Information Security and WebFOCUS

Information Security and WebFOCUS
Penny J Lester
SVP Delivery Services
August 22, 2008
Authentication
• “Authentication (from Greek αυθεντικός; real or genuine, from authentes; author) is the act of establishing or confirming something (or someone) as authentic, that is, that claims made by or about the thing are true.”
Authorization
• “Authorization (deciding whether to grant access) is a separate concept to authentication (verifying identity), and usually dependent on it.”
www.google.com/a/security
• Google surveyed 575 IT professionals
Information Security
• A layered approach to authentication and authorization (auth/auth)
– Physical
– Network
– Operating System (OS)
– RDBMS
– Application
Physical Security
• Secure the hardware
– Active Reports
• Secure the server room
• Secure your passwords
– Do not share them
– Do not write them down
Network Security
• Implement a single sign on (SSO) in a Windows network
– Update the client odin.cfg
Network Security
• Implement a single sign on (SSO) in a Windows network
– Update site.wfs
Network Security
• Implement a single sign on (SSO) in a Windows network
– site.wfs (cont.)
Operating System Security
• Five authentication options
– OPSYS
– PTH
– DBMS
– LDAP
– OFF
Operating System Security
• OPSYS
– Authentication against OS
– Authorization based on OS IDs
• Administrators have full access to web console
• OS ID impersonated to run reports
Operating System Security
• OPSYS – PLester57 is not an Administrator
Operating System Security
• OPSYS – Penny is the Administrator
Operating System Security
• OPSYS – authenticate ID to OS, not an Administrator
Operating System Security
• OPSYS – authenticate ID to OS, is an Administrator
Operating System Security
• OPSYS – authenticate ID to OS, is invalid
Operating System Security
• PTH
– Authentication against admin.cfg
– Authorization
• if the ID is in admin.cfg, it can access the WebFOCUS Web Console and run reports
• if not, it can only run reports
Operating System Security
• PTH – Configured 1 administrator
Operating System Security
• PTH – Penny is administrator ID
Operating System Security
• PTH – ID “admin” is not administrator
Operating System Security
• PTH – ID “Penny” unrestricted access
• PTH – ID “admin” restricted access
Operating System Security
• DBMS
– Authentication against Database vs. the OS
– Authorization
• if the ID is in the DBMS, it can run reports
• if the ID is not in the DBMS, it cannot run reports
Note: the IDs must be set up in the DBMS to use SQL authentication rather than Windows authentication
Operating System Security
• DBMS – RDBMS must be up!
Operating System Security
• DBMS – Notice no IWA
Operating System Security
• DBMS Authentication
– Penny
• Windows
Operating System Security
• DBMS Penny IWA
Operating System Security
• DBMS Authentication
– SQLUser
• SQL Server
Operating System Security
• DBMS SQLUser SQL Server
Operating System Security
• LDAP
– Authentication against LDAP file
– Authorization
• if the ID is in the LDAP file(s), it can run reports
• if the ID is not in the LDAP file(s), it cannot run reports
Operating System Security
• LDAP
Operating System Security
• LDAP – Microsoft Active Directory
Operating System Security
• OFF – Danger!!
• “badID” can do anything the administrator ID that started the server can do!!
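The five authentication modes above (OPSYS, PTH, DBMS, LDAP, OFF) differ in which store checks the ID and what a checked ID is then allowed to do. The following is an added model of those rules, not WebFOCUS code; the identity stores (OS accounts, admin.cfg entries, DBMS logins, LDAP entries) are constructed stand-ins, and modes the slides do not describe console access for are modelled as report-only.

```python
from dataclasses import dataclass

# Constructed stand-ins for the identity stores the slides refer to (not real config files).
OS_USERS = {"Penny": True, "PLester57": False}   # OS account -> is an OS Administrator
ADMIN_CFG = {"Penny"}                            # IDs listed in admin.cfg (PTH mode)
DBMS_LOGINS = {"SQLUser"}                        # SQL-authenticated logins defined in the RDBMS
LDAP_USERS = {"Penny", "PLester57"}              # entries in the LDAP directory
MODES = ("OPSYS", "PTH", "DBMS", "LDAP", "OFF")

@dataclass(frozen=True)
class Decision:
    authenticated: bool
    run_reports: bool
    web_console: bool
    impersonates_caller: bool    # report runs under the caller's own OS ID (OPSYS)
    acts_as_server_owner: bool   # caller inherits the rights of the ID that started the server (OFF)

DENY = Decision(False, False, False, False, False)

def authorize(mode: str, user_id: str) -> Decision:
    """Apply the authentication/authorization rules the slides give for each mode."""
    if mode == "OPSYS":
        # Authenticate to the OS; OS Administrators get the Web Console; the OS ID is impersonated.
        if user_id not in OS_USERS:
            return DENY
        return Decision(True, True, OS_USERS[user_id], True, False)
    if mode == "PTH":
        # Any ID gets in; only IDs present in admin.cfg also get the Web Console.
        return Decision(True, True, user_id in ADMIN_CFG, False, False)
    if mode == "DBMS":
        # Authenticate against the database, not the OS (console access not covered by the slides).
        return Decision(True, True, False, False, False) if user_id in DBMS_LOGINS else DENY
    if mode == "LDAP":
        # Authenticate against the directory (console access not covered by the slides).
        return Decision(True, True, False, False, False) if user_id in LDAP_USERS else DENY
    if mode == "OFF":
        # No authentication at all: every caller acts with the server-starting admin's rights.
        return Decision(True, True, True, False, True)
    raise ValueError(f"unknown mode {mode!r}")

def modes_admitting(user_id: str) -> list:
    """Modes that accept this ID at all; shows which settings let an unknown ID through."""
    return [m for m in MODES if authorize(m, user_id).authenticated]

if __name__ == "__main__":
    for mode in MODES:
        print(mode, authorize(mode, "badID"))
    print("badID admitted by:", modes_admitting("badID"))
```

Running it with an ID that exists in none of the stores shows that only PTH and OFF admit it, and that OFF alone grants it the server owner's rights.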
Database Security
• DBMS can be used for Authentication
Database Security
• Data Adapter – Explicit
Database Security
• Data Adapter – Explicit, invalid ID/pwd
Database Security
• Data Adapter – Password Passthru
Database Security
• Data Adapter – Trusted
Application Security
• Managed Reporting Environment
Application Security
• Managed Reporting Environment
– Authentication
Application Security
• Managed Reporting Environment
– Authorization
Application Security
• Managed Reporting Environment
– Analytical User
Application Security
• Managed Reporting Environment
– Content Manager
Summary
• A layered approach to authentication and authorization (auth/auth)
– Physical
– Network
– Operating System (OS)
– RDBMS
– Application
• WebFOCUS hits four out of five!
Questions?
Thank you!!