Secure Business Processes Optimization System

Antonio Sarasa Cabezuelo (1), Daniel Ruiz-Zorrilla Gonzalo (2), Marcos Muiños Martín (2)

(1) Universidad Complutense de Madrid, [email protected]
(2) Lannet, S.L., {daniel.ruiz, marcos.muinos}@lannet.es

Abstract

This article describes the security-related aspects implemented in the first stages of a project whose main goal is to retain the experience acquired by the experts of a business area of an enterprise, in order to later train junior employees and support decision-making processes. To create this knowledge base, the designed system, based on business rules and on information provided by the experts, can train the new employees and help them learn the experience previously acquired by the experts. It is critical to keep this information out of the reach of unauthorized personnel, because of the high economic cost that an intrusion and access to this information could entail.

1. Introduction

There are business areas in the enterprise whose inner workings depend to a great extent on the employees' knowledge. This knowledge is not learned, but acquired through years of experience. In many cases it is hard to teach to new employees, because its nature makes it hard to communicate. This situation can have negative consequences for the company, leading to economic losses, and the following situations may arise:

• Long learning curves, due to the nature of the transmitted knowledge, which cost the company during the time until the junior employee starts to produce effective work.
• A harmful dependency of the company on its employees; their work is like a "black box" which only they know in detail. This can lead the company into undesired situations.
• The potential danger of losing all the experience acquired through the years, which means starting all over again from the ground up.
• The potential danger of other companies hiring the expert employees, letting the competitors acquire this valuable knowledge.

For all these reasons, there is a growing interest in creating solutions that keep the acquired knowledge, use it to help in taking decisions, and allow it to be transmitted to junior employees so that they can make good use of it; in this way, knowledge that is valuable to the enterprise is preserved. To address this problem, a project developed in collaboration between the private company LANNET S.L. and the department "Sistemas Informáticos y Programación" of the "Universidad Complutense de Madrid" has been proposed in the VI Program of Research and Development of the European Union 2003. The challenge of this project is to allow every user, expert or junior, access to all this knowledge without detriment to its informative potential.

Given these requirements, the development of a tool that is able to manage all the information referred to above and can offer solutions to the problem domain has started. Due to the nature of the information managed by the system, one of the fundamental requisites is the way the data is input into the system. The experts should be able to input the data in a direct and continuous way, because they are the only ones qualified for that task. Additional system requisites are:

• Very simple data input/output, from any device connected to the network.
• Intuitive and graphically rich hypermedia access as a didactic element. The interaction between the system and the user takes place through Web interfaces; these have a hypermedia design with links that make the tool easier to use and, at the same time, strengthen its didactic aspect.
• A learning system for the junior employees [19]. It is of vital importance that the tool offers the employees a way to learn the knowledge input by the experts.
• Flexible and generic. It should be flexible enough to be used and parameterised to cover the needs of different business areas. To achieve this goal, its design should be generic enough, abstracting the aspects common to every area.
• Two types of users. It should cover two types of users: the expert user, who has the knowledge needed by the enterprise and adopts the role of an instructor feeding the system with knowledge, and the novice user, who uses the tool to learn and acquire the knowledge of the experts. For each user type, the tool should offer different working options and privileges.
• Intelligent support to the decision-making process [2]. The knowledge stored in the system is used not only for learning and back-up procedures, but also for processing and helping decision-making processes, automating the corresponding business process.
• A secure system implementing authentication (user identification to verify the user's identity), authorization (a privilege management system to control access to resources) and security over information (data encryption). Other security aspects of interest are: confidentiality (information only for authorized users), data integrity in transactions, non-repudiation (a transaction cannot be denied), controlled access to systems and components, and end-to-end integrity and message confidentiality.

This article describes the security aspects implemented during the development stage of the system. First there is a section about existing technologies, then a section about the system's security architecture, and finally the conclusions and future work are presented.

2. Existing technologies

As stated in the introduction, in the development of the system there is the need to implement security mechanisms that cover three use cases:

• Single Sign-On (SSO) [12][20], allowing the user to authenticate only once across different security domains.
• Authentication and Authorization Service [9].
• Distributed Transactions between different security domains [15].

Figure 1. Single Sign-On

Figure 2. Authentication and Authorization Service

Figure 3. Distributed Transaction

Authentication is the process by which the system checks that the user is who he says he is. In the process, the end user is required to give certain credentials (like a user id and a password) that can be checked against a known list. If the given credentials are valid, the user is authenticated; if not, the user is not authenticated.

Authorization [4] is the process executed once the user has been authenticated. This process defines what the user can or cannot do in the system: the views he can access, the data fields he can see, read-only restrictions over data fields, etc. Although authorization is usually viewed as a security function, the decisions that define which users have access to which functionalities are business decisions. Therefore, the rules that implement authorization are business rules, so the authorization code follows the business logic and not the security logic. The security infrastructure must allow the business logic [3] to access the user identities and establish the group the user belongs to or the functions he is allowed to execute. To apply our authorization business rules, the user must have been authenticated previously, and all data related to him must have been loaded.

To define the functions, groups and any other authorization criteria needed, the security and business teams of the company must meet. Both teams should agree on the set of functions [18] necessary for the enterprise application and should also work together to map those functions onto the set of functions already used in other applications across the enterprise. If each team creates its own functions in isolation, managing and administering users and functions for all the enterprise applications can become very complex.

Related to the above problems, there are three important standards that try to solve these questions: Java Authentication and Authorization Service (JAAS), Security Assertion Markup Language (SAML) and Extensible Access Control Markup Language (XACML).

2.1. Java Authentication and Authorization Service

Traditionally, security in Java did not include the infrastructure necessary to support traditional authentication and authorization. In traditional operating systems the authentication process is implemented over a main process or entity through some kind of challenge-response mechanism (the best known being the combination of user id and password). The "challenge" [1] can be complex, like encrypted data, or carry specific information, and the response is based on validating this type of "challenge". Authorization, in turn, is usually performed against an entity or main process and a list of resources authorized for that entity or process.

Security in J2SE is based on public key cryptography [16] and code signing. In other words, the authentication process is based on the idea that the code is being executed on the JVM [5] and that no other main process is going to ask for resources, and the authorization process is based on the notion that it is the code that tries to use the computing resources. The Java Authentication and Authorization Service (JAAS) [13] was designed to solve these defects. It is a set of packages that allow services to perform authentication and strengthen code-based access controls with user-based access controls and authentication capabilities; this permits the definition of permissions based not only on the executing code but also on who is executing it, and enforces access control over users. It implements a Java version of the Pluggable Authentication Module (PAM) framework and supports user-based authorization. JAAS can be used for authentication and authorization processes:

• User authentication. Gives confidence and assurance about who is executing Java code at a given time, no matter whether the code is being executed as an application, an applet, a bean, etc. It is based on the Pluggable Authentication Module (PAM) framework and can be used both on the clients and on the servers. The authorization part is an extension of the authorization schemes existing in J2SE and used in the policy files [17]. It is implemented as a plug-in, allowing the applications to be independent from the authentication mechanism used by the system; this allows new or revised authentication systems to be added without having to modify the application itself.
• User authorization. Ensures that users have the access rights required to execute the desired actions. In this case, JAAS extends the Java security architecture, which uses security policies specifying what access rights are defined for the executing code (this mechanism defines permissions based on where the code comes from and not on who executes it), so that with JAAS the permission definition is based not only on the code, but also on who executes it.

2.2. The Security Assertion Markup Language

SAML is an XML-based framework for exchanging security information, developed by OASIS [7] and characterized by:

• Assertions represented as XML constructs.
• An XML-based request/response protocol.
• Rules for using assertions with standard message frameworks (bindings and profiles).

It works as an "electronic passport" based on the use of assertions about subjects; these assertions are issued by SAML authorities [8], may carry conditions on their validity, and may be digitally signed. Assertions can contain several different statements:

• Authentication statement [8]. "An authority states that subject S was authenticated by M at time T". It provides Single Sign-On. Here SAML does not verify or revoke credentials; it only gives information about authentication processes executed previously.
• Decision statement [7]. "An authority gives subject S permission for access of type A to resource R, given evidence E". The subject can be a human being or a program, and the resource can be a web document, a web service, etc. Useful in distributed transactions and authorization services.
• Attribute statement [8]. "An authority states that subject S has attributes A, B, ... with values a, b, ...". Useful in distributed transactions, where data is obtained from an LDAP directory, and in authorization services.
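The statements above can be made concrete with an assertion that a relying party has to check before trusting it. The following Python code is an added example, not part of the original paper and not code from OASIS or SmartQTC: it builds a SAML 1.x-style assertion carrying an authentication statement and an attribute statement with validity conditions, signs it, and then performs the relying-party checks (trusted issuer, intact signature, validity window). The issuer URL, subject, attribute names, key and timestamps are constructed sample values, and the HMAC-SHA256 signature is an assumption standing in for the XML-DSig public-key signature a real SAML authority would use.

```python
"""Build and verify a SAML 1.x-style assertion with an authentication
statement, an attribute statement, validity conditions and a signature."""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"   # SAML 1.x assertion namespace
DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"        # XML Signature namespace
ET.register_namespace("saml", SAML_NS)
ET.register_namespace("ds", DSIG_NS)


def _q(ns, name):
    return "{%s}%s" % (ns, name)   # ElementTree's {namespace}local tag form


class InvalidAssertion(Exception):
    """Raised when a relying party must not trust the presented assertion."""


def _sign(key, data):
    # Assumption: HMAC-SHA256 with a secret shared by authority and relying party
    # stands in for the XML-DSig public-key signature a real authority would use
    return hmac.new(key, data, hashlib.sha256).digest()


def build_assertion(issuer, subject, auth_method, attributes, issued_at, ttl, key):
    """Serialize a signed assertion: 'subject was authenticated by auth_method at
    issued_at' plus 'subject has these attributes', valid for ttl."""
    stamp = issued_at.isoformat()
    root = ET.Element(_q(SAML_NS, "Assertion"), {
        "MajorVersion": "1", "MinorVersion": "1", "Issuer": issuer, "IssueInstant": stamp})
    ET.SubElement(root, _q(SAML_NS, "Conditions"), {
        "NotBefore": stamp, "NotOnOrAfter": (issued_at + ttl).isoformat()})
    auth = ET.SubElement(root, _q(SAML_NS, "AuthenticationStatement"), {
        "AuthenticationMethod": auth_method, "AuthenticationInstant": stamp})
    ET.SubElement(ET.SubElement(auth, _q(SAML_NS, "Subject")),
                  _q(SAML_NS, "NameIdentifier")).text = subject
    attr_stmt = ET.SubElement(root, _q(SAML_NS, "AttributeStatement"))
    ET.SubElement(ET.SubElement(attr_stmt, _q(SAML_NS, "Subject")),
                  _q(SAML_NS, "NameIdentifier")).text = subject
    for name, values in attributes.items():
        attr = ET.SubElement(attr_stmt, _q(SAML_NS, "Attribute"), {"AttributeName": name})
        for value in values:
            ET.SubElement(attr, _q(SAML_NS, "AttributeValue")).text = value
    # Sign the assertion as serialized without the Signature element, then append it
    mac = _sign(key, ET.tostring(root, encoding="utf-8"))
    sig = ET.SubElement(root, _q(DSIG_NS, "Signature"))
    ET.SubElement(sig, _q(DSIG_NS, "SignatureValue")).text = base64.b64encode(mac).decode("ascii")
    return ET.tostring(root, encoding="utf-8")


def verify_assertion(data, key, trusted_issuers, now):
    """Relying-party checks: trusted issuer, intact signature, validity window.
    Returns subject, authentication method and attributes, or raises."""
    root = ET.fromstring(data)
    if root.tag != _q(SAML_NS, "Assertion"):
        raise InvalidAssertion("not a SAML assertion")
    if root.get("Issuer") not in trusted_issuers:
        raise InvalidAssertion("untrusted issuer %r" % root.get("Issuer"))
    sig = root.find(_q(DSIG_NS, "Signature"))
    if sig is None:
        raise InvalidAssertion("assertion is not signed")
    presented = base64.b64decode(sig.findtext(_q(DSIG_NS, "SignatureValue"), ""))
    root.remove(sig)   # recompute over exactly the bytes the authority signed
    if not hmac.compare_digest(presented, _sign(key, ET.tostring(root, encoding="utf-8"))):
        raise InvalidAssertion("signature does not match")
    cond = root.find(_q(SAML_NS, "Conditions"))
    if cond is not None:
        not_before = datetime.fromisoformat(cond.get("NotBefore"))
        not_on_or_after = datetime.fromisoformat(cond.get("NotOnOrAfter"))
        if not (not_before <= now < not_on_or_after):
            raise InvalidAssertion("assertion is outside its validity window")
    auth = root.find(_q(SAML_NS, "AuthenticationStatement"))
    subject = auth.find(_q(SAML_NS, "Subject")).findtext(_q(SAML_NS, "NameIdentifier"))
    attrs = {a.get("AttributeName"): [v.text for v in a.findall(_q(SAML_NS, "AttributeValue"))]
             for a in root.iter(_q(SAML_NS, "Attribute"))}
    return {"subject": subject, "method": auth.get("AuthenticationMethod"), "attributes": attrs}


def is_rejected(data, key, trusted_issuers, now):
    try:
        verify_assertion(data, key, trusted_issuers, now)
    except InvalidAssertion:
        return True
    return False


# Constructed sample data for a stand-alone run
KEY = b"constructed-shared-secret"
ISSUER = "https://authority.example.test"
T0 = datetime(2003, 5, 1, 10, 0, tzinfo=timezone.utc)
VALID_AT = T0 + timedelta(minutes=1)
EXPIRED_AT = T0 + timedelta(minutes=10)
PASSWORD_METHOD = "urn:oasis:names:tc:SAML:1.0:am:password"   # SAML 1.x method URI


def demo_assertion():
    return build_assertion(ISSUER, "jdoe", PASSWORD_METHOD,
                           {"role": ["junior"], "area": ["claims"]}, T0, timedelta(minutes=5), KEY)


if __name__ == "__main__":
    print(verify_assertion(demo_assertion(), KEY, {ISSUER}, VALID_AT))
```

Note the order of the checks: the issuer and signature are verified before any content is read, so an unsigned or altered assertion is refused even when its conditions look valid; a rejected assertion yields no partial information to the caller.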

2.3. The Extensible Access Control Markup Language

XACML (eXtensible Access Control Markup Language) [23] is an XML-based language for access control developed by OASIS. XACML defines an access control policy language and a request/response language. The policy language is used to express access control policies (who can do what, and when). The request/response language expresses queries about whether a particular access should be allowed (request) and describes the answers to those queries (response). XACML offers a number of benefits over other access control policy languages:

• Being a standard, it can replace specific policy definition languages, unifying the area and allowing existing code to be reused.
• XACML is flexible enough to cover more than one access control policy and can be extended to new ones.
• An XACML policy can cover many resources, avoiding inconsistent policies across several resources.
• XACML allows one policy to refer to another, which is important for big companies. For example, the policy of a specific site can refer to the policy of a company or a country.

In a typical XACML usage scenario, a subject wants to execute a certain action over a particular resource. The subject sends the request to the entity that protects the resource, called the Policy Enforcement Point (PEP). The PEP builds a request (using the XACML request language) from the subject attributes, the action, the resource and any other relevant information, and sends it to a Policy Decision Point (PDP). The PDP examines the request, retrieves the policies (written in the XACML policy language) that apply to it, and determines whether the access should be granted using the XACML policy evaluation rules. The response (written in the XACML response language) is sent back to the PEP, which allows or denies the requester access.
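The following Python code is an added example, not from the paper and not from any XACML implementation, that models the exchange just described: a `PEP` builds the request from subject, resource and action attributes, a `PDP` evaluates the policies that apply, including a policy referenced from another one (the site/company case mentioned in section 2.3), with the usual XACML combining algorithms, and the PEP enforces the decision. It also illustrates the point made in section 2 that authorization rules are business rules: the policies, not the security code, decide who may read, write or export a knowledge base. Policies are expressed as Python objects rather than XACML XML, and the policy ids, roles and resource names are constructed sample values.

```python
"""Simplified model of the XACML PEP/PDP interaction with rule and policy
combining, policy references and a deny-by-default enforcement point."""
from dataclasses import dataclass, field

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"


def target_matches(target, request):
    """target: attribute name -> set of accepted values. Every listed attribute
    must share at least one value with the request; an empty target matches all."""
    return all(not accepted.isdisjoint(request.get(name, set()))
               for name, accepted in target.items())


@dataclass
class Rule:
    effect: str      # PERMIT or DENY
    target: dict     # attribute name -> set of values


@dataclass
class Policy:
    policy_id: str
    rules: list
    target: dict = field(default_factory=dict)
    combining: str = "deny-overrides"               # or permit-overrides / first-applicable
    references: list = field(default_factory=list)  # ids of policies included by reference


def combine(algorithm, decisions):
    """The three XACML combining algorithms most often used."""
    if algorithm == "deny-overrides":
        if DENY in decisions:
            return DENY
        return PERMIT if PERMIT in decisions else NOT_APPLICABLE
    if algorithm == "permit-overrides":
        if PERMIT in decisions:
            return PERMIT
        return DENY if DENY in decisions else NOT_APPLICABLE
    if algorithm == "first-applicable":
        return next((d for d in decisions if d != NOT_APPLICABLE), NOT_APPLICABLE)
    raise ValueError("unknown combining algorithm %r" % algorithm)


class PDP:
    """Policy Decision Point: holds the policies and evaluates requests."""

    def __init__(self, policies):
        self.policies = {p.policy_id: p for p in policies}

    def evaluate(self, policy_id, request):
        policy = self.policies[policy_id]
        if not target_matches(policy.target, request):
            return NOT_APPLICABLE
        decisions = [rule.effect if target_matches(rule.target, request) else NOT_APPLICABLE
                     for rule in policy.rules]
        # A policy may refer to another (e.g. a site policy including the company policy)
        decisions += [self.evaluate(ref, request) for ref in policy.references]
        return combine(policy.combining, decisions)


class PEP:
    """Policy Enforcement Point: guards a resource, asks the PDP, enforces the answer."""

    def __init__(self, pdp, root_policy_id):
        self.pdp = pdp
        self.root_policy_id = root_policy_id

    def decide(self, subject_attrs, resource, action):
        request = {"subject:%s" % k: set(v) for k, v in subject_attrs.items()}
        request["resource:id"] = {resource}
        request["action:id"] = {action}
        return self.pdp.evaluate(self.root_policy_id, request)

    def is_allowed(self, subject_attrs, resource, action):
        # Only an explicit Permit grants access; Deny and NotApplicable are both refused
        return self.decide(subject_attrs, resource, action) == PERMIT


def build_example_pep():
    """Constructed sample policies for the knowledge bases of the system."""
    company = Policy("company", rules=[
        # Nobody may export the experts' knowledge base, whatever a site policy says
        Rule(DENY, {"resource:id": {"kb/experts"}, "action:id": {"export"}}),
    ])
    site = Policy("site-madrid", combining="deny-overrides", references=["company"], rules=[
        Rule(PERMIT, {"subject:role": {"expert"}, "resource:id": {"kb/experts"},
                      "action:id": {"read", "write", "export"}}),
        Rule(PERMIT, {"subject:role": {"junior"}, "resource:id": {"kb/experts"},
                      "action:id": {"read"}}),
    ])
    return PEP(PDP([company, site]), "site-madrid")


if __name__ == "__main__":
    pep = build_example_pep()
    for role, action in (("expert", "write"), ("expert", "export"), ("junior", "write")):
        print(role, action, pep.decide({"role": [role]}, "kb/experts", action))
```

The site policy permits experts to export, but because it references the company policy under deny-overrides the company's Deny wins; a junior's write request matches no rule and comes back NotApplicable, which the PEP treats as a refusal rather than as permission.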

Figure 4. Typical XACML interaction

3. Development of the system

3.1. Architecture of the system

The architecture of the system, shown in Figure 1, is composed of two parts: the user interface, which allows the user to interact with the system, and the system itself, which is composed of three important subsystems:

• Fuzzy inference system, which implements the support to decision-making processes [3]. It uses the three knowledge bases contained in the system.
• E-Learning system, which manages information objects to create learning units to teach the users.
• Knowledge management system, used by the expert users to manage and configure the system.

Each of these subsystems interacts with three different knowledge bases: the first stores the particular enterprise action rules, the second stores the general enterprise action rules, and the third stores the experts' knowledge, that is, which consequences or actions the expert derives from certain facts.

Figure 5. System’s architecture

3.2. SmartQTC Security

To implement the security system that addresses the security problem domain, the SmartQTC Framework [22], developed by Lannet [14], has been used.

Figure 6. SMARTQTC

SmartQTC is a service-oriented framework based on the idea of creating new applications by integrating and reusing components already developed. Its highly scalable architecture is based on design patterns and provides services, as well as any necessary component. This means that the developer works at the service level: he only needs to know the required data input, the required data output, the necessary algorithms and business rules, and the presentation logic, and the framework takes care of the rest, allowing the developer to concentrate on the business problem domain and hiding the low-level technical aspects from him. Due to the requirements of the project, the framework has been extended with new modules that cover all the needs.

The security properties SmartQTC offers are the following: stability, integrity and availability. Security is intrinsic to the SmartQTC Framework, so all applications written with it inherit its security-related features and functions and its robust architecture. Defensive programming techniques are enforced, and the need for costly penetration tests, source code audits and other tasks that delay the productive deployment of business applications is minimized. The benefits of this approach are:

• Security is not only a matter of security-related functionality, but also of quality code and effective architecture.
• A quality code base ensures secure code.
• Proven, standardized components are used as the system's base.
• Highly extensible security services provided by the SmartQTC Framework, as all functional aspects are separated from the architectural foundation into independent but interlaced services.
• Coverage from secure system access to the monitoring of all user actions, including data encryption and other security-related functionality.

Implemented security functionalities:

• Smart Security (access control module). Defines and implements an extensible security model used to control the access of users to the system, with authentication against relational databases or LDAP directories. The default implementation is based on a proprietary standard, but it could easily be extended to an open standard (SAML / XACML). Its modular design and independence from the framework make it possible to switch to other security models without modifying any other part of the application or business code. It makes possible a federated network of systems and services with single sign-on, distributed transactions, etc.
• SmartConfig (global security level). Makes it possible to set several security properties from a single point. This feature is context sensitive, as the SmartQTC Framework can run in multiple configuration spaces. Encryption is configured at different levels:
  - Low level: no encryption.
  - Medium level: persistent data encryption.
  - High level: persistent data, value object and log encryption.
  - Very high level: high level plus secure data access.
• SmartView (security content filters). Pre- and post-filters between the control layer and the presentation layer, to control the data entering and leaving the system. They filter the data entered in a web form to prevent cross-site scripting, SQL injection or any other malicious code from being executed by the system, and filter the data sent to the client browser depending on the user's rights, location or any other rules.
• SmartLog (security log). Logging of the actions performed by users, and logging of accesses and transactions in the database.
• SmartDAO (secure data access). When the very high security level is needed, access to persistent data is performed using a different architecture; this is transparent from the developer's perspective. Instead of sending plain SQL statements to the database, the statement is encrypted and sent through a secure proxy to a service located on the same host as the database, which executes the query or the call to a stored procedure.
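The pre- and post-filter idea behind SmartView, as an added Python example that is not SmartQTC code: the pre-filter accepts only the expected form fields and only values that fully match a per-field allow-list, the data layer keeps SQL parameterized so that input never becomes part of the statement text, and the post-filter drops the fields the user type may not see and HTML-escapes what remains before it reaches the browser. The field names, validation rules, user types and the in-memory SQLite table are constructed for the example.

```python
"""Pre- and post-filters around a web form, with parameterized data access in
between: input is validated before it reaches the business logic, and output
is reduced and escaped according to the user's rights."""
import html
import re
import sqlite3

# Constructed per-field allow-list: a form is rejected unless every expected
# field is present and its whole value matches the rule
FIELD_RULES = {
    "username": re.compile(r"[A-Za-z0-9_.-]{1,32}"),
    "comment": re.compile(r"[^\x00-\x08\x0b\x0c\x0e-\x1f]{1,500}", re.DOTALL),
}

# Constructed visibility rules for the two user types of the system
VISIBLE_FIELDS = {
    "expert": {"username", "comment", "author_ip"},
    "junior": {"username", "comment"},
}


class RejectedInput(ValueError):
    """Raised by the pre-filter; the request never reaches the business logic."""


def prefilter(form):
    """Control-layer pre-filter: unknown fields, missing fields and values that
    do not fully match their rule are refused (allow-list, not block-list)."""
    unexpected = set(form) - set(FIELD_RULES)
    if unexpected:
        raise RejectedInput("unexpected field(s): %s" % sorted(unexpected))
    clean = {}
    for name, rule in FIELD_RULES.items():
        value = form.get(name, "")
        if not isinstance(value, str) or not rule.fullmatch(value):
            raise RejectedInput("field %r failed validation" % name)
        clean[name] = value
    return clean


def prefilter_rejects(form):
    """True if the pre-filter refuses the form."""
    try:
        prefilter(form)
    except RejectedInput:
        return True
    return False


def open_store():
    """In-memory SQLite table standing in for the system's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (username TEXT, comment TEXT, author_ip TEXT)")
    return conn


def store_comment(conn, clean, author_ip):
    # Parameterized statement: values are bound, never spliced into the SQL text
    conn.execute("INSERT INTO comments VALUES (?, ?, ?)",
                 (clean["username"], clean["comment"], author_ip))


def fetch_comments(conn, username):
    rows = conn.execute(
        "SELECT username, comment, author_ip FROM comments WHERE username = ?", (username,))
    return [dict(zip(("username", "comment", "author_ip"), row)) for row in rows]


def postfilter(records, user_type):
    """Presentation-layer post-filter: keep only the fields this user type may
    see and HTML-escape every value so stored text cannot become markup."""
    allowed = VISIBLE_FIELDS[user_type]
    return [{k: html.escape(v, quote=True) for k, v in rec.items() if k in allowed}
            for rec in records]


def demo_round_trip(user_type):
    """Store one constructed comment and return it as the given user type sees it."""
    conn = open_store()
    clean = prefilter({"username": "jdoe", "comment": "<b>bold</b> & more"})
    store_comment(conn, clean, "10.0.0.5")
    return postfilter(fetch_comments(conn, "jdoe"), user_type)


if __name__ == "__main__":
    print(demo_round_trip("junior"))
    print(demo_round_trip("expert"))
```

The two filters are deliberately independent: the pre-filter decides what may enter, the post-filter decides what may leave and in which form, so a value that was accepted as legitimate text (a comment containing angle brackets) is still rendered as text rather than markup, and the client sees the author's address only when its user type is entitled to it.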

4. Conclusion and future work

Currently the final system prototype is not finished yet, and some parts of the system not related to security, like the inference system, are still under development. On the other hand, the framework extension is already done and fully functional. Applying it to the system to implement the security system has brought several benefits:

• Lower administration cost, due to the automation of authorization tasks, a simpler identity policy and user management, and lower cost and deployment time.
• Better user productivity: an easier authentication process with single sign-on, giving faster access to resources and lowering the number of help-desk requests related to password management. Also, the services offered to the users can be personalized.
• Better security: a unique and scalable security model for all web services and applications, with a central access point for authentication, credential management and single sign-on on the Internet.
• Open standards and federated identity: the implementation and support of the Liberty Alliance [11] and Security Assertion Markup Language (SAML) standards provides interoperability between different authentication and identity systems.

In the current state of the system, the security-related aspects are stable, and they will be re-evaluated once the final prototype is finished. As future work, we want to fine-tune the SmartQTC Security module and analyse support for other standards currently being developed at the Liberty Alliance [21].

5. Acknowledgements

This work is supported by the Spanish Ministry of Science and Technology (MCYT, Spain) under Project TIC2002-04067-C03-02.

6. References

[1] M. Abadi and R. Needham. Prudent engineering practice for cryptographic protocols. IEEE Transactions on Software Engineering, 22(1):6–15, 1996.
[2] C. Altrock. Fuzzy Logic and NeuroFuzzy Applications in Business and Finance. Prentice Hall, 1996.
[3] R. Anderson and R. Needham. Robustness principles for public key protocols. In CRYPTO: Proceedings of Crypto, pages 236–247, Berlin, 1995. Springer-Verlag.
[4] S. Cantor and M. Erdos. Shibboleth-architecture draft v05, May 2002.
[5] P. Dave and N. Moussa. TCP connection hijacking, 2002.
[6] T. Dierks and C. Allen. RFC 2246: The TLS protocol, January 1999. Status: Standards Track.
[7] P. H.-B. et al. Assertions and protocol for the OASIS security assertion markup language (SAML), 2002.
[8] P. M. et al. Bindings and profiles for the OASIS security assertion markup language (SAML), 2002.
[9] R. T. Fielding, J. Gettys, J. C. Mogul, H. Frystyk, L. Masinter, P. Leach, and T. Berners-Lee. RFC 2616: Hypertext transfer protocol – HTTP/1.1, June 1999. Status: Standards Track.
[10] K. Fu, E. Sit, K. Smith, and N. Feamster. Dos and don'ts of client authentication on the web. In Proceedings of the 10th USENIX Security Symposium, 2001.
[11] J. Hodges and T. Wason. Liberty architecture overview, 2003.
[12] D. P. Kormann and A. D. Rubin. Risks of the Passport single signon protocol. Computer Networks, 33:51–58, 2000.
[13] http://java.sun.com/products/jaas/
[14] http://www.lannet.es/
[15] G. Lowe. Breaking and fixing the Needham-Schroeder public-key protocol using FDR. In Tools and Algorithms for the Construction and Analysis of Systems (TACAS), volume 1055, pages 147–166. Springer-Verlag, Berlin, Germany, 1996.
[16] C. Meadows. Analyzing the Needham-Schroeder public-key protocol: A comparison of two approaches. In ESORICS: European Symposium on Research in Computer Security. LNCS, Springer-Verlag, 1996.
[17] H. S. Nwana. Software agents: An overview. Knowledge Engineering Review, 11(3):205–244, 1996.
[18] R. Needham and M. Schroeder. Using encryption for authentication in large networks of computers. Communications of the ACM, 21(12):393–399, 1978.
[19] B. Pfitzmann and M. Waidner. Privacy in browser-based attribute exchange. In Proceedings of the ACM Workshop on Privacy in the Electronic Society, pages 52–62, Washington, DC, 2002. ACM Press.
[20] B. Pfitzmann and M. Waidner. Token-based web single signon with enabled clients. Technical Report RZ 3458, IBM Research Division, 2002.
[21] J. Rouault and T. Wason. Liberty bindings and profiles specification, 2003.
[22] http://www.smartqtc.com/
[23] http://xml.coverpages.org/xacml.html