Hi
We are trying to implement Orbeon forms at a financial institution. As you can imagine, their security requirements are quite stringent. Does anyone have any experience implementing Orbeon in a high security environment? Can you please provide some best practice methods of how we can tighten the security of the Orbeon deployment? Do you have any examples of having implemented this in a financial institution with regards to security and protection of customer information?

Does anyone here have any experience with using Orbeon together with a 2 factor authentication system like SMS tokens being sent to users to confirm their identity?

Thanks.

-- Sent from: http://discuss.orbeon.com/

-- You received this message because you are subscribed to the Google Groups "Orbeon Forms" group. To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email]. To post to this group, send email to [hidden email].
Administrator
If you haven't seen it already, I think you'll find the information on the page linked below interesting, and just let me know if this doesn't answer some of the questions you might have about security:

https://doc.orbeon.com/configuration/advanced/security.html

Regarding 2-factor authentication, authentication in general is something that happens before requests get to Orbeon Forms. Orbeon Forms can leverage the mechanism built into your app server (e.g. Tomcat) or you can use a reverse proxy. In Orbeon Forms, the first technique is called "container driven", while the second is called "header driven".

https://doc.orbeon.com/form-runner/access-control/users.html

Alex

--
Follow Orbeon on Twitter: @orbeon
Follow me on Twitter: @avernet
Hi
Thank you very much for your response. I have gone through the links you have sent to me. The information in there is helpful. I am trying to understand how we can strengthen Orbeon's security from a network infrastructure point of view as opposed to the vulnerabilities of Orbeon, such as how we can implement technologies such as SSL, Firewalls, IP Routing, Database flushing to secure the solution. I noticed that Orbeon has been implemented in organisations such as ASX which I assume would have similar stringent security requirements. Are you able to provide us with an example of how Orbeon has been implemented in those cases with regards to infrastructure and other aspects of the deployment?

With regards to the second question, I am not referring to authentication of users to login to the Orbeon solution but to validate the users. For example, we have a user that signs an E-Form using the E-Signature module, how can we determine the identity of the person that has signed the document? I have gone through the document you have provided here http://wiki.orbeon.com/forms/projects/electronic-digital-signature but the customer we are working with requires us to be able to further validate the users of the solution via other methods.

With regards to 2 factor authentication, do you have any examples of having implemented Orbeon with SMS tokens to validate users? Do you have any examples of having utilized Orbeon to connect to APIs of customer's enterprise system to validate users?

Thanks
Hi Alessandro
Would you be interested in working with my organization in completing the implementation of the Orbeon Forms solution for our customer based on their requirements? The work will be mainly in terms of strengthening the core security of the Orbeon Forms solution and implementing customer validation within the forms. If so, please provide us with your direct contact details so that we can get in touch with you to discuss terms and costs. Hope to hear back from you soon.

Thanks.
Administrator
Hi,
You're correct to say that security is, for some of our customers, exceptionally important. We focus on the security of Orbeon Forms itself, and we're not trying to act as security consultants so don't have recommendations for what goes "around" Orbeon Forms. As you can imagine, we see SSL, firewalls, security proxies, single sign-on systems, … used frequently and in general customers deploy those technologies across web apps, so there isn't much specific to Orbeon Forms.

Regarding validating a user's signature, are you already using a specific e-signature module, or have one in mind? How you validate the e-signature will be specific to the particular software you're using for e-signature. Or am I misunderstanding your question?

Regarding two-factor authentication, you can have an authentication system that requires users to enter a code sent to them by SMS every time they log in, or only the first time they do so from a "new computer", but this is something you would set up at the level of that authentication system, and when any request gets to Orbeon Forms, it will have already been authenticated based on the rules you've defined.

Regarding help with completing the implementation of Orbeon Forms, we might be able to put you in touch with the right person. I'll follow up on this with you through private email.

Alex
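Added example (not from the thread and not Orbeon code): a Python model of what an authenticating reverse proxy has to do in front of a "header driven" backend, as described in the replies above: forward nothing until both factors are verified, and replace any client-supplied identity headers with values from the server-side session. The header names, session fields and function names are assumptions made for illustration.

```python
# Added illustration: models the trust boundary of a reverse proxy placed in
# front of an application that reads the user identity from request headers.
# Header names and the session layout are hypothetical.

IDENTITY_HEADERS = {"x-auth-username", "x-auth-roles"}  # assumed names


class NotAuthenticated(Exception):
    """Raised when a request must not be forwarded to the backend."""


def _canonical(name):
    # Header names are case-insensitive, and some servers map "_" to "-".
    return name.strip().lower().replace("_", "-")


def headers_for_backend(client_headers, session):
    """Return the headers the proxy forwards for one request.

    client_headers: dict of headers as received from the browser (untrusted).
    session: server-side session record, or None if there is no session.
    """
    # Forward only once both factors are verified (password + SMS code).
    if not session or not session.get("password_ok") or not session.get("sms_code_ok"):
        raise NotAuthenticated("both authentication factors are required")

    # Drop every client-supplied copy of an identity header.
    forwarded = {
        name: value
        for name, value in client_headers.items()
        if _canonical(name) not in IDENTITY_HEADERS
    }

    # Set the identity from the server-side session only.
    forwarded["X-Auth-Username"] = session["username"]
    forwarded["X-Auth-Roles"] = ",".join(sorted(session["roles"]))
    return forwarded


# Constructed sample input: a browser request that tries to supply its own identity.
SAMPLE_REQUEST = {
    "Accept": "text/html",
    "x_auth_username": "admin",
    "X-AUTH-ROLES": "admin",
}
SAMPLE_SESSION = {"username": "jsmith", "roles": ["clerk"],
                  "password_ok": True, "sms_code_ok": True}
```

The backend should accept connections only from the proxy; if it is reachable directly, this step can be bypassed and the identity headers can no longer be trusted.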
Administrator
Hi,
Did you get all answers to the questions you had about security so far? You'll let me know if any clarification would help, or I left out anything from my response.

Alex