web services security - presentation
TRANSCRIPT
Web Services SecurityWeb Services SecurityBy: By:
Muhammad Jawaid ShamshadMuhammad Jawaid ShamshadMS/PhD (CS)MS/PhD (CS)
052210052210
Advisor: Advisor: Naeem JanjuaNaeem Janjua
AgendaAgenda► IntroductionIntroduction► Terms and ConceptsTerms and Concepts
Web ServicesWeb Services WSDLWSDL Discovering Web Services (UDDI, ebXML)Discovering Web Services (UDDI, ebXML)
► Need for SecurityNeed for Security► Goal of SecurityGoal of Security► Requirements for Web Service SecurityRequirements for Web Service Security► EASIEASI
EASI RequirementsEASI Requirements EASI FrameworkEASI Framework
► ConclusionConclusion► Literature SourcesLiterature Sources► Q & AQ & A
IntroductionIntroduction
►Web services provide fast and flexible Web services provide fast and flexible information sharing between people and information sharing between people and businesses.businesses.
►But along with the benefits, there is a But along with the benefits, there is a serious risk:serious risk: Sensitive and private data can be exposedSensitive and private data can be exposed
►How to secure web services?How to secure web services?
Terms and ConceptsTerms and Concepts
►Web ServiceWeb Service►SOAPSOAP►WSDLWSDL►Discovering Web ServiceDiscovering Web Service
UDDIUDDI ebXMLebXML
Web ServiceWeb Service
►DefinitionDefinition "Web services are software applications that "Web services are software applications that
can be discovered, described, and accessed can be discovered, described, and accessed based on XML and standard Web protocols based on XML and standard Web protocols over intranets, extranets, and the Internet“over intranets, extranets, and the Internet“
►Main focus is interoperabilityMain focus is interoperability►Uses SOAP protocol as syntax of message Uses SOAP protocol as syntax of message
and uses HTTP to transfer that messageand uses HTTP to transfer that message
SOAPSOAP►DefinitionDefinition
““Lightweight protocol for exchange of Lightweight protocol for exchange of information in a decentralized, distributed information in a decentralized, distributed environment“environment“
►Created by Microsoft, DevelopMentor, IBM, Created by Microsoft, DevelopMentor, IBM, Lotus, and Userland in 1999Lotus, and Userland in 1999
►XML-based protocolXML-based protocol►Web services transfers XML messages in Web services transfers XML messages in
SOAP format encapsulated in SOAP SOAP format encapsulated in SOAP envelopenvelop
SOAPSOAP
►SOAP header contains the meta information SOAP header contains the meta information and the body contains the actual message and the body contains the actual message in XML syntaxin XML syntax
WSDLWSDL► DefinitionDefinition
““An XML format for describing network services as a set An XML format for describing network services as a set of endpoints operating on messages containing either of endpoints operating on messages containing either document-oriented or procedure-oriented information“document-oriented or procedure-oriented information“
► Developed by IBM and Microsoft in 2000Developed by IBM and Microsoft in 2000► Contains information where the service is located, Contains information where the service is located,
what the service does, and how to invoke the what the service does, and how to invoke the serviceservice
► Application can look at the WSDL and dynamically Application can look at the WSDL and dynamically construct SOAP messagesconstruct SOAP messages
Discovering Web ServicesDiscovering Web Services
►How to search desired web service and How to search desired web service and communicate with itcommunicate with it Universal Description, Discovery, and Universal Description, Discovery, and
Integration (UDDI)Integration (UDDI) ebXML RegistriesebXML Registries
UDDIUDDI► Introduced by Ariba, Microsoft, and IBM in 2000Introduced by Ariba, Microsoft, and IBM in 2000► Not yet a standard but implemented by major Not yet a standard but implemented by major
vendors like Microsoft and IBMvendors like Microsoft and IBM► Information availableInformation available
white pages white pages of company contact information,of company contact information, yellow pages yellow pages that categorize businesses by standard that categorize businesses by standard
categorization, andcategorization, and green pages green pages that document the technical information that document the technical information
about web services, like WSDLabout web services, like WSDL
ebXMLebXML► A standard created by OASIS in 2001A standard created by OASIS in 2001► Provide a common way for businesses to quickly Provide a common way for businesses to quickly
and dynamically perform business transactions and dynamically perform business transactions based on common business practicesbased on common business practices
► Information availableInformation available Business processes and components described in XMLBusiness processes and components described in XML Capabilities of a trading partnerCapabilities of a trading partner Trading partner agreements between companiesTrading partner agreements between companies
Need for SecurityNeed for Security► E-commerce sites on the InternetE-commerce sites on the Internet .. These rely on These rely on
credit card authorization services from an outside credit card authorization services from an outside company. company.
