Thursday, August 28, 2008

Data Security and XACML

XACML is the key standard for fine-grained access control. I'm a big fan of the request/response model and how everything is normalized down to attributes. I also think that the XACML interaction model (PDP/PEP/PIP/PAP) has been very useful in discussing authorization architecture with customers. Good stuff!

One issue that I have with XACML is that there is no obvious way to address the most common customer authorization problem - data security. Most of the customers that I've met with over the past three years who were in the market for a fine-grained entitlements solution, were looking to address this issue. Basically, they had a large number of resources - customers, accounts, deals, documents etc. and they wanted to externalize the authorization.

XACML answers "Can this user perform this action on this resource?". Customers want to know "What resources can a user perform this action on?".

Why externalize to something like XACML in the first place? Don't the systems of record of these objects have access control? Of course they do, but there are a number of reasons why customers aren't using the OOTB authorization.
  • Granularity - RBAC models are not fine grained enough to meet the business requirements
  • Heterogeneity - In many cases there isn't a single SOR for the data. The data is virtualized so externalization is essential to consistency.
  • System Accounts - Many of the access control models are tied to the user accessing the data source. In many cases, an application uses a single system account, so the OOTB authorization would be tied to that user. This means you can define the behavior per application, not per user (I guess this is a variation of granularity)
For resource counts which are relatively small, the PEP can simply call the PDP N times. This works if the PEP knows the list of possible resources ahead of time (i.e. menu items or some list of accounts from another SOR) and that number is small - 10s, 100s or 1000s could be OK depending on the performance of the PDP; OES can do 1000s of authorizations at sub-millisecond latency. But there are definitely cases where the number of resources is in the millions or 10s of millions, and this approach will not work.

Oracle VPD (Virtual Private Database) and the RLS (Row Level Security) package use an approach which I think can serve as a model for solving these types of use cases. Essentially, when configured, RLS returns a WHERE clause which the database then applies to the query.

Generically, the model is as follows:

  1. Data Access Object (DAO) receives request (getCustomers for Josh)
  2. DAO PEP intercepts the request and calls the PDP (can Josh getCustomers?)
  3. PDP evaluates policies and returns response ( Yes, but only in dept 1234)
  4. DAO PEP enforces the decision by modifying the search criteria (getCustomers WHERE dept=1234)
  5. Query is processed by SOR and result is returned
The "Only in dept 1234" seems to fit very nicely into XACML Obligations. There are some challenges in how to combine obligations - is the behavior AND or OR? I'm not saying that this is a perfect solution - only the best use of what the standard offers today.

Conceptually, the authorization system is returning a list of filters (attribute-operator-value) and delegating the responsibility of applying those filters to the data source. The PEP can then translate the filters into an appropriate language specific (SQL, LDAP, XPath, XQuery) expression.
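As an added example (not code from the post, OES or any Oracle product), here is the DAO PEP model above in Python: a stub PDP stands in for XACML policy evaluation and returns "Permit" together with a list of (attribute, operator, value) filters; the PEP translates those filters into a parameterized SQL WHERE clause and lets the data source apply them. The customer table, the subjects "Josh" and "Auditor", and the filter tuple format are constructed for the example. It combines multiple filters with AND, which is this example's choice, not something the post or XACML settles; it also whitelists attribute names and operators and binds values as parameters, since an obligation is still data the PEP should not paste into SQL text.

```python
import sqlite3
from dataclasses import dataclass, field

# Constructed sample data: (id, name, dept) for a "customers" table.
SAMPLE_ROWS = [
    (1, "Acme", 1234),
    (2, "Globex", 1234),
    (3, "Initech", 5678),
    (4, "Umbrella", 9999),
]

# Only attributes the PEP knows as columns, and only comparison operators,
# may come from a filter; anything else is rejected rather than interpolated.
ALLOWED_COLUMNS = {"id", "name", "dept"}
ALLOWED_OPERATORS = {"=", "!=", "<", "<=", ">", ">=", "IN"}


@dataclass
class Decision:
    """Stand-in for an XACML response: a Permit/Deny plus obligation filters."""
    permit: bool
    filters: list = field(default_factory=list)  # [(attribute, operator, value), ...]


def pdp_evaluate(subject, action, resource):
    """Stub PDP (assumption): 'Josh' may read customers in dept 1234,
    'Auditor' may read depts 1234 and 5678 but not the record with id 1,
    everyone else is denied. A real PDP would evaluate XACML policy here."""
    if action == "getCustomers" and resource == "customers":
        if subject == "Josh":
            return Decision(True, [("dept", "=", 1234)])
        if subject == "Auditor":
            return Decision(True, [("dept", "IN", [1234, 5678]), ("id", ">", 1)])
    return Decision(False)


def filters_to_sql(filters):
    """Translate (attribute, operator, value) filters into a WHERE clause plus
    bound parameters. Filters are ANDed together (this example's choice)."""
    clauses, params = [], []
    for attr, op, value in filters:
        if attr not in ALLOWED_COLUMNS:
            raise ValueError(f"unknown attribute in obligation: {attr!r}")
        if op not in ALLOWED_OPERATORS:
            raise ValueError(f"unsupported operator in obligation: {op!r}")
        if op == "IN":
            values = list(value)
            if not values:
                clauses.append("0")  # IN () would be a syntax error; match nothing
                continue
            clauses.append(f"{attr} IN ({', '.join('?' * len(values))})")
            params.extend(values)
        else:
            clauses.append(f"{attr} {op} ?")
            params.append(value)
    where = " AND ".join(clauses) if clauses else "1"
    return where, params


def make_db():
    """In-memory SQLite database playing the system of record."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, dept INTEGER)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def get_customers(conn, subject):
    """The DAO PEP: ask the PDP, then enforce its filters inside the query."""
    decision = pdp_evaluate(subject, "getCustomers", "customers")
    if not decision.permit:
        return []
    where, params = filters_to_sql(decision.filters)
    sql = f"SELECT id, name, dept FROM customers WHERE {where} ORDER BY id"
    return conn.execute(sql, params).fetchall()


if __name__ == "__main__":
    db = make_db()
    for who in ("Josh", "Auditor", "Guest"):
        print(who, "->", get_customers(db, who))
```

The same `filters_to_sql` shape carries over to LDAP or XPath: only the string assembly changes, while the attribute and operator whitelist and the AND/OR combining rule stay the PEP's responsibility.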

Do you think this approach can work with XACML as is or is there a need for XACML to do something different?

Monday, August 25, 2008

Fraud Flash for the week of August 25, 2008

Aug. 18, 2008
Dominion Enterprises
A computer server within InterActive Financial Marketing Group (IFMG), a division of Dominion Enterprises located in Richmond, Virginia, was hacked into and illegally accessed by an unknown and unauthorized third party between November 2007 and February 2008. The data intrusion resulted in the potential exposure of personal information, including the names, addresses, birth dates, and social security numbers of 92,095 applicants who submitted credit applications to IFMG's family of special finance Web sites.

The Ministry of Justice (MoJ) Department for Work and Pensions (DWP)
Resource accounts for two departments revealed around 62,000 people were affected by breaches. In its biggest data breach, the MoJ reported that discs containing 27,000 supplier records, including supplier name, address and some cases bank details were stolen. Data losses reported by the MoJ included a laptop that contained data on 14,000 fine defaulters. The data included names, dates of birth, address, offence and in a fifth of cases national insurance numbers. The laptop was stolen within secured government premises and described as inadequately protected. MoJ also reported a loss of paper documents that involved data on 3,648 people including their alleged offences. The DWP's resource accounts said its biggest breach was the retention of two discs by a contractor. The discs contained the data of 9,000 people and forced the department to notify law enforcement. The department also suffered two other incidents. One in July 2007 that potentially affected 7,800 and one in January when papers with data on 45 people were lost.

Keller High School
A Keller family received a mailing from Keller High School last week. Upon opening it, they found two enrollment forms. One was an emergency-care authorization form. But the other was a student information form containing another classmate's social security number, student ID number, home address, phone number and contact information for his parents at home and at work. They quickly realized that their child's private information, which they used to set up their college fund and other accounts, was mailed to someone else.

The Princeton Review
The test-preparatory firm accidentally published the personal data and standardized test scores of tens of thousands of Florida students on its Web site. One file on the site contained information on about 34,000 students in the public schools in Sarasota, Fla. Another folder contained dozens of files with names and birth dates for 74,000 students in the school system of Fairfax County, Va.

Aug. 19, 2008
Kingston Tax Service
Office computers were stolen from the business. On each of the computers is information which can be used by identity thieves including credit card information and Social Security numbers.

Monday, August 18, 2008

Fraud Flash for the week of August 18, 2008

Aug. 12, 2008
Wells Fargo
Wells Fargo is notifying customers that hackers have accessed their confidential personal data by illegally using its access codes. Personal information including names, addresses, dates of birth, Social Security numbers, driver's license numbers and in some cases, credit account information was accessed by "unauthorized persons".

Child Protective Services
Hundreds of private, personal records were discarded with the trash, including records detailing medical histories of clients with diseases and drug addictions. Documents showing sexual abuse and information that could be used for identity theft, such as Social Security numbers, were also found in the trash.

Aug. 13, 2008
Charter Communications
Computers were stolen from the company’s Greenville offices and contained records of more than 9,000 Charter employees nationwide. The information included Social Security numbers, dates of birth and driver's license numbers.

Aug. 14, 2008
Wuesthoff Medical Center
Hundreds of people in Brevard County found out their personal information was stolen. Names, Social Security numbers and even personal medical information were posted on the Internet.

Apple Inc and MobileMe Online
A recent phishing scam targeting users of Apple Inc.'s .Mac and MobileMe online services has successfully duped hundreds into divulging credit card and other personal information, a security company said today. The phishing campaign scammed between 100 and 200 people with addresses in just one day. An e-mail purporting to be from Apple Inc. alerting users to a billing problem is, in fact, a phishing scam that's targeting users of Apple's online service, according to an e-mail forwarded from a Macworld reader.

Aug. 17, 2008
Bank of Lancaster County (acquired by PNC Bank)
Bank of Lancaster County, which has been acquired by PNC Bank, has been the most frequent target, but it's not alone. Last month Susquehanna Bank warned of fraudulent e-mails trying to trick customers into divulging account information; some Susquehanna customers even received text messages from scam artists.

Friday, August 15, 2008

Where have all the PEP's gone?

I've been having a lot of conversations with customers lately around integrating security services - mostly authentication and authorization - into their enterprise. They've been asking basically the same question - "Where are the Policy Enforcement Points (PEP)?"

First of all, I think this is more than a simple product road map question. For the record - Oracle Access Manager (OAM) supports a large number of Web Server/Operating System platforms. Oracle Entitlement Server (OES) has a Security Module (SM) for a number of Web Servers, WLS + layered products, IBM WebSphere, Oracle VPD support and even Microsoft SharePoint.

Product Management can correct me, but this seems like a pretty good list. So what is the issue?

I think the issue is that many of the customers that I talk to are using a number of application frameworks to build their applications (Struts, JSF, Spring, Hibernate, ADF etc). This means that they want an application framework specific PEP and not a generic Java, JACC, JEE or even Application Server specific PEP. Even though these frameworks are built on these standards, implementing a policy enforcement point at those levels means that the access control policies are going to be based on resources like Java Permissions, Java Servlets or Enterprise JavaBeans. If the goal is to author access control policies which are closely aligned to the business, then securing these lower level resources, especially in the context of an application framework, is practically a non-starter.

So, why not just create PEPs for these application frameworks?

Easier said than done! Not every application framework has a tidy way of wedging an external PEP into the request flow, or reusing the application framework's PEP to call out to a 3rd party PDP. In most cases, externalizing authentication is pretty straight forward, but if you want 3rd party authorization, especially around framework specific objects (Struts Action, JSF UIComponent etc), it will get messy!

Oracle's Application Developer Framework (ADF) and Spring with SpringSecurity (ACEGI) both have the ability to externalize authorization built in, though ADF is based on standard Java security and ACEGI isn't.

In other cases, where there's a will, there's a way. I've pulled together a catalog of some approaches for integrating into various containers. Take a look. I've used these types of approaches in the field to integrate various PDPs.

So, what do you think?

- Is dependency injection (aspect oriented) a reasonable way to add this type of fine grained authorization?
- For Struts, is creating a custom RequestProcessor a workable solution? It would allow for authorization at the Struts Action level.
- Is there something short of a custom Render Kit which would meet the requirements for JSF?
- Is a generic approach like JSP tag libraries best?

Wednesday, August 13, 2008

How To: Setting up Oracle Access Manager for Multiple Authentication Types

David Abramowicz, a Senior Sales Consultant for Oracle in Sweden, put together a how-to for setting up OAM with multiple authentication types while maintaining the originally requested URL.

Thanks David!


Frequently customers want their users to choose between multiple different authentication types, but still be redirected back to the originally requested URL after authentication. This requires setting up an authentication scheme to broker authentication mechanisms, and some redirect manipulation as described in this document.

Basically, a forms-based authentication is set up whose form is a list of URLs protected with different authentication mechanisms. After a user selects one of the URLs, that particular authentication is executed. The user is then redirected back to the originally requested URL.

In order to set this up, you need to execute the following steps:
  • Set up new authentication mechanism: “Authentication Selection”
  • Set up redirection script on action URL of “Authentication Selection”
  • Make a list of Authentication URLs for choosing “Authentication Selection”
  • Create a policy domain for Authentication URLs

End-User Flow

1. User accesses URL protected with “Authentication Selection”
2. User gets redirected to “Authentication Selection” form URL
3. User chooses between authentication mechanisms
4. User authenticates successfully
5. User gets redirected to action URL of “Authentication Selection”
6. User gets redirected to originally requested URL

Set up new authentication mechanism: “Authentication Selection”

  • Create a "Form" authentication mechanism, call it "Authentication Selection Level 1"
  • Make sure that the mechanism has passthrough:yes, to have access to the originally requested URL

It is important to ensure that users can’t actually authenticate using this mechanism, as seen below in the credential_mapping:

Set up redirection script on action URL of “Authentication Selection”

On the action URL of "Authentication Selection", redirect to the originally requested URL by parsing the ObFormLoginCookie:

Code snippet for parsing the ObFormLoginCookie (JSP):

<%@ page import="java.util.*" %>
<%
    // Get the redirect URL from the ObFormLoginCookie that OAM set on the
    // originally requested URL, then send the user back there.
    Cookie[] cookies = request.getCookies();
    String cookieValue = null;
    if (cookies != null) {
        for (int i = 0; i < cookies.length; i++) {
            if (cookies[i].getName().equalsIgnoreCase("ObFormLoginCookie")) {
                cookieValue = cookies[i].getValue();
                break;
            }
        }
    }

    if (cookieValue != null) {
        String relativeURL = null, host = null, redirectURL = null;

        // The snippet treats the cookie value as whitespace-separated
        // name=value tokens: the second token carries the requested relative
        // URL and the fourth carries the host, so take the text after "=".
        StringTokenizer tokenizer = new StringTokenizer(cookieValue);
        relativeURL = tokenizer.nextToken();
        relativeURL = tokenizer.nextToken();
        relativeURL = relativeURL.substring(relativeURL.indexOf("=") + 1);

        host = tokenizer.nextToken();
        host = tokenizer.nextToken();
        host = host.substring(host.indexOf("=") + 1);

        redirectURL = host + relativeURL;
        response.sendRedirect(redirectURL);
    }
%>

Make a list of Authentication URLs for choosing “Authentication Selection”
  • Create a web page with a list of two or more authentication mechanisms.
  • Every list item should point to a web page that redirects to the action URL of "Authentication Selection"
  • Please make sure you don't use the same action URL for "Authentication Selection" as for any of the real forms-based authentication mechanisms, as this could overwrite the ObFormLoginCookie OAM uses for redirection

Create a policy domain for Authentication URLs

  • Create a policy domain that protects this list.
  • The authorization rule for all URLs in the list should be "Allow all"
  • For each authentication mechanism in the URL list, create a policy domain
  • The authentication rules need to be set up for each URL/policy, where every URL/policy is protected with the appropriate authentication mechanism

That's it! You should be all set to go. You can also set this up to work with multiple authentication levels.

Authentication Selection with Levels
  • Create another "Form" based authentication as above called "Authentication Selection Level 2"
  • Point the form URL to a new list of authentication mechanisms, where all mechanisms match authentication level 2.

Monday, August 11, 2008

Fraud Flash for the week of August 11, 2008

July 31, 2008
University of Texas at Dallas
A security breach in UTD's computer network may have exposed Social Security numbers along with names, addresses, email addresses or telephone numbers. Those affected:
  • 4,406 students who were on the Dean's List or graduated between 2000 and 2003
  • 3,892 students who were contacted to take part in a survey by the Office of Undergraduate Education in 2002
  • 88 staff members from Facilities Management
  • 716 faculty and staff members listed in a space inventory record from 2001

Aug. 1, 2008
Tennessee Valley Authority
A laptop stolen from TVA contained Social Security numbers and reflects generally inadequate policies and procedures for tracking computers at the agency. The laptop was one of approximately 26 computer and computer-related items stolen from TVA between May 26, 2006, and Nov. 30, 2007, according to the IG, although the report stated it was unclear whether sensitive information was present on any of the laptops or PCs stolen from TVA.

Delphi Automotive / Ohio Department of Job & Family Services
A flash drive with Social Security numbers and other personal information from former Dayton-area Delphi workers was removed from the unattended laptop of a state employee and is missing. The drive included the names, addresses, telephone numbers as well as the Social Security numbers of the workers.

Aug. 2, 2008
Countrywide Financial Corp.
The FBI on Friday arrested a former Countrywide Financial Corp. employee and another man in an alleged scheme to steal and sell sensitive personal information, including Social Security numbers. The breach occurred over a two-year period through July. The insider was a senior financial analyst at Full Spectrum Lending, Countrywide's subprime lending division. Some, perhaps most, and possibly all the names were being sold to people in the mortgage industry to make new pitches.

Aug. 4, 2008
Arapahoe Community College
A contractor who manages the student information database had a flash drive lost or stolen. Information on the drive included the names, addresses, credit card numbers and Social Security numbers.

Aug. 5, 2008
The Clear Program
"Fast-pass" Registered Travel program for airline passengers, operated by Verified Identity Pass for the U.S. Transportation Security Admin. A laptop containing personal information for about 33,000 people was reported stolen in a possible security breach for the Clear Program. The laptop was stolen at San Francisco International Airport. The stolen information included names, addresses, dates of birth, and driver's license numbers or passport numbers.

Aug. 7, 2008
Harris County Hospital
A low-level Harris County Hospital District administrator probably violated federal law when she downloaded medical and financial records for patients with HIV, AIDS and other medical conditions onto a flash drive that later was lost or stolen. The data on the device included the patients' names, medical record numbers, billing codes, the facilities where the office visits occurred and other billing information. It also included the patients' Medicaid or Medicare numbers, which can indicate their Social Security numbers or those of their spouses.

Monday, August 4, 2008

Fraud Flash for the week of August 4, 2008

July 28, 2008
Facebook
Facebook accidentally publicly revealed personal information about its members, which could be useful to identity thieves. The full dates of birth of many of Facebook's 80 million active users were visible to others, even if the individual member had requested that the information remain confidential.

July 29, 2008

Moraine Park Technical College
Customers of the bookstores located at three Moraine Park Technical College campuses were notified Tuesday of a security breach that occurred in July 2006.

Anheuser-Busch
A laptop containing personal information of current and former employees, including some from Hampton Roads, was stolen from a St. Louis-area Anheuser-Busch office. Information contained on the computer included employees' Social Security numbers, home addresses and marital status.

July 30, 2008
Data Breach Fallout: Do CISOs Need Legal Protection?
Since the security executive is on the hot seat after a data breach, some industry experts suggest CISOs get themselves some form of liability protection. The downside is that such protection could shield those who deserve the blame for an incident.

July 31, 2008
City of Yuma
The Social Security numbers of about 300 city of Yuma employees were "unintentionally released" in an e-mail sent to city administrative personnel.

August 4, 2008
Report Sheds Light on Tricky Fraud, I.D. Theft Issues
Consumer fraud and identity theft numbers have risen steadily over the past few years, and consumers are taking notice.

A Marine has admitted robbing a Providence bank and using the identity of a fellow service member to steal money.

CETA warns identity theft boom to continue
An online shopping boom is threatening to accelerate an increase in identity theft according to independent general insurance network CETA Insurance Limited.

Georgia Blue Cross
Poor system testing caused a medical records privacy breach affecting over 200,000 members of Georgia Blue Cross and Blue Shield. The case has implications for both consumer privacy and IT’s impact on business operations.

The identity theft scheme was designed to copy and sell on up to 2 million mortgage holders' details including their social security numbers.