infrastructure service approach to handling security in service-oriented architecture business...
TRANSCRIPT
![Page 1: Infrastructure Service Approach to Handling Security in Service-Oriented Architecture Business Applications Doina Iepuras](https://reader035.vdocuments.us/reader035/viewer/2022071705/56649f4c5503460f94c6cd63/html5/thumbnails/1.jpg)
Infrastructure Service Approach to Handling Security in
Service-Oriented Architecture Business Applications
Doina Iepuras
![Page 2: Infrastructure Service Approach to Handling Security in Service-Oriented Architecture Business Applications Doina Iepuras](https://reader035.vdocuments.us/reader035/viewer/2022071705/56649f4c5503460f94c6cd63/html5/thumbnails/2.jpg)
SOA Security
• Authentication – validating the identity of the message originator
• Authorization – controlling the use of the services
• Privacy – no unwanted intercepts while transmitting a message
• Integrity – confidence that message has not been modified
![Page 3: Infrastructure Service Approach to Handling Security in Service-Oriented Architecture Business Applications Doina Iepuras](https://reader035.vdocuments.us/reader035/viewer/2022071705/56649f4c5503460f94c6cd63/html5/thumbnails/3.jpg)
SOA Security Levels
• Transport Layer Security– Point-to-point security– Encryption for data in motion
Cons• Not granular enough• Reduced auditing capabilities
![Page 4: Infrastructure Service Approach to Handling Security in Service-Oriented Architecture Business Applications Doina Iepuras](https://reader035.vdocuments.us/reader035/viewer/2022071705/56649f4c5503460f94c6cd63/html5/thumbnails/4.jpg)
SOA Security Levels
• Message Level Security– End-to-end security– WS-Security - integrity via cryptographic
mechanisms– WS-Policy – framework describing rules and
policies
Cons• Implementation for each message
![Page 5: Infrastructure Service Approach to Handling Security in Service-Oriented Architecture Business Applications Doina Iepuras](https://reader035.vdocuments.us/reader035/viewer/2022071705/56649f4c5503460f94c6cd63/html5/thumbnails/5.jpg)
Application Managed Security
DataStore
DataStore
DataStore
.NetApps
Portal Server
ApplicationServer
BusinessProcesses
FWTrusted Network
FW
J2EEApps
SecurityDecisions
CustomApps
SecurityDecisions
Message
DataStore
WebServer
SecurityDecisions
SecurityDecisions
![Page 6: Infrastructure Service Approach to Handling Security in Service-Oriented Architecture Business Applications Doina Iepuras](https://reader035.vdocuments.us/reader035/viewer/2022071705/56649f4c5503460f94c6cd63/html5/thumbnails/6.jpg)
Application Proxy
• Common interface that can receive and respond to web service calls
• Reduce the load on the enterprise’s infrastructure
• Caches and manages authentication and authorization requests
![Page 7: Infrastructure Service Approach to Handling Security in Service-Oriented Architecture Business Applications Doina Iepuras](https://reader035.vdocuments.us/reader035/viewer/2022071705/56649f4c5503460f94c6cd63/html5/thumbnails/7.jpg)
Gateway Security Pattern
• Handles different transport layers
• Performs enhanced message transformations
• Coarse-grained authorization of the request message and its origins
• Validation of the request format
![Page 8: Infrastructure Service Approach to Handling Security in Service-Oriented Architecture Business Applications Doina Iepuras](https://reader035.vdocuments.us/reader035/viewer/2022071705/56649f4c5503460f94c6cd63/html5/thumbnails/8.jpg)
Enterprise Service Bus
Supports integration and flexible reuse of heterogeneous business components– Routing messages between services– Conversions of transport protocols – Transforming requests from one message
format to another
![Page 9: Infrastructure Service Approach to Handling Security in Service-Oriented Architecture Business Applications Doina Iepuras](https://reader035.vdocuments.us/reader035/viewer/2022071705/56649f4c5503460f94c6cd63/html5/thumbnails/9.jpg)
Security as a Service
• Access control decisions should be made each time a message reaches a transition point
• Allows early detection of unauthorized requests
• Eliminates unnecessary security processing at the application layer
• Issue: a lot of redundancy
![Page 10: Infrastructure Service Approach to Handling Security in Service-Oriented Architecture Business Applications Doina Iepuras](https://reader035.vdocuments.us/reader035/viewer/2022071705/56649f4c5503460f94c6cd63/html5/thumbnails/10.jpg)
Security as a Service
• Implement security as a set of services
• Application relies on services to acquire a security decision
• What if security is already implemented within the application?– The decisions should still be made via a
service which gets the decision from the application implementation
![Page 11: Infrastructure Service Approach to Handling Security in Service-Oriented Architecture Business Applications Doina Iepuras](https://reader035.vdocuments.us/reader035/viewer/2022071705/56649f4c5503460f94c6cd63/html5/thumbnails/11.jpg)
Security as a Service
• Security Decision Service - segregates the security decision functionality
• Security Enforcement Service – applies security decisions to a request
![Page 12: Infrastructure Service Approach to Handling Security in Service-Oriented Architecture Business Applications Doina Iepuras](https://reader035.vdocuments.us/reader035/viewer/2022071705/56649f4c5503460f94c6cd63/html5/thumbnails/12.jpg)
Security as a Service within the ESB
• ESB enables the security as a service model
• Services are implemented as mediations which provide reusable functionality– Service for Encryption/decryption– Service for Validating digital signatures– Service for Authenticating the requestor
![Page 13: Infrastructure Service Approach to Handling Security in Service-Oriented Architecture Business Applications Doina Iepuras](https://reader035.vdocuments.us/reader035/viewer/2022071705/56649f4c5503460f94c6cd63/html5/thumbnails/13.jpg)
ESB Model
DataStore
DataStore
DataStore
.NetApps
J2EEApps
SecurityDecisions
CustomApps
SecurityEnforcement
Services
RequestMessage
ESB
SecurityEnforcement
Services
SecurityDecisionsServices
ApplicationServer
Service EnforcementService
![Page 14: Infrastructure Service Approach to Handling Security in Service-Oriented Architecture Business Applications Doina Iepuras](https://reader035.vdocuments.us/reader035/viewer/2022071705/56649f4c5503460f94c6cd63/html5/thumbnails/14.jpg)
ESB Model
• Validation of request format
• Transport and end-to-end security for service implementations
• Enables layered security approach by separating enforcement and decision services
• Single point of control for identity mapping
• Can be implemented gradually
![Page 15: Infrastructure Service Approach to Handling Security in Service-Oriented Architecture Business Applications Doina Iepuras](https://reader035.vdocuments.us/reader035/viewer/2022071705/56649f4c5503460f94c6cd63/html5/thumbnails/15.jpg)
Q&A