SB20: SOA Security and the Impacts to BCP
Mark Spreitzer, CBCP
CGI Enterprise Security Practice
Director, Business Continuity/CIP
Office: [email protected]
www.cgi.com

Ken Huang, CISSP
CGI Enterprise Security Practice
Director, Security Engineering
Office: [email protected]
www.cgi.com

Agenda
• Defining Service Oriented Architecture (SOA)
• How to roadmap SOA
• SOA and Service Level Agreements
• SOA Security Stack
• SOA and the RTO & RPO
• SOA and the BIA Questionnaire
• Tips for applying SOA to BCP
• Summary & Questions

What is SOA?
• Business-centric approach to IT architecture
  – supports integrating your business as linked, repeatable business tasks, or services.
• SOA enables business to define and implement loosely-coupled and coarse-grained services
  – services are made available to other participants in the network in a standardized way
  – to increase ROI and reusability

Roadmap Example
• Approach
  – Workflow the value chain
    • information provided and consumed
  – Identify opportunities to standardize the information interface
  – Develop solution with those services
  – Increase ROI & reusability profit!
• Points to remember
  – Business and IT are working on the same tool
  – Path to execution: all services are defined

Workflow the Business Process
[Diagram: value-chain workflow. Parties shown: Program Providers (Program Development); Regional and International Offices (Program Operations); Consumers (Receive Catalogs/Bills); Finance (Billing and Financial Tracking); Call Center (Registration/Payments); Publisher (Catalog Printing and Mailing Vendors); Marketing (Catalog & Brochure Design); Customer Service (Consumer Questions, Program Changes/Cancellations); Mail Operations (Brochure Distribution). Other labels: Finance Application, Program Changes, Special Requests, Program Edits, Currency conversion and Fee association.]

Identify external vs. internal services
[Diagram: the value-chain workflow from the previous slide, marked up to distinguish external from internal services.]

Identify the Information Interface
[Diagram: the value-chain workflow from the previous slides, with the interfaces between parties labelled VPN or IAM.]
IAM = Identity & Access Management

Before SOA
• Disconnect between Business Strategies and IT Solutions
  – Operation support
  – Individual project based decision
  – Ad hoc and technology driven implementation
• Proprietary middleware & presentation technologies
• Non-Scalable Point to point integration
• Lack of Agility
• Limited Reusability

SOA Identity Management
[Diagram: the value-chain workflow from the previous slides, with the links between parties labelled "trust".]

What SOA Provides
• Focus on Business Processes
  – Internal and external view of business services
  – How data flows between service components
  – Analyze the trust among service partners
  – Provide an abstraction layer for services and associated workflow
  – Involved in business strategies and decisions
  – Have a long-term blueprint and the big picture as guidance
• Enforcement of reusability
  – Promote agility
  – Promote standardization
• Gartner sees the use of SOA for mission critical applications ramping from 50 percent in 2007 to 80 percent by 2010

BCP and SOA: What is in common?
• Focus on core and critical business processes and values
• Insider and outsider view of Business
• Business Centric approach instead of IT Centric
• What changes?
  – SOA Architect and Governance body

SOA and Service Level Agreements (SLA)
• Before SOA (hard-wired deployments)
  – SLAs relatively easy to implement using conventional tools
• With SOA
  – Environment becomes dynamic
  – Loosely-coupled enterprise SLA becomes difficult
  – Service end points may be added or changed
  – New services might be offered or existing SLAs redefined
  – SLAs may even exist between different enterprises entirely
• Solution: map and exercise plans to the value chain

SOA Security Stack
• Areas influenced by SOA Security standards
  – Policy Standards
    • Trust
    • Confidentiality
  – Identity Management
    • Business partner entitlements
    • Service partner entitlements
  – Messaging integrity and confidentiality
    • Lower layer security
    • Key management
    • Encryption management

Three categories of standards
• Identity Management Standards
  – SAML, Liberty ID-FF, SPML, XACML, DSML, WS-Federation, etc.
• Web Services Standards
  – WS-Security
  – WS Security Policy
  – WS-SecureConversation
  – WS-Trust
  – WS-ReliableMessaging
• Digital Security Standards (mostly in the lower layers of the IP stack)
  – XKMS, XML-ENC, PKI, S/MIME, Kerberos, XML-SIG, TLS, IPSec, SSL, LDAP, etc.

SAML (Security Assertion Markup Language)
• XML standard for exchanging authentication and authorization data between security domains.
• SAML Building Blocks
  – Extensible Markup Language (XML)
  – XML Schema
  – XML Signature
    • For authentication and message integrity.
  – XML Encryption
    • For Identity encryption
  – SOAP

Liberty Alliance Project
• Global alliance on Identity Federation
  – Organization of over 150 members comprised of business, non-profit and government agencies
  – Developing an open standard for federated network identity (Liberty ID-FF)
• Liberty ID-FF (Identity Federation Framework)
  – Now part of OASIS standard
    • OASIS (Organization for the Advancement of Structured Information Standards)
    • Is the basis for SAML 2.0

WS-Federation
• Competing standard to SAML
  – Developed by BEA Systems, BMC Software, CA, Inc., IBM, Microsoft, Novell, and VeriSign
• Part of the larger WS-* Security framework
• Microsoft has its own standard
  – Interoperates with WS-Federation
  – Based on Active Directory
  – Bundled in Windows Server 2003 R2
  – Microsoft ADFS (Active Directory Federation Service)

XACML (eXtensible Access Control Markup Language)
• Declarative access control policy language
• Implemented in XML
• Processing model
  – describing how to interpret the access policies
• Defines who can access what resource
• Passed from PEP (Policy Enforcement Point) to PDP (Policy Decision Point)
  – PDP uses the information inside XACML to determine who has access to which resource
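
The PEP-to-PDP hand-off described on this slide, as an added example that is not part of the original deck: a simplified Python model in which the PDP combines matching rules with deny-overrides and the PEP grants access only on an explicit Permit. The roles, resources and rules are constructed from the deck's value-chain diagram, the choice of deny-overrides is an assumption, and plain dictionaries stand in for XACML's XML request and policy documents.

```python
# Simplified PEP/PDP model (added example; attribute names and rules are
# constructed, and real XACML requests and policies are XML documents).
from dataclasses import dataclass

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"


@dataclass(frozen=True)
class Rule:
    effect: str    # PERMIT or DENY
    role: str      # subject attribute; "*" matches any value
    resource: str  # resource attribute; "*" matches any value
    action: str    # action attribute; "*" matches any value

    def matches(self, request: dict) -> bool:
        return all(want in ("*", request.get(key))
                   for key, want in (("role", self.role),
                                     ("resource", self.resource),
                                     ("action", self.action)))


# Constructed policy: internal teams, one external partner, one broad rule.
POLICY = [
    Rule(PERMIT, "call_center", "registration", "*"),
    Rule(PERMIT, "finance", "billing", "*"),
    Rule(PERMIT, "publisher", "catalog", "read"),
    Rule(DENY, "publisher", "billing", "*"),  # external partner
    Rule(PERMIT, "*", "billing", "read"),     # broad rule; the DENY wins
]


def pdp_decide(request: dict, policy=POLICY) -> str:
    """Policy Decision Point: combine matching rules with deny-overrides."""
    effects = {rule.effect for rule in policy if rule.matches(request)}
    if DENY in effects:
        return DENY
    return PERMIT if PERMIT in effects else NOT_APPLICABLE


def pep_enforce(role: str, resource: str, action: str) -> bool:
    """Policy Enforcement Point: build the request, ask the PDP, and
    allow access only on an explicit Permit (NotApplicable is refused)."""
    request = {"role": role, "resource": resource, "action": action}
    return pdp_decide(request) == PERMIT
```
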

WSS (WS-Security)
• Application layer protocol
• Enables end-to-end security using security tokens
• Describes how to attach security tokens to messages
  – SOAP signature and HTTP encryption headers
  – Including binary security tokens such as X.509 certificates and Kerberos tickets
• Contains specifications on how integrity and confidentiality can be enforced on Web services messaging
  – Includes details on the use of SAML and Kerberos, and certificate formats such as X.509

Other WS-* Standards
• Provides for Confidentiality and Integrity
• Extension of WS-Security
  – WS-SecureConversation
    • Provide the message authentication
  – WS-SecurityPolicy
    • Define how and when the security tokens should be used in Web Service conversation.
  – WS-Trust
    • Provides framework for validation of security tokens.

WS-ReliableMessaging
• Provides for System Availability
• Protocol that allows SOAP messages to be delivered reliably between distributed applications
• Queues messages/requests in the presence of software component, system, or network failures
  – Developed by BEA Systems, Microsoft, IBM, and Tibco (March 2003)
  – Approved as an OASIS Standard on June 14th, 2007
[Diagram: Application Source -> Send -> Remote Messaging Source -> Transmit -> Remote Messaging Destination -> Deliver -> Application Destination, with Acknowledge returned from the Remote Messaging Destination to the Remote Messaging Source.]
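
The Send, Transmit, Acknowledge and Deliver flow on this slide, as an added example that is not part of the original deck: a Python simulation in which the source queues each numbered message until it is acknowledged and the destination delivers in order, exactly once. Class names, payloads and the loss pattern are constructed; in-order, exactly-once delivery is an assumption, and no SOAP or WS-ReliableMessaging XML is produced.

```python
# Added example: class names, payloads and the loss pattern are constructed.
class RMDestination:
    def __init__(self):
        self.received = {}        # message number -> payload, held until in order
        self.next_to_deliver = 1
        self.delivered = []       # what the Application Destination sees

    def on_transmit(self, number, payload):
        if number >= self.next_to_deliver:
            self.received.setdefault(number, payload)  # duplicates are ignored
        while self.next_to_deliver in self.received:   # deliver in order, once
            self.delivered.append(self.received.pop(self.next_to_deliver))
            self.next_to_deliver += 1
        # Acknowledge every message number accepted so far.
        return set(range(1, self.next_to_deliver)) | set(self.received)


class RMSource:
    def __init__(self, destination, drop):
        self.destination = destination
        self.drop = set(drop)     # (number, attempt) pairs lost in transit
        self.unacked = {}         # queued until the destination acknowledges
        self.attempts = {}        # message number -> transmissions so far
        self.next_number = 1

    def send(self, payload):      # called by the Application Source
        self.unacked[self.next_number] = payload
        self.next_number += 1

    def flush(self):
        """One round: (re)transmit every message still unacknowledged."""
        for number, payload in sorted(self.unacked.items()):
            self.attempts[number] = self.attempts.get(number, 0) + 1
            if (number, self.attempts[number]) in self.drop:
                continue          # lost by the network; stays queued
            for acked in self.destination.on_transmit(number, payload):
                self.unacked.pop(acked, None)


def run(payloads, drop, max_rounds=5):
    dest = RMDestination()
    src = RMSource(dest, drop)
    for payload in payloads:
        src.send(payload)
    rounds = 0
    while src.unacked and rounds < max_rounds:
        src.flush()
        rounds += 1
    return dest.delivered, rounds, src.attempts
```

A message that is lost on every attempt holds back all later messages under in-order delivery, so a recovery plan that depends on the queue draining needs a bound on how long that can last.
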

SOA Security tips
• Network and Transport Layer security:
  – Firewall, IPSec, SSL, VPN, HTTPS
  – Most non-invasive
• Use XML-Enc and XML-Sig
• Apply WS-* Security
• Identity and Access Management is a must-have.

What SOA means to Data
• Information is protected as it moves
  – from structured to unstructured
  – in and out of applications
  – across each business process
• Information viewed as self-describing and defending
• Policies work consistently through the defensive layers and technologies
• Policies and controls account for business context
• Benefactors
  – Customers
  – Vendors
  – Employees
  – SOA Partners

SOA and the RTO & RPO
Recovery Time Objective (RTO)
• Before SOA
  – RTO tied to individual mission critical applications and business processes
• With SOA
  – RTO expectation is changed
  – RTO is tied to overall SOA infrastructure
  – SOA enables deep integration, and fast response time
Recovery Point Objective (RPO)
• Before SOA
  – Recovery of IT infrastructure: hardware, software, and network components
• With SOA
  – SOA security is key to define the RPO
  – Redefine where the data resides
  – More redundancy of systems and data

SOA and the BIA Questionnaire
Business Recovery
• Before SOA
  – Functional business mapping
  – Map systems and networks to identify interviews
  – Overlay technology (applications, networks, etc.)
  – Overlay organization chart to understand the components affected by an incident/outage
• With SOA
  – Overlay Line of Business SOA configuration over the Organization charts
  – Map SOA infrastructure to the business functions to produce questionnaire
IT Recovery
• Before SOA
  – Inventory of systems
  – Interview with applications owners, network and system administrators
  – Focused on systems
  – Results based on internal view
• With SOA
  – Focused on value chain
  – Results based on interfaces
  – SOA Governance body or committee in addition to the above

Tips for applying SOA to BCP
• Establish senior management support
• Cross train BCP/SOA
  – First understand correlations then map partner links
• Review BCP plan with SOA Team
  – New Threat Landscape
  – Areas of Responsibilities
  – Emergency Contact information
  – Recovery Team composition
• Establish Review and Revision interval
• Review backup of SOA applications and data
• Exercise plans based on value chain

Summary
• SOA impacts recovery processes
  – Changes business flow changes RTO
  – Changes data flow changes RPO
  – Changes value chain changes BIA
• Enables further understanding of business
• SOA may simplify the value chain
  – Enables service foundations such as eTOM and ITIL
  – Enables Virtualization (Data and Application)
  – Simplifies Insourcing/Outsourcing
  – Enables Mergers, Acquisitions and Divestment