Compliance and Governance
Through Complex Entitlement
Management

Geoff Charron, VP ALES

Noam Bunder, Lead Architect
DataScan Technologies
Agenda

  • Entitlements in the Context of a SOA
  • AquaLogic Enterprise Security (ALES) Overview
  • Implementing Entitlements at DataScan

© 2006 BEA Systems, Inc.
Business Drivers

Application security has evolved:
  • Firewalls "keep the bad guys out" at the perimeter
  • Web server security and Web SSO products provide basic access control at the Web tier
  • Application security logic is still hard-wired and embedded in the application behind the Web tier

Industry trends are driving the need to externalize entitlements from the application:
  • Multiple homegrown and embedded entitlements services
  • Increasing regulatory pressure and privacy concerns
  • Proliferation of applications and increasingly disparate development teams
  • Increasing competitive and time-to-market pressures

[Diagram: Customers, Partners, Employees and Contractors reaching Web Servers, App Servers, Enterprise Apps and Data Stores]
What are Entitlements?

Entitlements questions:
  • Who can transfer funds?
  • How much can they transfer?
  • How often can they transfer?
  • Can they delegate those rights?

Entitlements are the set of privileges that govern what an application user can do.
Entitlements systems manage those privileges and the decision process, and record the results.
Key Challenge: Embedded Decisions

[Diagram: the check below coded inside a Legacy App, against its Database and the User Directory]

                If (Transfer < TransLimit)
                    and (User can Transfer)
                then
                   Allow Access
                else
                   Deny Access
                endif

• Security is embedded in applications, which creates silos
• Applications are becoming more complex and may be developed by multiple teams (including offshore)
• Developers spend time coding security logic
• Inconsistent policies and lack of central management
• Access decisions may not be audited
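As an added example (not BEA or DataScan code), the pseudo-code check above written first the embedded way and then with the decision moved behind an entitlements service that answers the four questions from the "What are Entitlements?" slide (who, how much, how often, delegation), denies by default, fails closed on malformed context, and records every decision whether allowed or not. The names EntitlementsService, Entitlement, Decision and process_transfer and the alice/bob/carol policy data are assumptions constructed for this example.

```python
"""Moving the transfer decision out of the application and into an
entitlements service.  Added example, not BEA or DataScan code; the class
names and the alice/bob/carol policy data are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


# Before: the rule is hard-wired in the application, exactly as on the slide.
def embedded_transfer_check(user_can_transfer: bool, amount: int, trans_limit: int) -> bool:
    """If (Transfer < TransLimit) and (User can Transfer) then Allow else Deny."""
    return amount < trans_limit and user_can_transfer


# After: the application holds no rule, only a call to the service below.
@dataclass
class Entitlement:
    """Answers the four entitlement questions for one subject."""
    can_transfer: bool          # who can transfer?
    per_transfer_limit: int     # how much? (limit is inclusive here)
    max_transfers_per_day: int  # how often?
    may_delegate: bool          # can they delegate those rights?


@dataclass
class Decision:
    allowed: bool
    reason: str


@dataclass
class EntitlementsService:
    """A minimal PDP plus audit trail: policies change here, not in application code."""
    policies: Dict[str, Entitlement] = field(default_factory=dict)
    delegations: Dict[str, str] = field(default_factory=dict)  # delegate -> grantor
    audit_log: List[dict] = field(default_factory=list)
    transfers_today: Dict[str, int] = field(default_factory=dict)

    def effective_policy(self, subject: str) -> Tuple[Optional[Entitlement], str]:
        """Own policy first; otherwise a delegated one, if the grantor may delegate."""
        if subject in self.policies:
            return self.policies[subject], subject
        grantor = self.delegations.get(subject)
        policy = self.policies.get(grantor) if grantor else None
        if policy is not None and policy.may_delegate:
            return policy, grantor
        return None, subject

    def is_access_allowed(self, subject: str, action: str, context: dict) -> Decision:
        """PDP entry point: decide, then record the outcome whether allowed or not."""
        decision = self._decide(subject, action, context)
        self.audit_log.append({"subject": subject, "action": action,
                               "context": dict(context), "allowed": decision.allowed,
                               "reason": decision.reason})
        if decision.allowed and action == "transfer":
            self.transfers_today[subject] = self.transfers_today.get(subject, 0) + 1
        return decision

    def _decide(self, subject: str, action: str, context: dict) -> Decision:
        if action != "transfer":
            return Decision(False, "no policy for action")  # default deny
        policy, source = self.effective_policy(subject)
        if policy is None or not policy.can_transfer:
            return Decision(False, "subject not entitled to transfer")
        amount = context.get("amount")
        if not isinstance(amount, int) or isinstance(amount, bool) or amount <= 0:
            return Decision(False, "amount missing or invalid")  # fail closed on bad context
        if amount > policy.per_transfer_limit:
            return Decision(False, f"amount {amount} exceeds limit {policy.per_transfer_limit}")
        if self.transfers_today.get(subject, 0) >= policy.max_transfers_per_day:
            return Decision(False, "daily transfer count exhausted")
        return Decision(True, f"within entitlement of {source}")


# The PEP side: what a transfer handler looks like once the rule is gone.
def process_transfer(service: EntitlementsService, subject: str, amount: int) -> str:
    decision = service.is_access_allowed(subject, "transfer", {"amount": amount})
    return "executed" if decision.allowed else f"denied: {decision.reason}"


def build_demo_service() -> EntitlementsService:
    """Constructed policy data; in ALES this would be administered in the PAP."""
    service = EntitlementsService()
    service.policies["alice"] = Entitlement(True, 10_000, 2, True)
    service.policies["bob"] = Entitlement(False, 0, 0, False)
    service.delegations["carol"] = "alice"  # alice delegated her rights to carol
    return service


if __name__ == "__main__":
    svc = build_demo_service()
    for who, amt in [("alice", 5_000), ("alice", 20_000), ("bob", 100), ("carol", 1_000)]:
        print(who, amt, process_transfer(svc, who, amt))
```

The point of the split is that `process_transfer` contains no limit, no role check and no counter: changing any of the four answers is a policy edit on the service side, and the audit log is produced by the same code path for every decision, so an allow that was never logged cannot happen.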
Key Challenge: Multiple Security Technologies

[Diagram: a browser reaching Web apps, a J2EE app, Web SSO and a user directory, which in turn call Web services, mainframes, databases, a legacy app, user provisioning and a user profile store, several with their own identity/policy store]

• Multiple user directories, authentication services, Web SSO services and IAM products
• How to rapidly and cost-effectively deploy new applications that leverage existing infrastructure?
Agenda: AquaLogic Enterprise Security (ALES) Overview
BEA AquaLogic in Your IT Enterprise

[Product stack diagram, top to bottom]
  • User Interaction: Portal and Dashboard (Exceptions/Alerts, Monitoring, Reports); AquaLogic User Interaction (Interaction Management, Collaboration, Search, Content Management, Analytics)
  • Business Service Interaction: AquaLogic BPM Suite (Process Modeling & Simulation, Process Automation, Process Monitoring, Process Analysis, Process Optimization)
  • Messaging and Service Integration: AquaLogic Service Bus (Routing, Transformation, Operational Service Management); AquaLogic Service Registry
  • Shared Data and Business Services / Data Access: AquaLogic Data Services Platform (Data Access Layer)
  • Back End Systems and Data: Legacy, ERP, CRM, Custom
  • Security Services and Fine-Grained Access Control spanning all layers: AquaLogic Enterprise Security
What is AquaLogic Enterprise Security?

[Architecture diagram]
  • Client (browser) and application server, each with an SSM (Security Service Module)
  • Central PDP: the Entitlements Server, reached through a Java API or a Web Service
  • Distributed PDP: the SSM inside the application server (WLS or Tomcat), reached through a Web Service or XACML 2.0
  • PAP: the Admin Server, which distributes XACML 2.0 policies to the PDPs
  • PIP: the attribute sources the PDP consults
  • PEPs for WLS, WLP, ALDSP, ALSB and the Java SDK

ALES is an Entitlements system that enables the centralized definition of complex application security policy and the runtime enforcement of that policy.

ALES consists of:
  • An Administrative Application (PAP)
  • A Policy Decision Point (PDP) that can be centralized or distributed
  • A distributed PDP (the SSM), which is co-located with the Policy Enforcement Point (PEP) in the application container

The Administration Application is used to centrally manage security configuration and policy.
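Added example, not ALES code: a XACML 2.0 policy and request context for the transfer decision, with a small PDP that evaluates just the subset of XACML used here and turns to a PIP (a constructed user directory) for the subject's transfer limit when the request does not carry it. The policy text, the attribute names `amount` and `transfer-limit`, the directory contents and the helper names (`make_request`, `decide`, `pep_allows`) are assumptions made for this example; a missing or malformed attribute yields Indeterminate, which the PEP treats as deny.

```python
"""A XACML 2.0 policy and request for the transfer decision, plus a subset PDP that
consults a PIP.  Added example, not ALES code: the policy text, attribute names
(amount, transfer-limit), the user directory and the helper names are constructed."""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

P = "{urn:oasis:names:tc:xacml:2.0:policy:schema:os}"   # policy namespace
C = "{urn:oasis:names:tc:xacml:2.0:context:schema:os}"  # request/context namespace
F = "urn:oasis:names:tc:xacml:1.0:function:"
XS_INT, XS_STR = "http://www.w3.org/2001/XMLSchema#integer", "http://www.w3.org/2001/XMLSchema#string"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"

# What the PAP would distribute to the PDPs: permit a transfer whose amount is within
# the subject's transfer-limit, otherwise deny; rules are combined first-applicable.
POLICY_XML = f"""<Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os" PolicyId="funds-transfer"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
  <Target><Actions><Action><ActionMatch MatchId="{F}string-equal">
    <AttributeValue DataType="{XS_STR}">transfer</AttributeValue>
    <ActionAttributeDesignator AttributeId="{ACTION_ID}" DataType="{XS_STR}"/>
  </ActionMatch></Action></Actions></Target>
  <Rule RuleId="within-limit" Effect="Permit"><Condition>
    <Apply FunctionId="{F}integer-less-than-or-equal">
      <Apply FunctionId="{F}integer-one-and-only"><ResourceAttributeDesignator AttributeId="amount" DataType="{XS_INT}"/></Apply>
      <Apply FunctionId="{F}integer-one-and-only"><SubjectAttributeDesignator AttributeId="transfer-limit" DataType="{XS_INT}"/></Apply>
    </Apply>
  </Condition></Rule>
  <Rule RuleId="otherwise-deny" Effect="Deny"/>
</Policy>"""

USER_DIRECTORY = {"alice": {"transfer-limit": ["10000"]}, "bob": {}}  # the PIP's store (constructed)
DESIGNATORS = {P + "SubjectAttributeDesignator": "Subject", P + "ResourceAttributeDesignator": "Resource",
               P + "ActionAttributeDesignator": "Action"}

class Indeterminate(Exception):
    """Missing or malformed attribute, or an unsupported function."""

def make_request(subject: str, amount: int, action: str = "transfer") -> str:
    """The PEP's question as a XACML 2.0 Request context; the amount travels with it."""
    return f"""<Request xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os">
  <Subject><Attribute AttributeId="{SUBJECT_ID}" DataType="{XS_STR}"><AttributeValue>{escape(subject)}</AttributeValue></Attribute></Subject>
  <Resource><Attribute AttributeId="amount" DataType="{XS_INT}"><AttributeValue>{int(amount)}</AttributeValue></Attribute></Resource>
  <Action><Attribute AttributeId="{ACTION_ID}" DataType="{XS_STR}"><AttributeValue>{escape(action)}</AttributeValue></Attribute></Action>
</Request>"""

def parse_request(xml: str) -> dict:
    """-> {"Subject" | "Resource" | "Action": {attribute-id: [values]}}"""
    root, ctx = ET.fromstring(xml), {}
    for cat in ("Subject", "Resource", "Action"):
        ctx[cat] = {}
        for attr in root.findall(f"{C}{cat}/{C}Attribute"):
            vals = [v.text or "" for v in attr.findall(f"{C}AttributeValue")]
            ctx[cat].setdefault(attr.get("AttributeId"), []).extend(vals)
    return ctx

def resolve(ctx: dict, designator) -> list:
    """Bag for a designator: from the request, else (subject attributes only) from the PIP."""
    cat, attr_id = DESIGNATORS[designator.tag], designator.get("AttributeId")
    vals = ctx[cat].get(attr_id) or []
    if not vals and cat == "Subject":  # the PIP is keyed by the request's subject-id
        vals = USER_DIRECTORY.get(ctx["Subject"].get(SUBJECT_ID, [None])[0], {}).get(attr_id, [])
    return [int(v) for v in vals] if designator.get("DataType") == XS_INT else list(vals)

def evaluate(ctx: dict, el):
    """Evaluate a policy expression element to a literal, a bool or a bag."""
    if el.tag in DESIGNATORS:
        return resolve(ctx, el)
    if el.tag == P + "AttributeValue":
        return int(el.text) if el.get("DataType") == XS_INT else el.text
    if el.tag == P + "Apply":
        fn, args = el.get("FunctionId"), [evaluate(ctx, child) for child in el]
        if fn == F + "integer-one-and-only" and len(args[0]) == 1:
            return args[0][0]
        if fn == F + "integer-less-than-or-equal":
            return args[0] <= args[1]
    raise Indeterminate(f"cannot evaluate {el.tag} {el.get('FunctionId', '')}")

def target_matches(ctx: dict, target) -> bool:
    """No Target matches everything; else each listed category needs one entry whose Match elements all hold."""
    if target is None:
        return True
    for one in ("Subject", "Resource", "Action"):
        group = target.find(f"{P}{one}s")
        if group is not None and not any(  # MatchId is taken as equality of literal against bag
                all(evaluate(ctx, m[0]) in evaluate(ctx, m[1]) for m in item.findall(f"{P}{one}Match"))
                for item in group.findall(P + one)):
            return False
    return True

def decide(policy_xml: str, request_xml: str) -> str:
    """PDP: Permit, Deny, NotApplicable or Indeterminate under first-applicable combining."""
    policy, ctx = ET.fromstring(policy_xml), parse_request(request_xml)
    try:
        if not target_matches(ctx, policy.find(P + "Target")):
            return "NotApplicable"
        for rule in policy.findall(P + "Rule"):
            cond = rule.find(P + "Condition")
            if target_matches(ctx, rule.find(P + "Target")) and (cond is None or evaluate(ctx, cond[0]) is True):
                return rule.get("Effect")
        return "NotApplicable"
    except (Indeterminate, ValueError):  # bad or missing attribute data never turns into Permit
        return "Indeterminate"

def pep_allows(decision: str) -> bool:
    """PEP: only an explicit Permit executes the transfer; everything else fails closed."""
    return decision == "Permit"
```

Two things to notice: the transfer limit is not in the request at all, it is fetched by the PDP through the PIP, which is what lets the application stay ignorant of it; and a subject with no limit on record (bob, or an unknown subject) produces Indeterminate rather than NotApplicable, so the PEP's "Permit only" rule keeps both a missing policy and a missing attribute on the deny side.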
Connecting Entitlements to the Application

public Forward processTransfer(TransferBean transferBean) throws Exception
{
       // ALES Java SDK calls. The HTTP request (req), the authorization service
       // handle (az) and the RuntimeResource for the account (rr) are obtained
       // elsewhere in the controller; the AppContext construction below is assumed.
       AuthenticIdentity ai = getAuthenticIdentityFromRequest(req);
       RuntimeAction ra = new RuntimeAction(ACTION.TRANSFER, "SIMPLE_ACTION");
       // The amount is passed to the PDP as application context, so the policy
       // (not this code) decides how much this user may transfer.
       AppContextElement amountElement =
                     new SimpleContextElement("amount", transferBean.getAmount());
       AppContextElement collectorElement =
                     SimpleResponseContextCollector.makeContextElement();
       AppContext appCtx = new AppContext();
       appCtx.addElement(amountElement);
       appCtx.addElement(collectorElement);
       AccessResult ar = az.isAccessAllowed(ai, rr, ra, appCtx);
       if (ar.isAllowed()) {
           executeTransfer(transferBean);
       }
       ....
}

Note that this code can easily be encapsulated in a helper shared by all controllers.
Key ALES Benefits

Better Business Agility
  • Change entitlements without modifying the application
  • Implement changing regulatory and corporate policies faster

Enhanced Security and Compliance
  • Finer control over the protection of application resources
  • Enhanced audit tracking

Increased IT Efficiency
  • Remove security logic from the application
  • Free developers to focus on value-added business logic
Agenda

1  DataScan Company Overview
2  Compliance Requirements at DataScan
3  DataScan BEA Implementation
4  Development Operational Lifecycle
5  Best Practices
6  Questions & Answers

DataScan Technologies LLC – All Rights Reserved
About DataScan Technologies

DataScan Technologies is a global leader in wholesale floorplan accounting and risk management systems and services.

  • Founded in 1989
  • Corporate headquarters in Alpharetta, Georgia
  • Over 45 of the most prominent banks and captives
  • Operating in 15 countries
  • Currently manages over $45 billion in outstanding collateral
Partial Client List

BMW Financial, World Omni Financial Corp., California Federal Bank, Hibernia National Bank, GE Capital, Yale/Hyster, Bank One, Citizens Bank, JP Morgan Chase Bank, Key Bank, M & T Bank, PNC Bank, Wachovia, Regions Bank, Provident Bank, BB&T, Zions Bank, Huntington Bank, VW Credit, Inc., Nissan/Renault-Mexico, New South Federal, Comerica Bank, SunTrust Bank, National City Bank, US Bank, Toro Credit Corp, PACCAR, Manheim (MAFS), ScotiaBank, CitiCapital, CIT Group, Toyota Financial Services, Hyundai Motor Finance, Mitsubishi Motors Credit, Banknorth
Wholesale Management System

  • Wholesale Management System (WMS): a wholesale finance and accounting system built specifically for the wholesale floorplan industry.
  • Dealer Access System (DAS): allows dealerships to have Internet access to key information in the system.
  • Collateral Management System (CMS): an automated floorplan data collection and risk management system utilizing touch screen technology.
  • Nationwide Audit Services (NAS): a turnkey audit inspection service featuring a professional staff utilizing CMS.
Risk Management

[Five-step cycle diagram: Step 1; Step 2, Auditor and Kit; Step 3, Workflow Engine and E-mail Notification; Step 4; Step 5, Risk Managers]
2  Compliance Requirements at DataScan
Business Drivers

Mission-critical application for the banking and automotive industry, managing over $45 billion in assets:
  • Time to market
  • Buy vs. build
  • Time/resources required for implementation and policy changes << Key
  • Performance impact
  • Security compliance: SAS 70 Type 2, GLBA/SOX, BITS/CC-MSR, ISO 27001, BRMMI/PrISM
Challenges

  • Require a new security platform to replace a legacy ASP financial services system with an existing global install base
  • Legacy system has embedded, customer-specific security logic
  • High maintenance required for security policy changes
  • Annual corporate audits (internal, SAS 70 Type 2)
  • Bi-annual customer security open-house
  • Unscheduled customer-initiated ethical hacks
  • Rapidly evolving financial industry security requirements (BITS, ISO 27001)
Compliance Overview

Sarbanes-Oxley Act (SOX)
  • Requires internal controls or rules in place to ensure the integrity of financial information
  • Section 404: internal controls
Gramm-Leach-Bliley Act (GLBA)
  • Section 501 is centered around the administrative, physical and technical safeguards over non-public customer information
BITS
  • Common Criteria Master Security Requirements
  • Security for the security system
ISO 27001
  • Information security management system (ISMS) standard: IT systems management and governance
BRMMI/PrISM
  • Upcoming Business Resiliency Maturity Model
  • Over 750 practices merging COBIT, BS 7799/ISO 17799, ITIL, ISF, the NIST 800 series, SEI BOK and DRII
Compliance-Based Design

  • Prioritize design around "required" BITS topics
  • Consolidate past ethical hacks and audits
  • Time-boxed delivery, focus on good design
  • Balance delivery priorities with risk analysis
  • Security compliance road map: policies, processes, controls, audits/monitoring
ALES Compliance Mapping

  • Compliance-based requirements and design
  • Transparent security implementation
  • Standards support: SAML, XACML
3  DataScan BEA Implementation
SOA Based Implementation

[Architecture diagram only]
ALES Implementation

Architecture overview
  • Plain Java, leveraging BEA
ALES Deployment

Operational overview
  1. Cluster
  2. JVM
  3. Managed Server
  4. Sessions
  5. ALES SSM
  6. Connection Pools
  7. EAR Deployment
  8. Security Policy Administration
  9. Portal Desktop Administration
4  Development Operational Lifecycle
Development Team Composition

BEA Professional Services
  • Initial proof of concept
  • Assistance with design
  • Working construction road map
Development Team
  • Back-end and front-end teams
  • Security team
  • Continuous builds to QA
  • Authentication only
  • Portal-based security
Operational Lifecycle

Security Development Team
  • Specialized, with contractors
IT Administration
  • Security administrators (2-3)
  • Dedicated, with back-up
Documentation and Checklists
  • Packaged deployment
Operational Environments

  • Distinct environments: Development, QA smoke testing and functional testing "Live", Customer Beta/UAT, Support, Production and Disaster Recovery
  • Utilizing virtualization
  • Growth and performance
      • Current production list includes four major financial institutions
      • Rolling out to all customers over the next two years
      • Utilizing virtualization: 2 x 4-way dual-core 64-bit Red Hat Linux AS 4.0, 32 GB RAM, Xen environments
      • 800+ users daily (risk managers, bank users, dealerships), with CPU load not exceeding 3%
5  Best Practices
Why BEA?

BEA selection criteria
  • Track record and solution completeness
  • Product suitability: architecture, road map
  • Support
Key factors
  • Provides an elegant means to extract security logic from the application
  • Disconnected design provides high performance and resiliency
  • Provides flexible configuration with minimal maintenance and operational resiliency
Kick Off

Step by step: key success factors
  • Proposed project
      • Project plan called for a three-month implementation for the pilot target
  • Gain sponsorship
      • Demonstrate value: prototype and POC
      • Leverage existing platform
  • Establish goals and value proposition
      • Capitalize on performance
      • Create gurus: early mastery and battle scars
Best Practices

  • Partner with BEA Professional Services, leverage BEA Support (hotline, website) and BEA Educational Services classes
  • Train IT first! System administration is key
  • Build a workable environment (workstation/server)
  • Integrate prototypes into the plan
  • Focus on what works, take risks where they are manageable
  • Integrate BEA with other departments early (IT, Support, etc.)
Looking Forward

Customer and regulation driven
  • SAML implementation
  • Refinement of standards and compliance
  • Full security visibility throughout the architectural stack
6  Questions & Answers
Thank You!

Questions?

 
How to Implement Cloud Security: The Nuts and Bolts of Novell Cloud Security ...
How to Implement Cloud Security: The Nuts and Bolts of Novell Cloud Security ...How to Implement Cloud Security: The Nuts and Bolts of Novell Cloud Security ...
How to Implement Cloud Security: The Nuts and Bolts of Novell Cloud Security ...Novell
 

Semelhante a Compliance and Governance Through Complex Entitlement Management (20)

Building and Managing Cloud Applications and Infrastructure
Building and Managing Cloud Applications and InfrastructureBuilding and Managing Cloud Applications and Infrastructure
Building and Managing Cloud Applications and Infrastructure
 
02 Ms Online Identity Session 1
02 Ms Online Identity   Session 102 Ms Online Identity   Session 1
02 Ms Online Identity Session 1
 
Oracle SOA Suite Overview - Integration in a Service-Oriented World
Oracle SOA Suite Overview - Integration in a Service-Oriented WorldOracle SOA Suite Overview - Integration in a Service-Oriented World
Oracle SOA Suite Overview - Integration in a Service-Oriented World
 
IT Governance Portals
IT Governance   PortalsIT Governance   Portals
IT Governance Portals
 
Real User Experience Insight
Real User Experience InsightReal User Experience Insight
Real User Experience Insight
 
Real User Experience Insight
Real User Experience InsightReal User Experience Insight
Real User Experience Insight
 
Real User Experience Insight
Real User Experience InsightReal User Experience Insight
Real User Experience Insight
 
Cloudforce Essentials 2012 - Understanding Force.com in 60 Minutes or Less
Cloudforce Essentials 2012 - Understanding Force.com  in 60 Minutes or LessCloudforce Essentials 2012 - Understanding Force.com  in 60 Minutes or Less
Cloudforce Essentials 2012 - Understanding Force.com in 60 Minutes or Less
 
Vincent Desveronnieres, Oracle
Vincent Desveronnieres,  OracleVincent Desveronnieres,  Oracle
Vincent Desveronnieres, Oracle
 
Compuware APM Solution
Compuware APM SolutionCompuware APM Solution
Compuware APM Solution
 
Jazz for Service Management - OMNIbus
Jazz for Service Management - OMNIbusJazz for Service Management - OMNIbus
Jazz for Service Management - OMNIbus
 
Building an Effective Identity Management Strategy
Building an Effective Identity Management StrategyBuilding an Effective Identity Management Strategy
Building an Effective Identity Management Strategy
 
Securing Your Cloud Applications with Novell Cloud Security Service
Securing Your Cloud Applications with Novell Cloud Security ServiceSecuring Your Cloud Applications with Novell Cloud Security Service
Securing Your Cloud Applications with Novell Cloud Security Service
 
Concepts integrationandbiztalksoa andbpm
Concepts integrationandbiztalksoa andbpm Concepts integrationandbiztalksoa andbpm
Concepts integrationandbiztalksoa andbpm
 
Timelytrendsin appdelivery
Timelytrendsin appdeliveryTimelytrendsin appdelivery
Timelytrendsin appdelivery
 
Cloud Auditing
Cloud AuditingCloud Auditing
Cloud Auditing
 
Layer 7: Building Multi Enterprise SOA
Layer 7: Building Multi Enterprise SOALayer 7: Building Multi Enterprise SOA
Layer 7: Building Multi Enterprise SOA
 
SANS Institute Product Review: Oracle Entitlements Server
SANS Institute Product Review: Oracle Entitlements ServerSANS Institute Product Review: Oracle Entitlements Server
SANS Institute Product Review: Oracle Entitlements Server
 
How to Implement Cloud Security: The Nuts and Bolts of Novell Cloud Security ...
How to Implement Cloud Security: The Nuts and Bolts of Novell Cloud Security ...How to Implement Cloud Security: The Nuts and Bolts of Novell Cloud Security ...
How to Implement Cloud Security: The Nuts and Bolts of Novell Cloud Security ...
 
How to Implement Cloud Security: The Nuts and Bolts of Novell Cloud Security ...
How to Implement Cloud Security: The Nuts and Bolts of Novell Cloud Security ...How to Implement Cloud Security: The Nuts and Bolts of Novell Cloud Security ...
How to Implement Cloud Security: The Nuts and Bolts of Novell Cloud Security ...
 

Compliance and Governance Through Complex Entitlement Management

1. Compliance and Governance Through Complex Entitlement Management
   Geoff Charron, VP ALES
   Noam Bunder, Lead Architect, DataScan Technologies

2. Agenda Slide
    Entitlements in the Context of a SOA
    AquaLogic Enterprise Security (ALES) Overview
    Implementing Entitlements at DataScan
   © 2006 BEA Systems, Inc.

3. Business Drivers
   Application Security has evolved
    Firewalls “keep the bad guys out” at the perimeter
    Web server security and Web SSO products provide basic access control at the Web tier
    Application security logic is still hard-wired and embedded in the application behind the Web tier
   Industry trends are driving the need to externalize entitlements from the application
    Multiple homegrown and embedded entitlements services
    Increasing regulatory pressure and privacy concerns
    Proliferation of applications and increasingly disparate development teams
    Increasing competitive and time-to-market pressures
   [Diagram: Customers, Partners, Employees and Contractors reaching Web Servers, App Servers, Enterprise Apps and Data Stores]

4. What are Entitlements?
   Entitlements Questions: Who can transfer funds? How much can they transfer? How often can they transfer? Can they delegate those rights?
   Entitlements are the set of privileges that govern what an application user can do
   Entitlements systems manage those privileges and the decision process, and record the results

5. Key Challenge: Embedded Decisions
   [Diagram: Legacy App wired to a User Directory and a Database, with the access decision coded inline:]
       If (Transfer < TransLimit) and (User can Transfer) then
           Allow Access
       else
           Deny Access
       endif
   • Security is embedded in applications – creates silos
   • Applications are becoming more complex and may be developed by multiple teams (including offshore)
   • Developers spend time coding security logic
   • Inconsistent policies and lack of central management
   • Access decisions may not be audited

6. Key Challenge: Multiple Security Technologies
   [Diagram: Browser, Web App, J2EE App, Web Services, Mainframes and Legacy App, each tied to its own Identity/Policy store, Web SSO, User Directory, User Provisioning, User Profile or Database]
   • Multiple user directories, authentication services, Web SSO services, IAM products
   • How to rapidly and cost-effectively deploy new applications that leverage existing infrastructure?

7. Agenda Slide
    Entitlements in the Context of a SOA
    AquaLogic Enterprise Security (ALES) Overview
    Implementing Entitlements at DataScan

8. BEA AquaLogic in Your IT Enterprise
   [Diagram of the AquaLogic stack, top to bottom:]
   Portal: Dashboard, Exceptions/Alerts, Monitoring, Reports
   User Interaction: AquaLogic User Interaction (Interaction, Content Management, Collaboration, Search, Analytics Management); AquaLogic Enterprise Security
   Business Service Interaction: AquaLogic BPM Suite (Process Modeling & Automation, Process Monitoring, Process Analysis, Process Optimization, Simulation)
   Messaging: AquaLogic Service Bus (Operational Service Routing, Transformation, Service Integration); AquaLogic Service Registry (Service Management, Registry)
   Shared Data and Business Services: AquaLogic Data Services Platform (Data Access Layer)
   Security Services and Fine-Grained Access Control
   Back End Systems and Data: Legacy, ERP, CRM, Custom

9. What is AquaLogic Enterprise Security?
   ALES is an Entitlements system that enables the centralized definition of complex application security policy and the runtime enforcement of that policy.
   ALES consists of:
    An Administrative Application (PAP)
    A Policy Decision Point (PDP) that can be centralized or distributed
    A Distributed PDP (SSM) is a Policy Enforcement Point (PEP)
   The Administration Application is used to centrally manage security configuration and policy
   [Diagram: Browser Client → Entitlements Admin Server (PAP) holding the XACML 2.0 Entitlements Policies; Central PDP = Entitlements Server (Java API, Web Service); Distributed PDP = SSM (Web Service, XACML 2.0, WLS, Tomcat) in the App Server, with a PIP; SSM PEPs for WLS, WLP, ALDSP, ALSB and the Java SDK]

10. Connecting Entitlements to the Application
    public Forward processTransfer(TransferBean transferBean) throws Exception {
        // req, rr, az and appCtx are defined outside this excerpt (the slide omits them):
        // the incoming request, the resource being accessed, the ALES authorization
        // service and the application context that carries the elements built below
        AuthenticIdentity ai = getAuthenticIdentityFromRequest(req);
        RuntimeAction ra = new RuntimeAction(ACTION.TRANSFER, "SIMPLE_ACTION");
        AppContextElement q3 = new SimpleContextElement("amount", transferBean.getAmount());
        AppContextElement collectorElement = SimpleResponseContextCollector.makeContextElement();
        // the decision itself is delegated to ALES; the application only enforces the result
        AccessResult ar = az.isAccessAllowed(ai, rr, ra, appCtx);
        if (ar.isAllowed()) {
            executeTransfer(transferBean);
            ....
        }
    }
    Note that this code can easily be encapsulated

11. Key ALES Benefits
   Better Business Agility
   • Change Entitlements without modifying the application
   • Implement changing regulatory and corporate policies faster
   Enhanced Security and Compliance
   • Finer control over the protection of application resources
   • Enhanced audit tracking
   Increased IT Efficiency
   • Remove security logic from the application
   • Free developers up to focus on value-added business logic

12. Agenda: 1 DataScan Company Overview; 2 Compliance Requirements at DataScan; 3 DataScan BEA Implementation; 4 Development Operational Lifecycle; 5 Best Practices; 6 Questions & Answers
   DataScan Technologies LLC – All Rights Reserved

13. About DataScan Technologies
   DataScan Technologies is a global leader in wholesale floorplan accounting and risk management systems and services.
    Founded in 1989
    Corporate Headquarters located in Alpharetta, Georgia
    Over 45 of the most prominent banks and captives
    Operating in 15 countries
    Currently manages over $45 billion in outstanding collateral

14. Partial Client List
   BMW Financial, Comerica Bank, World Omni Financial Corp., SunTrust Bank, California Federal Bank, National City Bank, Hibernia National Bank, US Bank, GE Capital, Toro Credit Corp, Yale/Hyster, PACCAR, Bank One, Manheim (MAFS), Citizens Bank, ScotiaBank, JP Morgan Chase Bank, CitiCapital, Key Bank, CIT Group, M & T Bank, Toyota Financial Services, PNC Bank, Hyundai Motor Finance, Wachovia, Mitsubishi Motors Credit, Regions Bank, Banknorth, Provident Bank, BB&T, Zions Bank, Huntington Bank, VW Credit, Inc., Nissan/Renault-Mexico, New South Federal

15. Wholesale Management System
   Wholesale Management System (WMS): a wholesale finance and accounting system built specifically for the wholesale floorplan industry.
   Dealer Access System (DAS): allows dealerships to have Internet access to key information in the system.
   Collateral Management System (CMS): an automated floorplan data collection and risk management system utilizing touch screen technology.
   Nationwide Audit Services (NAS): a turnkey audit inspection service featuring a professional staff utilizing CMS.

16. Risk Management
   [Diagram: a five-step cycle (Step 1 to Step 5) linking Risk Managers, Auditor and Kit, and a Workflow Engine with E-mail Notification]

17. Agenda: 1 DataScan Company Overview; 2 Compliance Requirements at DataScan; 3 DataScan BEA Implementation; 4 Development Operational Lifecycle; 5 Best Practices; 6 Questions & Answers

18. Business Drivers
    Mission critical application for the banking and automotive industry, managing over $45 billion in assets
   • Time to market
   • Buy vs. Build
   • Time/resources required for implementation and policy changes << Key
   • Performance impact
   • Security compliance
      SAS70 Type 2
      GLBA/SoX
      BITS/CC-MSR
      ISO 27001
      BRMMI/PriSM

19. Challenges
    Require a new Security Platform for replacement of a legacy-based ASP financial services system with a global existing install base
    Legacy system has embedded, customer-specific security logic
    High maintenance required for security policy changes
    Annual corporate audits (internal, SAS70 Type 2)
    Bi-annual customer security open-house
    Unscheduled customer ethical hacks
    Rapidly evolving financial industry security requirements (BITS, ISO 27001)

20. Compliance Overview
    Sarbanes-Oxley Regulations
   • Requires internal controls or rules in place to ensure integrity of financial information
   • Section 404 – Internal controls
    Gramm-Leach-Bliley Act (GLBA)
   • SEC 501 is centered around the administrative, physical, and technical safeguards over non-public customer information
    BITS
   • Common Criteria Master Security Requirements
   • Security for the security system
    ISO 27001
   • IT Systems Management and Governance
    BRMMI/PrISM
   • Upcoming Business Resiliency Maturity Model
   • Over 750 practices merging COBIT, BS7799/ISO17799, ITIL, ISF, NIST 800 series, SEI BOK, DRII

21. Compliance-Based Design
    Prioritize design around “required” BITS topics
    Consolidate past ethical hacks and audits
    Time-boxed delivery, focus on good design
    Balance delivery priorities with risk analysis
    Security Compliance Road Map
   • Policies
   • Processes
   • Controls
   • Audits/Monitoring

22. ALES Compliance Mapping
    Compliance-based requirements and design
    Transparent security implementation
    Standards support
   • SAML
   • XACML

23. Agenda: 1 DataScan Company Overview; 2 Compliance Requirements at DataScan; 3 DataScan BEA Implementation; 4 Development Operational Lifecycle; 5 Best Practices; 6 Questions & Answers

24. SOA Based Implementation
   [Diagram only]

25. ALES Implementation
    Architecture Overview
   • Plain Java, leverage BEA

26. ALES Deployment
    Operational Overview
   1. Cluster
   2. JVM
   3. Managed Server
   4. Sessions
   5. ALES SSM
   6. Connection Pools
   7. EAR Deployment
   8. Security Policy Administration
   9. Portal Desktop Administration

27. Agenda: 1 DataScan Company Overview; 2 Compliance Requirements at DataScan; 3 DataScan BEA Implementation; 4 Development Operational Lifecycle; 5 Best Practices; 6 Questions & Answers

28. Development Team Composition
    BEA Professional Services
   • Initial Proof of Concept
   • Assistance with design
   • Working construction road map
    Development Team
   • Back End and Front End teams
   • Security team
   • Continuous builds to QA
   • Authentication only
   • Portal-based security

29. Operational Lifecycle
    Security Development Team
   • Specialized, with contractors
    IT Administration
   • Security administrators (2-3)
   • Dedicated, with back-up
    Documentation and Checklists
   • Packaged deployment

30. Operational Environments
    Distinct Environments
   • Development, QA Smoke Testing and Functional Testing “Live”, Customer Beta/UAT, Support, Production and Disaster Recovery
    Utilizing Virtualization
    Growth and Performance
   • Current production list includes four major financial institutions
   • Rolling out to all customers over the next two years
   • Utilizing virtualization
      2 x 4-way Dual Core 64-bit RedHat Linux AS 4.0, 32Gb RAM, XEN environments
      800+ users daily, CPU load not exceeding 3%
      Risk Managers, Bank Users, Dealerships

31. Agenda: 1 DataScan Company Overview; 2 Compliance Requirements at DataScan; 3 DataScan BEA Implementation; 4 Development Operational Lifecycle; 5 Best Practices; 6 Questions & Answers

32. Why BEA?
    BEA Selection Criteria
   • Track record and solution completeness
   • Product suitability
      Architecture
      Road Map
   • Support
    Key Factors
   • Provides an elegant means to extract Security Logic from the application
   • Disconnected design provides high performance and resiliency
   • Provides flexible configuration with minimal maintenance and operational resiliency

33. Kick Off
    Step by Step – Key Success Factors
   • Proposed Project
      Project plan called for a three-month implementation for the pilot target
   • Gain Sponsorship
      Demonstrate value: Prototype and POC
      Leverage existing platform
   • Establish Goals and Value Proposition
      Capitalize on performance
      Create gurus: Early mastery and battle scars

34. Best Practices
    Partner with BEA Professional Services, leverage BEA Support (Hotline, Website) and BEA Educational Services classes
    Train IT first! System administration is key
    Build a workable environment (workstation/server)
    Integrate prototypes into the plan
    Focus on what works, take risks where they are manageable
    Integrate BEA with other departments early (IT, Support, etc.)

35. Looking Forward
    Customer and Regulation Driven
   • SAML Implementation
   • Refinement of standards and compliance
   • Full security visibility throughout the architectural stack

36. Agenda: 1 DataScan Company Overview; 2 Compliance Requirements at DataScan; 3 DataScan BEA Implementation; 4 Development Operational Lifecycle; 5 Best Practices; 6 Questions & Answers
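The embedded decision on slide 5 (transfer amount against a limit, plus "can this user transfer at all?") and the externalized PEP call on slide 10 restated as an added, runnable example. This is constructed illustration code, not ALES, BEA or DataScan code: the policy list stands in for the XACML policies a PAP would manage, PolicyDecisionPoint for the PDP, and TransferService.process_transfer for the PEP call. The role names, resource string, limits and rule layout are all assumptions made for the example; it answers the slide-4 questions (who, how much, how often) and also shows the slide-11 point that a policy change takes effect without touching the application.

```python
"""Externalized entitlements: a minimal PAP / PDP / PEP split (constructed illustration,
not ALES or DataScan code). POLICIES stands in for the policy store a PAP manages,
PolicyDecisionPoint for the PDP, TransferService.process_transfer for slide 10's PEP call."""
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Identity:
    user: str
    roles: frozenset            # roles resolved at authentication time

@dataclass
class AccessRequest:
    subject: Identity
    resource: str               # e.g. "bank/accounts/transfer"
    action: str                 # e.g. "TRANSFER"
    context: dict               # application context, e.g. {"amount": 5000}

@dataclass
class Decision:
    allowed: bool
    reason: str

# Policy store (PAP side). Hypothetical rule shape: one rule per role, resource and
# action, carrying the amount limit and the per-24-hour frequency limit.
POLICIES = [
    {"role": "teller", "resource": "bank/accounts/transfer", "action": "TRANSFER",
     "max_amount": 10_000, "max_per_day": 20},
    {"role": "manager", "resource": "bank/accounts/transfer", "action": "TRANSFER",
     "max_amount": 250_000, "max_per_day": 100},
]

class PolicyDecisionPoint:
    """Evaluates requests against the policy store and records every decision."""
    def __init__(self, policies, audit_log):
        self.policies = policies
        self.audit = audit_log
        self.history = {}       # user -> timestamps of permitted transfers (PIP data)

    def is_access_allowed(self, req, now):
        decision = self._evaluate(req, now)
        # Every decision, permit or deny, is written to the audit trail.
        self.audit.append({"time": now.isoformat(), "user": req.subject.user,
                           "resource": req.resource, "action": req.action, "context": dict(req.context),
                           "allowed": decision.allowed, "reason": decision.reason})
        if decision.allowed:
            self.history.setdefault(req.subject.user, []).append(now)
        return decision

    def _evaluate(self, req, now):
        matching = [p for p in self.policies if p["role"] in req.subject.roles
                    and p["resource"] == req.resource and p["action"] == req.action]
        if not matching:
            return Decision(False, "no policy grants this action (default deny)")
        amount = req.context.get("amount")
        if not isinstance(amount, (int, float)) or amount <= 0:
            return Decision(False, "missing or non-positive amount")
        # Permit-overrides: the most generous rule among the user's roles applies.
        limit, per_day = max(p["max_amount"] for p in matching), max(p["max_per_day"] for p in matching)
        if amount > limit:
            return Decision(False, f"amount {amount} exceeds limit {limit}")
        recent = [t for t in self.history.get(req.subject.user, []) if t > now - timedelta(hours=24)]
        if len(recent) >= per_day:
            return Decision(False, f"{per_day} transfers per 24h already used")
        return Decision(True, f"amount <= {limit}; transfer {len(recent) + 1}/{per_day} in window")

class TransferService:
    """The application: holds no authorization rules, it only enforces the PDP's answer."""
    def __init__(self, pdp):
        self.pdp = pdp
        self.executed = []

    def process_transfer(self, identity, amount, now):
        req = AccessRequest(identity, "bank/accounts/transfer", "TRANSFER", {"amount": amount})
        decision = self.pdp.is_access_allowed(req, now)
        if decision.allowed:
            self.executed.append(amount)        # stand-in for executeTransfer()
        return decision

def run_scenario():
    """Answer slide 4's questions (who, how much, how often) against the policies."""
    pdp = PolicyDecisionPoint([dict(p) for p in POLICIES], [])
    svc = TransferService(pdp)
    t0 = datetime(2006, 9, 1, 9, 0)
    alice, mark = Identity("alice", frozenset({"teller"})), Identity("mark", frozenset({"manager"}))
    guest = Identity("guest", frozenset())
    out = {
        "teller_small": svc.process_transfer(alice, 5_000, t0).allowed,     # True
        "teller_large": svc.process_transfer(alice, 50_000, t0).allowed,    # False
        "manager_large": svc.process_transfer(mark, 50_000, t0).allowed,    # True
        "no_role": svc.process_transfer(guest, 10, t0).allowed,             # False
    }
    # Frequency: alice has 1 permitted transfer; 19 more exhaust the teller's 20 per day.
    for i in range(19):
        svc.process_transfer(alice, 100, t0 + timedelta(minutes=i + 1))
    out["teller_21st_same_day"] = svc.process_transfer(alice, 100, t0 + timedelta(hours=1)).allowed
    out["teller_next_day"] = svc.process_transfer(alice, 100, t0 + timedelta(hours=25)).allowed
    # A policy change at the PAP takes effect without touching TransferService.
    pdp.policies[0]["max_amount"] = 60_000
    out["teller_large_after_change"] = svc.process_transfer(alice, 50_000, t0 + timedelta(hours=26)).allowed
    out["executed"], out["audited"] = len(svc.executed), len(pdp.audit)
    return out
```

Three design points carry over to a real deployment: the PDP denies when no rule matches rather than falling through to permit; every decision, permit or deny, is recorded before the application acts, so the audit gap named on slide 5 is closed; and the application code never sees the limit or the role list, which is what lets the teller limit on the last lines change without a redeploy.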