SOA Security Challenges, Patterns and Solutions Click to edit Master title style Martin Borrett Lead Security Architect Technical Staff Member NE Europe IBM SWG.
Download ReportTranscript SOA Security Challenges, Patterns and Solutions Click to edit Master title style Martin Borrett Lead Security Architect Technical Staff Member NE Europe IBM SWG.
SOA Security Challenges, Patterns and Solutions Click to edit Master title style Martin Borrett Lead Security Architect Technical Staff Member NE Europe IBM SWG What is different now? Trends Increased focus on compliance and governance Service oriented architecture Web 2.0 and collaboration models User centric identity Trusted identity Implications Porous perimeter with trust extending beyond traditional ‘boundaries’ Composite applications and business process transformation challenge traditional approaches to define and manage security policies Empowering users to make selection – sharing of identity info, who they trust,.. Need to factor in reputation, trust models, and information leakage New identity and access management challenges Composite application and mash-ups adoption Compliance driving a need for closed-loop solution Need consistent enforcement of policies Requires enterprise to ensure consistent and integration identity management, access control and data security Need unified identity & access management with delegation & change control Audit accountability needs to relate activities to ‘end users’ not just ids or systems Deployment of heterogeneous IT infrastructures creates costly islands of security administration Mature standards exist today (WS-Policy, WS-Trust, XACML) Need common, pluggable framework (authentication, authorization) Architectural principles Consistent policy enforcement (Runtime)* Externalization of policies from applications Security as a service - Service orientation Federation through mediation Flexibility to deal with change Does not mean applications need to be re-written, necessarily Consistent policy management (Administration) –* note: enforcement in this context is inclusive of decision points Interoperability and integration Open approach – open standards and open source Consistent runtime enforcement - Example Proxy/ Intermediary Firewall Client System (browser, rich client) Firewall Enterprise Information System Web Application Server/Portal Server Centralized Security Services ‘Security as a Service’ Existing Application Challenge: How to apply policy consistently? The corporate policy is to protect disclosure of social security numbers Message encryption policy Integration Architect Security Officer Compliance Officer Service Service policy Registry Corporate Intranet Service Manage and enforce the policies IT Operations Operations Console Should I code entitlements into the application Developer Policies and configurations are currently specific to the various products, with tool-specific definitions. How do you check compliance across all of them? Solution Pattern - Components & Interaction For Policy Administration, Decision and Enforcement 1 Discovery Policy Administration Point Publish (PAP) 3 Policy Enforcement Point (PEP) 7 4 Policy Information Point (PIP ) 2 Policy decision Policy Decision Point (PDP) Information Message Security Policy for Authentication & Identity Propagation What assertions are needed? What is the trust policy? How to secure messages for integrity & confidentiality? How to authenticate, validate and transform identity claims/tokens across boundaries z42 Jon Client System (browser, rich client) Firewall Applications need end user’s identity for controlling access and compliance Identity information needs to be mediated for access Authentication service Firewall Proxy/ Intermediary Web Application Server/Portal Server Enterprise Information System Existing Application <Jdoe_token> [email protected] [email protected] WS-Trust Authentication Services Mapped to z42 IT Security Runtime Services Identity Services What identity token? Trust policy? Policy Enforcement Message confidentiality & integrity policies What to sign? Encrypt? Authorization Policy for Access & Entitlements Access decisions to take following into considerations Identity context. resource context, Request context Need an efficient way to externalize access control out of application logic Authorization service Centralized decision point for access and entitlements Enterprise Information System Can Jon access apps Obtain identity information, attributes to make decisions Proxy/ Intermediary Firewall Client System (browser, rich client) Firewall Jon Web Application Server/Portal Server Existing Application Can Jon access finance apps Authorization Services Identity Services Can Jon access Alice’s investment record, given Jon is Alice’s financial advisor? IT Security Runtime Services Access Decisions; Entitlements; Use claims Policy Enforcement Security Policy Management Multiple heterogeneous enforcement points Potential inconsistency in managing policies and configuration across those Unified security policy management Federate policies to enforcement points (including decision points/services) Canonical form of policy expressions – and local transformations as necessary Manage authorization policies & entitlements Manage trust relationships across domains Service Registry Trust policies Identity policies Author Transform Enforce Canonical form (e.g., WS-SecurityPolicy, XACML) Policy lifecycle Monitor Local transformation Firewall Firewall Proxy/ Intermediary Policy management Canonical form (e.g., WS-SecurityPolicy, XACML) Local transformation Client System (browser, rich client) Authorization policies Web Application Server/Portal Server Local transformation Existing Application Enterprise Information System Logical Architecture Business Security Services Compliance & Reporting Data Protection, Privacy & Disclosure Control Identity & Access Trust Management Author Transform Authentication Services Proxy/ Intermediary Local transformation Firewall Firewall Policy lifecycle Monitor Canonical form (e.g., WS-SecurityPolicy, XACML) Local transformation Identity Services Secure Systems & Networks Enforce Canonical form (e.g., WS-SecurityPolicy, XACML) Client System (browser, rich client) Non-repudiation Services Web Application Server/Portal Server IT Security Runtime Services Authorization & Privacy Services Confidentiality & Integrity Services Local transformation Existing Application Audit Services Non-repudiation Services Enterprise Information System … and Interoperability & integration with open standards Service interfaces Policy expressions WS* - WS-Trust, XACML Java – Declarative model in J2EE; programming APIs through Java Authentication and Authorization service (JAAS), Java Authorization Contract for Containers (JACC) Collaborators on open standards Authorization policies - XACML Message protection policies – e.g., WS-SecurityPolicy Programming model Token exchange and authorization - WS-Trust Identity service – IdAS (open source effort in progress - Project Higgins @ Eclipse) Microsoft, Oracle, SAP, Sun, and others Open source – Project Higgins at Eclipse.org IBM Product Capability Tivoli Federated Identity Manager Identity transformation/propagation Token Attributes Tivoli Security Policy Manager Author, administer, transform and distribute security policies