1
Grid & Web Service Security: Issues from the Private Sector
Michael Abbott, Founder, Composite Software. September 18, 2003
2
Outline
Problem domain: Web Services and security
Use cases
Introduction to Composite Information Server
Web Services and security: new issues
Standards review
Areas of current research
September 18, copyright 2003, Composite Software
3
Two upfront comments
We are still learning what customers really require vs. what the standards dictate.
The issues and challenges discussed here arose as a byproduct of the initial product focus, not as a security research agenda.
4
Enterprise Information Integration (EII) Domain
[Architecture diagram: domain users (CEO, marketing analyst, CFO), J2EE/.NET client application developers and client software consume Composite Views running in the EII Server (Composite Information Server), which is backed by a Directory and Enterprise Entitlement service and draws on inter/intra-enterprise data and external data services.]
Speaker notes: Composite Software enables the composition of Information Applications to deliver the right data to the right users at the right time. Composite Views provide an abstraction layer over multiple disparate data sources so that all the data appears to users as if it exists in a single location. Composite Views run in an EII Server, which enables the creation of Information Applications in much the same way that application servers enable the creation of transactional applications. Once Composite Views are created, they can be consumed through popular desktop applications (Microsoft Excel, portals, BI desktop tools) or any other client software users may want to use. Composite Views are developed and run in the Composite Information Server.
5
Customer Case Study: Lifetime Fitness
[Diagram: users (a fitness agent using a custom application, a business analyst using Brio, a customer care representative using Siebel) query Composite Customer Views in the EII Server, which joins Web Services (XML/HTTP) and relational data from the Café POS system, Spa POS system, the Member Management System (OLTP) and the Member Management System (historical). The external Web Services raise internal/external security issues.]
Situation:
Lifetime Fitness operates state-of-the-art health club facilities across 8 US states.
Recent expansion into nutritional products, wellness products, personal-care products and spa services; planned expansion into financial services.
Corporate initiative to give customers a uniform multi-channel experience across spa and café POS systems and the central Member Management Systems. Features include the ability to charge to the card on file.
Solution:
Get a "global customer view" of related data that is spread across multiple systems.
Access the "customer view" from multiple client systems such as Brio, Siebel and the Member Management System.
Benefits of Composite Software to Lifetime Fitness:
Ability to cross-sell and up-sell products to members.
Higher customer satisfaction and retention.
Increased spend at spa and café due to convenience.
Return on information: higher spend per customer.
6
Key Observations
Joining vertically partitioned data across relational and XML sources via Web Services (WS).
Existing authentication/authorization information lives in an LDAP directory.
Widely varied data source security models.
Fine-grained resource management required.
Data privacy driven by regulation (e.g., HIPAA).
7
WS Security vs Traditional (Network) security
Traditional security:
Host-to-host or point-to-point security
Client/server oriented
Connection or connectionless oriented
Generally a single, common trust domain/association
WS Security:
Document-oriented approach
Security tokens/assertions and policies can be associated with the document or its parts
Intended to be cross-domain
Potentially for virtual and dynamic trust domains (security associations)
8
WS introduce new security risks
Interoperability: multiple standards, and applications with multiple authentication and access control schemes
Scalability
Centralized management
Single sign-on (SSO) allows for credential mapping across diverse systems
Malicious attack
9
Potential Malicious Attacks
Denial of service
Replay attack
Buffer overflow
Dictionary attack
SQL injection
Cross-site scripting
Virus detection
10
XML Security - Components
XML Signature
XML Encryption
SAML (Security Assertion Markup Language)
XrML (eXtensible rights Markup Language)
XACML (eXtensible Access Control Markup Language)
XKMS (XML Key Management Specification)
11
Web Services security - standards
The main driving consortiums have been W3C and OASIS.
W3C, for its development of specifications such as:
XML Signature (W3C Recommendation, 12 February 2002)
XML Encryption (W3C Recommendation, 10 December 2002)
XML Key Management Specification 2.0 (XKMS, W3C Working Draft, 18 April 2003)
OASIS, for its development of specifications such as:
WS-Security (3 OASIS TC-approved specifications, in public review until 19 October 2003)
SAML 1.1 (Security Assertion Markup Language, OASIS Standard, September 2003)
XACML (eXtensible Access Control Markup Language, OASIS Standard, February 2003)
12
Web Services security is being addressed in multiple functional areas
Functional area: Overall framework. Specification: OASIS WS-Security. Description: provides a standard mechanism for associating "security tokens" with message content.
Functional area: Authentication / identity management / single sign-on. Specification: OASIS Security Assertion Markup Language (SAML). Description: defines an XML-based framework for exchanging security information.
Functional area: Access control. Specification: OASIS eXtensible Access Control Markup Language (XACML). Description: enables standard expression of policies for information access over the World Wide Web.
13
WS-Security addresses end-to-end security where trust domains need to be crossed
HTTP and its security mechanisms (SSL/TLS) address only point-to-point security.
WS-Security addresses how to maintain a secure context over a multi-point message path.
[Diagram: with transport security, each hop (sender to intermediary, intermediary to receiver) has its own security context; with WS-Security, one security context spans sender, intermediary and receiver end to end.]
14
Web Services Security Model
The WS-Security model provides end-to-end security (as opposed to point-to-point), allowing intermediaries.
A Web service can require that an incoming message prove a set of claims (e.g., name, key, permission, capability, etc.). The set of required claims and related information is referred to as a Policy.
A requester can send messages with proof of the required claims by associating security tokens with the messages. Messages both demand a specific action and prove that their sender has the claim needed to demand that action.
When a requester does not have the required claims, the requester or someone on its behalf can try to obtain the necessary claims by contacting other Web services.
Security token services broker trust between different trust domains by issuing security tokens.
15
Web Services Security Architecture
[Diagram: a layered stack with the SOAP Foundation at the bottom, WS-Security above it, then WS-Policy, WS-Trust and WS-Privacy, and at the top WS-SecureConversation, WS-Federation and WS-Authorization.]
WS-Security describes how to:
attach signature and encryption headers to SOAP messages;
attach security tokens, including binary security tokens such as X.509 certificates, SAML assertions, Kerberos tickets and others, to messages.
It defines the "how".
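The mechanics behind "attach security tokens to messages" are easiest to see with the simplest WS-Security token, the UsernameToken with a password digest, which also addresses the replay and dictionary attacks listed earlier. The following is an added example, not code from the presentation or from Composite Software. It builds a SOAP envelope carrying a wsse:Security header and verifies it on the receiving side. The namespace URIs are those of the final OASIS WSS 1.0 specification (2004, after this talk); the user name, password, SOAP body and the in-memory nonce cache are constructed for the example.

```python
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Namespace URIs from OASIS WSS 1.0 (SOAP Message Security and UsernameToken Profile).
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
UTP = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def password_digest(nonce: bytes, created: str, password: str) -> str:
    # UsernameToken Profile: PasswordDigest = Base64(SHA-1(nonce + created + password)),
    # where nonce is the raw bytes, not its Base64 form.
    return base64.b64encode(hashlib.sha1(nonce + created.encode() + password.encode()).digest()).decode()


def build_username_token_message(user: str, password: str, body_xml: str, now=None) -> str:
    """Requester side: attach a UsernameToken (digest form) to a SOAP message."""
    now = now or datetime.now(timezone.utc)
    created = now.strftime(TIME_FMT)
    nonce = os.urandom(16)
    return f"""<soap:Envelope xmlns:soap="{SOAP}">
  <soap:Header>
    <wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">
      <wsse:UsernameToken>
        <wsse:Username>{user}</wsse:Username>
        <wsse:Password Type="{UTP}#PasswordDigest">{password_digest(nonce, created, password)}</wsse:Password>
        <wsse:Nonce>{base64.b64encode(nonce).decode()}</wsse:Nonce>
        <wsu:Created>{created}</wsu:Created>
      </wsse:UsernameToken>
    </wsse:Security>
  </soap:Header>
  <soap:Body>{body_xml}</soap:Body>
</soap:Envelope>"""


class UsernameTokenVerifier:
    """Receiver side: checks the digest, the freshness window and the nonce cache."""

    def __init__(self, passwords: dict, max_skew: timedelta = timedelta(minutes=5)):
        self.passwords = passwords          # constructed credential store
        self.max_skew = max_skew
        self.seen = set()                   # (user, nonce) already accepted; bound it by max_skew in production

    def verify(self, envelope: str, now=None) -> str:
        now = now or datetime.now(timezone.utc)
        root = ET.fromstring(envelope)
        tok = root.find(f".//{{{WSSE}}}UsernameToken")
        if tok is None:
            raise ValueError("no UsernameToken in wsse:Security header")
        user = tok.findtext(f"{{{WSSE}}}Username") or ""
        pw_el = tok.find(f"{{{WSSE}}}Password")
        nonce_b64 = tok.findtext(f"{{{WSSE}}}Nonce")
        created = tok.findtext(f"{{{WSU}}}Created")
        if pw_el is None or not pw_el.get("Type", "").endswith("#PasswordDigest") or not nonce_b64 or not created:
            raise ValueError("PasswordDigest with Nonce and Created is required (PasswordText is refused)")
        ts = datetime.strptime(created, TIME_FMT).replace(tzinfo=timezone.utc)
        if abs(now - ts) > self.max_skew:
            raise ValueError("stale: Created is outside the freshness window")
        nonce = base64.b64decode(nonce_b64)
        if (user, nonce) in self.seen:
            raise ValueError("replay: nonce already accepted for this user")
        password = self.passwords.get(user)
        if password is None:
            raise ValueError("unknown user")
        expected = password_digest(nonce, created, password)
        if not hmac.compare_digest(expected, pw_el.text or ""):
            raise ValueError("bad digest")
        self.seen.add((user, nonce))
        return user


def demo() -> tuple:
    """Exercises the three outcomes: accepted, replayed, stale."""
    verifier = UsernameTokenVerifier({"alice": "s3cret"})
    msg = build_username_token_message("alice", "s3cret", "<getCustomer><id>42</id></getCustomer>")
    accepted = verifier.verify(msg)
    try:
        verifier.verify(msg)
        replay = "accepted"
    except ValueError as e:
        replay = str(e).split(":")[0]
    stale_msg = build_username_token_message("alice", "s3cret", "<x/>", now=datetime.now(timezone.utc) - timedelta(hours=1))
    try:
        verifier.verify(stale_msg)
        stale = "accepted"
    except ValueError as e:
        stale = str(e).split(":")[0]
    return accepted, replay, stale


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner should keep in mind: the digest proves possession of the password and the nonce cache defeats replay of the token, but a UsernameToken binds nothing in the SOAP body, so an intermediary can alter the body without detection unless an XML Signature covers it; and the receiver must still refuse PasswordText tokens over an unencrypted hop, since that form is the plain password.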
16
Web Service Security – other specifications
WS-Policy
WS-Trust
WS-Privacy
WS-SecureConversation
WS-Federation
WS-Authorization
17
XACML – extensible access control markup language
Defines a core schema/namespace for authorization policies in XML.
Closely aligned with SAML: policy decision points (PDPs) reached through SAML may consult policies encoded in XACML to determine whether access is granted.
Use case: a patient record that contains a psychiatric note; the note needs a stricter rule than the rest of the record.
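What XACML adds over a per-application ACL is that the decision is computed from attributes of the subject, the resource (down to a section of the record) and the action, with an explicit rule-combining algorithm. The following is an added example, not part of the presentation and not XACML syntax: it models a policy decision point and a policy enforcement point in Python, using XACML's concepts (Target, Rule, Effect, Condition, deny-overrides combining, NotApplicable) for the patient-record-with-psychiatric-note use case. The roles, section names and rules are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"


@dataclass
class Rule:
    rule_id: str
    effect: str                                      # PERMIT or DENY
    target: Dict[str, Set[str]] = field(default_factory=dict)   # attribute -> acceptable values
    condition: Optional[Callable[[dict], bool]] = None          # predicate over the request

    def evaluate(self, request: dict) -> str:
        # Target: every listed attribute must take one of the listed values.
        for attr, allowed in self.target.items():
            if request.get(attr) not in allowed:
                return NOT_APPLICABLE
        # Condition: a further predicate; a false condition makes the rule NotApplicable.
        if self.condition is not None and not self.condition(request):
            return NOT_APPLICABLE
        return self.effect


class Policy:
    """Policy decision point (PDP) using deny-overrides rule combining."""

    def __init__(self, policy_id: str, rules: List[Rule]):
        self.policy_id = policy_id
        self.rules = rules

    def decide(self, request: dict) -> str:
        results = [rule.evaluate(request) for rule in self.rules]
        if DENY in results:
            return DENY
        if PERMIT in results:
            return PERMIT
        return NOT_APPLICABLE


def pep_allows(policy: Policy, request: dict) -> bool:
    """Policy enforcement point: only an explicit Permit lets the request through."""
    return policy.decide(request) == PERMIT


# Constructed policy for the use case. In a SAML deployment the "role" attribute
# would come from an attribute assertion, not from the client's own claim.
PATIENT_RECORD_POLICY = Policy("patient-record", [
    Rule("clinical-staff-read", PERMIT,
         target={"role": {"physician", "nurse", "psychiatrist"},
                 "resource": {"patient-record"},
                 "section": {"demographics", "medications"},
                 "action": {"read"}}),
    Rule("psychiatrist-reads-note", PERMIT,
         target={"role": {"psychiatrist"}, "resource": {"patient-record"},
                 "section": {"psychiatric-note"}, "action": {"read"}}),
    # Explicit Deny so that no broader Permit added later can expose the note.
    Rule("note-restricted-to-psychiatrists", DENY,
         target={"resource": {"patient-record"}, "section": {"psychiatric-note"}},
         condition=lambda req: req.get("role") != "psychiatrist"),
])


def make_request(role: str, section: str, action: str = "read") -> dict:
    return {"role": role, "resource": "patient-record", "section": section, "action": action}


if __name__ == "__main__":
    for role, section, action in [("physician", "medications", "read"),
                                  ("physician", "psychiatric-note", "read"),
                                  ("psychiatrist", "psychiatric-note", "read"),
                                  ("billing", "medications", "read"),
                                  ("psychiatrist", "psychiatric-note", "write")]:
        req = make_request(role, section, action)
        print(role, section, action, "->", PATIENT_RECORD_POLICY.decide(req), pep_allows(PATIENT_RECORD_POLICY, req))
```

The design point is the NotApplicable outcome: a billing clerk reading medications matches no rule at all, and the PEP treats that as a refusal. An enforcement point that only checks "not Deny" would let every unanticipated request through.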
18
SAML – security assertions markup language
Defines an XML framework for exchanging authentication and authorization information:
XML-encoded security *assertions*
XML-encoded request/response protocol
Rules on using assertions with standard transports/protocols
Use cases: single sign-on; authorization service.
XACML is used to define the access control policy that a SAML authorization decision request is evaluated against.
SAML defines the "what".
19
COMPOSITE INFORMATION SERVER
Enterprise Information Integration (EII) Domain
[The architecture diagram from slide 4 repeated, now with the standards placed where they apply: XML Signature, XML Encryption and WS-Security on the message path between clients, the Composite Information Server and the data services; XACML and SAML between the server and the Directory / Enterprise Entitlement service.]
20
Areas under research/direction
21
Computer grids originated from distributed supercomputing
Goal: to become a "pluggable" computing resource.
Evolution: computer grids -> information grids -> semantic grids.
Current de facto standard: the Globus Toolkit.
22
Security Issues in Grid computing
General issues:
Traditional systems are user/client/host centric; grid computing is data centric.
Traditional systems: protect the system from its users; protect one user's data from compromise by another.
In grid systems: protect applications and data from the system where the computation executes.
Stronger, mutual authentication is needed (for users and for code).
Ensure that resources and data are not provided by an attacker.
Different administrative domains and security policies.
23
Authentication
Traditional systems: authenticate the user/client to protect the system.
Grid systems:
Mutual authentication required; ensure that resources and data are not provided by an attacker.
Delegation of identity: the process that grants one principal the authority to act as another individual, i.e., to assume another's identity to perform certain functions. E.g., in Globus, the grid-mapfile on a particular resource maps an authenticated user onto a local account, with that account's privileges.
Data origin authentication.
24
Authorization
Traditional systems: determine whether a particular operation is allowed based on the authenticated identity of the requester and local information.
Grid systems:
Determine whether access to a resource/operation is allowed; an access control list is associated with resources, principals or authorized programs.
Distributed authorization: distributed maintenance of authorization information.
One approach: embed attributes in certificates. A restricted proxy is an authorization certificate that grants authority to perform an operation on behalf of the grantor.
Alternative: a separate authorization server.
25
Understanding OGSA/OGSI
Web Services: provide interoperability for service interaction (XML, SOAP, WSDL).
Open Grid Service Architecture (OGSA): integrates grid technologies with Web Services; defines the key components of the grid.
Open Grid Service Infrastructure (OGSI): formal and technical specification of the services described in OGSA; defines interfaces for interaction with and between Grid Services.
[Diagram: Web Services are extended by OGSA, which is specified by OGSI, which defines Grid Services.]
Speaker notes: XML is the standard for message creation and definition, SOAP the standard for message passing, WSDL the standard for service definition. OGSA started by defining the features common to all services on a grid and has now started a new effort to define higher-level services. OGSI specifies how the OGSA ideas should be implemented by everyone providing grid services, with interfaces for accessing service properties, information flow and lifecycle management.
26
Challenges for Data Grid
Rights to resource utilization.
Query plan execution pushed to remote servers: who authorizes it?
Knowledge of *other* applications.
How to manage grid security in a manner usable by the average IT manager.
Who defines the rules?
27
Recap of *real* world issues
Data ownership and politics
Data privacy
Managing data across data sources with varying data models
Most Web Services are internal, yet are still experiencing security issues
28
Who We Are
Management: Jim Green, CEO; Mike Abbott, Founder & CTO
General: located in San Mateo, CA, with 6 former CTOs on staff; $17.35M raised in 2002 and 2003 from leading venture capital firms; revenue and customers; still hiring
29
Thank you! – Questions/Comments