Authentication
Authorization and Access Control
- Logically separating duties into Policy Decision Points (PDPs) and Policy Enforcement Points (PEPs)
Two types of Access Control
- Discretionary Access Control (DAC) (based on permissions, roles, attributes, and groups)
- Mandatory Access Control (MAC) (restricts access based on the security clearances and formal accesses of subjects and the security labels on the resources)
WS-Security SOAP Messaging
- Security Assertion Markup Language (SAML) Token
- WS-Security X.509 Certificate Token
- WS-Security Kerberos Token
- WS-Security Username Token
WS-Trust
- Security Token Service (STS)
WS-Federation
WS-SecureConversation
WS-Policy
WS-SecurityPolicy
SAML
XACML (expressive) (data flow diagram)
XML Signature (XML-SIG or XML-DSIG)
XML Encryption
Separation of Security into Components and Services
Authentication and Identity Blueprints
- Identity Propagation for SSO Solutions (direct trust, transitive trust (service provider trusts the identity of the user based on an assertion of another party))
- Identity Propagation within an Application Server or ESB
- Assigning Attesting Trust to a Limited Number of Entities
- Using a Trusted Token Service
- Identity Propagation with REST Using Browser SSO
Decision Diagram for Propagation and Trust - How Do You Decide?
Access Control Blueprints
- Controlling Access to Data, Not Just Services
Access Control Policy Enforcement Approaches
- The Purely Centralized PDP Model with Global Policy
- The Purely Decentralized PDP/PEP Model with Attribute Propagation
- Decentralized PDP/PEP with Identity Propagation
- Combining Local and Global Enterprise Policy
- Predetermined Authorization Decision-Based Models (PADBAC) (digitally signed)
Decision Flow Chart for Access Control - How Do You Decide?