If you need to secure your application for access, payments or legacy integration, Supra ITS offers experience and innovative ideas in the Information Security area:
- Security Token Services
- SECAF (Security Administration Facility) Security Framework
- Single Sign-on to 3270 applications
- Analysis and Design for RBAC (Role Based Access Control) on SECAF
- Self-Service Password reset for SECAF IDs
- SECAF authenticator for generating a cookie and later verifying it for web access
- Analysis of Entrust GetAccess for use in Clients
- HMAC utility for generating/verifying hash values for data integrity
- Single Sign-on using SPNEGO-Kerberos between different machines and OS
- Enhancing the Entrust security solution for Certification and Registration
- Web Cash Management
- Production support of Entrust products (GetAccess, TruePass etc.) and migration activities from release to release
- Encryption and decryption of e-mails
- Security due diligence review of third-party outsourcing arrangements
- Information security reviews / assessments of business data handling practices
- Network Access Control and network security event monitoring
- Development project security reviews / assessments
- Enhanced Client Authentication (ECA) architecture design and evaluation of third-party products like SiteMinder (CA) and ITIM (IBM); currently involved in developing a Proof of Concept (PoC) for the interface to both these products
- GIP (Global ID Program)
Description of some of the tasks stated above:
IAM Program – Application and Infrastructure Integration
Designed and documented a framework for source systems to provide user access information from their application and infrastructure systems in a standard format, to be reported under EAR. Coordinated the effort with the source system PMs and developers to ensure correct data is extracted from their systems and reported in EAR. Streamlined the technical process so that the EAR technical team can easily and efficiently use it to integrate other applications and infrastructures in fiscal year 2013.
IAM Program – SPML 2.0 (De-)Provisioning Web Service
Designed and developed the de-provisioning web service using the industry-standard SPML 2.0 framework. The web service resolves the target and sends notifications to the appropriate department for the access removal. The web service is deployed on IBM WebSphere Application Server on AIX.
IAM Program – Enterprise Access Reporting (EAR) System
Architected and redesigned the Enterprise Access Reporting (EAR) system to better suit the ever-changing business requirements. The system was documented using UML 2.0 diagrams and was designed to take access data from various sources (e.g. Mainframe, Windows, UNIX, various in-house developed and vendor applications) in a pre-defined XML format and report employee accesses. EAR also allows managers, data owners and data stewards to certify their staff's accesses at any given time. Managers and owners can also request removal of access that is no longer required. EAR was created to comply with SOX (Sarbanes–Oxley Act). The application is deployed on IBM WebSphere Application Server on AIX.
Identity Attribute Web Service
Architected and designed a generic identity attribute service to provide identity information from any given source. The web service was designed to support any kind of identity source, e.g. Windows Active Directory, any LDAP-based directory server, a custom identity database, etc. The service is protected using SPNEGO-Kerberos. The web service is deployed on IBM WebSphere Application Server on z/OS.
Security Token Services
Generates and validates a custom token that allows a user authenticated in one domain to access resources in another domain (cross-domain authentication).
SECAF Security Framework
Security Administration Facility (SECAF) is a user provisioning system for the Clients tellers. It contains all the IDs and their authorities for the different applications in Clients. The SECAF Security Framework provides a common, scalable, configurable framework for securing web applications running in a WebSphere mainframe environment, using SECAF for authorization.
Single Sign-on to 3270 applications
3270 applications can be launched from the desktop without entering the ID and password again.
Analysis and Design for RBAC SECAF
SECAF was designed around, and works on, the Discretionary Access Control (DAC) model. DAC does not scale well and requires more effort for ID provisioning. An analysis was done and a solution was proposed to Clients for building Role Based Access Control (RBAC) on SECAF. A Proof of Concept (PoC) development is currently underway.
Self-Service Password reset for SECAF IDs
Only Business Security Administrators (BSAs) have access to the SECAF application, and they are responsible for setting up temporary passwords for the tellers. Tellers do not have access to SECAF panels. A solution was developed to allow tellers to change their own password.
SECAF Authenticator for session management
An authenticator was designed and developed to create a session cookie, which web applications can later use to authenticate the same user.
Analysis of Entrust GetAccess for use in Clients
Clients has been using Entrust products for years. GetAccess was analyzed for use in Clients, and a solution was proposed for integrating with GetAccess.
HMAC utility for generating/verifying hash values for data integrity
To check the integrity of a message or document, a solution was created that generates a message authentication code and supplies it along with the message; on receipt, the message authentication code is verified to confirm the message has not been altered.
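As an added illustration, not code from Supra ITS or from the page, of how the session-cookie authenticator and the HMAC integrity utility described above fit together: a cookie value carries a small payload plus an HMAC-SHA256 over it, and the verifier recomputes the MAC in constant time and rejects tampered or expired tokens. The token layout, the SHA-256 choice and the demo key are assumptions for this example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo key for this example only; a real deployment loads the
# key from a key store, never from source code.
DEMO_KEY = b"demo-only-32-byte-key-not-for-prod!!"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(key: bytes, user_id: str, ttl_seconds: int, now: Optional[float] = None) -> str:
    """Build 'payload.mac' where mac = HMAC-SHA256(key, payload) (assumed layout)."""
    issued = int(now if now is not None else time.time())
    claims = {"sub": user_id, "exp": issued + ttl_seconds}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(mac)}"


def verify_token(key: bytes, token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the MAC matches and the token is unexpired, else None."""
    try:
        payload_b64, mac_b64 = token.split(".", 1)
        payload, mac = _unb64(payload_b64), _unb64(mac_b64)
    except (ValueError, TypeError):
        return None  # malformed token
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # Constant-time comparison: do not leak how many MAC bytes matched.
    if not hmac.compare_digest(mac, expected):
        return None
    claims = json.loads(payload)
    current = now if now is not None else time.time()
    if claims.get("exp", 0) <= current:
        return None  # expired
    return claims


def demo() -> tuple:
    """Valid token, a payload swapped under the old MAC, and an expired token."""
    token = issue_token(DEMO_KEY, "teller42", 600, now=1_000_000)
    ok = verify_token(DEMO_KEY, token, now=1_000_100)
    forged = _b64(b'{"sub":"admin","exp":1000600}') + "." + token.split(".")[1]
    tampered = verify_token(DEMO_KEY, forged, now=1_000_100)
    expired = verify_token(DEMO_KEY, token, now=1_000_700)
    return ok, tampered, expired
```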
Single Sign-on using SPNEGO-Kerberos between different machines and different OS
A Single Sign-on solution was created for the tellers to run the web applications and services on the mainframe after authenticating themselves against a Kerberos server. SPNEGO was used to challenge the request, and a Kerberos token was used to authenticate the user.
Enhancing the Entrust security solution for Certification and Registration
Clients uses Entrust products and wanted a solution for registration and certification. A solution was developed to register the user and generate the certification using the Entrust API.
Security due diligence review of third-party outsourcing arrangements
When Clients selected an offshore vendor that started providing services from offshore, including accessing onsite Clients servers during the night, TAG was involved in reviewing the processes and procedures they used (in-house at their facility as well as when they access servers onsite in Toronto). We were also involved in providing 24-hour production support to enable the offshore vendor to access servers (and applications) in Ontario (OCC), Montreal (QCC) and British Columbia (BCC) without any security glitch.
Development project security reviews / assessments
TAG was constantly involved in understanding and evaluating the security procedures whenever a new application was being developed, or when System Change Requests (SCRs) had an impact on access control within any application.