
Security in application integration



Presentation Transcript


  1. Security in application integration Kari Nordström

  2. Topics
  • Objectives
  • Application integration
  • Enterprise Application Integration – EAI
  • Business-to-Business integration – B2Bi
  • Information security
  • Basic concepts & ideas
  • Network security
  • Segmented networks
  • Security of application integration systems
  • Results
  Security in application integration – Kari Nordström

  3. Background and objectives of the thesis
  • Find out the current level of security in the application integration systems of a certain company
  • Conduct security reviews with a panel of experts
  • Make suggestions on improving the security level based on the findings
  • Implement improvements if possible
  • Supervisor: Docent Timo O. Korhonen

  4. Application Integration
  • Integrating various applications enables information sharing between applications and organisations, not between people (system-to-system connections)
  • Internal and external integration
  • EAI & B2Bi
  • Traditionally, integration has dealt with sharing business data and documents
  • B2Bi is usually used for exchanging business documents
  • EAI integrates applications to work together; data can be gathered from various sources (applications) before processing

  5. Application integration platforms in the company

  6. Enterprise Application Integration (1/2)
  • Integration within a single enterprise
  • A centralised integration solution
  • Error handling, monitoring, cost savings over time

  7. Enterprise Application Integration (2/2)
  • Integrating diverse applications requires transformations between formats
  • Processing and/or enrichment of data is also required in some integrations (defined in the workflow)

  8. Business-to-business integration
  • Integration between separate enterprises (partner integration)
  • Business data, demand/supply planning …
  • B2Bi relies on standards; otherwise it would be very cumbersome to connect to other companies, each using its own data formats and processes
  • Two B2Bi platforms used in the company:
  • EDI, Electronic Data Interchange
  • RosettaNet

  9. Electronic Data Interchange (1/3)
  • EDI is the “granddaddy” of all B2Bi systems
  • Designed to automate the exchange of business documents → a quicker and cheaper way
  • Dates back all the way to the 1960s, in active use since the 1980s
  • Two main standards in use:
  • EDIFACT (EDI For Administration, Commerce and Transport)
  • ANSI X12

  10. VAN-based EDI (2/3)
  • VAN (Value Added Network) operators relay the messages
  • “An electronic post office”

  11. Internet EDI (3/3)
  • EDI-INT was devised to eliminate VAN costs for companies
  • Standards used:
  • AS1 (SMTP)
  • AS2 (HTTP)
  • AS3 (FTP)
  • The basic idea: sending EDI messages directly to trading partners over the Internet

  12. RosettaNet (1/2)
  • XML-based integration standard
  • Developed and maintained by the RosettaNet Consortium, a non-profit organisation of more than 500 corporations
  • Integrations are based on Partner Interface Processes (PIPs), which define how data is processed and the sequence of transactions between trading partners
  • The RosettaNet Implementation Framework (RNIF) describes the basic architecture (RNIF 1.1 & 2.0)
  • Document Type Definitions (DTDs) describe the format of messages and data

  13. RosettaNet (2/2)
  • RosettaNet aims at integrating the whole supply chain, not just passing business documents
  • Marketed as more flexible and easier to implement than EDI
  • Using VANs actually makes EDI simpler than RosettaNet, where companies need to implement all connections themselves

  14. Information security
  • The traditional way to model information security: CIA (confidentiality, integrity, availability)

  15. General security concepts
  • Authentication: making sure the user is who she claims to be
  • Authorisation: giving an authenticated user the right to do something
  • Accounting: all operations performed by users are logged
  • Non-repudiation: if a user performs a task, she can’t later deny having done so; the system also can’t later deny the user’s action
  • Antivirus protection: protecting computers and network elements against malicious software
  • Cryptography: scrambling information in a way that only the correct recipient can decipher it

  16. Network security
  • Host security vs. network security
  • Systems are protected at the network level by controlling network traffic
  • More cost-effective than host security
  • Typical misconception: network security = firewalls
  • Firewalls are a central part of network security, but there are numerous other things to consider (understanding the network architecture is key)

  17. A few key security strategies
  • Use multiple, diverse layers of security
  • Give users the lowest possible rights
  • Deny everything that’s not explicitly allowed
  • Use choke points to monitor traffic
  • “KISS – Keep It Simple, Stupid”
  • Make users aware of security issues!
  • The human factor is often the weakest link in security

  18. Network segmentation
  • A new network architecture in the company that divides the internal network into smaller parts called cells
  • Naturally also affects AI systems
  • In practice: more firewalls

  19. Security requirements for application integration systems
  • An AI system is central and crucial in any network that has one
  • Connected to many other systems → an attacker could gain access to virtually the whole network if e.g. the EAI system is hacked
  • Availability requirements are very high
  • Many other systems are dependent on integration systems
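As an added illustration of the strategies on slides 17 to 19 (this is example code, not the thesis's work or the company's real configuration): a small Python model of a cell-segmented network in which the EAI hub is the choke point, every flow is denied unless a rule explicitly allows it, and a lint pass flags rules that give the hub more reach than it needs. All cell names, ports and rules are constructed sample values.

```python
# Added example, not from the thesis: a toy model of the "cell" network on
# slides 17-19 (default deny, least privilege, EAI hub as choke point).
# All cell names, ports and rules below are constructed sample values.
from dataclasses import dataclass, field
from typing import Optional

ANY = "*"  # wildcard in a rule; flagged by lint() as over-privileged


@dataclass(frozen=True)
class Rule:
    src: str             # source cell, or ANY
    dst: str             # destination cell, or ANY
    port: Optional[int]  # TCP port, or None for any port


@dataclass
class CellFirewall:
    rules: list = field(default_factory=list)
    log: list = field(default_factory=list)  # choke-point audit trail

    def allows(self, src: str, dst: str, port: int) -> bool:
        """Default deny: a flow passes only if some rule explicitly matches it."""
        for r in self.rules:
            if r.src in (src, ANY) and r.dst in (dst, ANY) and r.port in (port, None):
                self.log.append(f"ALLOW {src}->{dst}:{port} by {r}")
                return True
        self.log.append(f"DENY  {src}->{dst}:{port} (no matching rule)")
        return False


def lint(rules) -> list:
    """Least-privilege check: wildcards give a compromised hub the run of the network."""
    findings = []
    for r in rules:
        if ANY in (r.src, r.dst):
            findings.append(f"{r}: wildcard cell, restrict to a named cell")
        if r.port is None:
            findings.append(f"{r}: any port, restrict to the service port")
    return findings


def sample_firewall() -> CellFirewall:
    """Constructed policy: office reaches the EAI hub, the hub reaches ERP, partner
    traffic enters via the B2B DMZ. The last rule is the shortcut slide 19 warns about."""
    return CellFirewall(rules=[
        Rule("office", "eai", 443),
        Rule("eai", "erp", 1521),
        Rule("b2b-dmz", "eai", 8443),
        Rule("eai", ANY, None),  # over-privileged; lint() reports it twice
    ])
```

Office hosts cannot reach ERP directly; the only route is through the EAI cell, so monitoring that one firewall covers every integration flow, while the lint output shows why the hub must not keep an "anything goes" rule.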

  20. Results of the security reviews
  • Risk level is high for all three systems
  • Security implementations do not match the current requirements
  • Requirements have changed significantly since the 1990s
  • RosettaNet was found to be more secure than EAI and EDI
  • Age, standardisation, segmented network
  • EDI’s problem is the number of unknown factors
  • VAN operator responsible for most of the implementation
  • EAI’s biggest problem is the lack of security standards

  21. EAI security improvements
  • User management (no super-users) → access control
  • Certain authentication issues have been addressed
  • A component was not authenticating connections properly
  • Client software used (fewer vulnerabilities)
  • The migration to the new architecture will bring major advancements in the security of the system
  • Border security
  • Hosts have been hardened

  22. B2Bi security improvements
  • It’s hard to fundamentally change security implementations in standardised systems
  • User management has been improved vastly in EDI
  • EDI will also be migrated to the new architecture (RosettaNet has already been migrated)
  • RNIF specifies many security features, such as various forms of encryption, digital certificates and checksums
  • They just weren’t always used in the company → new policy

  23. Any questions or comments? If not, thank you!
