Presentation is loading. Please wait.

Presentation is loading. Please wait.

Unissons nos Talents T O G E T H E RT A L E N T E D 1 Web Services Security – Challenges & Trends Magan Pal Singh Technical Architect, Sopra Group

Published byAlize Maltman Modified over 9 years ago

Similar presentations

Presentation on theme: "Unissons nos Talents T O G E T H E RT A L E N T E D 1 Web Services Security – Challenges & Trends Magan Pal Singh Technical Architect, Sopra Group"— Presentation transcript:

1 Unissons nos Talents T O G E T H E RT A L E N T E D 1 Web Services Security – Challenges & Trends Magan Pal Singh Technical Architect, Sopra Group mpsingh@in.sopragroup.commpsingh@in.sopragroup.com - www.sopragroup.com +91 120 4056100

2 2 Agenda Web Services Introduction Web Services Security Elements Web Services Security Dimensions Web Services Security Standards Threats Facing Web Services Threats Mitigation

3 3 Web Services Introduction Increasingly becoming SOA implementation of choice Distributed stand alone services Platform independence Heterogeneous environments and technologies Spread across geographies Publicly published interfaces – Service Contract Discoverable universally – UDDI Rate Service Loan Service UDDI 1 2 3

4 4 Web Services Introduction Web services Messaging – SOAP Web Portal Loan Service Rate ServiceCredit Service 1 2 3 4 5 6 End User

5 5 Web Services Introduction Web Services Coordination Orchestration – Within the Organization (BPEL) Choreography – Between Organizations Loan Service Credit Service Credit Bureau Service Rate Service Internal Rate Service1 Internal Rate Service2 Internal Rate Service3 Federal Rate Service

6 6 Web Services Security Elements Applications must be secure and reliable to truly meet SOA goals Web Services rely on HTTP and common web based architecture Key security elements are: Identification and Authentication Verification of Identity of the requestor service Authorization Ascertaining the authority of the requestor service to access the resources Integrity Ensuring that un-authorized alterations do not happen to the data, while in transit, processing or storage Non-repudiation The provider is able to ascertain the identity of the requestor and gets the proof of the delivery from requestor Confidentiality Preserving authorized access and disclosure of sensitive information; e.g. personal or proprietary information Privacy Restricting the resources access in accordance to the organization policy or Federal laws

7 7 Web Services Security Dimensions Security dimensions encompass the security elements Each dimension affects a different layer of web service Five Security Dimensions Secure Messaging SOAP messages traversing over networks are not viewed/ modified by attackers Protecting Resources Ensure that individual web service is adequately protected through appropriate identification, authentication and access control mechanism Negotiation of Contracts Web services should be capable of negotiating the business contracts as well as QoP and QoS Trust Relationships Entities involved in a business transaction must trust each other Security Properties Ensure effective enforcement of service policy, security policy and availability of services

8 8 Web Services Security Standards DimensionRequirementSpecifications Messaging Confidentiality & IntegrityWS-Security SSL/ TLS AuthenticationWS Security Tokens SSL/TLS X.509 Certificates Resource AuthorizationXACML XrML RBAC, ABAC PrivacyEPAL XACML AccountabilityNone Negotiation RegistriesUDDI ebXML Semantic DiscoverySWSA OWL-S Business ContractebXML

9 9 Web Services Security Standards DimensionRequirementSpecifications Trust EstablishmentWS-Trust XKMS X.509 Trust ProxyingSAML WS-Trust FederationWS-Federation Liberty IDFF Shibboleth Security Properties PolicyWS-Policy Security PolicyWS-SecurityPolicy ReliabilityWS-ReliableMessaging WS-Reliability

10 10 Threats Facing Web Services Message Alteration Un-authorized insertion/ deletion/ modification of information in message in transit to deceive the receiver Loss of Confidentiality Un-authorized discloser of message information to un-intended recipient Falsified Messages Fictitious messages that are intended to make the receiver to believe are sent by valid sender Man in the Middle Un-authorized interception and forwarding of message to third party Principal Spoofing Malicious message that is constructed with credentials that appear to be from a different, authorized principal Forged Claims Message created with false credentials that appear to be valid to the receiver Replay of Messages Attacker resends a previously sent message Replay of Message Parts Attacker includes part of previously sent message(s) in a new message Denial of Service Attacker causes the system to expand its resources disproportionately so that valid requests can not be honored

