Existing Application Security Requirements

The following are most of the applications used by NGT. I have detailed what mechanisms are being used by existing web applications. For other applications I only briefly mention how they’re protected.

Terms:

ACI : Access Control Instructions

ACL: Access Control List (collection of ACI’s for a given entity)

A&A : Authentication & Authorization

Authn : authentication

Authz : authorization

PRISM

Fairly simple. Prism’s access control depends on two groupings: Routing, for those who can do and see everything, and Sales, for those who have read-only access to everything.

Work Order

group/role / crea / read / upd / del / what / Notes
NGT / X / X / X / WO tables / Can see NGT, EDGE & INTRA rows
EDGE / X / X / WO tables / Can see EDGE
INTRA / X / X / X / WO tables / Can see NGT & INTRA
MCI / X / X / WO tables / Can see MCI
MCINGT / X / X / WO tables / Can see MCI,NGT,INTRA but not EDGE rows
MNS / X / X / WO tables / Can see EDGE & MCI
Tester / X / X / X / NVT order / 10 users
X / X / X / L4 order / 10 users
L4 / X / X / X / L4 order / 5 users
NVT_Creator / X / X / X / NVT order / 25-50 users
routing / X / X / X / rout order / 5-7 users
provisioning / X / X / X / prov order / 15-25 users
workorder / X / X / X / all orders / 10 users
workorder_ro / X / all orders / 10-35 users
deleteProvisioning / X / X / prov order / 1 user
Skip / X / X

The above authorization matrix is used by the Work Order system. The groups at the top of the table are contained in an Oracle table to overcome shortcomings in SilverStream’s access control framework. When a user logs into the SilverStream page, a Java call is made to the Oracle table USER_PARTITION to find out what the user’s primary group is (named partn_cd, which actually stands for “partition code”). They can only belong to one primary group. This code started out with values for the company owning the order, just NGT and EDGE. A scenario was later concocted by management that complicated matters. It revolved around one salesperson that worked for NGT which Concert management knew personally. Concert decided they didn’t want this one salesperson to be able to see Edge data. So the INTRA group was born. The MCI, MCINGT and MNS groups are future. In any case, the primary group is used to tag each row of data written to the database. Before the Versata/SilverStream application will display any data in scalar or grid form, it will modify the WHERE clause of the SQL query to limit the resultset to rows tagged by primary groups the user’s partn_cd is allowed (persisted in the Oracle table ROW_SECURITY and documented in the Notes column of the table above). It is this complex row-level security that is the primary reason behind my confusion and subsequent attempt to document all our security requirements and attempt to get the DIT to where it can accommodate future changes meant to handle these complexities.
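The partition-based row filter described above, shown as an added illustration in Python with SQLite standing in for Oracle (example code, not the Work Order application's own). The table names USER_PARTITION and ROW_SECURITY and the partn_cd column come from the memo; the other column names, the WORK_ORDER table and the users are constructed here, and the visibility rules are transcribed from the Notes column of the matrix. The restriction is expressed as a subquery with a bind variable so the user's partition code is never spliced into the SQL text.

```python
import sqlite3

# Constructed schema modelled on the memo's tables. Only the table names and
# PARTN_CD are from the memo; the remaining column names are assumptions.
SCHEMA = """
CREATE TABLE USER_PARTITION (USER_NM VARCHAR2(30) NOT NULL, PARTN_CD VARCHAR2(6) NOT NULL);
CREATE TABLE ROW_SECURITY   (PARTN_CD VARCHAR2(6) NOT NULL, VISIBLE_PARTN_CD VARCHAR2(6) NOT NULL);
CREATE TABLE WORK_ORDER     (WO_ID NUMBER(10) NOT NULL, PARTN_CD VARCHAR2(6) NOT NULL, DESCR VARCHAR2(255));
"""

# Which partitions each primary group may see (the Notes column of the matrix).
ROW_SECURITY = {
    "NGT":    ["NGT", "EDGE", "INTRA"],
    "EDGE":   ["EDGE"],
    "INTRA":  ["NGT", "INTRA"],
    "MCI":    ["MCI"],
    "MCINGT": ["MCI", "NGT", "INTRA"],
    "MNS":    ["EDGE", "MCI"],
}

# Constructed sample users (one primary group each) and tagged rows.
USERS = {"alice": "NGT", "bob": "EDGE", "carol": "INTRA", "dave": "MNS"}
WORK_ORDERS = [
    (1, "NGT", "circuit order 1"),
    (2, "EDGE", "circuit order 2"),
    (3, "INTRA", "circuit order 3"),
    (4, "MCI", "circuit order 4"),
]


def build_db():
    """In-memory database loaded with the constructed sample data."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO USER_PARTITION VALUES (?, ?)", USERS.items())
    con.executemany("INSERT INTO ROW_SECURITY VALUES (?, ?)",
                    [(p, v) for p, vis in ROW_SECURITY.items() for v in vis])
    con.executemany("INSERT INTO WORK_ORDER VALUES (?, ?, ?)", WORK_ORDERS)
    return con


def primary_group(con, user_nm):
    """The USER_PARTITION lookup done at login; a user with no partition is denied."""
    row = con.execute("SELECT PARTN_CD FROM USER_PARTITION WHERE USER_NM = ?",
                      (user_nm,)).fetchone()
    if row is None:
        raise PermissionError(f"{user_nm} has no partition code; denying by default")
    return row[0]


def visible_work_orders(con, user_nm):
    """The WHERE clause the application layer adds before displaying any rows:
    keep only rows tagged with a partition the user's primary group may see."""
    partn = primary_group(con, user_nm)
    sql = """SELECT WO_ID, PARTN_CD, DESCR FROM WORK_ORDER
             WHERE PARTN_CD IN (SELECT VISIBLE_PARTN_CD FROM ROW_SECURITY
                                WHERE PARTN_CD = ?)
             ORDER BY WO_ID"""
    return con.execute(sql, (partn,)).fetchall()


def tag_new_row(con, user_nm, wo_id, descr):
    """Rows are tagged with the writer's primary group, never a caller-supplied code."""
    partn = primary_group(con, user_nm)
    con.execute("INSERT INTO WORK_ORDER VALUES (?, ?, ?)", (wo_id, partn, descr))
    return partn


def visible_ids(user_nm):
    """Convenience wrapper: the WO_IDs a user may see against a fresh sample database."""
    con = build_db()
    try:
        return [r[0] for r in visible_work_orders(con, user_nm)]
    finally:
        con.close()


if __name__ == "__main__":
    for user in USERS:
        print(user, USERS[user], visible_ids(user))
```

With the sample data, alice (NGT) sees orders 1, 2 and 3, bob (EDGE) sees only 2, and dave (MNS) sees 2 and 4; the filter is applied per query rather than trusted from the client.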

The remaining Work Order groupings (those below the partition codes in the table above, from Tester down) are used by the Versata/SilverStream console to control access to the large-grained objects, be they forms, pages, tables, or whatever. However, there is also custom code in both implementations of Work Order that calls a static class, passing the group name, e.g. ‘routing’, and asking for a boolean indicating whether the current user known to the static class belongs to the given group. Based on the return value, a widget may be shown, a menu item may remain hidden, etc. Also, the CRUD matrix shown above isn’t nearly as simple when you look at the actual Versata grid. For the Tester group, for example, the permissions vary depending on the table being protected.

Trouble Ticket

The TT system is just one part of a skeletal portal site custom-built on Oracle Application Server (OAS) using the PL/SQL cartridge. Other smaller and less involved subsystems served by this OAS Intranet site are:

-a means of sending billing system information, both AP & AR, to the Oracle Financials system.

-some custom reports on invoices and invoicing periods

-a performance and gross margin report.

Every other subsystem available in this site is simply an HTML-based UI built to administer the various Oracle tables behind the site’s PL/SQL framework: users, groups, objects, sessions, security mappings, profiles, etc.

The TT system is served up by the OAS but it bypasses the built-in security mechanisms in OAS, as they were too limiting and large-grained for our needs. The only OAS security mechanism we chose to use is based on IP address validation. Rights are granted or denied to individual IP addresses, subnets, domains, or any combination of the three. Wildcards are allowed as well. But the rights granted only go down to the HTTP object level. It is not extensible to protect rows, widgets or actions.

This framework has been in use since late ’96. It was only in early 2000 that Oracle finally got a clue and introduced many of these same features in WebDB 3.0, now named Oracle Portal. Following are comments on the various relational tables used to support the PLSQL framework’s security component.

W_OBJ_TYPE

List of the sorts of things protected by the object-to-group map for authorization purposes.

OBJ_TYPE_CD / OBJ_TYPE_DESC
DHTML / Dynamically-generated HTML
HTML / Static HTML Pages
IMG / A graphic of any type
BIN / Binary File
MNU / Menu Item for Ordering/Security
SBMNU / Submenu Item
EXCEL / Tab-delimited Spreadsheet File
TEXT / ASCII Text File

W_OBJ

Complex table that kept all sorts of information about the instances of the various object types. Here is the structure:

CREATE TABLE W_OBJ (
    OBJ_ID        NUMBER(10) DEFAULT 0 NOT NULL,
    OBJ_TYPE_CD   VARCHAR2(5) NOT NULL,
    OBJ_NM        VARCHAR2(255) NOT NULL,
    OBJ_LCN       VARCHAR2(500),
    OBJ_HELP_LCN  VARCHAR2(500),
    OBJ_ORD_NUM   NUMBER(2),
    OBJ_PARENT_ID NUMBER(10));

Here is some sample data (a dash marks a NULL column). Depending on the type, the data for each object could help construct a horizontal or vertical menu tree, or provide any valid URL for a requested object, such as mailto’s, regular URLs and context-sensitive help web pages:

OBJ_ID / OBJ_TYPE_CD / OBJ_NM / OBJ_LCN / OBJ_HELP_LCN / OBJ_ORD_NUM / OBJ_PARENT_ID
10 / MNU / Top / - / - / 0 / 0
1 / MNU / Home / ngt.home / - / 1 / 10
2 / MNU / Admin / ngt.admin / - / 2 / 1
3 / MNU / Finance / ngt.finance / - / 3 / 1
4 / MNU / HR / ngt.hr / - / 4 / 1
5 / MNU / IT / ngt.it / - / 5 / 1
6 / MNU / Operations / ngt.operations / - / 6 / 1
7 / MNU / Sales / ngt.sales / - / 7 / 1
11 / MNU / Feedback / mailto: / - / 8 / 1
12 / MNU / Help / ia_help.get_help / - / 9 / 1
1000 / DHTML / ngt.home / ngt.home / - / 0 / 0
1001 / DHTML / ngt.menu / ngt.menu / - / 0 / 0
5003 / DHTML / maint_obj.search_results / maint_obj.search_results / hlp_create_obj.htm / 0 / 0
5004 / DHTML / maint_obj.mod_obj / maint_obj.mod_obj / hlp_create_obj.htm / 0 / 0
500 / SBMNU / Directory / it.directory / - / 1 / 5
501 / SBMNU / Users / ia_user.maint_user / - / 2 / 5
502 / SBMNU / Groups / ia_admin.maint_ugrp / - / 3 / 5
503 / SBMNU / Objects / ia_admin.maint_obj / - / 4 / 5
5000 / DHTML / it.menu / it.menu / - / 0 / 0
13 / MNU / Logoff / ngt.logoff / - / 10 / 1

W_UGRP

Simple list of groups. These codes were used by hardcoded IF statements in the backend PL/SQL to determine (1) page-level access, with a call to a boolean function at the top of each PL/SQL proc that allowed or denied access to the URL; (2) widget-, menu-item- and event-level authorization, by calling another boolean function, isMemberOfGroup, to which you pass 1..N comma-separated group codes; and (3) row-level access to data owned by the user’s primary group.

Since this PL/SQL infrastructure had no notion of a primary group, a kludge was introduced: in the trouble ticket subsystem, you may only belong to ONE group whose code begins with the letters ‘NOC’, but you could also belong to, say, MGRNOC. This convoluted logic would determine the TT user’s primary group and pass it along with any other data when creating or modifying a trouble ticket. The same logic was used to determine whether to report on just your tickets (NOCLA) or on all tickets (MGRNOC), or whether to allow only read access (NOCSLS). It’s not pretty.

UGRP_CD / UGRP_DESC
NAA / NGT Web Administrators
NGT / All NGT employees
INV / Invoicing Team
FIN / Finance
SLS / Sales
OPS / Operations
ALL / All Net Apps Users
CHZ / Big Cheeses
IT / Information TechnoWeenies
ADM / Office Management
HR / Human Resources
NOC / NOC HQ
NOCLA / LA Site
NOCCUS / Customer
NOCVND / Vendor
NOCESC / Escalated
MGRNOC / NOC Management
NOCNY / NY Site
NOCTA / Traffic Analysis
NOCSDS / Switch Database Services
NOCERC / Ericsson
NOCQCG / Qual Ctrl
NOCSLS / Sales
NOCHK / Hong Kong Site
NOCSLO / Sales Operations
NOCMIA / Miami POP

W_USER

A fairly simple user table. The key point is that each user has a unique NGT ID, or NID. SECUR_LVL_ID was built in for distinguishing different security levels, or roles, within a group. (Yes, I wrote a PL/SQL routine to encrypt passwords so they weren’t stored in the clear.)

CREATE TABLE W_USER (
    NID          NUMBER(20) DEFAULT 0 NOT NULL,
    USER_NM      VARCHAR2(30) NOT NULL,
    PASSCODE     VARCHAR2(60) NOT NULL,
    USER_STATUS  VARCHAR2(1) NOT NULL,
    LAST_NM      VARCHAR2(40),
    FIRST_NM     VARCHAR2(30),
    MID_INL      VARCHAR2(1),
    NICKNAME     VARCHAR2(20),
    ASSOC_ID     NUMBER(9) NOT NULL,
    SECUR_LVL_ID NUMBER(2),
    DEPT_ID      NUMBER(5),
    MGR_NID      NUMBER(20) DEFAULT 0);

W_USER_UGRP

Maps a user to the groups they belong to.

CREATE TABLE W_USER_UGRP (
    NID     NUMBER(20) NOT NULL,
    UGRP_CD VARCHAR2(6) NOT NULL);

W_OBJ_UGRP

Maps an object to the groups that may have access to it.

CREATE TABLE W_OBJ_UGRP (
    OBJ_ID  NUMBER(10) NOT NULL,
    UGRP_CD VARCHAR2(6) NOT NULL);
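The three checks the W_UGRP section describes (the page-level object check, isMemberOfGroup with comma-separated codes, and the primary-NOC-group kludge for trouble tickets) carried out against the W_* tables, as an added example in Python with SQLite standing in for Oracle. This is illustration, not the PL/SQL framework's own code. The W_OBJ, W_USER_UGRP and W_OBJ_UGRP definitions and the object rows are from the memo; the W_UGRP column widths, the object-to-group mappings, the user NIDs and the reporting-scope precedence are assumptions.

```python
import sqlite3

# DDL transcribed from the memo's W_* tables. W_UGRP's column widths are not on
# the page and are assumed; SQLite accepts the Oracle type names.
DDL = """
CREATE TABLE W_UGRP (UGRP_CD VARCHAR2(6) NOT NULL, UGRP_DESC VARCHAR2(60));
CREATE TABLE W_OBJ (
  OBJ_ID NUMBER(10) DEFAULT 0 NOT NULL, OBJ_TYPE_CD VARCHAR2(5) NOT NULL,
  OBJ_NM VARCHAR2(255) NOT NULL, OBJ_LCN VARCHAR2(500), OBJ_HELP_LCN VARCHAR2(500),
  OBJ_ORD_NUM NUMBER(2), OBJ_PARENT_ID NUMBER(10));
CREATE TABLE W_USER_UGRP (NID NUMBER(20) NOT NULL, UGRP_CD VARCHAR2(6) NOT NULL);
CREATE TABLE W_OBJ_UGRP (OBJ_ID NUMBER(10) NOT NULL, UGRP_CD VARCHAR2(6) NOT NULL);
"""

GROUPS = [("NAA", "NGT Web Administrators"), ("NGT", "All NGT employees"),
          ("IT", "Information TechnoWeenies"), ("NOC", "NOC HQ"), ("NOCLA", "LA Site"),
          ("NOCSLS", "Sales"), ("MGRNOC", "NOC Management")]
# Object rows taken from the memo's W_OBJ sample data (NULL help locations).
OBJECTS = [(1000, "DHTML", "ngt.home", "ngt.home", None, 0, 0),
           (5000, "DHTML", "it.menu", "it.menu", None, 0, 0),
           (501, "SBMNU", "Users", "ia_user.maint_user", None, 2, 5),
           (502, "SBMNU", "Groups", "ia_admin.maint_ugrp", None, 3, 5)]
# Constructed mappings: which groups may reach an object, and who is in which group.
OBJ_GROUPS = [(1000, "NGT"), (5000, "IT"), (501, "NAA"), (502, "NAA")]
USER_GROUPS = [(100, "NGT"), (100, "IT"), (100, "NOCLA"),
               (200, "NGT"), (200, "NOC"), (200, "MGRNOC"),
               (300, "NGT"), (300, "NAA"), (300, "NOCSLS"),
               (400, "NGT"), (400, "NOC"), (400, "NOCLA")]  # breaks the one-NOC-group rule


def build_db():
    con = sqlite3.connect(":memory:")
    con.executescript(DDL)
    con.executemany("INSERT INTO W_UGRP VALUES (?, ?)", GROUPS)
    con.executemany("INSERT INTO W_OBJ VALUES (?, ?, ?, ?, ?, ?, ?)", OBJECTS)
    con.executemany("INSERT INTO W_OBJ_UGRP VALUES (?, ?)", OBJ_GROUPS)
    con.executemany("INSERT INTO W_USER_UGRP VALUES (?, ?)", USER_GROUPS)
    return con


DB = build_db()


def user_groups(nid, con=DB):
    return sorted(r[0] for r in con.execute(
        "SELECT UGRP_CD FROM W_USER_UGRP WHERE NID = ?", (nid,)))


def is_member_of_group(nid, group_codes, con=DB):
    """isMemberOfGroup: true if the user is in ANY of the comma-separated codes.
    The codes are bound as parameters, one placeholder per code."""
    codes = [c.strip() for c in group_codes.split(",") if c.strip()]
    if not codes:
        return False
    marks = ",".join("?" * len(codes))
    row = con.execute(
        f"SELECT 1 FROM W_USER_UGRP WHERE NID = ? AND UGRP_CD IN ({marks}) LIMIT 1",
        (nid, *codes)).fetchone()
    return row is not None


def can_access_object(nid, obj_nm, con=DB):
    """The page-level check at the top of each PL/SQL proc: the named object must
    exist and the user must be in a group mapped to it in W_OBJ_UGRP. Unknown and
    unmapped objects are denied rather than silently allowed."""
    row = con.execute(
        """SELECT 1 FROM W_OBJ o
           JOIN W_OBJ_UGRP og ON og.OBJ_ID = o.OBJ_ID
           JOIN W_USER_UGRP ug ON ug.UGRP_CD = og.UGRP_CD
           WHERE o.OBJ_NM = ? AND ug.NID = ? LIMIT 1""", (obj_nm, nid)).fetchone()
    return row is not None


def primary_noc_group(nid, con=DB):
    """The trouble-ticket kludge: the single group whose code starts with 'NOC' is
    the user's primary group (MGRNOC starts with 'MGR', so it does not count).
    Zero or several matches violate the rule and are rejected."""
    noc = [g for g in user_groups(nid, con) if g.startswith("NOC")]
    if len(noc) != 1:
        raise ValueError(f"NID {nid} has {len(noc)} NOC groups; expected exactly one")
    return noc[0]


def tt_report_scope(nid, con=DB):
    """Reporting scope as the memo describes it: MGRNOC members see all tickets,
    NOCSLS is read-only, everyone else sees their own group's tickets. The
    precedence between these rules is an assumption made for this example."""
    if is_member_of_group(nid, "MGRNOC", con):
        return ("all", "read-write")
    if primary_noc_group(nid, con) == "NOCSLS":
        return ("own", "read-only")
    return ("own", "read-write")
```

Because both checks are joins over the same W_USER_UGRP table, adding a group to a user changes page access, widget visibility and ticket scope in one place, which is the property the memo's hardcoded IF statements lacked.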

Oracle Financials (OWS/applet-based Oracle Forms)

Based on Oracle database user accounts. I’m willing to bet the latest version can be pointed at an LDAP server, but probably only the OID, and we won’t be migrating to either anytime soon. This system contains all sorts of data that other applications could use: customers, vendors, accounts, payment history, projects, codes, countries, states, etc. We may want to consider replicating some of this to LDAP.

Text-Based Near Real Time Web Reports

These reports are on an SSL site protected by IIS using NT challenge/response. This resulted in many external customer/vendor users being given NT accounts just to get into our website. This was the original jolt which inspired us to begin searching for a central, OS- and application-agnostic directory solution.

Seagate Info/Crystal Reports

Could be protected by NT seamlessly. However, they rely on the NT challenge/response mechanism fronted by IIS. If someone is on the LAN and they belong to an NT group that has access to the Seagate directories, they can see anything they want.

Rate Entry (Oracle Forms)

Protected by Oracle database user accounts. Is being rewritten in SilverStream and will use LDAP server.

TEAMS

Currently using default SilverStream security with a few groups and users typed into it. Will be redirected at LDAP when design and population are complete.

Unix

NIS+ on balin, elrond not hooked into it yet.

iPortal

NDS 4.12, yeah!

SQLServer Databases

Proprietary Microsoft? I’m guessing SQLServer 7 can probably hook into an LDAP server, but knowing Microsoft, probably only an Active Directory in W2K server.

Sybase Database

Proprietary Sybase?

Numerous private/departmental Excel, Access, Word, Text & other datastores

Usually not protected. If it does get protected, it’s usually by password only, but could be protected by NT model in some cases.

SilverStream versions of Work Order, PRISM, Rate Entry

Currently awaiting testing or under construction. These are currently using NT for users and groups. Will be repointed at LDAP server when design and population are complete.

TTI

The rumour is that even though it is a Powerbuilder Win32 app, it can be pointed at an LDAP server for its security.

ONYX

Have farmed out the question to ONYX support. No idea yet.

RightFax

?, NT?

Diamonds WorkFlow

Traditional A&A model, with a GUI to create and manage groups, roles, users, rules, flows and links between them. Still awaiting word on whether they can use/store their information in an existing LDAP directory server.

Custom ETL and Real-Time Rating System

None, just the various Unix, NT and Oracle accounts protecting access to the runtime scripts/objects. However, this system does maintain a list of customers/vendors, customer accounts and customer/vendor billing/rate-notice contacts. This should be paid some attention, but will probably not be migrated out of Oracle in the near future. We might concoct a replication scheme between the two.

Security Goals

The eventual NGT vision (aka Bill’s vision) for employee security is one based on biometrics that becomes the single sign-on credential to all applications behind the corporate firewall. Everything would be accessed and easily used through the web browser, enabling extremely thin clients and desktop access anywhere in the world. The data passed over the link between employee and corporate network would be encrypted to the day’s best standards without degrading performance unreasonably. A central or distributed farm of directory servers would contain all information on employees, their locations, their groups, their devices, their applications and individual configurations within each, etc. Localization needs would be transparent, with addresses, names and all text fields displayed in the locale’s language. Directory server entry/modification will be managed by delegation, so that individual divisions, offices or departments are responsible for keeping their own data up-to-date. In addition, A&A decisions -- even down to row-level security -- would be abstracted out of the applications so that we can quit writing a new security framework every time we write a new application.

For partners and customers/vendors, they would also exist in the directory server and have many of the same attributes stored about them as the employees. They could be managed by the salespeople responsible for their accounts. Their sites would be programmatically personalized given the products and services subscribed to. And their data would be highly protected from other extranet users accessing it.

For consumers (currently no business case for them), they will be able to self-register to NGT web resources and personalize their experience at the site. They, like the employees and extranet users, would be able to get and manage valuable real-time information on their usage of NGT services. This would include very interactive reporting and data visualization, real-time video/voice/chat conferencing with NGT customer support reps, and online bill disputing and payment. This is where we get into all the fuzzy eBusiness/B2C/<insert buzzword here> ideas currently swirling around the trade rags. So we could add about 100 ideas here, but NGT hasn’t really entered hard into the retail space yet and may never.

Other Snippets of Background

Obviously these are big dreams. We’ve got to start simple and work our way up. One big question is do we have to replace the existing security features of the SilverStream framework/custom code and OAS/PLSQL framework? There are features built into the data model of the latter that aren’t used heavily or at all. So that could be pared down. The SilverStream framework, on the other hand, needs to be beefed up, if anything. Having to add custom code just to determine whether to show a widget in such an advanced app server seems ludicrous. It seems it should have an authorization model something like the PLSQL framework where a named object of any type can be protected. But even better, the named Java object in SilverStream, unlike PLSQL, could subclass or implement an interface that allows fairly transparent, role-based access control contained in a database or directory server.

Current events should also be taken into account. We have purchased SBS, a retail long distance company in LA focused on the Asian market. This was recently divided into 3 separate legal entities: FiestaTel, AAA & Billing Services. We have purchased Asia Touch, a long distance provider in Hong Kong. We have purchased a 49% stake in EasyNet, a wireless provider and ISP in India. We purchased CNH and Skyshop and renamed the merged entity New Global Telecom, Venezuela or NGTV. We also purchased a small next-gen communications provider called Comcepts which focuses on the Russian market, based out of the far Northwest tip of Alaska. NGTV is being integrated into NGT’s existing Exchange server, NT network, Oracle Financials system, etc. as we speak. Asia Touch is next, followed by SBS (maybe).

Finally we have our offices. Hong Kong has already been integrated. They insisted on keeping “.hk” at the end of the usual “ngt.com” domain on all email addresses. The other offices were either integrated from the start (LA, NY) or will be integrated soon (Miami, Mexico, London) or are so small as to not warrant the worry (usually one home-office user in some state).

These are some thoughts about suffixes and main-branch ou’s in the DIT:

  • I like having Contractors as just another group under the org employing them. NGT’s contractors often have NT accounts and must belong to NT groups in order to access common documents, policies, applications and source code. There isn’t much difference between contractors and any other ngtOrgPerson.
  • Bought entities should be organized to represent the very real physical and conceptual rift that keeps them from becoming just another foreign office of NGT. FiestaTel, for example, is run by a different president, offers completely different services, is operated by different applications and hardware, has their own org structure, and so on; they will probably remain a separate ou under ngt.com for some time.
  • NGT Hong Kong is an exception. They have their own departments and org hierarchy, but their general manager is managed by an NGT VP. They are, for all intents and purposes, a remote office of NGT. The way we decided to enter departments with hierarchical owners in ou=Groups helps this situation as the NGT-HK entity is just another department under International Development.
  • When and if an entity, like Asia Touch, gets fully integrated into the NGT NT network and they come under departmental supervision like NGT-HK did, their users will be moved to the NGT branch.
  • EasyNet does not belong to New Global, but we do employ people that are practically running that company. They have a few offices throughout India and we have contacts at all of them. Plus, they really have no need or permission to view data or use applications behind NGT’s firewall. I need to include information about each person at EasyNet that I can’t get with inetOrgPerson.
  • It doesn’t make a whole ton of sense to put AppGroups underneath ngt.com. Applications will be shared by internal, partner and external users. It certainly CAN go under ngt.com, but it makes more sense to me to split any information applications want to store/access in LDAP in their own suffix.

In the future, we should be able to support the following security requirements from current applications and future goals: