Securing highly distributed data collections
Recently I attended a lecture by OWASP's Sebastien Deleersnyder on web application security. Even though the presentation covered some quite basic issues that websites, portals and maybe (but not likely, I hope) on-line banking systems have, it certainly was a good opportunity to systematize one's knowledge. Sebastien described the most critical web application vulnerabilities and demonstrated how an attacker can exploit them.
It got me thinking: how do web application security issues fit into the security models of distributed architectures that enable resource sharing among organizations? What I have in mind are systems where data centers are spread all over the world and different organizations have access to different parts of the data, while within each organization there are users with many assigned roles and various rights. Such systems need to be protected not only from external threats but also from internal unauthorized access to data. Although basic web application security issues must be taken into consideration when creating the top-level user interface, designing the security framework for such a distributed system is a totally different story.
Real life example
The above is a description of a project I was involved in not so long ago. We needed to create a framework to securely integrate patient record data from databases located in several hospitals. The amounts of data were significant, not in terms of gigabytes but in terms of the number of sensitive records, and the potential leaking of patient records posed a significant legal threat to the hospitals. Someone could ask: why not create one central data bank and store everything in one place? This is not an option, for reasons obvious to anyone in the health sector. Medical institutions are typically as protective of their data ownership as IT companies are of their intellectual property. The problem can be solved by controlled sharing of data with fine-grained access control. To implement it, we came up with a federated authentication model as an alternative to Public Key Infrastructure (PKI) based authentication. In a federated security system, each member organization carries the responsibility for granting or revoking access to its resources as well as for managing the identities of its members. Such a model enables multiple organizations to join a project: on the one hand it allows access to sensitive resources held by the organizations, whereas on the other hand it allows them to maintain full control over those resources. The system scales out to a theoretically unlimited number of member organizations.
To implement all the above requirements, we created a security framework based on Shibboleth. In this model, a user's identity is managed by his or her home organization. Whenever a user logs in to the distributed system, his identity is represented by a Shibboleth handle (a unique 128-bit hexadecimal hash). The user may, however, request access to data and applications that belong to other organizations. The resource owner does not know the user, but does know his home organization. From there, it can find out the user's attributes, then check them against its local access policy to make an informed decision on whether to allow the user in.
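To make that flow concrete, here is an added Python simulation of the decision; it is not the project's code or the Shibboleth software, and the organizations, users, attribute names and policy it uses are all constructed assumptions:

```python
import secrets

# Constructed sample home organizations. In the federated model each
# organization manages its own members' identities and attributes.
HOME_ORGS = {
    "hospital-a.example": {
        "alice": {"affiliation": "staff", "role": "physician", "unit": "oncology"},
        "bob": {"affiliation": "staff", "role": "clerk", "unit": "billing"},
    },
    "hospital-b.example": {
        "carol": {"affiliation": "staff", "role": "physician", "unit": "cardiology"},
    },
}

# Handle -> (org, user) mapping, held only by the home organization.
# The resource owner sees the opaque handle, never the local username.
_handles: dict[str, tuple[str, str]] = {}

def login(org: str, user: str) -> str:
    """Home organization authenticates the user and issues an opaque handle."""
    if user not in HOME_ORGS[org]:
        raise PermissionError("unknown user")
    handle = secrets.token_hex(16)  # 128 bits as hex; carries no user info
    _handles[handle] = (org, user)
    return handle

def attribute_query(org: str, handle: str) -> dict:
    """Home organization's attribute authority: resolve a handle to attributes."""
    entry = _handles.get(handle)
    if entry is None or entry[0] != org:
        return {}  # unknown or foreign handle: release nothing
    return dict(HOME_ORGS[org][entry[1]])

# Local access policy of one resource owner (hypothetical): which partner
# organizations are trusted, and which attribute values may read the records.
POLICY = {
    "allowed_orgs": {"hospital-a.example", "hospital-b.example"},
    "required": {"affiliation": {"staff"}, "role": {"physician"}},
}

def authorize(handle: str, home_org: str, policy: dict = POLICY) -> bool:
    """Resource owner's decision: trust the org, fetch attributes, apply policy."""
    if home_org not in policy["allowed_orgs"]:
        return False  # unknown organization: no attribute query at all
    attrs = attribute_query(home_org, handle)
    return all(attrs.get(k) in ok for k, ok in policy["required"].items())
```

Note that the resource owner never learns "alice"; revoking her at hospital-a.example (removing her entry) is enough to lock her out of every partner's resources, which is the control each organization keeps in this model.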
Complexity made simple
As one can see, the security of the portal is only the tip of an iceberg in the whole security framework. From the user's point of view everything looks simple: access to many services from the web browser after a single login is convenient. The real challenge lies underneath the top-level user presentation layer. User and policy management is difficult to implement in a distributed environment with Single Sign-On (SSO). It takes a lot of careful planning and research to obtain a complete and well-designed security model. Creating a secure portal as the interface to the distributed resources is only the last phase of a complex process.
When talking about web application security, it is important to remember that in complex systems the real security challenges may be elsewhere – for instance, in designing the user identity management system.