Slide 1
Copyright © 2005 SOA Software, Inc. All Rights Reserved. Specifications Subject to Change Without Notice.
Overcoming the SOA Network Fallacy
Roberto Medrano, Executive Vice President

Slide 2 (February 15, 2014): SOA Transcends the Network
If you listen to SOA advocates, you might get the idea that a Service-Oriented Architecture transcends the network:
  – Web services consumers and providers have a logical relationship to one another: to the consumer, the Web Service is a URL, which could be anywhere, on any network segment
  – One of the major advantages of SOA as an architectural paradigm is the concept of network transparency: to work, an SOA does not need any specific network configuration. The Web can be your new corporate network
In other words, when you're thinking SOA, forget the network. The network doesn't matter…

Slide 3: The SOA Network Fallacy
Don't get lulled into a false sense of network irrelevancy.
- Based on the ideas of network transparency and the logical relationship between consumer and provider, some people in the EA field (sometimes SOA vendors) conclude that the network does not matter in an SOA. This is exactly wrong. We call this the SOA Network Fallacy.
- In an SOA, the network is perhaps more important than in any earlier EA paradigm:
  – Web Services are network-based application components (consumers, providers)
  – Discovery of Web Services happens through the network: UDDI/registries are network-based
  – Movement of SOAP messages and WSDL documents over the network
  – Security and governance for Web Services rely on network transports: movement of SAML tokens, PKI, etc. across the network
- SOA relies on the network. Period.

Slide 4: Getting into it: SOA Deployments
[Diagram: deployment topologies (Data Centers, Distributed Enterprise/Branch, Campus, Extended Enterprise) connected over an IP network, a converged IP network, or a private WAN/VPN, linking SOA Apps to SOA Consumers: customers, teleworkers, road warriors, partners]

Slide 5: General Security Characteristics of Web Services and SOA

Slide 6: SOA security risks - Enterprise
- Monolithic applications used perimeter security
- Componentization (separating data, business logic and presentation layers) increases the number of potential attack points

Slide 7: Security/compliance Related Characteristics of Web Services
- Web services (often) use Web protocols, i.e. a Web service invocation is an RPC that goes through Port 80
  – Security issues:
    - Critical and/or confidential software functions may be exposed to unauthorized access
    - Existing perimeter controls may not be effective to prevent unauthorized access
    - Integrity/confidentiality of data exposed as Web services may be at risk
- Web services use XML, which is open and text-based
  – Security issues:
    - Eavesdropping
    - Lack of confidentiality
    - Malicious modification of messages in transit
    - Accidental or malicious disclosure of sensitive information
- Web services are machine to machine, i.e. the user (consumer) of a Web service is another application
  – Security issues:
    - Access management
    - Identity management
- Web services lead to new application structures and development processes
  – Composite applications
  – Service bus
  – Increased and faster-paced inter-company and inter-divisional development projects
  – Security issues:
    - SDLC and change management
    - Governance

Slide 8: More issues with Web Services and SOA security
- Authentication
  – Asserting and verifying the identity of all the parties involved: original requester, requesting application, intermediary(s), service provider
- Authorization
  – Determining if the requesting party(s) is/are authorized to access the requested resource (service/operation)
  – Determining if the authorization is valid for this transaction (date/time, number of requests, etc.)
- Auditing
  – Provide a record of who did what and when they did it
- Privacy
  – Ensure that messages are safe from eavesdropping
- Non-repudiation
  – Ensure that senders cannot deny sending, and receivers cannot deny receiving, messages

Slide 9: The Importance of SOA Infrastructure

Slide 10: SOA Infrastructure
SOA Infrastructure: the complete set of tools and processes to assure security, management, mediation, and governance of Web services in an enterprise environment

Slide 11: SOA Infrastructure Reference Model
- SOA Infrastructure provides core infrastructure services to the SOA and XML applications and messaging layer
- Service providers, consumers, and enterprise service bus platforms, along with other service proxies, leverage these infrastructure services either directly or via delegates and agents
- Infrastructure services include:
  – Management Application: implements management standards like WS-DM to provide central performance and health monitoring and reporting capabilities
  – Security Service: implements standards like WS-Trust and XACML as well as common PKI features
  – Registry: UDDI services for core service discovery
  – Metadata Repository: serves policies, WSDLs, schemas, virtual service definitions and many other key metadata items

Slide 12: SOA Infrastructure Reference Model
SOA Infrastructure as an enabler of risk mitigation countermeasures:
  – Intermediaries between Web service consumers and providers
  – Centralized repository of policy metadata
  – Dynamic definition, implementation and enforcement of policy for consumers, providers, and intermediaries
  – Future-proofs SOA against vulnerabilities caused by changes as services evolve through the SDLC

Slide 13: Secure Services
- Ensure the security of services
  – Authentication: SAML, Kerberos, X.509, Basic Auth, HTTPS
  – Authorization
  – Privacy (XML-Encryption)
  – Non-repudiation (XML-Signature)
  – Audit
- Ensure that consumers can comply with required security policies

Slide 14: Infrastructure Security Services
- Security Token Server
  – Authentication
  – Token Exchange, e.g. HTTP cookie for SAML assertion
  – Federation Standards: WS-Trust, WS-Federation
- Authorization Services
  – Who can access which parts of a service
  – XACML
  – Delegate to existing access management solutions: SiteMinder, TAM, Oblix, etc.
- PKI Services
  – Key pair generation
  – Certificate Management
  – Key distribution

Slide 15: Key Web Services security standards
- WS-Security: security token enveloping
- SAML: authentication (and authorization)
- XML-Encryption: XML element privacy
- XML-DigitalSignature: XML element signing
- WS-Policy: asserting policies for services and operations
- WS-Trust: building trust relationships and executing trust transactions
- WS-Federation: formal federated identity services

Slide 16: What is Security Policy?
- Start with a registry
  – Service publishing
  – Service discovery
  – A system of record for information about services
- Add a repository
  – Store and manage metadata about the services in the registry
  – Define and manage policies for security, management, reliability, routing, etc.
  – Reference these policies in the service entries
- Repository objects can be shared by multiple registry entries (services)
  – Change a policy once, affect many services
  – Central management of policy
- At runtime, providers and consumers can leverage the policy management infrastructure
  – Agents discover and enforce policies
  – Delegates discover and implement policies to ensure true loose coupling

Slide 17: SOA Infrastructure Solutions
- SOA Infrastructure includes Governance, Management and Security linked together through SOA Policy Management
- Governance offers no value without a runtime solution to enforce policies and feed back metrics and compliance data
- Runtime solutions (security and management) offer minimal value without central policy control and value-added service governance capabilities

Slide 18: Standards-based Closed-loop SOA Infrastructure
- Closed loop means:
  – Defining and managing actionable policies in a governance solution at design-time
  – Enforcing these policies via deep integration with a management solution at run-time
  – Auditing that these policies are being enforced
  – Using industry standards (WS-Policy, WS-MEX) where appropriate for information exchange
- Closed loop infrastructure enables demand and value management
  – Collect performance, usage and exception statistics at run-time
  – Track these statistics via the governance solution
  – Use live, audited information to drive value-based decisions about the effectiveness of different services and organizations
  – Provide developers with up-to-the-minute information about a service at runtime to inform their decisions about which services to use
  – Manage supply and demand to ensure maximum efficiency and benefit from SOA

Slide 19: SOA Infrastructure – Policy Management Use Cases
- Plan, analyze, design, implement, test, change, and retire design and runtime policies for services
  – Define and manage validation and conformance policies for service design and registration
  – Define and manage security, routing, reliability, mediation, and other runtime policies
  – NOTE: Without deep integration with an SOA management solution, these policies will be informational only, and will not be enforced
  – Define policies for services across all popular types of service containers including Java and .NET app servers, ESBs, mainframes, and packaged applications
- Ensure that policies are being effectively enforced with a comprehensive metric collection model
  – Capture performance and usage metrics according to policies
  – Statistically and algorithmically capture comprehensive message data
  – Track and manage security and other policy exceptions
- Compare and reconcile collected metrics with policies for audit purposes

Slide 20: SOA Infrastructure – Security Use Cases
- Enforce policies managed by a centralized governance solution
  – Consistent policy enforcement for all popular service containers including Java and .NET app servers, ESBs, mainframes, and packaged applications
  – Enforce and mediate policies in the network
- Ensure the end-to-end security (authentication (Au), authorization (Az), privacy, audit, non-repudiation) of Web services messages
- Create, manage and distribute public/private key pairs through the SOA
- Decouple the security model from the development process
  – Allow developers to focus on their business logic and interfaces, allowing the infrastructure to implement and enforce security, reliability, and messaging policies
- Ensure the interoperability of Web services clients and service providers
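As an added illustration of slides 16 and 20 (example code written for this page, not code from the presentation or from SOA Software), here is a minimal agent-side check in Python: a registry entry references a named policy in a repository, and the agent applies that policy to the WS-Security header of an incoming SOAP request before authorizing the requested operation. The service name, policy names, subjects and operations are constructed; validating the token itself (signature, lifetime) is assumed to happen before this step.

```python
import xml.etree.ElementTree as ET

# Namespaces of SOAP 1.1, WS-Security 1.0 (wsse) and SAML 1.x, in ElementTree's {uri} form.
SOAP = "{http://schemas.xmlsoap.org/soap/envelope/}"
WSSE = "{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}"
SAML = "{urn:oasis:names:tc:SAML:1.0:assertion}"

# Constructed policy repository: each named policy states the token type it requires.
POLICIES = {"saml-auth": {"token": "saml"}, "username-auth": {"token": "username"}}

# Constructed registry entry: the service references a policy by name (change the
# policy once, every referencing service follows) plus an operation -> subjects table.
REGISTRY = {"OrderService": {"policy": "saml-auth",
                             "authz": {"getOrder": {"alice", "bob"}, "cancelOrder": {"alice"}}}}

def extract_subject(header, token_kind):
    """Return the subject named by the required token in wsse:Security, or None."""
    security = header.find(WSSE + "Security") if header is not None else None
    if security is None:
        return None
    if token_kind == "saml":
        assertion = security.find(SAML + "Assertion")
        name = assertion.find(".//" + SAML + "NameIdentifier") if assertion is not None else None
    else:
        name = security.find(WSSE + "UsernameToken/" + WSSE + "Username")
    return name.text.strip() if name is not None and name.text else None

def enforce(envelope_xml, service_name):
    """Agent-side check of one request against the service's referenced policy.
    Returns (allowed, reason). Token validation (signature, lifetime) is assumed
    to have been done before this step."""
    entry = REGISTRY[service_name]
    required = POLICIES[entry["policy"]]["token"]
    root = ET.fromstring(envelope_xml)
    body = root.find(SOAP + "Body")
    if body is None or len(body) == 0:
        return False, "no operation element in Body"
    operation = body[0].tag.rsplit("}", 1)[-1]   # strip the namespace
    subject = extract_subject(root.find(SOAP + "Header"), required)
    if subject is None:
        return False, f"policy requires a {required} token"
    if subject not in entry["authz"].get(operation, set()):
        return False, f"{subject} is not authorized for {operation}"
    return True, f"{subject} authorized for {operation}"

def make_envelope(subject, operation, token_kind):
    """Constructed sample request carrying one (unsigned) security token."""
    if token_kind == "saml":
        token = (f"<saml:Assertion><saml:Subject><saml:NameIdentifier>{subject}"
                 "</saml:NameIdentifier></saml:Subject></saml:Assertion>")
    else:
        token = f"<wsse:UsernameToken><wsse:Username>{subject}</wsse:Username></wsse:UsernameToken>"
    return (f'<s:Envelope xmlns:s="{SOAP[1:-1]}" xmlns:wsse="{WSSE[1:-1]}" xmlns:saml="{SAML[1:-1]}">'
            f"<s:Header><wsse:Security>{token}</wsse:Security></s:Header>"
            f'<s:Body><{operation} xmlns="urn:example:orders"/></s:Body></s:Envelope>')
```

Switching OrderService to reference "username-auth" in the repository changes what the agent demands from every caller without touching the service code, which is the decoupling slide 20 describes.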

Slide 21: Policy-based SOA Infrastructure

Slide 22: SOA and Impact on the Network
[Diagram: SOA applications (SOAP, XML, WS-*, etc.) place requirements on the network around scalability, performance, security, and load balancing & failover]

Slide 23: SOA and the Network: Security
- Network related risks
  – Access control risk
  – Endpoint integrity risks
- App related risks
  – Data integrity risks: SOAP messages modified in transit; data changed or deleted by unauthorized access to databases fronted by Web Services (XML injection)
  – Data confidentiality risks: eavesdropping, improper access
  – Data availability risks: denial of service through XML exploits (endless strings, XML logic bombs)
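To make the availability risks on this slide concrete, here is an added example (written for this page, not from the presentation) of how an XML firewall or intermediary can reject the XML DoS patterns named here before anything is expanded, using the expat parser in Python's standard library: any DOCTYPE is refused (SOAP 1.1 forbids DTDs in messages, and entity expansion is where the "logic bomb" lives), nesting depth is capped, and text runs are capped against "endless strings". The limits and the sample messages are constructed.

```python
import xml.parsers.expat as expat

# Constructed limits; a real intermediary would take these from its policy repository.
MAX_BYTES = 1_000_000    # whole-message size
MAX_DEPTH = 64           # element nesting
MAX_TEXT = 100_000       # characters of text inside one element

class UnsafeXML(Exception):
    """Raised when a message matches an XML denial-of-service pattern."""

def parse_guarded(data, max_bytes=MAX_BYTES, max_depth=MAX_DEPTH, max_text=MAX_TEXT):
    """Stream-parse with expat, rejecting XML DoS constructs before anything is expanded:
    any DOCTYPE (SOAP 1.1 forbids DTDs, and entity expansion is where the 'logic bomb'
    lives), nesting deeper than max_depth, 'endless strings' longer than max_text.
    Returns the number of elements seen."""
    if len(data) > max_bytes:
        raise UnsafeXML(f"{len(data)} bytes exceeds the limit of {max_bytes}")
    state = {"elements": 0, "depth": 0, "text": 0}
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML(f"DOCTYPE {name!r} rejected: DTDs are not allowed in SOAP")

    def on_start(tag, attrs):
        state["elements"] += 1
        state["depth"] += 1
        state["text"] = 0                  # text budget restarts at each element
        if state["depth"] > max_depth:
            raise UnsafeXML(f"nesting deeper than {max_depth} at <{tag}>")

    def on_text(chunk):                    # expat may deliver one run in pieces
        state["text"] += len(chunk)
        if state["text"] > max_text:
            raise UnsafeXML(f"text run longer than {max_text} characters")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.EndElementHandler = lambda tag: state.update(depth=state["depth"] - 1)
    parser.CharacterDataHandler = on_text
    parser.Parse(data, True)
    return state["elements"]

def rejected(data, **limits):
    """True if parse_guarded refuses the message, False if it parses cleanly."""
    try:
        parse_guarded(data, **limits)
        return False
    except UnsafeXML:
        return True

# Constructed sample messages: a benign request and a tiny entity-expansion bomb.
BENIGN = (b'<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
          b'<getOrder xmlns="urn:example:orders"><id>42</id></getOrder></s:Body></s:Envelope>')
BOMB = (b'<?xml version="1.0"?><!DOCTYPE x [<!ENTITY a "aaaaaaaaaa">'
        b'<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">]><x>&b;</x>')
```

Because the DOCTYPE handler fires before any entity is expanded, the cost of rejecting a bomb is bounded by the bytes read up to that point, not by the expanded size.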

Slide 24: Load balancing and failover
- Unpredictable load characteristics of SOA application traffic
  – Server side load balancing
  – Network scalability
- SOA apps are 24*7
  – High availability of network infrastructure is a fundamental assumption
- How do I ensure that my SOA apps are always available?

Slide 25: Scalability
- SOA can dramatically increase the volume of network traffic (peaks and valleys)
- Packet sizes vary (small to large): text-based protocols
- How can/should you optimally engineer the network without adding substantial cost?

Slide 26: Real time responsiveness & performance
- SOA apps are built with LAN-like performance as an assumption
- Composite apps (different modules from different systems working together to deliver on a business process) increase the performance demands on the network
- Delays and packet loss can cause time-outs of SOA apps: poor end user experience
- Network managers need to support SLAs as SOA-based apps get deployed
- How to manage network performance without too much cost?

Slide 27: Checking in
- Do you still think the network is irrelevant to SOA?
- How can you develop an SOA solution approach that makes the network a strategic asset that innovates businesses and business processes?
- How can you deliver strategic and tactical business results without requiring unreasonable infrastructure trade-offs?
- Best Practice: implement critical network elements with an SOA Governance oriented approach
- Think: business speed and responsiveness, business safety, business flexibility

Slide 28: Solving the SOA Network Challenges
You can build network reliability and security into your SOA by merging best practices of SOA Governance and infrastructure with a best-of-breed approach to network infrastructure.
- SOA and network infrastructure working in harmony
  – Use SOA Infrastructure management tools to estimate SOA load and harmonize/optimize consumer and provider connections on the network
  – Understand where mediation is necessary between incompatible links in the network that supports your SOA: ESB mediation, transport protocol transformation, routing paths
  – Provide for version control, failover, and load balancing as an SOA management issue, and integrate with the underlying network infrastructure: you need both to succeed
- Selecting the right SOA infrastructure and network solutions
  – Understand where you need an XML firewall
  – Work with your network solution provider to optimize network performance characteristics for SOA
  – Work with your network solution provider to resolve potential security issues at the network level
- Embedding network aspects of the SOA into SOA Governance
  – Web Service governance policy metadata can include network parameters
  – Centralized SOA governance can provide SOA network management capabilities
  – Work toward a closed loop of SOA Governance that enforces governance policies defined at design time; in that way, there is reduced risk of lapses in governance policy enforcement for Web services that are live on the network at runtime