Krens & Van Rij IT Audit Web Environments 16 mei 2006

Erdi - Leen Van Rij

Le téléchargement nécessite un accès à la bibliothèque YouScribe
Tout savoir sur nos offres

12 pages

English

Le téléchargement nécessite un accès à la bibliothèque YouScribe
Tout savoir sur nos offres

A propos
Informations
Extrait

Description

Informations

Publié par	Erdi
Nombre de lectures	29
Langue	English

Extrait

16 May 2006
IT Audit Web Environment
Krens & Van Rij
IT Audit en Advies
16 May 2006, Rotterdam
“IT Audit Web Environment”
Leen van Rij and Theo Krens
ICT oA puydrigt hW t e© b E20n0v6ir onment + 3 1 ( 0 ) 2 97 250 465 Krens & Van Rij IT Audit en Advies 1
Contents
Part I: Technical Overview
• Web environments
• J2EE and WebSphere
• Security chain
Part II: Auditing the Web environment
• Control objectives
• The Krens-van Rij Method
• Summary and conclusion
IT Audit Web Environment Krens & Van Rij IT Audit en Advies 2
Copyright © Krens & Van Rij IT Audit en Advies
116 May 2006
IT Audit Web Environment
PART I
Technical overview
IT Audit Web Environment Krens & Van Rij IT Audit en Advies 3
Traditional environment
Business
Processes
Legacy
Applications Systems
IMS, CICS External Subsystems
DB2 Security
& Tools MQ Manager
z/OS, AIX, Windows, Platforms
Solaris, HP-UX
TCP/IPNetwork
IT Audit Web Environment Krens & Van Rij IT Audit en Advies 4
Copyright © Krens & Van Rij IT Audit en Advies
216 May 2006
IT Audit Web Environment
Todays Business Requirements
• Lower costs by improved productivity, reduced complexity
• Short time to market to be and stay competitive
• Use of industry standard technologies
• Extended reach by using Internet and Web technologies
• Highly available, to meet the business needs
• Secure, to protect the privacy of the users and the integrity
of the enterprise
• Reliable and scalable, to ensure accurately and promptly
processing
• Auditable for SOA compliancy
• Combine new business functions with existing information
systems
IT Audit Web Environment Krens & Van Rij IT Audit en Advies 5
Policy Directives
• Architectural approach
• BOA, SOA, SOA, J2EE, DYA
• B2B, B2C, B2E, A2A
• n-tier
• presentation, business logic, data logic
• Reuse, buy, make
• Enterprise Service Bus, Enterprise Application Integration
• Open standards
• JAVA, Open Source
• Browser based
• Future-proof
• Compliant with the Information Security policy
IT Audit Web Environment Krens & Van Rij IT Audit en Advies 6
Copyright © Krens & Van Rij IT Audit en Advies
3Connectors
JDBC
JAXP
JTA
JAAS
JMS
Connectors
JDBC
JAXP
JTA
JAAS
JMS
JDBC
JAXP
JAAS
JMS
16 May 2006
IT Audit Web Environment
J2EE Architecture
Applet Container Web Container EJB Container
HTTP
JSP ServletSSL EJB
Applet
Java Java
HTTP mail mail
J2SE SSL
JAF JAF
Application Client
J2SE J2SE
Container
Application
Client
Database
The J2EE architecture is a standard architecture for
developing multitier enterprise services which can beJ2SE
rapidly deployed and easily enhanced
IT Audit Web Environment Krens & Van Rij IT Audit en Advies 7
WebSphere Application Server
Node
Web Browser HTTP Server Application Server
Client
WebServer Web Container Web
Applet Plug-in ConfigServicesEmbedded
RepositoryEngineHTTP
(XML files)
Server
Admin User
Interface
Client Container
EJB Container ApplicationApplication
Client Database
JCA Container
Scripting
client
Name Server (JNDI)
Security Server
JMS Server
IT Audit Web Environment Krens & Van Rij IT Audit en Advies 8
Copyright © Krens & Van Rij IT Audit en Advies
4
Admin
application
Applications
Admin Services16 May 2006
IT Audit Web Environment
Web environment
Business
Processes
WebSphereWebSphere WebSphereLegacy
Business VoiceApplications Systems Commerce
ResponseIntegration
WebSphere LDAPConnectors
External Portal HTTPIMS, CICS RBACSubsystems
Security Identity MngtDB2 Server& Tools WebSphereManager Access MngtWebSphere MQ
Appl. Server User Mngt
Linux, I5/OS, z/OS,
AIX, Windows, Solaris, Platforms
HP-UX, zLinux
Network TCP/IP
Pervasive computing (Everyplace)
