Security

prepared by:
Abhijit Mishra
Introduction

In the world of the Internet, the challenge is:

Security, the enabling technology for e-Commerce.

Why Security?
To protect data from unwanted users.

Traditionally, Security deals with:

– Risks
– Threats
– Vulnerabilities
– Attacks
Computer Crimes

• The FBI reports that US industries suffer annual losses totaling $63 billion as a result of theft of intellectual property stored on computers.
• $236 million loss to saboteurs, viruses, laptop theft, financial fraud, telecommunications fraud and theft of proprietary information. Source: CSI
• Computer security breaches: 16% rise in past year. Source: CSI
• Password files are stolen regularly.
• Firewalls not helping; 80% of hackers are employees and ex-employees.
Security and e-Commerce

E-Commerce is a key to:

• developing new customers
• finding new sources of revenue
• improving customer service, satisfaction and retention
• expanding into new markets
• reducing costs
• pioneering innovative new business strategies

Type of Attack                      Average Loss
Unauthorized Insider Access         $2,809,000
Theft of Proprietary Information    $1,677,000
Telecom Fraud                       $539,000
Financial Fraud                     $388,000
Sabotage                            $86,000
System Penetration by Outsider      $86,000
Security Policy

Sample elements of a security policy include:

• Approval process for granting access to a system
• Requirements for Identification and Authentication
• Method for keeping system configurations current insofar as security patches and enhancements
• Process to promulgate the security policies and updates
• Process to confirm or enforce compliance to security policies

[Diagram: Authentication, Authorization, Audit, Administration]
PeopleSoft’s Approach

PeopleSoft Security:

PeopleSoft provides you with security features, including Components and PeopleTools, to ensure that your sensitive application data, such as employee salaries, performance reviews, or home addresses, doesn't fall into the wrong hands.
Native Security Services in PeopleSoft 7.5 and Prior Versions
Database Security

Each DBMS that PeopleSoft supports has its own security system, which works in conjunction with PeopleSoft Online Security.

DBMS Security generally controls which:

• Users can log in to a database
• Users can access tables and views and can manipulate data
• Users can perform server system administration activities
PeopleSoft Online Security

The PeopleSoft security approach is tailored for the Internet.

It enables you to:
• easily create and maintain security definitions
• reduce the maintenance of your security system

By using PeopleTools security tools, one can control access to:

• Batch Processes
• Object Definitions
• Application Data
• Other Components
PeopleSoft Security Types

• Sign-on and Time-out Security
• Page and Dialog Security
• Batch Environment Security
  a) Process Security
  b) Reporting Security
• Object Security
• Application Data Security
  a) Query/Table Level Security
  b) Row Level Security
  c) Field Security
PeopleSoft Security Types contd.
• Sign-on and Time-out Security
  Sign-on: Monday to Friday 9am to 5:45pm
  Time-out: 20 mins. idle time
• Page and Dialog Security
  Menus or specific actions (Enabled/Disabled)
• Batch Environment Security
  a) Process Security
     (1) Run Control ID
     (2) Process Groups
     (3) Restricting off-line RDBMS access
  b) Reporting Security
     Report Repository at Web Server
     Server should be locked from outside access
     Can distribute reports and view them based on Roles
PeopleSoft Security Types contd.
• Object Security
  Field, Record and Page level Security
• Application Data Security
  a) Table Level Security
     Works only for queries (SQL)
     Query Access Groups in Tree Manager
     Doesn’t control run-time page access to table data
  b) Row Level Security
     SQL views - security views
     saving only rows of data
     Tailored to specific applications
  c) Field Level Security
     Securing fields or columns
     by using PeopleCode
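
Row-level security through a security view, as an added example that is not part of the original slides or PeopleSoft's own code. It uses Python's sqlite3 with constructed data; the table, view and column names (job_data, sec_dept_access, job_data_secvw, oprid) are hypothetical.

```python
import sqlite3

# Constructed sample data; table, view and column names are hypothetical,
# not PeopleSoft's delivered objects.
SCHEMA = """
CREATE TABLE job_data (emplid TEXT PRIMARY KEY, deptid TEXT, salary INTEGER);
CREATE TABLE sec_dept_access (oprid TEXT, deptid TEXT);
-- Security view: one row per (operator, data row) the operator may see.
CREATE VIEW job_data_secvw AS
  SELECT s.oprid, j.emplid, j.deptid, j.salary
  FROM job_data j JOIN sec_dept_access s ON s.deptid = j.deptid;
INSERT INTO job_data VALUES
  ('E001', 'HR', 50000), ('E002', 'FIN', 62000), ('E003', 'FIN', 58000);
INSERT INTO sec_dept_access VALUES
  ('MGR_FIN', 'FIN'), ('MGR_HR', 'HR'), ('AUDITOR', 'HR'), ('AUDITOR', 'FIN');
"""

def open_db():
    """Build the in-memory sample database."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def visible_rows(db, oprid):
    """Rows the application shows to this operator: always read through the
    view, and bind the operator ID as a parameter (never string-format it)."""
    cur = db.execute(
        "SELECT emplid, deptid, salary FROM job_data_secvw "
        "WHERE oprid = ? ORDER BY emplid", (oprid,))
    return cur.fetchall()

def base_table_rows(db):
    """What a direct database login sees: the view adds no protection here."""
    return db.execute("SELECT emplid FROM job_data ORDER BY emplid").fetchall()

if __name__ == "__main__":
    db = open_db()
    for op in ("MGR_FIN", "MGR_HR", "AUDITOR", "NOBODY"):
        print(op, visible_rows(db, op))
    print("direct table access:", base_table_rows(db))
```

The last function shows why the slides also list restricting off-line RDBMS access: a login that can read the base table is not constrained by the view.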
PeopleSoft Internet Architecture Security

• Falls under PeopleSoft Online Security
• Also known as Run-time Security
• Only authorized users can connect to web and application servers
• Only authorized application servers can connect to a given database
• Uses authentication tokens embedded in browser cookies

To secure the links between the numerous components within the system, including browser, web servers, application servers, database servers and so on, PeopleSoft incorporates a combination of Secure Sockets Layer (SSL) security and Tuxedo/Jolt Encryption.
PeopleSoft Internet Architecture Security contd.
PeopleSoft Security Definitions

Security Definition:

It refers to Security attributes created by using Maintain Security.
Also known as Access Profiles but at the database level.

The main PeopleSoft security object types are:

• User Profiles
• Roles
• Permission Lists
PeopleSoft Security Definitions contd.
User Profile:
Set of data describing a particular user of the PeopleSoft system
Data includes Language Code, SETIDs etc.
Different from application data tables e.g. PERSON_DATA

User Profile Types:

Security related: Passwords
Descriptive: Email Address
Preference: Multilingual

When User Profiles are relevant:

When the user interacts with the system by
• logging in
• viewing his/her worklist entry
• receiving an email
etc.
PeopleSoft Security Definitions contd.

Roles:
Intermediate objects that link User Profiles with Permission Lists.

Examples:
Employee, Manager, Customer, Vendor, Student etc.

Roles can be assigned in two ways:

• Manually
• Dynamically
  by using PeopleCode, LDAP and Query Tools
PeopleSoft Security Definitions contd.

Permission Lists:
List or group of authorizations that are assigned to a Role.

They store:
Sign-on times, Page access, PeopleTools access etc.

Some Permission Lists, such as Process Profile or row-level security, you apply directly to a User Profile.

Data permissions, or row-level security, appear either through a Primary Permissions List or a Row Security Permissions list.
PeopleSoft Security Definitions contd.

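[Diagram: Profile 1 linked to Role 1, Role 2 and Role 3; the Roles linked to Permission Lists PL1 to PL4; Permission Lists linked to the Permissions Display, Modify and Delete. Columns: User Profile, Roles, Permission Lists, Permissions]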
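
The User Profile, Role and Permission List chain from the preceding slides, as an added example that is not part of the original slides or PeopleSoft's own code. It is a Python model over constructed definitions; the user, role and page names are illustrative, and it assumes page grants and sign-on windows are additive across Permission Lists.

```python
from datetime import datetime, time

# Constructed sample definitions; names are illustrative, not delivered objects.
PERMISSION_LISTS = {
    "PL1": {"pages": {("PERSONAL_DATA", "Display"), ("PERSONAL_DATA", "Modify")},
            "signon": {(d, time(9, 0), time(17, 45)) for d in range(5)}},  # Mon-Fri
    "PL2": {"pages": {("JOB_DATA", "Display")}, "signon": set()},
    "PL3": {"pages": {("PERSONAL_DATA", "Delete")},
            "signon": {(5, time(10, 0), time(14, 0))}},                    # Saturday
}
ROLES = {"Employee": ["PL2"], "Manager": ["PL1", "PL2"], "HR Admin": ["PL1", "PL3"]}
USER_ROLES = {"JSMITH": ["Employee", "Manager"], "TEMP01": []}

def permission_lists(user):
    """Permission Lists reached through every Role on the User Profile."""
    return {pl for role in USER_ROLES.get(user, []) for pl in ROLES[role]}

def effective_pages(user):
    """Union of page/action grants (assumed additive across Roles)."""
    return set().union(*(PERMISSION_LISTS[pl]["pages"]
                         for pl in permission_lists(user)))

def may_sign_on(user, when):
    """True if any Permission List has a sign-on window covering `when`."""
    for pl in permission_lists(user):
        for day, start, end in PERMISSION_LISTS[pl]["signon"]:
            if when.weekday() == day and start <= when.time() <= end:
                return True
    return False  # default deny: no Roles, or no matching window

def who_grants(user, page, action):
    """Trace a grant back to (Role, Permission List) pairs for access review."""
    return sorted((r, pl) for r in USER_ROLES.get(user, []) for pl in ROLES[r]
                  if (page, action) in PERMISSION_LISTS[pl]["pages"])

if __name__ == "__main__":
    print(sorted(effective_pages("JSMITH")))
    print(may_sign_on("JSMITH", datetime(2024, 1, 8, 9, 30)))   # a Monday
    print(who_grants("JSMITH", "JOB_DATA", "Display"))
```

Tracing a grant back to its Role and Permission List is the step an access review needs when the same permission arrives through more than one Role.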


PeopleSoft Authorization IDs
User ID:
ID required to enter the PeopleSoft application.
Also used to distinctly identify the User Profile.

Connect ID:
ID required to connect to the PeopleSoft database.
ID required for direct/2-tier connection.

Access ID:
Has administrator level database access (SELECT, UPDATE, DELETE)
ID used when connecting to the PeopleSoft database through the Application Server.

Symbolic ID:
ID used to retrieve the Access ID, which is stored in PSACCESSPRFL.
PeopleSoft Authorization IDs
2-Tier
[Diagram: Configuration Manager -> Database. IDs shown: User ID, Connect ID]

3-Tier
[Diagram: PeopleSoft Application -> Application Server -> Database. IDs shown: User ID, Symbolic ID, Access ID]


PeopleTools 8.1 Security Features for eBusiness Applications
PeopleSoft Users

[Diagram: Customers, Suppliers, Employees and Vendors reach the PeopleSoft Application through the PeopleSoft Internet Architecture]
Directory Server Integration
Lightweight Directory Access Protocol
LDAP benefits:
• Single, centralized user profile for PeopleSoft and non-PeopleSoft applications.
• Can control access to PeopleSoft applications.
• Less redundant data, less cost and fewer errors.
• Customers can utilize PeopleSoft business events and data to drive LDAP user profile and group creation and maintenance.
Lightweight Directory Access Protocol contd.

Directories that PeopleSoft specifically supports:

• Novell NDS (Novell Directory Services) eDirectory
• iPlanet Directory Server (Netscape)
• Microsoft Active Directory

All interfaces between PeopleTools and the Directory are written in LDAP; customers can essentially use any LDAP version 3 compliant server.
LDAP Integration

[Diagram: User Log-in -> Sign-on PeopleCode invokes BI API -> Pulls User Profiles (LDAP -> PS App Server). New User = New Profile; Existing User = Sync. User Profiles]
PeopleSoft Directory Interface for HRMS

The PeopleSoft Directory Interface for HRMS provides:

• an LDAP data mapping tool
• application messaging process
• an additional LDAP BI
to synchronize PeopleSoft and LDAP information

How this works:

[Diagram: Data in the PeopleSoft Application triggers a business event -> an Application Msg. containing directory data (User Profiles) gets published -> a Subscription process gets asynchronously invoked -> Business Interlink gets invoked -> LDAP version 3 Directory gets updated]
SSL and Digital Certificates

PeopleSoft uses HTTP over SSL (HTTPS) to secure the transmission of the content delivered to/from a user’s browser as well as for integration between PeopleSoft and other systems.

The SSL implementation for HTTPS is provided through the use of

etc. CAs
for Java that is enabled within PeopleTools. Hence no additional
licensing required by PeopleSoft users.
SSL for Secure Communications

[Diagram: HTTPS Connection between SSL Server and SSL Client. Each side presents a Digital Certificate that goes through a Validity Check.]

Server Authentication: Widely Used
Client Authentication: Optional
Mutual Authentication: Need more PKI
Sample Digital Certificate
Server Authentication

[Diagram: Source Application (Message Node, SSL Client) sends App Msg over SSL with Server Authentication to Destination Application (Message Node, SSL Server)]

Required Digital Certificates, Source Application:
• Root CA certificate compatible with the Destination’s CA

Required Digital Certificates, Destination Application:
• Server certificate from a CA
Mutual Authentication

[Diagram: Source Application (Message Node, SSL Client) sends App Msg over SSL with Mutual Authentication to Destination Application (Message Node, SSL Server)]

Required Digital Certificates, Source Application:
• Root CA certificate compatible with the Destination’s CA
• Client certificate compatible with the Destination’s CA

Required Digital Certificates, Destination Application:
• Server certificate from a CA
Externalized Authentication
[Diagram: numbered flow, steps 1 to 5, across 3rd Party Web Authentication, Directory, PeopleSoft Web Server (HTTP Server, Servlet Engine) and PeopleSoft Application Server (Sign-On PeopleCode). Step labels: Authenticates; Passes User DN; Passes PS ID; Fetch User profile From Dir/PS; Log On To PS]

3rd Party Web Authentication:
Digital Certificate, User ID/Pwd, Hardware Token, Smart Card, Biometric etc.
Additional Security Enhancements in PeopleTools 8.1

Security Administrator written in App Designer:

• Yesterday: Custom C++ MFC based Windows application
• Today: all User Profile, Role maintenance, Permission List pages are PeopleTools based; deployed through Web Server
• Benefits:
  a) Need additional field to User Profile?
  b) Need to publish XML messages to other systems when security aspect changes?
  c) Need to tie workflow into security administration?
  d) Need to make wizard style interface for line-level managers?

  = No Problem !!
Additional Security Enhancements in PeopleTools 8.1 contd.

Security Administrator is completely API accessible:

• Built in: Application Designer
• Access through: Component Interfaces
• Benefits: Can
  a) Create b) Update
  c) Query d) Delete
  any security information from
  a) COM
  b) C++
  c) Java
Additional Security Enhancements in PeopleTools 8.1 contd.

Rules-based Roles:
• Definition: Automatically change Roles as employees are hired, transferred or depart
• Rules can be abstracted in:
  a) PeopleSoft Queries
  b) PeopleCode
  c) LDAP rules
  d) Java/C++
• Benefits: More Powerful
  Dynamic
  Less overall maintenance
Additional Security Enhancements
in PeopleTools 8.1 contd.

Securing between Tiers:

[Diagram: Web Server <-> Application Server secured with BEA Jolt Encryption; Application Server <-> Database secured with Database Interface Encryption]
References

A) 8.14 Home > PeopleBooks Library > Security
B) Security Features of PeopleSoft Internet Architecture -> a PeopleSoft White Paper (Sept 02)
Queries/Clarifications
Thanks