CESP-Access
Cybercom Enhanced
Security Platform

Access control in CESP is performed by CESP-Access. Once the user has been uniquely identified, his or her right to access data or applications is checked. The PEP (Policy Enforcement Point) is the gatekeeper that collects data about the caller and the request. This data is then sent to the Authorization Engine, which performs the check. The Authorization Engine uses the Axiomatic Policy Server to evaluate the policies.
#2-12-2009
Cybercom
CESP-Access




CESP-Access

Access control evaluates whether an actor has the attributes required to get access to a requested service. An actor can be a physical person or another service that needs access to one or more resources.

Access is based on all of the user's attributes. The application can, based on these attributes, grant access to information according to its own access policies. The technique used is ABAC (Attribute Based Access Control). This way of granting access gives much more flexibility than traditional access control based on groups or roles. It also reduces the burden of administering an extensive set of groups and roles when many different applications are reachable through the CESM-ID Single Sign-On functionality.

The rules that govern the access policies are managed using a graphical user interface that makes it easy and intuitive to define and test different access control rules.

Technical Data

The components of CESP-Access are built with Microsoft's .NET technology to ensure efficient integration with other .NET based applications. It may also integrate with legacy systems by using adapters that interpret log messages stored in text files.

Additionally, CESP-Access is built according to the Service Oriented Architecture (SOA) model and provides Web Service interfaces, which enables easy integration with other applications and technical platforms, such as Java based systems.

Axiomatic Policy Server (APS)

Once the user has been uniquely identified, his or her right to access data or applications is checked. APS is the authorization engine in CESP. The authorization process is performed in the same way across the whole CESP.

Access policies are defined using rules based on the eXtensible Access Control Markup Language (XACML). XACML is an OASIS standardized XML language that, besides expressing access control rules, also makes it possible to formalize how rules should be interpreted and combined based on the attributes of the entities they are applied to. The access control policies are stored in the Access Control Service.

CESP-Access Authorization Process

The following sections give an overview of the authorization process and the functions of the PEP (Policy Enforcement Point) and the PDP (Policy Decision Point).

The service call delivers a SAML ticket which contains the caller's attributes. This ticket has typically been produced by CESM-ID.

This ticket is then processed by the PEP and the PDP in accordance with the access policies defined using the XACML language.

CESP-Access PEP

All calls to a service pass a check point that helps the service determine whether a requested activity should be performed or the call should be rejected. This function is called the PEP (Policy Enforcement Point).

The PEP does not take this decision on its own. Its task is to collect all facts about the properties of the caller, the attributes of the requested resources and other facts about the context in which the call is made. All this information is packed and sent to the Access Control Service, which decides whether the call should be accepted or rejected.

CESP-Access PDP

The right to access resources is based on the attributes of the requestor and the attributes of the requested resource. This function is called the PDP (Policy Decision Point) and is located in the Access Control Service. The information is sent as a XACML Request Context.

All policies and rules are stored in the Access Control Service. Based on these policies and rules and the information from the PEP, an access decision is taken. The decision is sent back to the PEP in a XACML Response Context. The service can then get the decision from the PEP and, depending on the answer, allow the caller access to the requested resources or not.
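The PEP to PDP exchange described above, together with the attribute-based evaluation described under CESP-Access on page 2, as an added Python example. It is not CESP-Access, CESM-ID or Axiomatics code. It assumes a single policy whose rules are combined with deny-overrides, a constructed issuer identifier for the SAML ticket, constructed attribute names, and that the ticket's signature and validity period have already been verified before the PEP reads its attributes. XACML 2.0 Request and Response Context element names are used, but attribute matching is reduced to string equality.

```python
"""Minimal XACML-style ABAC round trip: the PEP builds a Request Context from a
verified ticket, the PDP matches rules with deny-overrides and answers with a
Response Context, and the PEP enforces it (fail closed). Added illustration,
not CESP-Access or Axiomatics code; issuer, attributes and rules are made up."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

NS = "urn:oasis:names:tc:xacml:2.0:context:schema:os"   # XACML 2.0 context namespace
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
TRUSTED_ISSUER = "urn:example:cesm-id"                   # assumed ticket issuer name


def q(tag):
    return f"{{{NS}}}{tag}"   # namespace-qualified tag for lookups on parsed XML


@dataclass
class Ticket:
    """Caller attributes the PEP holds after verifying the ticket's signature
    and validity (that verification is assumed to have happened already)."""
    issuer: str
    subject: str
    attributes: dict


@dataclass
class Rule:
    effect: str        # "Permit" or "Deny"
    conditions: dict   # category -> {attribute_id: required value}; all must match


def pep_build_request(ticket, resource_attrs, action):
    """PEP: package caller, resource and action facts as a XACML Request Context."""
    if ticket.issuer != TRUSTED_ISSUER:
        raise ValueError(f"ticket from untrusted issuer {ticket.issuer!r}")
    req = ET.Element("Request", xmlns=NS)

    def add_category(name, attrs):
        cat = ET.SubElement(req, name)
        for attr_id, value in attrs.items():
            a = ET.SubElement(cat, "Attribute", AttributeId=attr_id, DataType=XS_STRING)
            ET.SubElement(a, "AttributeValue").text = value

    add_category("Subject", {"subject-id": ticket.subject, **ticket.attributes})
    add_category("Resource", resource_attrs)
    add_category("Action", {"action-id": action})
    ET.SubElement(req, "Environment")
    return ET.tostring(req, encoding="unicode")


def _attributes(request, category):
    """Flatten one request category into {attribute_id: value}."""
    return {a.get("AttributeId"): a.findtext(q("AttributeValue"))
            for a in request.find(q(category)).findall(q("Attribute"))}


def pdp_evaluate(rules, request_xml):
    """PDP: match every rule against the request facts, combine the matching
    effects with deny-overrides, and return a XACML Response Context."""
    request = ET.fromstring(request_xml)
    facts = {c: _attributes(request, c) for c in ("Subject", "Resource", "Action")}
    effects = [rule.effect for rule in rules
               if all(facts[cat].get(attr) == value
                      for cat, cond in rule.conditions.items()
                      for attr, value in cond.items())]
    if "Deny" in effects:
        decision = "Deny"
    elif "Permit" in effects:
        decision = "Permit"
    else:
        decision = "NotApplicable"   # no rule matched; this is not a grant
    resp = ET.Element("Response", xmlns=NS)
    ET.SubElement(ET.SubElement(resp, "Result"), "Decision").text = decision
    return ET.tostring(resp, encoding="unicode")


def pep_enforce(response_xml):
    """PEP: only an explicit Permit opens the gate; Deny, NotApplicable and
    Indeterminate all mean no access."""
    decision = ET.fromstring(response_xml).findtext(f"{q('Result')}/{q('Decision')}")
    return decision == "Permit"


# Constructed sample policy: finance staff may read invoices, but contractors are
# denied whatever their department (deny-overrides lets the Deny rule win).
INVOICE_RULES = [
    Rule("Permit", {"Subject": {"department": "finance"},
                    "Resource": {"resource-type": "invoice"},
                    "Action": {"action-id": "read"}}),
    Rule("Deny", {"Subject": {"employment": "contractor"}}),
]


def decide(ticket, resource_attrs, action, rules=INVOICE_RULES):
    """Full PEP -> PDP -> PEP round trip; True only on Permit."""
    request_xml = pep_build_request(ticket, resource_attrs, action)
    response_xml = pdp_evaluate(rules, request_xml)
    return pep_enforce(response_xml)


if __name__ == "__main__":
    alice = Ticket(TRUSTED_ISSUER, "alice", {"department": "finance", "employment": "employee"})
    bob = Ticket(TRUSTED_ISSUER, "bob", {"department": "finance", "employment": "contractor"})
    print(decide(alice, {"resource-type": "invoice"}, "read"))    # True
    print(decide(bob, {"resource-type": "invoice"}, "read"))      # False: Deny overrides Permit
    print(decide(alice, {"resource-type": "invoice"}, "delete"))  # False: NotApplicable
```

Run it directly to see the three decisions. Two points are worth noticing in practice: the PEP grants only on an explicit Permit, so NotApplicable (no matching rule) and Indeterminate are treated as no access; and a ticket from an unexpected issuer is rejected before any Request Context is built, because the PDP trusts whatever attributes the PEP forwards, so the trust in the caller's attributes rests entirely on the PEP's verification of the ticket.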




About Cybercom

The Cybercom Group is a high-tech consultancy that offers global sourcing for end-to-end solutions. The Group established itself as a world-class supplier in these segments: security, portal solutions, mobile services, and embedded systems.

Thanks to its extensive industry and operations experience, Cybercom can offer strategic and technological expertise to these markets: telecom, industry, media, public sector, retail, and banking and financial services.

The Group employs 2,000 persons and runs projects worldwide. Cybercom has 28 offices in 11 countries. Since 1999, Cybercom's share has been quoted on the NASDAQ OMX Nordic Exchange. The company was launched in 1995.

Contact Details

For further information, please contact:

Henrik Johansson, Business Unit Manager
henrik.johansson@cybercomgroup.com
+46 70 825 00 80

or visit our website www.cybercom.com






Cybercom Group Europe AB (publ.)
P.O. Box 7574 · SE-103 93 Stockholm · Sweden
Phone: +46 8 578 646 00 · www.cybercom.com
