
Ask HN: What's the new best practice security model in the enterprise? - lifeisstillgood
Ask HN: how do I design the underlying security model for a whole enterprise system

I am (mentally) building my company systems from scratch (you know, the purchase order system, the workflow, the CRM)

A fundamental issue is wanting a good extensible security model. Kerberos ticket granting? What about client side certs? Where does PAM sit? How do I build my purchase order system to use the model? Do I reject out of the box applications that don't use this? How are things like Netflix "lemur" or "Let's Encrypt" fitting in (get Server Certs more easily, yes, but then what?)

I already know some of the answers, but lots change as you try to build a complete system, and the trade offs are what I am really looking for.

Any help gratefully recvd

Edit:

So this kinda breaks down into

- core concepts
  Public keys to validate server and application identity
  Token granting solutions (OAuth, Kerberos)
  Each application using its own internal model and delegating some part of that to PAM or similar

Some of my problems are in the wildly different authentication / access approaches internal to each application

Some are down to not having run through the trade offs in detail so not having a clear picture where things like Lemur sit

Some is just ignorance
======
spydum
Post is very confusing. If you are writing an enterprise app, you would be
crazy not to build it to support Windows Active Directory (which itself
leverages Kerberos) for authentication. However, you start talking about
Let's Encrypt / SSL and it gets a bit sideways. Further, security is more than
just authentication systems. It's typically thought of in terms of
confidentiality, integrity, and availability, each of which has a lot of
nuances (for example, integrity might represent audit logging, request
tampering, journaling).

------
iheartmemcache
This is definitely more an infrastructure question -- specific to your
organization's workflow, internal policies, existing software, priorities and
politics -- than a general 'where do I implement {kerberos, RSA SecurID,
off-site audit trails, etc}'. You won't get a one-size-fits-all solution, as it
totally depends on 1) the industry you're working in, 2) the internal
compliance policies you have to deal with, 3) the country you're operating in,
4) the operating policies you have to follow in order to stay compliant with
the clients professional liability insurance policy/policies.

>> "lots change as you try to build a complete system" I mean this is why in
the enterprise, changing one line of code can take 2 weeks of conference calls
(in-house legal often has to be brought in, the original stakeholder of the
project has to be brought in and odds are he's gone so whoever inherited the
project has to be brought in, if you're making a fundamental change to the
system often third-party auditors from the big 4 are requested to sign-off on
the logistics of the change (especially if you're a publicly traded company
operating within the US)).

RE: Purchase ordering systems - this has been standardized via multiple
standards, but most of the companies I've consulted with have one integrated
system (usually SAP, Dynamics, or one of the other handful of big-name
brands), and they all speak the EDI standard[1], or if not, you'll certainly
have Connector modules. I.e., BizTalk (if you're on a MS Dynamics stack,
that's what you'll be using for workflow) has a SAP connector, SAP has a
connector for Epicor, etc. With respect to security in terms of
server<->server PO negotiation, read this[2] if you're on the MS stack. SAP
R/3,4 (and B1, and AIO) all take care of the issuing of the PO, validating
incoming POs (i.e., the SAP FSCM module will take care of customer management
to see if the credit line is available for the customer, and all that; the
FI/CO stuff will take care of balancing the accounting journals); the
workflows [defined within BizTalk for MS or using custom ABAP modules that
were placed in during your SAP implementation], the security negotiation is
usually done via AS2 (see: [2]) or through one of a few 3rd party EDI
transaction entities (in the same way that there are like 4 major CC
companies, like-so with those EDI value-added transactors). X.509 and
Active Directory are almost always the standard re: authentication[3]

CRMs are historically purchased as a module that plugs into your ERP.

 _Lemur and Let's Encrypt have _nothing_ to do with anything enterprise and
belong nowhere near it._ (The fact that you even posed this question makes me
really concerned) LE is great for the average Joe developer because it
democratized SSL cert generation, but even if a VeriSign SSL is $100 that's,
what? half an hour of a consultant's time? My clients get that warm feeling
every time they see a brand-name as a line-item on their invoice. _Managers
are all about mitigating risk._ This is why you have VMware instances running
30 year old software simulating DEC Alphas, and why consultants who have
skillsets in REXX and JCL can bill higher than associates in BigLaw. _Any
project has risk attached to it, an integration/re-write project has
avoidable risk. Delegate the risk factor out by getting the CIO to sign off on
a restructuring program that's done by consultants so if it fails you can
blame Accenture or IBM Consulting._ I would never, ever take on a project like
that, even at triple my rate, because it sounds like you're already entrenched
in a fractured system and in my experience those projects fail. I never take
any work that I'm 100% sure I can complete because one major mess up and my
reputation is shot. And this is the type of integration I do for a living.
[Read this if you take nothing else away from my advice - [4]].

Even if you can write a 30 line Ruby script that integrates all of your
systems into one magical, fluid operation, if there's even a slight chance of
failure, you will be the one who assumes responsibility. Furthermore, 6 months
down the line when middle-management and/or upper management is evaluating
your performance, this is what they'll remember.

Your company is an enterprise. You have a fractured knowledge base with
'wildly different authentication [schemes]'. Bring in consultants and don't
risk your career.

[1]
[https://en.wikipedia.org/wiki/X12_Document_List](https://en.wikipedia.org/wiki/X12_Document_List)
Enjoy spending the next 2 years reading.

[2]
[https://msdn.microsoft.com/en-us/library/bb743507.aspx](https://msdn.microsoft.com/en-us/library/bb743507.aspx)

[3] Here it is in SAP Netweaver (not to be confused with R/3, the actual SAP) -
it's fairly similar in the methodology though, as are any of the other ERPs /
CRMs.
[http://help.sap.com/saphelp_nw70/helpdata/EN/d3/1dd4516c5186...](http://help.sap.com/saphelp_nw70/helpdata/EN/d3/1dd4516c518645a59e5cff2628a5c1/content.htm)

[4]
[https://news.ycombinator.com/item?id=10639309](https://news.ycombinator.com/item?id=10639309)
Read my post here on why rolling your own solution is bad for your customer,
and even worse for you.

