Krens & Van Rij IT Audit Web Environments 16 May 2006
12 Pages
English




16 May 2006
IT Audit Web Environment
Krens & Van Rij
IT Audit en Advies
16 May 2006, Rotterdam
“IT Audit Web Environment”
Leen van Rij and Theo Krens
IT Audit Web Environment
Copyright © 2006
+31 (0) 297 250 465
Krens & Van Rij IT Audit en Advies 1
Contents
Part I: Technical Overview
• Web environments
• J2EE and WebSphere
• Security chain
Part II: Auditing the Web environment
• Control objectives
• The Krens-van Rij Method
• Summary and conclusion
IT Audit Web Environment Krens & Van Rij IT Audit en Advies 2
Copyright © Krens & Van Rij IT Audit en Advies
PART I
Technical overview
IT Audit Web Environment Krens & Van Rij IT Audit en Advies 3
Traditional environment
Layer diagram (text recovered from the figure): Business Processes; Legacy Applications (IMS, CICS); External Subsystems; Systems (DB2, MQ Manager, Security Server & Tools); Platforms (z/OS, AIX, Windows, Solaris, HP-UX); Network (TCP/IP).
IT Audit Web Environment Krens & Van Rij IT Audit en Advies 4
Today's Business Requirements
• Lower costs by improved productivity and reduced complexity
• Short time to market, to be and stay competitive
• Use of industry standard technologies
• Extended reach by using Internet and Web technologies
• Highly available, to meet the business needs
• Secure, to protect the privacy of the users and the integrity of the enterprise
• Reliable and scalable, to ensure accurate and prompt processing
• Auditable for SOA compliance
• Combine new business functions with existing information systems
IT Audit Web Environment Krens & Van Rij IT Audit en Advies 5
Policy Directives
• Architectural approach
– BOA, SOA, SOA, J2EE, DYA
– B2B, B2C, B2E, A2A
• n-tier
– presentation, business logic, data logic
• Reuse, buy, make
– Enterprise Service Bus, Enterprise Application Integration
• Open standards
– JAVA, Open Source
• Browser based
• Future-proof
• Compliant with the Information Security policy
IT Audit Web Environment Krens & Van Rij IT Audit en Advies 6
J2EE Architecture
Diagram (text recovered from the figure): Applet Container (Applet), Web Container (JSP, Servlet), EJB Container (EJB) and Application Client Container (Application Client), each running on J2SE and communicating over HTTP and HTTP/SSL; container services shown are JDBC, JAXP, JTA, JAAS, JMS, JavaMail, JAF and Connectors, with a Database at the back end.
The J2EE architecture is a standard architecture for developing multitier enterprise services which can be rapidly deployed and easily enhanced.
IT Audit Web Environment Krens & Van Rij IT Audit en Advies 7
WebSphere Application Server
Diagram (text recovered from the figure): a Node running an HTTP Server (Web Server with WebSphere Plug-in) and an Application Server with Web Container (Embedded HTTP Server), EJB Container, JCA Container, Web Services Engine, Config Repository (XML files), Admin Services and Admin application, Name Server (JNDI), Security Server and JMS Server. Clients shown: Web Browser and Applet, Application Client in its Client Container, Admin User Interface and Scripting client. Applications and a Database sit behind the Application Server.
IT Audit Web Environment Krens & Van Rij IT Audit en Advies 8
Web environment
Layer diagram (text recovered from the figure): Business Processes; WebSphere Business Integration, WebSphere Voice Response, WebSphere Commerce, WebSphere Portal, WebSphere Application Server, WebSphere MQ; Legacy Applications (IMS, CICS); External Subsystems; Systems (DB2, LDAP, HTTP Server, Connectors, RBAC, Identity Mngt, Access Mngt, User Mngt, Security Server & Tools, WebSphere Manager); Platforms (Linux, i5/OS, z/OS, AIX, Windows, Solaris, HP-UX, zLinux); Network (TCP/IP); Pervasive computing (Everyplace).
IT Audit Web Environment Krens & Van Rij IT Audit en Advies 9
Authentication mechanisms
Diagram (text recovered from the figure): the WebSphere Application Server Web Container (Servlet, JSP) and EJB Container (EJB), reached from a Browser, a Thin Java Client, an Applet and an Application Client. Authentication mechanisms shown: 401 prompt, form login, certificate, custom servlet security proxy, trust association, LTPA token, client side login, properties file, key file, standard input, prompt, server side login, delegation and identity assertion.