► Cross-sell ing and customer relat ionship Cross-sell ing and customer relat ionship managementmanagement .. This relies on customer information being This relies on customer information being shared across many lines of business within an enterprise. shared across many lines of business within an enterprise.
► Supply chain managementSupply chain management .. This requires continuing This requires continuing communication among all of the suppliers in a communication among all of the suppliers in a manufacturing chain. The transactions describing the manufacturing chain. The transactions describing the supply chain that are exchanged among the enterprises supply chain that are exchanged among the enterprises contain highly proprietary data.contain highly proprietary data.
Goal of SecurityGoal of Security
►ConfidentialityConfidentiality► IntegrityIntegrity►AccountabilityAccountability►AvailabilityAvailability
Requirements for WS SecurityRequirements for WS Security
►AuthenticationAuthentication►AuthorizationAuthorization►CryptographyCryptography►AccountabilityAccountability►Security AdministrationSecurity Administration
EASIEASI►End-to-end Enterprise Application Security End-to-end Enterprise Application Security
IntegrationIntegration►Provides a common security framework to Provides a common security framework to
integrate many different security solutionsintegrate many different security solutions►Enables new security technologies in each Enables new security technologies in each
tier to be added without affecting the tier to be added without affecting the business applicationsbusiness applications
►Framework for distributed application Framework for distributed application security, not limited to web services.security, not limited to web services.
EASI RequirementsEASI Requirements► Perimeter security technologiesPerimeter security technologies .. Used between the Used between the
client and the server. Perimeter security enforces client and the server. Perimeter security enforces protection for customer, partner, and employee access to protection for customer, partner, and employee access to corporate resources. Perimeter security primarily protects corporate resources. Perimeter security primarily protects against external attackers, such as hackers.against external attackers, such as hackers.
► Mid-tier security technologiesMid-tier security technologies .. Used between the Used between the mid-tier business components. Mid-tier security focuses mid-tier business components. Mid-tier security focuses primarily on protecting against insider attacks, but also primarily on protecting against insider attacks, but also provides another layer of protection against external provides another layer of protection against external attackers.attackers.
► Back-off ice security technologiesBack-off ice security technologies .. Address the Address the protection of databases and operating- system-specific protection of databases and operating- system-specific back-end systems.back-end systems.
EASI FrameworkEASI Framework
►Specifies the interactions among the Specifies the interactions among the security services and application security services and application components that use those security components that use those security servicesservices.
►Possible to add new security technology solutions without making big changes.
►Supports “plug-ins” for new security technologies.
EASI Framework continued…EASI Framework continued…
►ApplicationsApplications Provides enterprise security services for Provides enterprise security services for
presentation components, business logic presentation components, business logic components, and the back officecomponents, and the back office.
Supports security mechanisms that enforce security on behalf of security aware and security unaware applications.
EASI Framework continued…EASI Framework continued…
►Security Aware ApplicationSecurity Aware Application Uses the security APIs to access and validate Uses the security APIs to access and validate
the security policies. the security policies. May directly access security functions that May directly access security functions that
enable the applications to perform additional enable the applications to perform additional security checkssecurity checks
EASI Framework continued…EASI Framework continued…
►Security Unaware ApplicationSecurity Unaware Application Does not explicitly call security servicesDoes not explicitly call security services Security is enforced by using interceptors. Interceptor transparently calls the underlying
security APIs on behalf of the application.
EASI Framework continued…EASI Framework continued…►Application Programming Interface
Standard Security API►Support for APIs is based on open standards or
industry de facto standards Custom Security API
►Implemented when needs cannot be met by existing standard APIs
Vendor Security API►May be used where open standards have not yet
been defined
EASI Framework continued…EASI Framework continued…
►Core Security Services Authentication Authorization Cryptography Accountability Security Administration
ConclusionConclusion► It is recommended that web services be designed It is recommended that web services be designed
according to the principles of a enterprise according to the principles of a enterprise application security architecture. application security architecture.
► However, it is sometimes desirable to build However, it is sometimes desirable to build services capable of referencing each other, which services capable of referencing each other, which may lead to a finer-grained, secure services may lead to a finer-grained, secure services design. design.
► When building a new service, it is worth When building a new service, it is worth considering carefully the pros and cons of all considering carefully the pros and cons of all design styles, which can result in a better design styles, which can result in a better integration solution for a targeted domain integration solution for a targeted domain
Literature SourcesLiterature Sources
►BooksBooks►Web SitesWeb Sites►ACM digital libraryACM digital library► IEEE digital libraryIEEE digital library► IEEE ExploreIEEE Explore►PublicationsPublications
Q & AQ & A