TRANSCRIPT
Martin Borrett, Lead Security Architect, Technical Staff Member, NE Europe, IBM SWG
SOA Security Challenges, Patterns and Solutions
What is different now? Trends
Trends:
Increased focus on compliance and governance
Service oriented architecture
Web 2.0 and collaboration models
User centric identity
Trusted identity
Implications:
Porous perimeter with trust extending beyond traditional ‘boundaries’
Composite applications and business process transformation challenge traditional approaches to define and manage security policies
Empowering users to make selections – sharing of identity info, who they trust, ...
Need to factor in reputation, trust models, and information leakage
New identity and access management challenges
Composite application and mash-ups adoption
Need consistent enforcement of policies
Requires enterprise to ensure consistent and integrated identity management, access control and data security
Compliance driving a need for closed-loop solution
Need unified identity & access management with delegation & change control
Audit accountability needs to relate activities to ‘end users’, not just ids or systems
Deployment of heterogeneous IT infrastructures creates costly islands of security administration
Mature standards exist today (WS-Policy, WS-Trust, XACML)
Need common, pluggable framework (authentication, authorization)
Architectural principles
Consistent policy enforcement (Runtime)*
Security as a service – service orientation
Federation through mediation
Externalization of policies from applications
Flexibility to deal with change – does not necessarily mean applications need to be re-written
Consistent policy management (Administration)
Interoperability and integration
Open approach – open standards and open source
* Note: enforcement in this context is inclusive of decision points
Consistent runtime enforcement – Example
Diagram: Client System (browser, rich client) | Firewall | Proxy/Intermediary | Firewall | Web Application Server/Portal | Server | Existing Application | Enterprise Information System
Centralized Security Services (‘Security as a Service’)
Policies and configurations are currently specific to the various products, with tool-specific definitions. How do you check compliance across all of them?
Compliance Officer (Corporate Intranet): The corporate policy is to protect disclosure of social security numbers
Security Officer: Message encryption policy
Integration Architect (Service Registry): Service policy
Developer: Should I code entitlements into the application?
Service
IT Operations (Operations Console): Manage and enforce the policies
Challenge: How to apply policy consistently?
Solution Pattern – Components & Interaction for Policy Administration, Decision and Enforcement
Diagram components: Policy Administration Point (PAP); Policy Enforcement Point (PEP); Policy Decision Point (PDP); Policy Information Point (PIP)
Diagram flows: Publish; Discovery; Policy decision; Information
Message Security Policy for Authentication & Identity Propagation
Diagram: Client System (browser, rich client) | Firewall | Proxy/Intermediary | Firewall | Web Application Server/Portal | Server | Existing Application | Enterprise Information System
IT Security Runtime Services: Authentication Services; Identity Services; Policy Enforcement
Identity propagation shown: Jon presents <Jdoe_token>; [email protected] is mapped to z42 at the Enterprise Information System (WS-Trust)
Message confidentiality & integrity policies – what to sign? what to encrypt? What identity token? Trust policy?
Applications need end user’s identity for controlling access and compliance
Identity information needs to be mediated for access – Authentication service
What assertions are needed? What is the trust policy? How to secure messages for integrity & confidentiality? How to authenticate, validate and transform identity claims/tokens across boundaries?
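The mediation step on this slide (validate the partner's token under the trust policy, map the external identity to the local one, issue a token the application consumes) as an added worked example. This code was written for this page and is not IBM's product code or the WS-Trust wire format: tokens are compact HMAC-signed JSON rather than SAML/WS-Security XML, and the issuer URLs, keys, the subject jdoe@example.com and the mapping to z42 are constructed sample data (the deck's own e-mail identity is redacted and is not reconstructed here).

```python
"""Trust-boundary identity mediation, simplified: a local security token
service validates an inbound token from a trusted issuer, maps the external
subject to a local account, and issues a short-lived local token."""
import base64
import hashlib
import hmac
import json
import time

# Constructed trust policy: which external issuers we accept and the shared
# secret used to verify each issuer's token signature.
TRUSTED_ISSUERS = {
    "https://idp.partner.example": b"partner-issuer-secret",
}
# Constructed identity-mapping table: external subject -> local account id
# (the deck shows an external e-mail identity mapped to local id "z42").
IDENTITY_MAP = {
    "jdoe@example.com": "z42",
}
STS_AUDIENCE = "urn:corp:sts"            # inbound tokens must be addressed to us
LOCAL_ISSUER = "https://sts.corp.example"
LOCAL_KEY = b"local-sts-secret"
LOCAL_AUDIENCE = "urn:corp:finance-app"   # downstream application


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, key: bytes) -> str:
    """Serialize claims and append an HMAC-SHA256 tag: <payload>.<signature>."""
    payload = _b64(json.dumps(claims, sort_keys=True).encode())
    tag = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64(tag)}"


def validate_token(token: str, key: bytes, expected_audience: str, now: float) -> dict:
    """Verify signature (constant-time compare), audience and expiry.
    Returns the claims, or raises ValueError naming the failed check."""
    try:
        payload, tag = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    expected = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(tag)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(payload))
    if claims.get("aud") != expected_audience:
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims


def exchange_token(inbound: str, now: float = None) -> str:
    """The mediation step: choose the verification key by issuer, validate the
    inbound token, map the subject to a local identity and issue a local token.
    Any policy failure raises; the caller must treat that as access denied."""
    now = time.time() if now is None else now
    # The issuer claim is read before verification only to select the key;
    # nothing is trusted until validate_token has checked the signature.
    issuer = json.loads(_unb64(inbound.split(".")[0])).get("iss")
    key = TRUSTED_ISSUERS.get(issuer)
    if key is None:
        raise ValueError(f"untrusted issuer: {issuer!r}")
    claims = validate_token(inbound, key, STS_AUDIENCE, now)
    local_id = IDENTITY_MAP.get(claims.get("sub"))
    if local_id is None:
        raise ValueError(f"no local identity mapped for {claims.get('sub')!r}")
    local_claims = {
        "iss": LOCAL_ISSUER,
        "sub": local_id,
        "aud": LOCAL_AUDIENCE,
        "exp": now + 300,
        # Keep the original identity for audit: activity must trace to the
        # end user, not only to the mapped local id.
        "act": {"iss": issuer, "sub": claims["sub"]},
    }
    return issue_token(local_claims, LOCAL_KEY)


if __name__ == "__main__":
    now = time.time()
    partner_token = issue_token(
        {"iss": "https://idp.partner.example", "sub": "jdoe@example.com",
         "aud": STS_AUDIENCE, "exp": now + 60},
        TRUSTED_ISSUERS["https://idp.partner.example"])
    local = exchange_token(partner_token, now)
    print(validate_token(local, LOCAL_KEY, LOCAL_AUDIENCE, now))
```

The `act` claim carries the original external identity alongside the mapped local id, which is what the earlier slide's audit requirement ("relate activities to end users, not just ids or systems") needs once the request has crossed the boundary.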
Authorization Policy for Access & Entitlements
Diagram: Client System (browser, rich client) | Firewall | Proxy/Intermediary | Firewall | Web Application Server/Portal | Server | Existing Application | Enterprise Information System
IT Security Runtime Services: Authorization Services; Identity Services; Policy Enforcement
Questions asked about Jon: Can Jon access apps? Can Jon access finance apps? Can Jon access Alice’s investment record, given Jon is Alice’s financial advisor?
Access decisions; entitlements; use claims
Obtain identity information and attributes to make decisions
Access decisions need to take the following into consideration: identity context, resource context, request context
Need an efficient way to externalize access control out of application logic – Authorization service
Centralized decision point for access and entitlements
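The PAP/PEP/PDP/PIP pattern from the solution-pattern slide, applied to the three questions this slide asks about Jon, as an added worked example. It is plain Python written for this page, not IBM's product code and not XACML, though it keeps XACML's subject/resource/action/environment request shape and deny-overrides combining. The users, attributes, business-hours rule and rule names are constructed sample data.

```python
"""Externalized access control: a PEP asks a PDP, which evaluates published
rules against identity context (from the PIP), resource context and request
context. The application itself carries no entitlement logic."""
from dataclasses import dataclass, field
from typing import Callable


@dataclass
class Request:
    """Request as the PEP builds it from an incoming call."""
    subject: str
    resource_type: str
    action: str
    resource_attrs: dict = field(default_factory=dict)  # resource context
    environment: dict = field(default_factory=dict)     # request context (time, channel, ...)


# Constructed identity store; the PIP answers attribute queries from it.
IDENTITY_STORE = {
    "jon":   {"roles": {"employee", "financial_advisor"}, "department": "finance"},
    "alice": {"roles": {"customer"}, "advisor": "jon"},
    "bob":   {"roles": {"employee"}, "department": "marketing"},
}


class PolicyInformationPoint:
    """Resolves identity context that the request itself does not carry."""
    def __init__(self, store: dict):
        self.store = store

    def attributes(self, subject: str) -> dict:
        return self.store.get(subject, {})


@dataclass
class Rule:
    name: str
    effect: str  # "Permit" or "Deny"
    condition: Callable[[Request, dict, PolicyInformationPoint], bool]


class PolicyDecisionPoint:
    """Evaluates the rule set with deny-overrides combining."""
    def __init__(self, rules: list, pip: PolicyInformationPoint):
        self.rules, self.pip = rules, pip

    def decide(self, req: Request) -> str:
        subject_attrs = self.pip.attributes(req.subject)
        effects = {r.effect for r in self.rules if r.condition(req, subject_attrs, self.pip)}
        if "Deny" in effects:
            return "Deny"
        if "Permit" in effects:
            return "Permit"
        return "NotApplicable"


class PolicyEnforcementPoint:
    """Sits in front of the application: only an explicit Permit lets the call through."""
    def __init__(self, pdp: PolicyDecisionPoint):
        self.pdp = pdp

    def guard(self, req: Request, operation: Callable[[], object]):
        decision = self.pdp.decide(req)
        if decision != "Permit":
            raise PermissionError(f"{decision}: {req.subject} may not {req.action} {req.resource_type}")
        return operation()


# Constructed rule set, i.e. what the PAP would publish. Each condition sees the
# request, the subject's attributes (identity context) and the PIP for look-ups.
RULES = [
    Rule("employees-may-use-apps", "Permit",
         lambda req, s, pip: req.resource_type == "app" and "employee" in s.get("roles", ())),
    Rule("finance-apps-only-for-finance-dept", "Deny",
         lambda req, s, pip: req.resource_type == "app"
         and req.resource_attrs.get("category") == "finance"
         and s.get("department") != "finance"),
    Rule("advisor-may-read-own-clients-records", "Permit",
         lambda req, s, pip: req.resource_type == "investment_record" and req.action == "read"
         and "financial_advisor" in s.get("roles", ())
         and pip.attributes(req.resource_attrs.get("owner", "")).get("advisor") == req.subject),
    Rule("no-record-access-outside-business-hours", "Deny",
         lambda req, s, pip: req.resource_type == "investment_record"
         and not 8 <= req.environment.get("hour", 12) < 18),
]


def build_pdp() -> PolicyDecisionPoint:
    return PolicyDecisionPoint(RULES, PolicyInformationPoint(IDENTITY_STORE))


def answer_slide_questions(pdp: PolicyDecisionPoint = None) -> dict:
    """The slide's three questions about Jon, plus two contrasting cases."""
    pdp = pdp or build_pdp()
    alice_record = {"owner": "alice"}
    return {
        "Can Jon access apps?":
            pdp.decide(Request("jon", "app", "use")),
        "Can Jon access finance apps?":
            pdp.decide(Request("jon", "app", "use", {"category": "finance"})),
        "Can Jon read Alice's investment record (Jon is Alice's advisor)?":
            pdp.decide(Request("jon", "investment_record", "read", alice_record, {"hour": 10})),
        "Can Bob read Alice's investment record?":
            pdp.decide(Request("bob", "investment_record", "read", alice_record, {"hour": 10})),
        "Can Jon read Alice's record at 02:00?":
            pdp.decide(Request("jon", "investment_record", "read", alice_record, {"hour": 2})),
    }


if __name__ == "__main__":
    for question, decision in answer_slide_questions().items():
        print(f"{decision:14} {question}")
```

The third question is the one an application cannot answer from its own data: whether Jon is Alice's advisor lives in the identity store, so the rule reaches through the PIP for Alice's attributes. NotApplicable is treated by the PEP exactly like Deny, so a request no rule covers is refused rather than falling through.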
Security Policy Management
Diagram: Client System (browser, rich client) | Firewall | Proxy/Intermediary | Firewall | Web Application Server/Portal | Server | Existing Application | Enterprise Information System
Policy lifecycle: Author, Transform, Enforce, Monitor
Identity policies: manage trust relationships across domains
Authorization policies: manage authorization policies & entitlements
Trust policies
Policy management in canonical form (e.g., WS-SecurityPolicy, XACML), with a local transformation at each enforcement point
Service Registry
Multiple heterogeneous enforcement points – potential inconsistency in managing policies and configuration across those
Unified security policy management: federate policies to enforcement points (including decision points/services); canonical form of policy expressions, with local transformations as necessary
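An added worked example of the Author, Transform, Enforce, Monitor lifecycle on this slide, which also answers the compliance officer's question from the earlier slide (how to check compliance across products with tool-specific definitions): keep one canonical policy, derive each product's configuration from it, and re-derive and compare during monitoring. This is illustrative code written for this page, not IBM's tooling; the canonical schema is a small dict standing in for a WS-SecurityPolicy document, and the two local configuration formats and enforcement-point names are constructed.

```python
"""Canonical policy with per-enforcement-point transformations and a
drift check. The canonical form is the single source of truth; local forms
are derived, never hand-edited, and monitoring detects when they diverge."""
import hashlib
import json

# Canonical policy (stands in for a WS-SecurityPolicy/XACML document held in
# the service registry). Constructed sample.
CANONICAL_POLICY = {
    "policy_id": "protect-ssn-in-transit",
    "version": 3,
    "encrypt_elements": ["customer/ssn"],
    "sign_elements": ["soap:Body"],
}


def fingerprint(policy: dict) -> str:
    """Stable hash of the canonical text, stamped into every derived local form
    so a monitor can tell which policy version a deployed config came from."""
    text = json.dumps(policy, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(text.encode()).hexdigest()[:16]


def to_gateway_config(policy: dict) -> dict:
    """Local transformation for a constructed XML-gateway configuration format."""
    return {
        "source_policy": fingerprint(policy),
        "encryptElements": list(policy["encrypt_elements"]),
        "signElements": list(policy["sign_elements"]),
        "rejectUnprotected": True,   # gateway default: fail closed
    }


def to_appserver_config(policy: dict) -> str:
    """Local transformation for a constructed line-oriented application-server format."""
    lines = [f"# source_policy={fingerprint(policy)}"]
    lines += [f"encrypt {path}" for path in policy["encrypt_elements"]]
    lines += [f"sign {path}" for path in policy["sign_elements"]]
    return "\n".join(lines) + "\n"


# Which enforcement points exist and how the canonical policy reaches each one.
TRANSFORMS = {
    "edge-gateway": to_gateway_config,
    "app-server": to_appserver_config,
}


def check_compliance(policy: dict, deployed: dict) -> list:
    """Monitor step: re-derive each local form from the canonical policy and
    compare it with what each enforcement point actually runs.
    `deployed` maps enforcement-point name -> its live configuration.
    Returns a list of findings; an empty list means every point is compliant."""
    findings = []
    for point, transform in TRANSFORMS.items():
        if point not in deployed:
            findings.append(f"{point}: no configuration deployed")
            continue
        if transform(policy) != deployed[point]:
            findings.append(
                f"{point}: deployed config differs from canonical policy v{policy['version']}")
    for point in deployed:
        if point not in TRANSFORMS:
            findings.append(f"{point}: enforcement point has no transformation, cannot verify")
    return findings


if __name__ == "__main__":
    live = {name: t(CANONICAL_POLICY) for name, t in TRANSFORMS.items()}
    print("compliant:", check_compliance(CANONICAL_POLICY, live))
    # Someone removes the SSN encryption line directly on the app server.
    live["app-server"] = live["app-server"].replace("encrypt customer/ssn\n", "")
    print("after local edit:", check_compliance(CANONICAL_POLICY, live))
```

Comparing the full re-derived configuration, rather than only the fingerprint, catches both cases the slide worries about: a point still running an older policy version, and a point whose configuration was changed locally after deployment.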
Logical Architecture
Diagram: Client System (browser, rich client) | Firewall | Proxy/Intermediary | Firewall | Web Application Server/Portal | Server | Existing Application | Enterprise Information System
Policy lifecycle: Author, Transform, Enforce, Monitor; canonical form (e.g., WS-SecurityPolicy, XACML) with a local transformation at each enforcement point
IT Security Runtime Services: Authentication Services; Authorization & Privacy Services; Audit Services; Identity Services; Confidentiality & Integrity Services; Non-repudiation Services
Business Security Services: Identity & Access; Data Protection, Privacy & Disclosure Control; Secure Systems & Networks; Compliance & Reporting; Trust Management; Non-repudiation Services
… and Interoperability & integration with open standards
Service interfaces: token exchange and authorization – WS-Trust; identity service – IdAS (open source effort in progress – Project Higgins @ Eclipse)
Policy expressions: authorization policies – XACML; message protection policies – e.g., WS-SecurityPolicy
Programming model: WS-* – WS-Trust, XACML; Java – declarative model in J2EE, programming APIs through Java Authentication and Authorization Service (JAAS) and Java Authorization Contract for Containers (JACC)
Collaborators on open standards: Microsoft, Oracle, SAP, Sun, and others
Open source – Project Higgins at Eclipse.org