Information Security
and
WebFOCUS
Penny J Lester
SVP Delivery Services
August 22, 2008
Authentication
• “Authentication (from Greek αυθεντικός; real or genuine, from authentes; author) is the act of establishing or confirming something (or someone) as authentic, that is, that claims made by or about the thing are true.”
Authorization
• “Authorization (deciding whether to grant access) is a separate concept to authentication (verifying identity), and usually dependent on it.”
www.google.com/a/security
• Google surveyed 575 IT professionals
Information Security
• A layered approach to authentication and
authorization (auth/auth)
– Physical
– Network
– Operating System (OS)
– RDBMS
– Application
Physical Security
• Secure the hardware
– Active Reports
• Secure the server room
• Secure your passwords
– Do not share them
– Do not write them down
Network Security
• Implement a single sign on (SSO) in a Windows network
– Update the client odin.cfg
– Update site.wfs
(The original slides showed screenshots of the odin.cfg and site.wfs edits.)
Operating System Security
• Five authentication options
– OPSYS
– PTH
– DBMS
– LDAP
– OFF
Operating System Security
• OPSYS
– Authentication against OS
– Authorization based on OS IDs
• Administrators have full access to web console
• OS ID impersonated to run reports
Operating System Security
• OPSYS – demo (screenshots in the original slides)
– PLester57 is not an Administrator
– Penny is the Administrator
– Authenticate an ID to the OS that is not an Administrator
– Authenticate an ID to the OS that is an Administrator
– Authenticate an ID to the OS that is invalid
Operating System Security
• PTH
– Authentication against admin.cfg
– Authorization
• if the ID is in admin.cfg it can access the WebFOCUS Web Console and run reports
• if not it can only run reports
Operating System Security
• PTH – demo with one configured administrator (screenshots in the original slides)
– ID “Penny” is the administrator ID: unrestricted access
– ID “admin” is not an administrator: restricted access (reports only)
Operating System Security
• DBMS
– Authentication against the database rather than the OS
– Authorization
• if the ID is in the DBMS it can run reports
• if the ID is not in the DBMS it cannot run reports
Note: the IDs must be set up in the DBMS to use SQL authentication rather than Windows authentication
Operating System Security
• DBMS – the RDBMS must be up!
• DBMS – notice there is no IWA (Integrated Windows Authentication) option
• DBMS – demo (screenshots in the original slides)
– Penny: a Windows (IWA) account
– SQLUser: a SQL Server login
Operating System Security
• LDAP
– Authentication against an LDAP directory
– Authorization
• if the ID is in the LDAP directory it can run reports
• if the ID is not in the LDAP directory it cannot run reports
Operating System Security
• LDAP – demo against Microsoft Active Directory (screenshots in the original slides)
Operating System Security
• OFF – Danger!!
• No authentication takes place: “badID” can do anything the administrator ID that started the server can do!!
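The five security modes above make two separate decisions for every request: authentication (is the claimed ID genuine?) and authorization (what may it do, and under which OS identity do its reports run?). The following model, added here as an illustration and not WebFOCUS code, walks the slides' demo cases through both steps. The identity stores, the IDs and passwords (Penny, PLester57, SQLUser, badID), the server startup ID svc_wfserver and the function names are all constructed stand-ins; the only product behaviour it encodes is what the slides state, and the assumption that non-OPSYS modes run reports under the server's own ID is flagged in a comment.

```python
"""Model of the five Reporting Server security modes on these slides (OPSYS,
PTH, DBMS, LDAP, OFF), written to show the two separate decisions the
slides draw: authentication (is the ID genuine?) and authorization (what
may it do, and under which OS identity?). This is an added illustration,
not WebFOCUS code: the identity stores, IDs, passwords and function names
are all constructed stand-ins."""
import hashlib
import hmac
import os
from dataclasses import dataclass

SERVER_STARTUP_ID = "svc_wfserver"   # constructed: the ID the server was started under


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def _entry(password, admin=False):
    """One record in a constructed identity store (salted hash, admin flag)."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(password, salt), "admin": admin}


# What each mode authenticates against (constructed sample data, mirroring the demos):
STORES = {
    # OS accounts; 'admin' stands for membership in the OS Administrators group
    "OPSYS": {"Penny": _entry("p3nny!", admin=True), "PLester57": _entry("s3cret")},
    # admin.cfg: only administrator IDs are listed here
    "PTH": {"Penny": _entry("p3nny!", admin=True)},
    # DBMS logins: SQL authentication only, so the Windows account 'Penny' is absent (no IWA)
    "DBMS": {"SQLUser": _entry("sql-pw")},
    # LDAP directory entries
    "LDAP": {"Penny": _entry("p3nny!"), "PLester57": _entry("s3cret")},
}


@dataclass(frozen=True)
class Principal:
    user_id: str
    admin: bool
    runs_as: str  # OS identity under which reports run


def authenticate(mode, user_id, password):
    """Authentication step. Returns a Principal, or None when the ID is invalid."""
    if mode == "OFF":
        # No check at all: whatever ID is claimed, the request runs as the server's
        # startup ID with that ID's rights. This is the 'Danger!!' slide.
        return Principal(user_id, admin=True, runs_as=SERVER_STARTUP_ID)
    store = STORES[mode]
    record = store.get(user_id)
    if record is None:
        if mode == "PTH":
            # Pass-through: an ID absent from admin.cfg is accepted unverified
            # as an ordinary report user (it can only run reports).
            return Principal(user_id, admin=False, runs_as=SERVER_STARTUP_ID)
        return None  # unknown ID is invalid under OPSYS, DBMS and LDAP
    if not hmac.compare_digest(_hash(password, record["salt"]), record["hash"]):
        return None  # wrong password: 'is invalid'
    # Only OPSYS impersonates the OS ID to run reports (per the slides); the other
    # modes are assumed here to run reports under the server's own ID.
    runs_as = user_id if mode == "OPSYS" else SERVER_STARTUP_ID
    return Principal(user_id, admin=record["admin"], runs_as=runs_as)


def authorize(principal):
    """Authorization step, separate from and dependent on authentication."""
    if principal is None:
        return set()
    permissions = {"run_reports"}
    if principal.admin:
        permissions.add("web_console")
    return permissions


def decide(mode, user_id, password):
    """Run both steps and report what the request may do and as whom."""
    principal = authenticate(mode, user_id, password)
    return {
        "authenticated": principal is not None,
        "permissions": authorize(principal),
        "runs_as": principal.runs_as if principal else None,
    }


if __name__ == "__main__":
    for mode, uid, pw in [("OPSYS", "PLester57", "s3cret"), ("OPSYS", "Penny", "p3nny!"),
                          ("OPSYS", "ghost", "x"), ("PTH", "admin", "anything"),
                          ("DBMS", "Penny", "p3nny!"), ("DBMS", "SQLUser", "sql-pw"),
                          ("OFF", "badID", "")]:
        print(mode, uid, decide(mode, uid, pw))
```

Two things to notice when running it: under DBMS the Windows account Penny is rejected because it is not a SQL login (the "no IWA" slide), and under OFF the unknown badID is never checked yet ends up with console rights and the server's own OS identity, which is exactly why that mode is marked as dangerous.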
Database Security
• DBMS can be used for Authentication
• Data Adapter connection security modes (screenshots in the original slides)
– Explicit: a stored ID and password are used for every connection (the demo also shows an invalid ID/pwd)
– Password Passthru: the user’s own ID and password are passed through to the DBMS
– Trusted: no ID/password is sent; the DBMS trusts the operating system identity the request runs under
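The adapter mode decides which identity the database layer actually sees, and therefore whether RDBMS-level authorization can distinguish one web user from another. The model below is an added illustration, not WebFOCUS code: the mock login table, the stored Explicit credential (wf_reports), the request fields, the CORP\ domain identities and the function names are constructed, and the connection string uses generic ODBC/SQL Server keywords rather than any adapter syntax.

```python
"""Which identity reaches the RDBMS under each data-adapter security mode on
the slides: Explicit, Password Passthru and Trusted. Added illustration,
not WebFOCUS code: the mock login table, the stored Explicit credential,
the request fields and the function names are constructed, and the
connection string uses generic ODBC/SQL Server keywords."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    web_user: str      # ID the application layer already authenticated
    web_password: str  # credential that user presented (only Passthru forwards it)
    os_identity: str   # OS ID the request runs under (impersonated user or server account)


# Constructed: the credential stored server-side for an Explicit connection
EXPLICIT_CREDENTIAL = {"uid": "wf_reports", "pwd": "R3ports!"}

# Constructed mock of the RDBMS login table (SQL logins) and of the Windows
# identities it trusts; in reality this check is done by the database itself.
DB_SQL_LOGINS = {"wf_reports": "R3ports!", "Penny": "p3nny!"}
DB_TRUSTED_OS_IDS = {"CORP\\Penny"}


def resolve_db_identity(mode, req, stored=EXPLICIT_CREDENTIAL):
    """The (uid, pwd, trusted) triple the adapter presents to the database."""
    if mode == "Explicit":
        return stored["uid"], stored["pwd"], False      # same ID for every web user
    if mode == "Password Passthru":
        return req.web_user, req.web_password, False     # user's own credential forwarded
    if mode == "Trusted":
        return req.os_identity, None, True               # no password travels
    raise ValueError(f"unknown adapter security mode: {mode}")


def build_connection_string(mode, req, server="db01", database="sales",
                            stored=EXPLICIT_CREDENTIAL):
    """ODBC-style connection string for the resolved identity (constructed server/db names)."""
    uid, pwd, trusted = resolve_db_identity(mode, req, stored)
    parts = ["Driver={ODBC Driver 17 for SQL Server}", f"Server={server}", f"Database={database}"]
    if trusted:
        parts.append("Trusted_Connection=yes")   # Windows authentication, no PWD keyword
    else:
        parts += [f"UID={uid}", f"PWD={pwd}"]
    return ";".join(parts)


def connect(mode, req, stored=EXPLICIT_CREDENTIAL):
    """Mock of the database's own authentication: returns the login the session
    runs as, or None when the ID/password (or trusted identity) is rejected."""
    uid, pwd, trusted = resolve_db_identity(mode, req, stored)
    if trusted:
        return uid if uid in DB_TRUSTED_OS_IDS else None
    if DB_SQL_LOGINS.get(uid) != pwd:
        return None  # 'Explicit, invalid ID/pwd', or a passthru user unknown to the DBMS
    return uid


def db_can_distinguish_users(mode, requests, stored=EXPLICIT_CREDENTIAL):
    """Can RDBMS-layer authorization tell the web users apart? Under Explicit it
    cannot: everyone arrives as the one stored ID, so per-user DBMS permissions
    collapse to whatever that ID may do."""
    seen = {resolve_db_identity(mode, r, stored)[0] for r in requests}
    return len(seen) == len({r.web_user for r in requests})


if __name__ == "__main__":
    penny = Request("Penny", "p3nny!", "CORP\\Penny")
    plester = Request("PLester57", "s3cret", "CORP\\PLester57")
    for mode in ("Explicit", "Password Passthru", "Trusted"):
        print(mode, connect(mode, penny), connect(mode, plester),
              "distinct:", db_can_distinguish_users(mode, [penny, plester]))
```

The practical consequence for the layered model on these slides: with an Explicit connection the RDBMS layer adds no per-user authorization, because every report runs as the single stored login, so the application and OS layers must carry that burden; Passthru and Trusted hand the user's real identity to the database and let its own grants apply.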
Application Security
• Managed Reporting Environment (screenshots in the original slides)
– Authentication
– Authorization
– Analytical User role
– Content Manager role
Summary
• A layered approach to authentication and
authorization (auth/auth)
– Physical
– Network
– Operating System (OS)
– RDBMS
– Application
• WebFOCUS hits four out of five (everything but the physical layer)!
Questions?
Thank you!!