SOA-39: Securing Your SOA: Mitigating Security Risks of a De-coupled Infrastructure
Francois Martel, Principal Solution Engineer

© 2008 Progress Software Corporation

Agenda
- The Fundamental Shift
- SOA Security Challenges
- The Standards
- The Progress® Security Solution

SOA Security – The Fundamental Shift
In traditional applications the backend is dedicated to a single application, and that application is what provides the security.

SOA Security – The Fundamental Shift: Application Silo Security
- Single (simple) security model
- Security policies apply to the application only
- Trustworthiness is not an issue: the backend only ever talks to its one application
- Security decisions have local impact only
- Hard-coded security is common
- Security context is commonly sent in the clear

SOA Security – The Fundamental Shift
In SOA the backend is exposed as services that are shared across applications.

SOA Security – The Fundamental Shift: SOA Business Processes Span Applications
- Developers can't account for all interactions
- Security cannot be hard-coded into applications
- Security policies must apply to entire processes, not to single applications
- Sensitive information may not be intended for all parties consuming the same service
- The typical transport protocol is HTTP(S), which most firewalls allow through, so the network perimeter no longer filters service traffic

SOA Security – Challenges
(Diagram: the functional aspects of security covered on the following slides: trust, authenticity, integrity, control and interoperability.)

SOA Security – TRUST
Trust in a SOA
- Traditional: there is typically a concept of a trusted computing base (TCB). The TCB provides the mechanisms for enforcing the security policy that protects resources in a controlled environment.
- SOA: there is no longer a security perimeter. Application functions are abstracted and location-independent, so a service cannot tell from where a request originated. This open environment makes it difficult to distinguish legitimate requests from malicious ones.
(Diagram: a service provider asking "Who do I trust?")

SOA Security – AUTHENTICITY
Authenticity (Authentication) for SOA
- Traditional applications: no matter how the user authenticates to the application, the onus of validating and authorizing the user typically falls on the application, regardless of what the application uses to do access control.
- SOA: services are accessed on behalf of users, so a service sees the calling application rather than the end user unless the user's identity is propagated with the request. Service developers don't know all the different contexts in which their services will be used.
(Diagram: an application calling a service provider, which asks "Who is this data for?")

SOA Security – INTEGRITY
Data Integrity/Confidentiality Strategy for SOA
- Traditional: transport layer security (SSL/TLS) is used for secure communication between two points.
- SOA: SSL everywhere is not practical. Message data is relayed from service to service, and TLS only protects each hop: it terminates at every intermediary, which then holds the whole message in the clear. Some data is intended for services further down the chain, and the integrity of relayed data is questionable because nothing binds it to the original sender. Did the user really send this data?

SOA Security – CONTROL
Control Procedures for SOA
- Traditional: controls are tightly coupled to applications and thus can be managed directly from the application itself.
- SOA: need the ability to centrally and consistently enforce and audit policy and procedures across disparate applications.

SOA Security – INTEROPERABILITY
Interoperability in a SOA
- Traditional: as interoperability between applications was itself not guaranteed, interoperability of security implementations was not a topic of great interest; most applications could handle it on a one-to-one basis.
- SOA: must support multiple security mechanisms, because there is little control over who the service consumers are.

SOA Security – Challenges Summary
- Authenticity (Access Control)
  - Services are accessed on behalf of users: user identity must be propagated
  - Service consumers are not homogeneous: different credential types must be supported
- Integrity / Privacy: data is relayed from service to service
  - Some data must be passed along but should only be readable by specific backend services: encrypt part of the message
  - Some data has to be passed in the clear but its origin verified: sign part of the message
- Controls and Interoperability
  - Harder to manage as the number of applications involved in a process increases
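The integrity slide asks "Did the user really send this data?" and the summary above gives the two message-level answers: encrypt the part only the backend may read, sign the part whose origin must be verifiable. The Go program below is an added example, not code from the presentation or from Progress; it models the three-party chain consumer -> intermediary -> backend. The account number is RSA-OAEP encrypted to the backend, the consumer signs the whole body (ciphertext included) with ECDSA, and the intermediary appends routing data outside the signed part. It goes one step beyond the slide in also showing that a hop which rewrites a signed field is caught by the backend. All names (SignedPart, Message, build, relay, receive, Scenario) and the constructed sample request are the example's own; JSON with a fixed field order stands in for the XML canonicalization and XML Signature/XML Encryption that WS-Security actually uses.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// SignedPart is the part of the message the consumer vouches for. Its JSON
// encoding (fixed field order) is the canonical byte string that gets signed.
type SignedPart struct {
	RequestID        string `json:"requestId"`
	Operation        string `json:"operation"`        // in the clear: every hop may read it
	EncryptedAccount []byte `json:"encryptedAccount"` // RSA-OAEP to the backend: only it can read it
}

// Message is what travels hop to hop. Routing sits outside the signed part so
// intermediaries can append to it without invalidating the consumer's signature.
type Message struct {
	Body      SignedPart `json:"body"`
	Signature []byte     `json:"signature"`
	Routing   []string   `json:"routing"`
}

func canonical(p SignedPart) [32]byte {
	b, _ := json.Marshal(p) // plain string/[]byte fields cannot fail to marshal
	return sha256.Sum256(b)
}

// Consumer: encrypt the backend-only field first, then sign the whole body,
// so the backend verifies origin before it decrypts anything.
func build(consumer *ecdsa.PrivateKey, backendPub *rsa.PublicKey, reqID, op, account string) (Message, error) {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, backendPub, []byte(account), []byte("account"))
	if err != nil {
		return Message{}, err
	}
	body := SignedPart{RequestID: reqID, Operation: op, EncryptedAccount: ct}
	digest := canonical(body)
	sig, err := ecdsa.SignASN1(rand.Reader, consumer, digest[:])
	if err != nil {
		return Message{}, err
	}
	return Message{Body: body, Signature: sig}, nil
}

// Intermediary: can route on Operation and record its hop, cannot read the
// account, and cannot alter the body without breaking the signature.
func relay(m Message, hop string) Message {
	m.Routing = append(m.Routing, hop)
	return m
}

// Backend: verify the consumer's signature over the signed part, then decrypt.
func receive(m Message, consumerPub *ecdsa.PublicKey, backend *rsa.PrivateKey) (string, error) {
	digest := canonical(m.Body)
	if !ecdsa.VerifyASN1(consumerPub, digest[:], m.Signature) {
		return "", errors.New("signed part does not verify: origin or integrity unknown")
	}
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, backend, m.Body.EncryptedAccount, []byte("account"))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// Scenario runs the chain once intact and once after a hop tampers with a
// signed field; it returns the account the backend recovered and whether
// the tampering was detected.
func Scenario() (account string, tamperDetected bool, err error) {
	consumer, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", false, err
	}
	backend, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", false, err
	}
	// Constructed sample request; the account number is for the backend's eyes only.
	m, err := build(consumer, &backend.PublicKey, "req-1", "transfer", "ACCT-0042")
	if err != nil {
		return "", false, err
	}
	account, err = receive(relay(m, "esb-1"), &consumer.PublicKey, backend)
	if err != nil {
		return "", false, err
	}
	tampered := relay(m, "esb-2")
	tampered.Body.Operation = "delete" // a hop rewrites a signed field in transit
	_, tamperErr := receive(tampered, &consumer.PublicKey, backend)
	return account, tamperErr != nil, nil
}

func main() {
	account, caught, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("backend recovered %q; tampering detected: %v\n", account, caught)
}
```

Two design points carry over to real WS-Security deployments. The signature covers the ciphertext, so an intermediary cannot swap in a different encrypted account without being detected, and the backend checks the signature before it decrypts. RSA-OAEP directly over the data only works because the field is short (under 190 bytes with a 2048-bit key and SHA-256); XML Encryption instead encrypts the element with a symmetric key and wraps that key for the recipient.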

SOA Security – The Standards
- The new challenges of SOA security require both new technology and new standards.
- Standards help with security interoperability.
- Two standards have been very broadly adopted:
  - WS-Security
  - SAML

SOA Security Standards to the Rescue: WS-Security
- Specifies how integrity and confidentiality can be enforced on Web services messaging
- Describes how to attach signatures and encryption headers to a SOAP message (answers "Did the user really send this data?")
- Helps with interoperability
- Supports signing/encrypting individual message fields rather than only the whole message

SOA Security Standards to the Rescue: WS-Security – it's a protocol, not a toolset
(Slide shows a SOAP message with a WS-Security header; the base64-encoded token and signature values are not legible in the transcript.)

SOA Security Standards to the Rescue: SAML
- Standard for exchanging authentication and authorization data between security domains
- The back-end service can verify which user was authenticated by the gatekeeper, without re-authenticating that user itself
- Equivalent to Single Sign-On (SSO) for Web services (answers "Who is this data for?")

SOA Security Standards to the Rescue: SAML – it's a protocol, not a toolset
(Slide shows a signed SAML 1.0 assertion. The values legible in the transcript are the name "test", the subject confirmation method urn:oasis:names:tc:SAML:1.0:cm:sender-vouches, the XML Signature DigestValue YQIsRZPBnfEMkehIvuq/WueeGzo=, and placeholders for the encoded signature and the encoded public-key certificate.)

SOA Security – Did Standards Save Us?
(Diagram: an application calling a service provider.)

SOA Security – Challenge and Opportunity: Separating policies from the service lifecycle
- Centralize policy definitions and enforcement
- No per-service work as policies change
(Diagram: policy groups defined by security and compliance officers.)

SOA Security – Challenge and Opportunity: Separating policies from the service lifecycle
(Diagram only.)

SOA Security – Challenge and Opportunity
(Diagram labels: security contracts covering user credentials, authentication, authorization, encryption/signature and schema validation; policy groups; shared message processing blocks; applications; managed service security settings; load balancing; failover.)

SOA Security – Challenge and Opportunity: Separating policies from the service lifecycle
(Diagram: a security proxy in front of the services; "first mile" security between consumers and the proxy, "last mile" security between the proxy and the services.)

Protecting the Last Mile
- Having a security enforcement point is one thing; ensuring all service consumers actually go through it is another. A consumer that can reach the service directly bypasses every policy the enforcement point applies.
(Diagram: an authorized consumer and an unauthorized consumer, both with a path to the service.)

Trust Zones Protect the Last Mile
(Diagram: on the normal path a consumer's request passes through the trust zone, where last-mile security sits in front of the service; an internal consumer that tries to call the service directly, labelled "Attack", is blocked, marked with an X.)
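The SAML slides say the back-end service can verify which user the gatekeeper authenticated, and the last-mile slides say the service must refuse consumers that did not come through that gatekeeper. One mechanism serves both: the gateway signs an assertion about the user, and the service accepts a request only if it carries an assertion signed by a gateway it trusts, addressed to it, and still valid. The Go program below is an added example, not code from the presentation or from Progress, and uses a cut-down JSON assertion in place of the XML SAML assertion on the slide; the sender-vouches confirmation URI is the one shown there, while the field names, Issue, Verifier, Verify and the sample identities are the example's own. It rejects four things the slides only imply: an assertion signed by a key the service does not trust (an internal consumer minting its own), an assertion whose issuer is not on the trusted list, an assertion issued for a different service, and an expired one.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Assertion is the claim the gateway makes after authenticating the user.
type Assertion struct {
	Issuer   string `json:"issuer"`   // which gateway authenticated the user
	Subject  string `json:"subject"`  // the authenticated user
	Audience string `json:"audience"` // the service this assertion is for
	IssuedAt int64  `json:"issuedAt"` // unix seconds
	NotAfter int64  `json:"notAfter"`
	Method   string `json:"method"`   // subject confirmation method
}

// SignedAssertion carries the assertion and the gateway's signature over it.
type SignedAssertion struct {
	Assertion Assertion `json:"assertion"`
	Signature []byte    `json:"signature"`
}

const senderVouches = "urn:oasis:names:tc:SAML:1.0:cm:sender-vouches"

func digest(a Assertion) [32]byte {
	b, _ := json.Marshal(a) // fixed field order gives a canonical encoding
	return sha256.Sum256(b)
}

// Issue is the gateway's side: it has already authenticated user and now
// vouches for that identity towards one audience for a limited time.
func Issue(gw *ecdsa.PrivateKey, issuer, user, audience string, now time.Time, ttl time.Duration) (SignedAssertion, error) {
	a := Assertion{Issuer: issuer, Subject: user, Audience: audience,
		IssuedAt: now.Unix(), NotAfter: now.Add(ttl).Unix(), Method: senderVouches}
	d := digest(a)
	sig, err := ecdsa.SignASN1(rand.Reader, gw, d[:])
	if err != nil {
		return SignedAssertion{}, err
	}
	return SignedAssertion{Assertion: a, Signature: sig}, nil
}

// Verifier is the service's side. Trusted maps each accepted gateway's name
// to its public key; the Issuer field only selects which key to try, and the
// signature check is what proves the claim.
type Verifier struct {
	Trusted  map[string]*ecdsa.PublicKey
	Audience string // this service's own identifier
}

// Verify returns the authenticated subject only if the assertion was signed
// by a trusted gateway, is addressed to this service and is current.
func (v Verifier) Verify(sa SignedAssertion, now time.Time) (string, error) {
	a := sa.Assertion
	pub, ok := v.Trusted[a.Issuer]
	if !ok {
		return "", errors.New("issuer is not a trusted gateway")
	}
	d := digest(a)
	if !ecdsa.VerifyASN1(pub, d[:], sa.Signature) {
		return "", errors.New("signature does not verify for the claimed issuer")
	}
	if a.Method != senderVouches {
		return "", errors.New("unsupported confirmation method")
	}
	if a.Audience != v.Audience {
		return "", errors.New("assertion was issued for a different service")
	}
	if now.Unix() > a.NotAfter || now.Unix() < a.IssuedAt {
		return "", errors.New("assertion is expired or not yet valid")
	}
	return a.Subject, nil
}

func main() {
	gw, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rogue, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // key of a consumer that skipped the proxy
	now := time.Now()
	v := Verifier{Trusted: map[string]*ecdsa.PublicKey{"gateway-1": &gw.PublicKey}, Audience: "accounts-svc"}
	good, _ := Issue(gw, "gateway-1", "alice", "accounts-svc", now, time.Minute)
	forged, _ := Issue(rogue, "gateway-1", "alice", "accounts-svc", now, time.Minute) // claims to be gateway-1
	fmt.Println(v.Verify(good, now))                    // accepted
	fmt.Println(v.Verify(forged, now))                  // rejected: signature
	fmt.Println(v.Verify(good, now.Add(2*time.Minute))) // rejected: expired
}
```

This check is what makes the proxy unavoidable for the last mile: a consumer calling the service directly has nothing signed by a trusted gateway to present. It does not, by itself, stop someone inside the network from replaying a captured assertion within its validity window, which is why the slide pairs it with a network trust zone and a short lifetime; the audience field also stops an assertion minted for one service being presented to another.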

Visibility is Critical to Security
If you can't see it:
- you can't measure it
- you can't secure it
- you can't control it
- you can't manage it

Visibility is Critical to SOA Security
- Discover
  - Dynamic service discovery
  - Automatic service delivery flow mapping
  - End-to-end multi-protocol support
  - Service network visualization
(Cycle: Discover, Monitor, Evaluate Policy, Alert, Resolve.)

Questions?

Thank You