly to trading partners over the Internet

RosettaNet (1/2)

XML-based integration standard
  – Developed and maintained by the RosettaNet Consortium, a non-profit organisation of more than 500 corporations
Integrations are based on Partner Interface Processes (PIP), which define how data is processed and the sequence of transactions between trading partners
RosettaNet Implementation Framework (RNIF) describes the basic architecture (RNIF 1.1 & 2.0)
Document Type Definition (DTD) describes the format of messages and data

RosettaNet (2/2)

RosettaNet aims at integrating the whole supply chain, not just passing business documents
Marketed as more flexible and easier to implement than EDI
  – Using VANs actually makes EDI simpler than RosettaNet, where companies need to implement all connections themselves

Information security

Traditional way to model information security: CIA

[Figure: CIA triad with the labels Confidentiality, Integrity, Availability]

General security concepts

Authentication
  – Making sure the user is who she claims to be
Authorisation
  – Giving an authenticated user the right to do something
Accounting
  – All operations performed by users are logged
Non-repudiation
  – If a user performs a task, she can’t later deny having done so; the system also can’t later deny the user’s action
Antivirus protection
  – Protecting computers and network elements against malicious software
Cryptography
  – Scrambling information in a way that only the correct recipient can decipher it

Network security

Host security vs. network security
Systems are protected on the network level by controlling network traffic
  – More cost-effective than host security
Typical misconception: network security = firewalls
  – Firewalls are a central part of network security, but there are numerous other things to consider (understanding the network architecture is key)

A few key security strategies

Use multiple, diverse layers of security
Give the lowest possible rights to users
Deny everything that’s not explicitly allowed
Use choke points to monitor traffic
“KISS – Keep It Simple, Stupid”
Make users aware of security issues!
  – The human factor is often the weakest link in security

Network segmentation

A new network architecture in the company that divides an internal network into smaller parts called cells
Naturally also affects application integration (AI) systems
In practice: more firewalls

[Figure: segmented network diagram with the labels Internet, Intranet, Extranet, Backbone, Access Network, Cell, Firewall, GRE tunnel]

Security requirements for application integration systems

An AI system is central and crucial in any network that has one
Connected to many other systems → attacker could gain access to virtually the whole network if e.g. the EAI system is hacked
Availability requirements are very high
  – Many other systems are dependent on integration systems

Results of the security reviews

Risk level is high for all three systems
Security implementations do not match the current requirements
  – Requirements have changed significantly from the 1990s
RosettaNet was found more secure than EAI and EDI
  – Age, standardisation, segmented network
EDI’s problem is the number of unknown factors
  – VAN operator responsible for most of the implementation
EAI’s biggest problem is the lack of security standards

EAI security improvements

User management (no super-users) → access control
Certain authentication issues have been addressed
  – A component was not authenticating connections properly
Client software used (fewer vulnerabilities)
The migration to new architecture will bring major advancements in the security of the system
  – Border security
Hosts have been hardened

B2Bi security improvements

It’s hard to fundamentally change security implementations in standardised systems
User management has been improved vastly in EDI
EDI will also be migrated into new architecture (RosettaNet has already been migrated)
RNIF specifies many security features, such as various forms of encryption, digital certificates and checksums
  – They just weren’t always used in the company → new policy

Any questions or comments?
If not, thank you!