Thursday, September 25, 2008

SOA Security - ADT or Crocodile Filled Moat?

I'm sitting here in the middle of the Moscone Center as OpenWorld 2008 comes to an end. It's been a long week, but I wanted to take some time to capture some thoughts on my first OpenWorld presentation.

This morning, Eric Leach and I presented to an enthusiastic group on securing WebLogic applications with Oracle Access Management. As the "technical guy", I put together a demo of Oracle Access Manager, WebLogic Server, Oracle Entitlements Server and Oracle Web Services Manager all working together in a "best practice" architecture.

The demo covered a fairly common scenario: end-to-end security in a SOA. For example, the customer already has an investment in OAM and needs to extend those security capabilities down to the rest of the architecture - applications, services and data.

In the past, I think the temptation would have been to use OAM for this as well. Prior to the emergence of the entitlements market, WAM (web access management) was the only COTS solution for externalizing authorization. WAM products are most successfully deployed when focused on the problem of web SSO. Authorization and the centralized management of security policy are better handled by Oracle Entitlements Server (OES).

I used OES to provide authorization for JEE resources, JSP pages, and Web Services. Both OES and OAM used a common directory - Oracle Internet Directory - as a system of record for users, user attributes and group memberships. This information fed the policies enforced by OES.

In order to have these policies enforced correctly, the various enforcement points need to have the correct user identity. The problem of propagating identity across a SOA is not a simple one. In the course of the demo, I actually had to use multiple mechanisms. The identity is passed from OAM to WLS via the OAM session cookie. WLS then generates a SAML assertion and passes it in the WS-Security envelope to OWSM. OWSM, when making the very fine-grained access control checks against OES, uses a simple USERID_TOKEN (username). In theory, I could have used SAML for all of these interactions, but in many cases full-blown SAML is too much.
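The three hops above, condensed into one runnable illustration (added here; this is not Oracle's code, and the OAM cookie step is taken as already done). An HMAC over a canonical string stands in for the real XML signature on the SAML assertion, and the directory, the policy, the shared key and the user and resource names are all constructed. The point it makes is the one the paragraph glosses over: the bare USERID_TOKEN at the last hop is only safe because OWSM has already checked the assertion's signature and validity window.

```python
"""Identity chain from the demo: OAM cookie -> WLS -> SAML-style assertion in a
WS-Security envelope -> OWSM -> bare USERID_TOKEN to OES. Added illustration,
not Oracle code: HMAC over a canonical string stands in for XML-DSig."""
import hashlib, hmac, time
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WLS_OWSM_KEY = b"constructed-shared-key"   # constructed trust anchor WLS <-> OWSM
# Constructed stand-ins for Oracle Internet Directory (user -> groups)
# and for an OES policy (resource -> groups allowed to act on it).
DIRECTORY = {"alice": {"Traders"}, "bob": {"Auditors"}}
POLICY = {"svc/TradeService/executeTrade": {"Traders"}}

def wls_issue_assertion(username, ttl=300, now=None):
    """WLS side: wrap the OAM-authenticated user in a signed, expiring assertion."""
    exp = int(now or time.time()) + ttl
    sig = hmac.new(WLS_OWSM_KEY, f"{username}|{exp}".encode(), hashlib.sha256).hexdigest()
    env = ET.Element("Envelope")
    sec = ET.SubElement(env, f"{{{WSSE_NS}}}Security")
    a = ET.SubElement(sec, f"{{{SAML_NS}}}Assertion", NotOnOrAfter=str(exp))
    ET.SubElement(a, f"{{{SAML_NS}}}NameID").text = username
    ET.SubElement(a, "Signature").text = sig
    return ET.tostring(env, encoding="unicode")

def owsm_verify(envelope_xml, now=None):
    """OWSM side: return the subject only if signature and validity window hold."""
    a = ET.fromstring(envelope_xml).find(f".//{{{SAML_NS}}}Assertion")
    if a is None:
        return None
    user, exp = a.findtext(f"{{{SAML_NS}}}NameID"), a.get("NotOnOrAfter")
    expected = hmac.new(WLS_OWSM_KEY, f"{user}|{exp}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, a.findtext("Signature") or ""):
        return None   # subject altered in transit, or assertion not issued by WLS
    if int(now or time.time()) >= int(exp):
        return None   # stale assertion presented again
    return user

def oes_is_authorized(userid_token, resource):
    """OES side: a bare username, so the decision rests on OWSM having verified it."""
    return bool(DIRECTORY.get(userid_token, set()) & POLICY.get(resource, set()))

def end_to_end(username, resource, rewrite_subject_to=None, now=None):
    """Whole chain; optionally alter NameID between WLS and OWSM to show the check."""
    env = wls_issue_assertion(username, now=now)
    if rewrite_subject_to:
        env = env.replace(f">{username}<", f">{rewrite_subject_to}<", 1)
    subject = owsm_verify(env, now=now)
    return subject is not None and oes_is_authorized(subject, resource)
```

Because OES never sees the assertion, the OWSM-to-OES hop has to be protected separately (network trust or a mutually authenticated channel), which is the real cost of dropping from SAML to a plain username token.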

Like most everything in security, there is no "correct" answer - no perfect solution. The solution that I demonstrated using OAM, WLS, OES and OWSM is an attempt at a reasonable 80% case - something which most customers could use as a jumping-off point for defining their own solution.

I think a good analogy in information security to "How much security is enough security?" is "What alarm system should I buy for my house?". I like to think of the solution I outlined in the OOW session as the "ADT Starter Package" of solutions - pretty good for most single-family residences. Most houses don't need a moat or guard dogs, but a military base needs more than a "Keep Out" sign...you get my point :)

Thanks again to everyone who attended the session and for all of the questions. I gave out quite a few business cards, so I hope to hear from all of you. For those who didn't attend, once I get home I'll add the relevant links from the session, and hope to drive some discussion around the solution.

Wednesday, September 24, 2008

Oracle Entitlements Server 10.1.4.3 Now Available

I'm glad to announce that we have released Oracle Entitlements Server (OES) 10.1.4.3 this week. OES came to Oracle via the BEA acquisition (where it was called AquaLogic Enterprise Security).

OES is a fine-grained entitlements management product that allows you to establish policies for how users can interact with and access things inside your applications and services. We call it "fine-grained" entitlements because OES can protect anything inside an application: user interface elements, server-side transactions, database columns and rows, even "business" things like reports and accounts.

OES 10.1.4.3 (or 10gR3 for short) is the result of several years of refining this product based upon tons of customer feedback. This release (aside from now having a new name and Oracle logo) has a couple of stand-out features:

1. Support for large policy sets and easy delegated administration. In OES we can now separate massive policy stores across multiple organizations and applications. Many OES (ALES) customers are setting up enterprise-wide authorization service layers and need a central place to manage policies for multiple LOB applications without everything living in the same namespace. OES now has the ability to partition policies according to use and placement in the organization.

2. SharePoint protection. OES now ships a Policy Enforcement Point (PEP) that plugs into a MOSS 2007 environment to perform fine grained entitlements for web pages, web parts, lists, documents and other SharePoint "stuff".

3. Policy Simulation. The OES administration console now has a powerful simulation tool that lets a policy admin try out various scenarios and test policies without having to write an actual application to use them.

You can try out OES by downloading it from OTN here.

Also there is more information on OES here.

Thursday, September 11, 2008

Fraud Flash for the week of September 8, 2008

Aug. 30, 2008
National Technical Institute for the Deaf Rochester Institute of Technology
http://wcbstv.com/topstories/rochester.laptop.stolen.2.806853.html
A recently stolen laptop contained the names, birth dates and Social Security numbers of about 12,700 applicants to the National Technical Institute for the Deaf and another 1,100 people at Rochester Institute of Technology. The laptop belonged to an employee and was stolen on Monday from an office at NTID. People at RIT, who are not affiliated with NTID, are affected because their personal information was being used as part of a control group in an internal study.

Southwest Medical Association
http://www.lasvegasnow.com/Global/story.asp?S=8925605&nav=menu102_2
Thousands of medical charts, all listed to Southwest Medical Association, became the property of a man who bought the contents of a storage unit for just $25 in an auction.

Sept. 3, 2008
Oakland School District
http://www.mercurynews.com/alamedacounty/ci_10372819
Thieves broke into the Oakland school district’s human resources offices and stole up to 12 computers containing the personal information of an estimated 100 new hires.

Sept. 4, 2008
Ecumenical Ministries of Oregon
http://www.oregonlive.com/news/index.ssf/2008/09/portland_hiv_day_center_asks_f.html
A computer containing information for at least 350 HIV patients was stolen from the Ecumenical Ministries of Oregon’s HIV Day Center.

Erie County Health Facility
http://www.wben.com/news/fullstory.php?newsid=10751
The Erie County Executive’s office issued a statement about a laptop computer stolen from a county health facility.

Sept. 5, 2008
East Burke High School
http://www2.morganton.com/content/2008/sep/05/061845/east-burke-high-school-posted-163-staff-members-so/
For the past five years, East Burke High School's website exposed files containing personal information including names, Social Security numbers, addresses, phone numbers, job titles, email addresses and unlisted phone numbers of teachers, bus drivers, custodians and other staff members on the Internet.

Newly reported incidents elsewhere:

In Japan:

Sept. 5, 2008
Hotta
http://www.yomiuri.co.jp/dy/national/20080905TDY02304.htm
The personal data of as many as 18,000 customers have been compromised after the server of Tokyo-based pet supply firm Hotta was accessed by a hacker in China.
About 3,000 cases of identity theft have been found among users of Yahoo Japan Corp.'s online auction site. The total number of confirmed and suspected ID theft cases targeting the nation's largest Internet auction site has reached about 10,000.

In Korea:

Sept. 6, 2008
GS Caltex
http://english.donga.com/srv/service.php3?bicode=040000&biid=2008090631088
Two multimedia discs containing the personal information of 11.1 million customers of GS Caltex, one of Korea's largest oil refineries, were reportedly found on the street, but it now appears to have been an insider job and the street story a cover-up.

In the U.K.:

Sept. 2, 2008
The Aberdeen Press
http://www.theregister.co.uk/2008/09/02/scots_paper_privacy_snafu/
Scottish newspaper The Aberdeen Press inadvertently made it easy to harvest sensitive information about registered users from its site as a result of a basic information security mistake.

Sept. 5, 2008
NHS
http://www.pinknews.co.uk/news/articles/2005-8916.html
A memory stick containing information about the STI tests of 146 people has gone missing from the Chelsea and Westminster Hospital.

Sept. 6, 2008
Ministry of Justice
http://www.timesonline.co.uk/tol/news/politics/article4692879.ece
A disk containing the personal details of 5,000 prison staff was lost by EDS last year, but the prison service wasn’t notified until this July.

Sept. 7, 2008
Royal Bank of Scotland
http://www.walesonline.co.uk/news/wales-news/2008/09/08/bank-details-safe-after-laptop-theft-91466-21698548/
A laptop containing the personal details of 100 bank customers was stolen from a Welsh branch of Royal Bank of Scotland in May, but customers had not been informed of the theft because the details held on the laptop were encrypted.

In Canada:

Sept. 6, 2008
Direct Cash Management Inc
http://www.canada.com/calgaryherald/news/city/story.html?id=c442f4a5-4deb-440b-85b0-c7329d76d063
Ehud Tenenbaum, an Israeli hacker who broke into U.S. Department of Defense computers as a teenager, is the alleged mastermind of a $1.8-million theft from Direct Cash Management Inc. in Calgary.

In UAE:

Sept. 5, 2008
UAE Credit Network
http://www.thenational.ae/article/20080904/NATIONAL/726459427
An international investigation is under way to find hackers believed to have stolen information from financial servers in the UAE to make fraudulent credit and debit card purchases in the US.

Thursday, September 4, 2008

Fraud Flash for the week of September 1, 2008

Aug. 22, 2008
Liberty McDonald's Restaurant
http://www.wytv.com/news/local/27271209.html
An employee at a Liberty McDonald's restaurant took credit or debit cards from drive-through customers and used a device she had hidden near the window to swipe the cards and record their numbers. The information on the device was then downloaded and used to make new cards, either in the names of the persons to whom the original cards belonged or in the names of the perpetrators.

Aug. 26, 2008
Pennsylvania Department of Public Welfare
http://www.pennlive.com/news/patriotnews/index.ssf?/base/news/1219713931186670.xml&coll=1
Paper jams in a state Department of General Services mail inserter caused benefit renewal packets to go to the wrong Pennsylvania welfare clients' homes. Nearly half of them included the intended recipients' Social Security numbers.

Prince William County Public Schools
http://www.nbc4.com/news/17303374/detail.html
Personal information of some students, employees and volunteers was accidentally posted online by a Prince William County Public Schools employee. Information for more than 2,600 people was exposed through a file-sharing program by an employee working from home on a personal computer. Names, addresses and student identification numbers of more than 1,600 students were exposed. Names and social security numbers of 65 employees were exposed. Other confidential information for about 250 employees was exposed. And the names, addresses and e-mail addresses of more than 700 volunteers were exposed.

Aug. 27, 2008
Kansas State University
http://cjonline.com/stories/082808/kan_323914494.shtml
An instructor for classes offered through the Division of Continuing Education, taught through the UFM Community Learning Center, reported an overnight theft of numerous items from a car, which was parked outside a Manhattan residence. Items taken included a backpack with a list of names and Social Security numbers of 86 K-State students who had taken that instructor’s classes from fall 2007 through summer 2008.

Aug. 28, 2008
The Washington Trust Co.
http://www.pbn.com/stories/34753.html
The Washington Trust Co. has notified about 1,000 customers that their debit and credit card accounts might have been compromised in a suspected security breach at an unidentified MasterCard merchant. The company is investigating a suspected security breach of a U.S. e-commerce-based merchant's Web server which contained debit card data.

Reynoldsburg Ohio City School District
http://www.bucyrustelegraphforum.com/apps/pbcs.dll/article?AID=/20080829/UPDATES01/80829002
Reynoldsburg school officials were phasing out the use of Social Security numbers in the district's student database when someone stole a laptop containing that information. The district laptop, taken from a computer technician's car, also included names, addresses and phone numbers for two-thirds of the district's enrollment.

Aug. 29, 2008
Ohio Credit Union
http://www.spamfighter.com/News-10867-Ohio-Credit-Union-Consumers-Alerted-of-a-Phishing-Fraud.htm
A large number of Ohioans have been receiving e-mails telling them that services from the Ohio Credit Union were withdrawn, followed by a telephone number to contact. The Ohio Credit Union League is urging people who receive these e-mails not to call the given number, as it is a phishing fraud. Instead, the League is asking recipients to call their financial institution directly and report the messages, so that authorities can be alerted and their accounts put on hold if necessary, as reported by nbc4i on August 21, 2008.

Aug. 30, 2008
Ohio Police & Fire Pension System
http://www.dispatchpolitics.com/live/content/local_news/stories/2008/08/30/copy/PENSION.ART_ART_08-30-08_B1_G7B69U5.html?adsec=politics&sid=101
A former mailroom supervisor at the Ohio Police & Fire Pension System forwarded the names, addresses and Social Security numbers from his work e-mail address to his personal e-mail address before quitting his job. The file contains information for 13,000 of the approximately 24,000 retired members of the Ohio Police & Fire Pension System, most of whom are former police officers.

Sept. 02, 2008
Montana Credit Union Network
http://www.westyellowstonenews.com/articles/2008/08/29/news/news5.txt
Many Montanans have been receiving calls purportedly "alerting" them to the fact that their debit or credit card has been deactivated or suspended, followed by a phone number to call. The Montana Credit Union Network is urging recipients NOT to call this number; it is a phishing scam. Phishing is a fraudulent attempt to obtain sensitive information by posing as a trusted source. In this case, the message appears to come from a credit union or financial institution asking the recipient to contact them. Once the call is placed, an automated message prompts the caller to enter their credit or debit card information.