IT Audit Web Environment Krens & Van Rij IT Audit en Advies 10
Security chain
Diagram (text recovered from the figure): an HTTP request travels over HTTPS to the WebSphere Application Server (Servlet, EJB), from there over HTTP to the Enterprise Server (TRX Server, Database), and the response returns along the same path. Authorisation is checked at every link of the chain: authorisation of the client, to use the Servlet, to use the EJB, to use the Server, to use the transaction, to use the queue, to use the data.
IT Audit Web Environment Krens & Van Rij IT Audit en Advies 11
PART II
Auditing the Web Environment
IT Audit Web Environment Krens & Van Rij IT Audit en Advies 12
Control objectives
DS 5.1 Authentication and Access Control
Objective
The logical access to and use of the information services function's computing resources should be restricted by the implementation of an adequate authentication mechanism associated with access rules. Such mechanisms should prevent unauthorized personnel, dial up connections and other system (network) entry ports from accessing computer resources and minimize the need for authorized users to use multiple sign-ons. Procedures should also be in place to keep authentication and access mechanisms effective (e.g. regular password changes).
IT Audit Web Environment Krens & Van Rij IT Audit en Advies 13
Control objectives
Diagram (text recovered from the figure): control objectives are set per object (DB2, IMS, TCP/IP, z/OS, HTTP Server, Security Server (RACF), Unix System Services, PKI Services, CICS) and per IT Management discipline; the z/OS Softcopy Manuals are also shown.
IT Audit Web Environment Krens & Van Rij IT Audit en Advies 14
The Krens Van Rij method for Auditing
Define Object(s)
Define Quality Aspect(s): Confidentiality, Integrity, Availability, Auditability etc.
Matrix: OBJECT (columns: HTTP Server, WAS, Message Queue, LDAP, Access Manager) × DISCIPLINE (rows):
• IT Policy & Organisation
• Service Level Management
• Configuration Management
• Capacity Management
• Change Management
• Incident/Problem Mngt
• Workload Management
• Performance Management
• Security Management
• Availability Management
• Accounting Management
• Operations Management
IT Audit Web Environment Krens & Van Rij IT Audit en Advies 15
Pitfalls
The auditor can be misled into auditing more than originally defined within the scope of the audit when there is no clear understanding and definition of the objects, disciplines and aspects to audit.
Matrix: OBJECT (columns: HTTP Server, WAS, Message Queue, LDAP, Access Manager) × DISCIPLINE (rows):
• IT Policy & Organisation
• Service Level Management
• Configuration Management
• Capacity Management
• Change Management
• Incident/Problem Mngt
• Workload Management
• Performance Management
• Security Management
• Availability Management
• Accounting Management
• Operations Management
IT Audit Web Environment Krens & Van Rij IT Audit en Advies 16
IT Policy and organisation
Aspects
• ICT policy
• ICT security policy
• ICT architecture
• Functions/roles
• Ownership
• Segregation of duties
• Knowledge
• Documentation
• …
Organisation chart (text recovered from the figure): E.J. Bean, ICT director; P.R. Otocol, Systems architect; A.P. Plet, Application Developer; I.N. Stall, Administrator / IT auditor.
IT Audit Web Environment Krens & Van Rij IT Audit en Advies 17
Control objectives
• Objective 2.1.1: Xxxx must have a policy formulated, in which the application of the WAS is accounted for. This policy should clearly contain at least:
– the reason(s) for the application of WAS;
– which functionalities/facilities of WAS are permitted to be used;
– the future use of WAS;
– modifications to WAS in accordance with technical innovations by the supplier.
• Objective 2.1.2: An owner must be appointed within Xxxx with responsibility for WAS.
• Objective 2.1.3: An auditable segregation of duties has to be introduced, between at least:
– functional management;
– technical management;
– operational management;
– security management;
– the audit function.
• Objective 2.1.4: …….
IT Audit Web Environment Krens & Van Rij IT Audit en Advies 18
Configuration Management
Aspects
• Hardware components
• Software components
• Up-to-date description/overview
• Parameter Settings/Definitions
• Updates
• Comparison SOLL-IST
• Handbook
Diagram (text recovered from the figure): a Configuration Management DataBase holding the CIs (configuration items).
IT Audit Web Environment Krens & Van Rij IT Audit en Advies 19
Control objectives
Objective 2.3.1: Xxxx must have an up-to-date description of the implementation of the WebSphere Application Server.
Objective 2.3.2: Xxxx must use an up-to-date/current normal version of the WebSphere Application Server.
Objective 2.3.3: At an early stage, Xxxx must assess whether or not it is essential to implement the WebSphere Application Server updates issued by the supplier.
Objective 2.3.4: Xxxx must have guidelines and procedures governing the use and maintenance of the WAS configuration files.
Objective 2.3.5: …….
IT Audit Web Environment Krens & Van Rij IT Audit en Advies 20