Security in application integration
Kari Nordström
09.08.2005

Topics
Objectives
Application integration
– Enterprise Application Integration – EAI
– Business-to-Business integration – B2Bi
Information security
– Basic concepts & ideas
– Network security
– Segmented networks
– Security of application integration systems
Results

Background and objectives of the thesis
Find out the current level of security in the application integration systems of a certain company
– Conduct security reviews with a panel of experts
Make suggestions on improving the security level based on findings
Implement improvements if possible
Supervisor: Docent Timo O. Korhonen

Application Integration
Integrating various applications enables information sharing between applications and organisations, not between people (System-to-System connections)
Internal and external integration
– EAI & B2Bi
Traditionally integration has dealt with sharing business data and documents
– B2Bi is usually used for exchanging business documents
– EAI integrates applications to work together, data can be gathered from various sources (applications) before processing

Application integration platforms in the company
[Diagram. Labels: Company, ERP, applications, EAI, EDI, RosettaNet, VAN, Internet, EDI partners, RN partners]

Enterprise Application Integration (1/2)
Integration within a single enterprise
A centralised integration solution
– Error handling, monitoring, cost savings over time
[Diagram. Panels: "ad hoc" and "EAI"; labels: applications, databases, EAI platform]

Enterprise Application Integration (2/2)
Integrating diverse applications requires transformations between formats
Processing and / or enrichment of data is also required in some integrations (defined in the workflow)
[Diagram. EAI platform: application A -> adapter -> workflow -> adapter -> application B; formats: A's format -> canonical format -> B's format]
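
The adapter, canonical format and workflow steps above, sketched as an added Python example (not from the original presentation). Both message formats, the field names and the price list are constructed for illustration.

```python
import json
from datetime import date

# Constructed formats: A sends "order;sku;qty;DD.MM.YYYY", B expects JSON.
def adapter_a_to_canonical(line):
    """Adapter for application A: parse A's format into the canonical dict."""
    fields = line.strip().split(";")
    if len(fields) != 4:
        raise ValueError("A's format needs exactly 4 fields")
    order_id, sku, qty, day = fields
    d, m, y = (int(part) for part in day.split("."))
    return {"order_id": order_id, "sku": sku, "quantity": int(qty),
            "order_date": date(y, m, d).isoformat()}

def workflow(msg, price_list):
    """Workflow step: validate and enrich, seeing only the canonical format."""
    if msg["quantity"] <= 0:
        raise ValueError("quantity must be positive")
    if msg["sku"] not in price_list:
        raise ValueError("unknown sku: " + msg["sku"])
    return {**msg, "total_cents": price_list[msg["sku"]] * msg["quantity"]}

def adapter_canonical_to_b(msg):
    """Adapter for application B: render the canonical dict in B's format."""
    return json.dumps({"OrderNo": msg["order_id"], "Item": msg["sku"],
                       "Qty": msg["quantity"], "Date": msg["order_date"],
                       "TotalCents": msg["total_cents"]}, sort_keys=True)

def integrate(line, price_list):
    """A's format -> canonical -> workflow -> B's format."""
    canonical = adapter_a_to_canonical(line)
    return adapter_canonical_to_b(workflow(canonical, price_list))
```

A malformed message from A raises `ValueError` in the adapter or the workflow, so it never reaches application B.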

Business-to-business integration
Integration between separate enterprises (partner integration)
– Business data, demand / supply planning …
B2Bi relies on standards, otherwise it would be very cumbersome to connect to other companies, each using their own data formats and processes
Two B2Bi platforms used in the company:
– EDI, Electronic Data Interchange
– RosettaNet

Electronic Data Interchange (1/3)
EDI is the “granddaddy” of all B2Bi systems
– Designed to automate exchanging business documents in a quicker and cheaper way
Dates back all the way to the 1960’s, in active use since the 1980’s
Two main standards in use
– EDIFACT (EDI For Administration, Commerce and Transport)
– ANSI X12

VAN-based EDI (2/3)
VAN (Value Added Network) operators used to relay messages
– “An electronic post office”
[Diagram. Labels: Company and Trading partner, each with an ERP system, an application (X, Y), an EDI system and a translator; VAN with the company's mailbox, the trading partner's mailbox and the VAN operator's processing system]

Internet EDI (3/3)
EDI-INT was devised to eliminate VAN costs for companies
Standards used:
– AS1 (SMTP)
– AS2 (HTTP)
– AS3 (FTP)
The basic idea: sending EDI messages directly to trading partners over the Internet
[Diagram. Labels: Company A and Company B, each with an ERP system, a translator, an AS2-compliant server and an HTTP server; the Internet between them]

RosettaNet (1/2)
XML-based integration standard
– Developed and maintained by the RosettaNet Consortium, a non-profit organisation of more than 500 corporations
Integrations are based on Partner Interface Processes (PIP), which define how data is processed and the sequence of transactions between trading partners
RosettaNet Implementation Framework (RNIF) describes the basic architecture (RNIF 1.1 & 2.0)
Document Type Definition (DTD) describes the format of messages and data

RosettaNet (2/2)
RosettaNet aims at integrating the whole supply chain, not just passing business documents
Marketed as more flexible and easier to implement than EDI
– Using VANs actually makes EDI simpler than RosettaNet, where companies need to implement all connections themselves

Information security
Traditional way to model information security: CIA
– Confidentiality
– Integrity
– Availability

General security concepts
Authentication
– Making sure the user is who she claims to be
Authorisation
– Giving an authenticated user the right to do something
Accounting
– All operations performed by users are logged
Non-repudiation
– If a user performs a task, she can’t later deny having done so, the system also can’t later deny the user’s action
Antivirus protection
– Protecting computers and network elements against malicious software
Cryptography
– Scrambling information in a way that only the correct recipient can decipher it

Network security
Host security vs. network security
Systems are protected on the network level by controlling network traffic
– More cost-effective than host security
Typical misconception: network security = firewalls
– Firewalls are a central part of network security, but there are numerous other things to consider (understanding the network architecture is key)

A few key security strategies
Use multiple, diverse layers of security
Give the lowest possible rights to users
Deny everything that’s not explicitly allowed
Use choke points to monitor traffic
“KISS – Keep It Simple, Stupid”
Make users aware of security issues!
– The human factor is often the weakest link in security

Network segmentation
A new network architecture in the company that divides an internal network into smaller parts called cells
Naturally also affects AI (application integration) systems
In practice: more firewalls
[Diagram. Labels: Internet, Intranet, Extranet, access networks, backbone, GRE tunnels, firewalls, cells]

Security requirements for application integration systems
An AI system is central and crucial in any network that has one
Connected to many other systems → an attacker could gain access to virtually the whole network if e.g. the EAI system is hacked
Availability requirements are very high
– Many other systems are dependent on integration systems
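
The default-deny and choke-point strategies, the cell firewalls, and the exposure created by a compromised integration hub, put together as an added Python example that is not part of the original presentation. Cell names, addresses, ports and allowed flows are all constructed.

```python
import ipaddress

# Constructed cells and flows; none of this comes from the thesis.
CELLS = {name: ipaddress.ip_network(net) for name, net in {
    "erp": "10.1.0.0/24", "eai": "10.2.0.0/24", "b2b": "10.3.0.0/24",
    "crm": "10.4.0.0/24", "wms": "10.5.0.0/24"}.items()}

# Explicit allow list: (source cell, destination cell, protocol, destination port).
ALLOW = {
    ("erp", "eai", "tcp", 8443), ("eai", "erp", "tcp", 1521),
    ("eai", "crm", "tcp", 443), ("eai", "wms", "tcp", 443),
    ("b2b", "eai", "tcp", 8443),
}

def cell_of(addr):
    """Map an IP address to its cell, or None if it is outside every cell."""
    ip = ipaddress.ip_address(addr)
    return next((name for name, net in CELLS.items() if ip in net), None)

def decide(src, dst, proto, port, log):
    """Cell-firewall verdict; every decision is logged (the choke point)."""
    s, d = cell_of(src), cell_of(dst)
    if s is not None and s == d:
        verdict = "allow"   # stays inside one cell, never crosses a cell firewall
    elif (s, d, proto, port) in ALLOW:
        verdict = "allow"   # explicitly allowed flow
    else:
        verdict = "deny"    # default: everything else, including unknown sources
    log.append((src, dst, proto, port, verdict))
    return verdict

def reachable_cells(start):
    """Cells reachable from `start` by chaining allowed flows, i.e. the
    exposure if `start` is compromised."""
    seen, todo = set(), [start]
    while todo:
        cur = todo.pop()
        for s, d, _proto, _port in ALLOW:
            if s == cur and d != start and d not in seen:
                seen.add(d)
                todo.append(d)
    return seen
```

With these constructed rules, `reachable_cells("eai")` covers every business cell while `reachable_cells("crm")` is empty, which is why the integration cell needs the tightest rule set and the closest monitoring.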

Results of the security reviews
Risk level is high for all three systems
Security implementations do not match the current requirements
– Requirements have changed significantly from the 1990’s
RosettaNet was found more secure than EAI and EDI
– Age, standardisation, segmented network
EDI’s problem is the number of unknown factors
– VAN operator responsible for most of the implementation
EAI’s biggest problem is the lack of security standards

EAI security improvements
User management (no super-users) → access control
Certain authentication issues have been addressed
– A component was not authenticating connections properly
Client software used (fewer vulnerabilities)
The migration to new architecture will bring major advancements in the security of the system
– Border security
Hosts have been hardened

B2Bi security improvements
It’s hard to fundamentally change security implementations in standardised systems
User management has been improved vastly in EDI
EDI will also be migrated into new architecture (RosettaNet has already been migrated)
RNIF specifies many security features, such as various forms of encryption, digital certificates and checksums
– They just weren’t always used in the company → new policy

Any questions or comments?
If not, thank you!