
How to Use Ignition’s Security Features
Kent Melville, Sales Engineer, Inductive Automation
What We’ve Already Said
- Steps for Protecting Your Ignition System - ICC 2017 (Carl Gould)
- Open and Secure SCADA: Efficient and Economical Control, Without the Risk - webinar (Travis Cox and Chris Harlow, Bedrock Automation)
- Ignition Hardening Guide (website)
- Java Security and Ignition (white paper)
Introduction
Today’s Focus:
The Application: Ignition’s Security Features
Table of Contents
1. Existing Features
2. Upcoming Features
3. Q/A Security Panel
Existing Features
1. Roles
2. Zones
3. TLS Encryption
4. User Sources
5. Active Directory
6. 7.9.4 Changes
Roles
Which is the username and which is the role?
- JSMITH - the username
- Operator - the role (a role is not a username)
Zones
Roles care about WHO. Zones care about WHERE.
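The WHO/WHERE split written out as a plain authorization check. This is an added example, not Ignition's own code: in a Gateway the roles come from the user source and the zone is derived from the client's address, but here the zone ranges, the permission table and the client addresses are all constructed inputs chosen for the example.

```python
"""Added example (not Ignition's code): Ignition 7 authorization as a function of
roles (WHO) and zones (WHERE). All ranges, actions and permissions below are
constructed for the example."""
import ipaddress

# Zones: WHERE a client connects from (constructed ranges)
ZONES = {
    "ControlRoom": [ipaddress.ip_network("10.10.1.0/24")],
    "PlantFloor":  [ipaddress.ip_network("10.10.2.0/24"),
                    ipaddress.ip_network("10.10.3.0/24")],
}

# Which (role, zone) pairs may perform an action (constructed table)
PERMISSIONS = {
    "write-setpoint":    {("Operator", "ControlRoom"), ("Supervisor", "ControlRoom")},
    "acknowledge-alarm": {("Operator", "ControlRoom"), ("Operator", "PlantFloor"),
                          ("Supervisor", "ControlRoom"), ("Supervisor", "PlantFloor")},
}


def zones_for(client_ip):
    """All zones whose address ranges contain the client address."""
    addr = ipaddress.ip_address(client_ip)
    return {zone for zone, nets in ZONES.items() if any(addr in n for n in nets)}


def is_allowed(action, user_roles, client_ip):
    """Allowed only if some role the user holds (WHO) is permitted from some zone
    the client is in (WHERE). Neither alone is enough."""
    allowed_pairs = PERMISSIONS.get(action, set())
    zones = zones_for(client_ip)
    return any((role, zone) in allowed_pairs
               for role in user_roles for zone in zones)


if __name__ == "__main__":
    # JSMITH is the username; Operator is the role (a role is not a username)
    jsmith = {"username": "JSMITH", "roles": ["Operator"]}
    print(is_allowed("write-setpoint", jsmith["roles"], "10.10.1.25"))  # True
    print(is_allowed("write-setpoint", jsmith["roles"], "10.10.2.25"))  # False
```

A zone decided from the source address is only as trustworthy as the network that delivers the packets; it constrains where an already-authenticated user may act, it does not establish who they are.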
TLS Encryption
Enable SSL - get a cert from one of:
- a Certificate Authority
- a self-signed cert
- third-party services (Let’s Encrypt)
TLS also applies to the OPC UA, Client and Gateway Network connections.
User Sources
Where to manage your users and roles:
Option #1 - Internal Authentication - Users and roles are stored internally to Ignition.
Option #2 - Database Authentication - Users and roles are stored in a SQL database. Managing users is done via direct interaction with the database.
Active Directory Integration
Option #3 - Active Directory Authentication - Users are managed by Active Directory. Users are authenticated through the LDAP protocol.
Where are the roles managed? Any of:
- Active Directory groups (the AD user source)
- Internal Ignition (the AD/Internal Hybrid user source)
- Database (the AD/Database Hybrid user source)
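With Option #2 the table layout and the credential handling are yours to get right. The following is an added example, not Ignition's Database user source (its real tables and columns are configured in the Gateway); it is Python 3 rather than Jython gateway scripting, uses SQLite in memory, and the table names `users`, `roles` and `user_roles` are assumptions. The point it demonstrates is the one a database-backed user source must not get wrong: store a salted, iterated hash rather than the password, and compare it in constant time.

```python
"""Added example (not Ignition's schema): a minimal database user source with
PBKDF2-HMAC-SHA256 password storage. Table/column names are assumptions."""
import hashlib
import hmac
import os
import sqlite3

SCHEMA = """
CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB NOT NULL, pw_hash BLOB NOT NULL);
CREATE TABLE roles (role TEXT PRIMARY KEY);
CREATE TABLE user_roles (username TEXT REFERENCES users(username),
                         role TEXT REFERENCES roles(role),
                         PRIMARY KEY (username, role));
"""
ITERATIONS = 600_000   # work factor; raise it as hardware gets faster


def open_user_source():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def add_user(conn, username, password, roles):
    salt = os.urandom(16)                      # per-user salt defeats rainbow tables
    conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                 (username, salt, _hash(password, salt)))
    for role in roles:
        conn.execute("INSERT OR IGNORE INTO roles VALUES (?)", (role,))
        conn.execute("INSERT INTO user_roles VALUES (?, ?)", (username, role))
    conn.commit()


def authenticate(conn, username, password):
    """Return the user's sorted roles on success, or None on failure."""
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        _hash(password, b"\x00" * 16)          # same cost as a real check: no username oracle
        return None
    salt, stored = row
    if not hmac.compare_digest(_hash(password, salt), stored):
        return None
    return sorted(r for (r,) in conn.execute(
        "SELECT role FROM user_roles WHERE username = ?", (username,)))


if __name__ == "__main__":
    db = open_user_source()
    add_user(db, "JSMITH", "correct horse battery staple", ["Operator"])
    print(authenticate(db, "JSMITH", "correct horse battery staple"))   # ['Operator']
    print(authenticate(db, "JSMITH", "wrong"))                           # None
```

The roles come back from the same query path that verified the password, so a caller cannot obtain a role list without first authenticating; Ignition's own user source returns roles to the Gateway in the same way.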
7.9.4 Changes
Client Permissions
- For upgrades from previous versions, all are disabled
- For fresh installs, all are enabled
7.9.4 Changes
Named Queries are defined and run at the gateway but can be referenced from the project. They accept parameters to be dynamic but prevent the client from running arbitrary queries.
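The difference between a client that ships SQL and a client that ships only parameters, as an added example that is not Ignition's code. In Ignition the two styles correspond to `system.db.runQuery` with a string the client assembled and `system.db.runNamedQuery` against a query stored on the gateway; here SQLite stands in for the database so the example runs offline, and the table, its rows and the query name `TagsByArea` are constructed for the example.

```python
"""Added example (not Ignition's code): client-built SQL versus a gateway-side
Named Query with bound parameters, against a constructed SQLite table."""
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tags (name TEXT, area TEXT, value REAL)")
    conn.executemany("INSERT INTO tags VALUES (?, ?, ?)", [
        ("LineA/Speed", "LineA", 120.0),
        ("LineA/Temp", "LineA", 71.5),
        ("LineB/Speed", "LineB", 98.0),
        ("Secret/Recipe", "Restricted", 42.0),   # rows the client should never see
    ])
    return conn


def client_built_query(conn, area):
    """Pre-7.9.4 anti-pattern: the client concatenates SQL and sends the whole
    string, so the client decides what the query does."""
    sql = "SELECT name FROM tags WHERE area = '%s'" % area
    return [r[0] for r in conn.execute(sql)]


# The Named Query text lives on the gateway; the client may only supply values.
NAMED_QUERIES = {
    "TagsByArea": "SELECT name FROM tags WHERE area = :area",
}


def run_named_query(conn, name, params):
    sql = NAMED_QUERIES[name]                            # fixed text, not client input
    return [r[0] for r in conn.execute(sql, params)]     # values bound by the driver


if __name__ == "__main__":
    db = make_db()
    hostile = "LineA' OR 1=1 --"
    print(client_built_query(db, hostile))                        # every row leaks
    print(run_named_query(db, "TagsByArea", {"area": hostile}))   # []
```

Binding parameters is what makes the Named Query safe: the hostile string is compared as a literal value of `area`, never parsed as SQL. A Named Query whose text itself concatenates a parameter into the SQL would reintroduce the problem.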
Upcoming Features
1. System Commissioning
2. Federated Identities
3. Multi-Factor Authentication
4. Security Levels
System Commissioning
Terminology
- Authentication - the process of verifying a user’s identity.
- Authorization - the process of determining who should have access to what, or who should be able to undertake what actions.
7.9
- Authentication: Internal Ignition User Source or AD
- Authorization: Roles and Zones
8.0
- Authentication: ?
- Authorization: ?
Federated Identities
Authentication in Ignition 8 is done through Federated Identity Providers (often shortened to IdP).
What is a Federated Identity?
(Diagram: one "Federal" level above several "State" levels, the federation analogy.)
Federated Identities
Ignition 8 will include three different IdP types out of the box:
- Ignition IdP (backed by the legacy User Sources)
- OpenID Connect IdP
- SAML IdP
Benefits
- Web Single Sign On (SSO): better UX and more secure
- Single source of record for identity data
- Simplified provisioning and de-provisioning
Multi-Factor Authentication
Passwords (or any one factor of authentication) alone are generally insufficient in protecting modern digital identity systems.
Multi-factor authentication (MFA)
Two-factor authentication (2FA) is a subset of MFA where exactly 2 mechanisms are used to prove one’s identity.
The three most common types of identity proofing mechanisms are:
- What you know: typically a password or passphrase
- What you have: a badge which you can scan; a software or hardware based one-time-password (OTP) generator; a device such as a smartphone which is capable of receiving authentication requests
- What you are (biometrics): fingerprint; facial or voice recognition; retina scan
Security Levels
Next up - Authorization.
Introducing Security Levels: a platform-level construct aimed to make the permission modeling inside Ignition more convenient and portable.
Introduce a stand-alone permission modeling system for use within Ignition, regardless of how identity was established.
Put another way: security levels allow Ignition to have its own authorization system, independent of the authentication system being used.
Security Levels
Security Levels will look a lot like roles:
- User
- Operator
- LineA
- LineB
- Supervisor
There are two “special” security levels defined by the platform:
- Public: all users are always granted the Public security level, even if they are not authenticated. The Demo Project is almost entirely using the Public security level.
- Authenticated: if a session has authenticated against the configured IdP successfully, it will have the “Authenticated” security level.
If the IdP used did provide “role” information, the roles provided will be added as child security levels underneath “Authenticated”:
Public
  Authenticated
    A
    B
The legacy role information underneath Authenticated provides a way to bridge this new method of permission modeling with the role-based permission modeling from Ignition 7.
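The tree described above, with the check a Perspective component would make against it, as an added example that is not Ignition's code. It assumes the structure the slides give (Public at the root, Authenticated beneath it, IdP-supplied roles beneath that) and represents the IdP result as a constructed authenticated flag plus role list; the path notation `Public/Authenticated/Operator` is a convention chosen for the example.

```python
"""Added example (not Ignition's code): a security-level tree in which holding a
level implies holding all of its ancestors. IdP output below is constructed."""


class SecurityLevel:
    def __init__(self, name, parent=None):
        self.name = name
        self.parent = parent
        self.children = {}
        if parent is not None:
            parent.children[name] = self

    def add(self, name):
        existing = self.children.get(name)
        return existing if existing is not None else SecurityLevel(name, self)

    def path(self):
        node, parts = self, []
        while node is not None:
            parts.append(node.name)
            node = node.parent
        return "/".join(reversed(parts))


def build_tree(idp_roles):
    """Public is the root, Authenticated its child, and every role the IdP can
    report is grafted in underneath Authenticated."""
    public = SecurityLevel("Public")
    authenticated = public.add("Authenticated")
    for role in idp_roles:
        authenticated.add(role)
    return public


def granted_levels(tree, authenticated, session_roles):
    """Set of level paths a session holds. Public always; Authenticated and the
    matching role children only if the IdP actually authenticated the session."""
    held = [tree]
    if authenticated:
        auth = tree.children["Authenticated"]
        held.append(auth)
        # a role the tree does not know is ignored, not created on the fly
        held += [auth.children[r] for r in session_roles if r in auth.children]
    granted = set()
    for node in held:
        while node is not None:              # a level implies all of its ancestors
            granted.add(node.path())
            node = node.parent
    return granted


def is_authorized(required, granted):
    """`required` lists acceptable level paths; the session needs any one of them."""
    return any(path in granted for path in required)


if __name__ == "__main__":
    tree = build_tree(["Operator", "Supervisor"])
    operator = granted_levels(tree, True, ["Operator"])
    print(sorted(operator))
    print(is_authorized(["Public/Authenticated/Supervisor"], operator))   # False
    print(is_authorized(["Public/Authenticated"], operator))              # True
```

Because the tree is built from what the IdP is configured to report, a session that claims a role the IdP never defined gains nothing beyond Authenticated; the authorization model stays independent of how identity was established, which is the point of Security Levels.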
Security Architecture
- Perspective: Federated Identities and Security Levels
- Gateway: User Sources
- Vision Client: User Sources
- Designer: User Sources
Demo
Q/A Security Panel
- Kent Melville, Sales Engineer
- Joel Specht, Software Developer
- Jason Waits, Cyber Security Risk Officer
Uploaded on Sep 21, 2024