Posts

Showing posts from 2017

Identity Mediation for PSD2

Partners, mergers, legal entities, government entities and customers all need to work together in this era, while honoring the boundaries each should work within. This links to my previous posts on the challenges of future IAM requirements arising from the increased interoperability required between diverse parties: Challenges of Future IAM (concerned with Mergers, Acquisitions, Startups) - http://pushpalankajaya.blogspot.com/2017/07/challenges-of-future-iam-concerned-with.html Future of Identity and Access Management (IAM) - http://pushpalankajaya.blogspot.com/2017/07/future-of-identity-and-access.html This need is emphasized much more by new regulations such as PSD2 in the EU region, which lays the foundation for Open Banking. While these standards define guidance for implementation interfaces, end user authentication and authorization, third party authentication and authorization, and identity management of internal staff, they have hidden needs for identity mediation. Federated

Building a Fool Proof Security Strategy for PSD2 Compliance

Following are the slides I used in a webinar by WSO2 to look at the IAM and overall security aspects of a fully PSD2 compliant solution. While it lists the basic requirements for being PSD2 compliant, it also explains the requirements that are not visible on the surface but are very valuable in building a comprehensive and robust solution with a long-term vision, while being PSD2 compliant as per the urgent need. Building a Fool Proof Security Strategy for PSD2 Compliance from WSO2 Inc. The webinar recording is available at https://wso2.com/library/webinars/2017/11/building-a-fool-proof-security-strategy-for-psd2-compliance/

Regulatory Technical Standard (RTS) for PSD2 SCA in Plain Text

Abbreviations Used with PSD2
Payment Services Directive 2 - PSD2
Regulatory Technical Standard (RTS) - a recommendation requested by PSD2 as a technical guideline for being compliant with PSD2
Strong Customer Authentication - SCA
Payment Service User - PSU
Account Servicing Payment Service Provider (ASPSP) - the existing banks
Payment Initiation Service Provider (PISP) - a third party entity, or a bank itself, that can initiate the payment process
Account Information Service Provider (AISP) - a third party, or a bank itself, that can retrieve a PSU's account information, for example to show an aggregate view of all accounts
Payment Service Providers issuing card-based payment instruments (PSP) - payment service providers that existed in the pre-PSD2 era and do payments through card networks like VISA or Mastercard. Sometimes this is also used to refer to all PSPs, including PISP and AISP.
Common and Secure Communication (CSC)
Third Party Payment Servi

The Role of IAM in Open Banking

This presentation discusses PSD2 standards in detail, with the PISP and AISP flows, the technologies involved around the standard, and finally how it can be adopted for the Sri Lankan financial market.

Challenges of Future IAM (concerned with Mergers , Acquisitions, Startups)

When companies bring in external users to work within enterprise activities, via mergers, acquisitions, outsourcing and allowing end users to come in via social login, a problem arises due to the variety of protocols each of these external parties may use for identity management. Most of the time these external parties would not agree to share their user base, with its sensitive user information, which is a major asset of theirs. In this case identity federation, or cross domain authentication, comes in to provide a solution to this problem. Identity federation protocols have evolved over time, mainly OpenID, SAML, WS-Federation and OpenID Connect, to address the requirement of federated authentication. Even though these protocols have been able to cater for it, as acquisitions and mergers grow in number the solutions still suffer from two major limitations, namely [1]:
Federation Silos
When there is a federation requirement, organizations would

Future of Identity and Access Management (IAM)

When a business needs rapid growth or a new technology integrated, partnering and acquiring strategies are commonly put forward. WhatsApp being acquired by Facebook and Skype being acquired by Microsoft are popular acquisitions done by the giants in the industry. According to the Wall Street Journal, 2015 was “the biggest year ever for mergers and acquisitions” globally [1]. When this is considered from the perspective of enterprise identity management, it means the rapid merging of external users into the current enterprise system. While this merge needs to happen rapidly in order to take the competitive advantage, privacy and security aspects cannot be ignored. Quocirca, a primary research and analysis company, also confirms that “many businesses now have more external users than internal ones. Many organisations are putting in place advanced identity and access management tools to facilitate the administration and security issues raised by this.” [2]. The impact of these merges and acq