IT Audit Web Environment Krens & Van Rij IT Audit en Advies 9
Authentication mechanisms
WebSphere Application Server
Web Container EJB Container
ServletApplication Thin Java AppletBrowser EJBClient Application
JSP
IT Audit Web Environment Krens & Van Rij IT Audit en Advies 10
Copyright © Krens & Van Rij IT Audit en Advies
5
401 prompt
form login
certificate
Custom servlet
security proxy
trust association
LTPA token
client side login
properties file
key file
standard input
Prompt
Server side login
Delegation
Server side login
Identity assertion16 May 2006
IT Audit Web Environment
Security chain
WebSphere
Enterprise Server
Application Server
HTTP request
HTTPS HTTP
Servlet TRXServer Database
response
EJB
AuthorisationAuthorisation
to use transactionof Client
Authorisation Authorisation
to use Servlet to use queueAuthorisation
Authorisationto use Server
to use dataAuthorisation
to use EJB
IT Audit Web Environment Krens & Van Rij IT Audit en Advies 11
PART II
Auditing the Web Environment
IT Audit Web Environment Krens & Van Rij IT Audit en Advies 12
Copyright © Krens & Van Rij IT Audit en Advies
6?
16 May 2006
IT Audit Web Environment
Control objectives
DS 5.1 Authentication and Access Control
Objective
The logical access to and use of the information
services function's computing resources should be
restricted by the implementation of an adequate
authentication mechanism associated with access
rules.
Such mechanisms should prevent unauthorized
personnel, dial up connections and other system
(network)entry ports from accessing computer
resources and minimize the need for authorized
users to use multiple sign-ons. Procedures should
also be in place to keep authentication and access
mechanisms effective (e.g. regular password
changes).
IT Audit Web Environment Krens & Van Rij IT Audit en Advies 13
Control objectives
? DB2
IMS
TCP/IP
ABCD
z/OS
HTTP
Security Server
Server
(RACF) Unix
PKI
Services
Security
Server
CICS
RACFz/OS
System
Services
Softcopy
Manuals
IT Audit Web Environment Krens & Van Rij IT Audit en Advies 14
Copyright © Krens & Van Rij IT Audit en Advies
7
?IT Management disciplines
16 May 2006
IT Audit Web Environment
The Krens Van Rij method for Auditing
Define Object(s) Confidentiality, Integrity,
Define Quality Aspect(s) Availability, Auditability etc.
OBJECT HTTP WAS Message LDAP Access
DISCIPLINE Server Queue Manager
IT Policy & Organisation
Service Level Management
Configuration Management
Capacity Management
Change Management
Incident/Problem Mngt
Workload Management
Performance Management
Security Management
Availability Management
Accounting Management
Operations Management
IT Audit Web Environment Krens & Van Rij IT Audit en Advies 15
Pitfalls
The auditor can be mislead to audit more than originally defined
within the scope of the audit when there is no clear understanding
and definition about the objects, disciplines and aspects to audit
OBJECT HTTP WAS Message LDAP Access
DISCIPLINE Server Queue Manager
IT Policy & Organisation
Service Level Management
Configuration Management
Capacity Management
Change Management
Incident/Problem Mngt
Workload Management
Performance Management
Security Management
Availability Management
Accounting Management
Operations Management
IT Audit Web Environment Krens & Van Rij IT Audit en Advies 16
Copyright © Krens & Van Rij IT Audit en Advies
816 May 2006
IT Audit Web Environment
IT Policy and organisation
Aspects
• ICT policy
• ICT security policy
• ICT architecture
• Functions/roles
• Ownership
• Segregation of duties
E.J. Bean• Knowledge
ICT
director• Documentation
• …
P.R. OtocolA.P. Plet I.N. Stall
SystemsApplication Administrator/
architectDeveloper IT auditor
IT Audit Web Environment Krens & Van Rij IT Audit en Advies 17
Control objectives
• Objective 2.1.1: Xxxx must have a policy formulated, in which the
application of the WAS is accounted for. This policy should clearly
contain at least:
– the reason(s) for the application of WAS;
– which functionalities/facilities of WAS are permitted to be u