
Deltek Insight 2012: Technical Insight: Costpoint 7.0 Advanced Security


DESCRIPTION

Join this session for a deep dive into the Costpoint security options. We will explain the seven user-level authentication options, including Active Directory and single sign-on. We will also review the fine-grained authorization options and the security options for Costpoint Web services. Advanced level.


Page 1: Deltek Insight 2012: Technical Insight: Costpoint 7.0 Advanced Security

Technical Insight: Costpoint 7 Advanced Security

Dmitri Tyles, Director of Java EE Framework Development, Deltek (session GC-49)

Page 2: Deltek Insight 2012: Technical Insight: Costpoint 7.0 Advanced Security

2 Copyright © 2012 Deltek, Inc.

Agenda

Authentication
- Authentication use cases
- Seven user-level authentication options
- Authentication for web services

Authorization
- User and user group rights
- Module and application level security
- Result set level security
- Process and report level security
- Reporting archive security

Page 3: Deltek Insight 2012: Technical Insight: Costpoint 7.0 Advanced Security

Key Takeaways

Understanding Authentication and Authorization Methods Available in Deltek Costpoint Web

Page 4: Deltek Insight 2012: Technical Insight: Costpoint 7.0 Advanced Security

Authentication

Page 5: Deltek Insight 2012: Technical Insight: Costpoint 7.0 Advanced Security


Authentication

Page 6: Deltek Insight 2012: Technical Insight: Costpoint 7.0 Advanced Security

Authentication: Supported Security Use Cases

In-house users
- Members of corporate Active Directory
- Always logged in to the corporate LAN

Consultants
- Members of corporate Active Directory
- May or may not be logged in to the corporate LAN

Remote office users
- Not registered in a corporate Active Directory
- Not logged in to a corporate LAN

Page 7: Deltek Insight 2012: Technical Insight: Costpoint 7.0 Advanced Security

User-Level Authentication Options

1. Costpoint Database
2. Active Directory
3. Single Sign-On
4. Single Sign-On or Active Directory
5. Windows Domain and Active Directory
6. Windows Domain and Costpoint Database
7. Certificate Single Sign-On

Page 8: Deltek Insight 2012: Technical Insight: Costpoint 7.0 Advanced Security

User-Level Authentication Options: Costpoint Database

Technical implementation
- User ID and password are stored in a Costpoint database
- Oracle or SQL Server database user accounts are not used
- Password is stored in a hashed form (SHA-1) with the user ID used as a salt
- A challenge-response algorithm is used for authentication, with a server-side generated nonce
- User credentials combined with the nonce are passed from the client in an encrypted form (AES)

User perspective
- A user must enter user ID and password on the login screen
- This method can be used for all three security use cases
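As an added illustration (not Deltek's code), the challenge-response exchange the slide outlines, modelled in Python: the server keeps only the SHA-1 verifier salted with the user ID, issues a fresh nonce per attempt, and accepts a response only once. The concatenation order, the HMAC used to bind verifier and nonce, and the omission of the AES transport layer are assumptions.

```python
import hashlib
import hmac
import secrets


def verifier(user_id: str, password: str) -> bytes:
    """Stored form of the password: SHA-1 with the user ID as salt, as the slide describes.
    Concatenation order and encoding are assumptions, not Costpoint's actual layout."""
    return hashlib.sha1(user_id.encode("utf-8") + password.encode("utf-8")).digest()


class LoginServer:
    def __init__(self, store: dict):
        self.store = store    # user_id -> verifier; the server never holds the clear-text password
        self.pending = {}     # user_id -> nonce issued for the current attempt, not yet consumed

    def challenge(self, user_id: str) -> bytes:
        """Issue a fresh server-side nonce for this login attempt."""
        nonce = secrets.token_bytes(16)
        self.pending[user_id] = nonce
        return nonce

    def verify(self, user_id: str, response: bytes) -> bool:
        """Accept the response only against an outstanding nonce; each nonce is single-use,
        so a captured response cannot be replayed."""
        nonce = self.pending.pop(user_id, None)
        stored = self.store.get(user_id)
        if nonce is None or stored is None:
            return False
        expected = hmac.new(stored, nonce, hashlib.sha1).digest()
        return hmac.compare_digest(expected, response)


def client_response(user_id: str, password: str, nonce: bytes) -> bytes:
    """Client side: recompute the verifier from the typed password and bind it to the nonce.
    The slide says credentials plus nonce travel AES-encrypted; that transport layer is omitted
    here, and the HMAC binding stands in for the undisclosed combination (assumption)."""
    return hmac.new(verifier(user_id, password), nonce, hashlib.sha1).digest()


def login(server: LoginServer, user_id: str, password: str) -> bool:
    """One complete exchange: challenge, response, verification."""
    nonce = server.challenge(user_id)
    return server.verify(user_id, client_response(user_id, password, nonce))
```

A single SHA-1 pass is what the slide states for 2012; a current deployment would be expected to use a slow, memory-hard password hash for the stored verifier instead.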

Page 9: Deltek Insight 2012: Technical Insight: Costpoint 7.0 Advanced Security

User-Level Authentication Options: Active Directory

Technical implementation
- User ID is stored in both Active Directory and the Costpoint database
- Costpoint user ID can be mapped to a different Active Directory user ID
- Password is stored only in Active Directory

User perspective
- A user must enter user ID and password on the logon screen
- Either the Costpoint or the Active Directory user ID can be used to log on to Costpoint
- This method can be used for either the “in-house users” or the “consultants” use case

Note: Costpoint 7 makes the setup of this option easier and also improves performance for authenticating a user against large and/or multi-domain Active Directory configurations

For more information, please attend GC-52: Technical Insight: Costpoint 7.0 Configuration

Page 10: Deltek Insight 2012: Technical Insight: Costpoint 7.0 Advanced Security

User-Level Authentication Options: Single Sign-On

Technical implementation
- User ID is stored in both Active Directory and the Costpoint database
- Costpoint user ID can be mapped to a different Active Directory user ID
- Password is stored only in Active Directory

User perspective
- A user is not asked to enter user ID and password on the logon screen
- This method can be used only for the “in-house users” use case

Page 11: Deltek Insight 2012: Technical Insight: Costpoint 7.0 Advanced Security

User-Level Authentication Options: Single Sign-On or Active Directory

Technical implementation
- User ID is stored in both Active Directory and the Costpoint database
- Costpoint user ID can be mapped to a different Active Directory user ID
- Password is stored only in Active Directory

User perspective
- A user is allowed to log on using either the Active Directory or the Single Sign-On method
- The Single Sign-On method requires the user to be logged on to the LAN
- This method is intended for the “consultants” use case
- Users can still log on using the Active Directory method while traveling or at a customer site

Page 12: Deltek Insight 2012: Technical Insight: Costpoint 7.0 Advanced Security

User-Level Authentication Options: Windows Domain and Active Directory

Technical implementation
- User ID is stored in both Active Directory and the Costpoint database
- Costpoint user ID can be mapped to a different Active Directory user ID
- Password is stored only in Active Directory

User perspective
- The following two conditions must be met for a successful logon:
  - A user must enter user ID and password on the logon screen
  - A user must be logged on to the LAN
- This method can be used only for the “in-house users” use case

Page 13: Deltek Insight 2012: Technical Insight: Costpoint 7.0 Advanced Security

User-Level Authentication Options: Windows Domain and Costpoint Database

Technical implementation
- User ID and password are stored in a Costpoint database
- The same rules for password storage and transmission apply as for the Costpoint Database authentication method

User perspective
- The following two conditions must be met for a successful logon:
  - A user must enter user ID and password on the logon screen
  - A user must be logged on to the LAN
- This method can be used only for the “in-house users” use case

Page 14: Deltek Insight 2012: Technical Insight: Costpoint 7.0 Advanced Security

User-Level Authentication Options: Certificate Single Sign-On

Technical implementation
- User ID and certificate ID are stored in a Costpoint database
- Certificate user ID may be different from the Costpoint user ID
- Upon establishing a two-way SSL connection, the Costpoint user ID is determined through the certificate user ID

User perspective
- A user is not asked to enter user ID and password on the logon screen
- A user must have a certificate installed in the browser
- This method can be used for all three security use cases

Page 15: Deltek Insight 2012: Technical Insight: Costpoint 7.0 Advanced Security

Authentication: Authentication for Web Services

- Implementation is based on the Username Token and SAML profiles from the WS-Security specification
- Each Costpoint user account must be explicitly enabled to be used with web services
- Use of SSL with web services
  - Design-time option in Integration Console
  - We recommend SSL except for testing
- A hot fix was released to add support for AD authentication for web services

Detailed information on this topic can be found in session GC-50: Extending Costpoint: Web Services Integration

Page 16: Deltek Insight 2012: Technical Insight: Costpoint 7.0 Advanced Security

Authentication (cont’d): Login and Password Control Policies

- Password complexity (corporate settings)
  - Minimum length / require number / special character / mixed case
  - Password “black list”: user ID, employee ID, “password”, etc.
- Password aging/control
  - Password life (corporate)
  - Disable inactive users period (corporate)
  - Deactivation date (user)
  - Last login date (user)
  - Force password change (user)
  - Re-use of passwords (company)
- Account locking after N unsuccessful attempts
  - WebLogic feature: the account is locked for X minutes after N unsuccessful attempts within Y minutes (configuration console)
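An added example (not Costpoint's or WebLogic's code) of the lockout rule stated on the slide: N failures within a Y-minute sliding window lock the account for X minutes, and a failure that has aged out of the window no longer counts. The class name and the injected timestamps are my own.

```python
from collections import deque


class LockoutPolicy:
    """Lock an account for X minutes after N failed logons within Y minutes.
    Times are passed in as seconds so the window logic can be checked without waiting."""

    def __init__(self, max_attempts: int, window_minutes: int, lock_minutes: int):
        self.n = max_attempts              # N
        self.window = window_minutes * 60  # Y, in seconds
        self.lock = lock_minutes * 60      # X, in seconds
        self.failures = {}                 # user_id -> deque of failure times, oldest first
        self.locked_until = {}             # user_id -> time at which the lock expires

    def is_locked(self, user_id: str, now: float) -> bool:
        return self.locked_until.get(user_id, 0) > now

    def record_failure(self, user_id: str, now: float) -> bool:
        """Register a failed attempt; returns True when this one triggers a lock."""
        q = self.failures.setdefault(user_id, deque())
        q.append(now)
        while q and q[0] < now - self.window:   # forget failures older than the Y-minute window
            q.popleft()
        if len(q) >= self.n:
            self.locked_until[user_id] = now + self.lock
            q.clear()                           # a new window starts once the lock expires
            return True
        return False

    def record_success(self, user_id: str) -> None:
        self.failures.pop(user_id, None)        # a successful logon resets the failure count
```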

Page 17: Deltek Insight 2012: Technical Insight: Costpoint 7.0 Advanced Security

Authorization

Page 18: Deltek Insight 2012: Technical Insight: Costpoint 7.0 Advanced Security

Authorization: User and User Group Rights

- A user may belong to more than one user group
- Though there is one corporate list of users and user groups, a user may belong to a user group in selected companies or in all companies
- User and user group rights are cumulative
  - They are combined at run-time to determine effective user rights for a selected company

Page 19: Deltek Insight 2012: Technical Insight: Costpoint 7.0 Advanced Security

Authorization: Module and Application Level Security

- Full, Read-Only, and Deny rights
- User and user group rights are combined according to two rules:
  - Deny always takes precedence
  - Full and Read-Only rights are cumulative
- User rights do not act as overwrite rights for user group rights
- Application rights overwrite module rights
- Module and application rights for users and user groups can be granted at a company level or for all companies

Page 20: Deltek Insight 2012: Technical Insight: Costpoint 7.0 Advanced Security

Authorization: Result Set Level Security

- Costpoint Web has a more granular security model than client/server
- Access to each result set (screen/table) inside an application can be controlled separately
- Result set level rights overwrite module and application rights
- In the absence of explicit result set level rights, module/application level rights are used to determine result set rights
- Select/Insert/Update/Delete rights can be turned on and off for each result set
- Result set rights for users and user groups can be granted at a company level or for all companies

Page 21: Deltek Insight 2012: Technical Insight: Costpoint 7.0 Advanced Security

Authorization: Process and Report Level Security

- Costpoint Web has a more granular security model than client/server
- Access to each process or report inside an application can be controlled separately
- In the absence of process or report level rights, result set level rights are used to determine whether a user can execute a process or report
- Deny/Execute rights can be turned on or off for each process or report
- Process or report rights for users and user groups can be granted at a company level or for all companies
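An added example (not Costpoint's code) that applies the combination and precedence rules from the last four slides in one resolver: Deny wins, Full and Read-Only accumulate across the user and all of their groups, application rights override module rights, explicit result set rights override both, and process/report rights fall back to the result set level. The grant-table layout, the Right-to-operation mapping, the union of explicit result set grants across principals, the rule that Select on the underlying result set permits execution, and deny-by-default when nothing is granted are assumptions.

```python
from enum import IntEnum


class Right(IntEnum):
    DENY = 0
    READ_ONLY = 1
    FULL = 2


# Operations a module/application right implies for a result set that has no explicit
# result set rights (assumed mapping: Full -> all four, Read-Only -> Select only).
OPS_FOR = {Right.DENY: frozenset(), Right.READ_ONLY: frozenset({"select"}),
           Right.FULL: frozenset({"select", "insert", "update", "delete"})}


def combine(grants):
    """Merge the user's own grant with the grants of every group the user belongs to."""
    grants = [g for g in grants if g is not None]
    if not grants:
        return None            # nothing at this level: the caller falls back to the next level
    if Right.DENY in grants:
        return Right.DENY      # rule 1: Deny always takes precedence, even over the user's own Full
    return max(grants)         # rule 2: Full and Read-Only are cumulative, so Full wins


def lookup(grants, principals, company, scope):
    """Grants for the user and all of their groups, made for this company or for all companies."""
    return [grants.get((p, scope, c)) for p in principals for c in (company, "ALL")]


def effective_ops(grants, principals, company, module, app, result_set):
    """grants: {(principal, scope, company): Right} for module/app scopes and
    {(principal, scope, company): frozenset of operations} for result set scopes."""
    explicit = [g for g in lookup(grants, principals, company, ("rs", module, app, result_set)) if g is not None]
    if explicit:               # explicit result set rights overwrite module and application rights
        return frozenset().union(*explicit)   # union across user and groups is an assumption
    app_right = combine(lookup(grants, principals, company, ("app", module, app)))
    if app_right is not None:  # application rights overwrite module rights
        return OPS_FOR[app_right]
    mod_right = combine(lookup(grants, principals, company, ("mod", module)))
    return OPS_FOR[mod_right] if mod_right is not None else frozenset()  # assumed default: deny


def can_execute(grants, principals, company, module, app, process, result_set):
    """Process/report rights are "execute" or "deny"; when none are granted, the result set
    the process works on decides (assumption: Select on that result set allows execution)."""
    explicit = [g for g in lookup(grants, principals, company, ("proc", module, app, process)) if g is not None]
    if explicit:
        return "deny" not in explicit       # Deny takes precedence, as at the module level
    return "select" in effective_ops(grants, principals, company, module, app, result_set)
```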

Page 22: Deltek Insight 2012: Technical Insight: Costpoint 7.0 Advanced Security

Authorization: Reporting Archive Security

- Can control who can view or manage archived reports
- Access rights for archived reports can be managed at the following levels:
  - Report group: a user-defined collection of reports (such as Post Bills and Print Bills)
  - Single report type: all archived reports for Print Bills
  - Single archived report: a specific instance of an archived report (such as a Print Bills report printed by user Joe on 01/10/2009)
- Organizational security and labor suppression are analyzed to determine whether a user can view an archived report

Page 23: Deltek Insight 2012: Technical Insight: Costpoint 7.0 Advanced Security


Authorization (cont’d)

Page 24: Deltek Insight 2012: Technical Insight: Costpoint 7.0 Advanced Security

Authentication and Authorization: Application Vulnerability Assessment (AVA)

- Performed by Cybertrust for Costpoint 5.x, 6.x, and 7.0
  - No major security issues discovered
- Uniform application development methodology enforced by a common metadata-driven framework
  - Not necessary to review every single application to assess vulnerabilities of the product
- Ongoing relationship with Verizon/Cybertrust
  - Plan to do AVAs for each major release

Page 25: Deltek Insight 2012: Technical Insight: Costpoint 7.0 Advanced Security

Authorization: Segregation of Duties (SOD)

- Added in 6.0
- Clients Define the List of Conflicting Rights Based on Their Policies
- Configuration Options
  - Enforce SOD rules by preventing a user from having conflicting privileges, or
  - Report on SOD violations without limiting user privileges
- SOD Analysis Covers Both C/S and Web User Rights
- Get More Details and Try It Out at Costpoint Demo Stands

Page 26: Deltek Insight 2012: Technical Insight: Costpoint 7.0 Advanced Security

Conclusion

Page 27: Deltek Insight 2012: Technical Insight: Costpoint 7.0 Advanced Security

Conclusion

- Costpoint 7 Offers Seven User-Level Authentication Options
- Two Single Sign-On Options Are Supported
- Costpoint 7 Offers Fine-Grained Screen Component/Function Authorization Policies

Page 28: Deltek Insight 2012: Technical Insight: Costpoint 7.0 Advanced Security


Questions and Answers

Page 29: Deltek Insight 2012: Technical Insight: Costpoint 7.0 Advanced Security

Learn More

See Deltek Costpoint in the Solutions Pavilion

Attend Additional Sessions on Deltek Costpoint for More In-Depth Information
- GC-44: Technical Insight: Costpoint 7.0
- GC-45: Looking Ahead at Deltek Costpoint Technology
- GC-46: Extending Costpoint 7: Content Management
- GC-48: Extending Costpoint 7: Extensibility Services
- GC-50: Extending Costpoint: Web Services Integration
- GC-52: Technical Insight: Costpoint 7.0 Configuration
- GC-322: Costpoint 7 - The User Experience

Page 30: Deltek Insight 2012: Technical Insight: Costpoint 7.0 Advanced Security

Thank You!