11 11 Threats Mitigation W3C XML Encryption Used to encrypt and provide confidentiality of part or all of SOAP message W3C XML Signature Used to digitally sign the SOAP message and provide message integrity and senders authentication WS Security Tokens Used to include senders credentials to aid the receiver to authenticate the sender User Name/ Password OASIS SAML Assertion IETF X.509 certificate ISO Rights Expression Language W3C WS-Addressing IDs Allows message sender to supply a unique identifier for each message IETF SSL/TLS Secures HTTP protocol that is used to exchange SOAP messages SSL/TLS with client authentication Both sender and receiver should authenticate each other before securing HTTP protocol IETF HTTP authentication Allows user name and password or password digest to be sent as part of HTTP header

12 12 Threats Mitigation Threats Addressed By Current Web Services Standards Message AlterationLoss of ConfidentialityFalsified MessageMan in the MiddlePrincipal SpoofingForged ClaimsReplay of Message PartReplay of MessageDenial of Service XML EncryptionXXXXX XML SignatureXXXXXX WS-Security TokensXXX WS-AddressingX SSL/ TLSXXX*X X SSL/ TLS with Client CertificatesXXXXXXX HTTP AuthenticationXXX

13 13 Conclusions Variety of specifications and standards available – Mostly developed by individual/ group of organizations Specifications contradict to each other Certain areas of concern, like Contract Negotiation and Trust Management etc, are still not addressed fairly Web Services standards organizations like OASIS and W3C are working to standardize the specifications Coordinated effort and research is needed to define commonly acceptable specifications and to provide their implementations

14 14 Q & A

15 15 Thank You

Download ppt "Unissons nos Talents T O G E T H E RT A L E N T E D 1 Web Services Security – Challenges & Trends Magan Pal Singh Technical Architect, Sopra Group"

Similar presentations

Web Service Security CS409 Application Services Even Semester 2007.

Web Service Security CS409 Application Services Even Semester 2007.
Integration Considerations Greg Thompson April 20 th, 2006 Copyright © 2006, Credentica Inc. All Rights Reserved.

Integration Considerations Greg Thompson April 20 th, 2006 Copyright © 2006, Credentica Inc. All Rights Reserved.
0 Web Service Security JongSu Bae. 1  Introduction 2. Web Service Security 3. Web Service Security Mechanism 4. Tool Support 5. Q&A  Contents.

0 Web Service Security JongSu Bae. 1  Introduction 2. Web Service Security 3. Web Service Security Mechanism 4. Tool Support 5. Q&A  Contents.
1 Computer Security Instructor: Dr. Bo Sun. 2 Course Objectives Understand basic issues, concepts, principles, and mechanisms in computer network security.

1 Computer Security Instructor: Dr. Bo Sun. 2 Course Objectives Understand basic issues, concepts, principles, and mechanisms in computer network security.
Identity Management Based on P3P Authors: Oliver Berthold and Marit Kohntopp P3P = Platform for Privacy Preferences Project.

Identity Management Based on P3P Authors: Oliver Berthold and Marit Kohntopp P3P = Platform for Privacy Preferences Project.
Authentication & Kerberos

Authentication & Kerberos
SOA and Web Services. SOA Architecture Explaination Transport protocols - communicate between a service and a requester. Messaging layer - enables the.

SOA and Web Services. SOA Architecture Explaination Transport protocols - communicate between a service and a requester. Messaging layer - enables the.
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Web Services and the Semantic Web: Open Discussion Session Diana Geangalau Ryan Layfield.

Web Services and the Semantic Web: Open Discussion Session Diana Geangalau Ryan Layfield.
WS-Security TC Christopher Kaler Kelvin Lawrence.

WS-Security TC Christopher Kaler Kelvin Lawrence.
T-110.5140 Network Application Frameworks and XML Service Federation 30.04.2007 Sasu Tarkoma.

T Network Application Frameworks and XML Service Federation Sasu Tarkoma.
Core Web Service Security Patterns

Core Web Service Security Patterns
Web Services Security Multimedia Information Engineering Lab. Yoon-Sik Yoo.

Web Services Security Multimedia Information Engineering Lab. Yoon-Sik Yoo.
Applied Cryptography for Network Security

Applied Cryptography for Network Security
Web services security I

Web services security I
Prashanth Kumar Muthoju

Prashanth Kumar Muthoju
Review security basic concepts IT 352 : Lecture 2- part1 Najwa AlGhamdi, MSc – 2012 /1433.

Review security basic concepts IT 352 : Lecture 2- part1 Najwa AlGhamdi, MSc – 2012 /1433.
Web Service Standards, Security & Management Chris Peiris www.ChrisPeiris.com.

Web Service Standards, Security & Management Chris Peiris
Ganesh Kirti Roger Sullivan Oracle Corporation “This presentation is for informational purposes only and may not be incorporated into a contract or agreement.”

Ganesh Kirti Roger Sullivan Oracle Corporation “This presentation is for informational purposes only and may not be incorporated into a contract or agreement.”

Similar presentations

Ads by Google