Worth of Bitcoins

Bitcoin seems to be an interesting subject and has been gaining hype recently. If we look at the value of a Bitcoin over the range of years, in 2015 it was worth $250 and now it is going beyond $2500 at the moment. This is capable of attracting more people towards it. We will proceed with more posts to understand Bitcoin, how to use it, and any useful information for anyone interested in moving forward with Bitcoin, which I think is the currency of the future. The following chart, captured from coinbase.com on 8th June 2017, shows the deviation in the value of bitcoin since its very start. Source: https://www.coinbase.com

[WSO2 Article] Frictionless Adoption of Payment Services Directive 2 (PSD2) with WSO2

The following webinar recording, which I did while at WSO2, discusses in detail the security implications of PSD2, the available technical standards around the recommendations, and which WSO2 products are in line to cater for those. Source: http://wso2.com/library/webinars/2017/04/frictionless-adoption-of-payment-services-directive-with-wso2/ The detailed article can be found at: http://wso2.com/library/articles/2017/05/frictionless-adoption-of-the-security-recommendations-for-the-payment-services-directive-2-psd2-with-wso2/

Adaption of PSD2

The European Union has enforced the Payment Service Directive version 2 (PSD2), which Payment Service Providers must adopt by the year 2018. The following slide-deck discusses:
the PSD2 background
PSD2 effects on the business domain
security implications of the directive
what technologies and standards are available to meet the requirements
how WSO2 products can support adopting PSD2
Frictionless Adaption of PSD2 with WSO2 from Pushpalanka Jayawardhana
The whole webinar based on the slides can be found at [1].
[1] - http://wso2.com/library/webinars/2017/04/frictionless-adoption-of-payment-services-directive-with-wso2/

Checkout the Initial Summary for Directions in IML

Identity mediation for enterprise identity bus from Pushpalanka Jayawardhana

Why Identity Mediation? And a Language ?

As identified and predicted by several prominent analyst firms (Forrester, Gartner), acquiring and merging has been the frequent mechanism for enterprises to expand in the recent past and will be in the years to come. With this expansion there is a rising need for enterprises to handle identity and access management procedures across enterprises in a secure way that is fast enough to gain the competitive advantage of the merged or acquired assets. With different enterprises having a variety of standards and protocols in use for identity and access management, catering for this requirement is absolutely challenging given the time factor. A similar situation was addressed by the Enterprise Service Bus (ESB) concept a few years back, when requirements arose to mediate between different transport protocols and data formats for communication between disparate enterprise systems, both legacy and modern. We are trying to apply the same concepts around ESB in the arena of identit

WSO2 Identity Server - Extension Points - Part 3 - XACML

This is the third of a series of posts on extension points available in WSO2 Identity Server, with relevance to separate protocols. Previous posts can be found at:
WSO2 Identity Server - Extension Points - Part 1 - SAML
WSO2 Identity Server - Extension Points - Part 2 - OAuth
In the XACML architecture there are 4 main separate components:
PIP (Policy Information Point) - serves the information required for policy evaluation.
PAP (Policy Administration Point) - provides the capabilities to govern the policies.
PDP (Policy Decision Point) - makes the decision on incoming requests, whether to permit or deny, based on the defined policies and the information collected from the PIP.
PEP (Policy Enforcement Point) - the interception point which checks and honors the policy decision.
WSO2 Identity Server can act as all 4 of these components. In this post we will look at the extensibility of these components and their usages.
Policy Information Point (PIP) modules
Usage: When t

WSO2 Identity Server - Extension Points - Part 2 - OAuth

OAuth2 is widely used in the enterprise today for the authorization aspects of APIs. This is the second post on the extension points available in WSO2 Identity Server, after WSO2 Identity Server - Extension Points - Part 1 - SAML. All implementations using the following extension points need to be configured in the <IS_HOME>/repository/conf/identity/identity.xml file under the OAuth element.
1. Custom OAuth grant handler
Usage: When we need to support an OAuth flow that differs from the standard grant types. Validates the grant, scopes, and access delegation.
Sample: https://docs.wso2.com/display/IS510/Writing+a+Custom+OAuth+2.0+Grant+Type
Interface: org.wso2.carbon.identity.oauth2.token.handlers.grant.AuthorizationGrantHandler
2. Client Auth Handler
Usage: When the client credential authentication needs to be customized. By default we validate the client id and secret.
Interface: org.wso2.carbon.identity.oauth2.token.handlers.clientauth.ClientAuthenticationHan