1  SOA-39: Securing Your SOA
Mitigating Security Risks of a De-coupled Infrastructure
Francois Martel, Principal Solution Engineer

2  © 2008 Progress Software Corporation – SOA-39: Securing Your SOA
Agenda
- The Fundamental Shift
- SOA Security Challenges
- The Standards
- The Progress® Security Solution

3  SOA Security – The Fundamental Shift
In traditional applications the backend is dedicated to the application, which provides the security.
[Diagram: Application]

4  SOA Security – The Fundamental Shift: Application Silo Security
- Single (simple) security model
- Security policies apply to the application only
- Trustworthiness is not an issue
- Security decisions have local impact only
- Hard-coding security is common
- Security context is commonly sent in the clear
[Diagram: Application]

5  SOA Security – The Fundamental Shift
In SOA the backend is exposed as services that are shared across applications.
[Diagram: Application – Service Provider – Application]

6  SOA Security – The Fundamental Shift: SOA Business Processes Span Applications
- Developers can't account for all interactions
- Cannot hard-code security into applications
- Security policies must apply to entire processes
- Sensitive information may not be intended for all parties consuming the same service
- The typical transport protocol is HTTP(S), which is open on most firewalls
[Diagram: Application – Service Provider]

7  SOA Security – Challenges: Functional Aspects of Security
[Diagram of functional aspects; label: INTEROPERABILITY]

8  SOA Security – TRUST: Trust in a SOA
- Traditional: There is typically a concept of a trusted computing base (TCB). The TCB provides mechanisms for enforcing the security policy that protects resources in a controlled environment.
- SOA: There is no longer a security perimeter. Application functions are abstracted and location-independent. This open environment makes it difficult to distinguish legitimate requests from malicious ones.
[Diagram: Service Provider – "Who do I trust?"]

9  SOA Security – AUTHENTICITY: Authenticity (Authentication) for SOA
- Traditional applications: No matter how the user authenticates to the application, the onus of validating and authorizing the user typically falls on the application, regardless of what mechanism the application uses for access control.
- SOA: Services are accessed on behalf of users. Service developers don't know all the different contexts in which their services will be used.
[Diagram: Application – Service Provider – "Who is this data for?"]

10  SOA Security – INTEGRITY: Data Integrity/Confidentiality Strategy for SOA
- Traditional: Transport-layer security (SSL/TLS) is used for secure communication between two points.
- SOA: SSL everywhere is not practical. Message data is relayed from service to service, and some data is intended for services further down the chain, so the integrity of relayed data is questionable. Did the user really send this data?
[Diagram: SSL]

11  SOA Security – CONTROL: Control Procedures for SOA
- Traditional: Controls are tightly coupled to applications and thus can be managed directly from the application itself.
- SOA: Need the ability to centrally and consistently enforce and audit policy and procedures across disparate applications.

12  SOA Security – INTEROPERABILITY: Interoperability in a SOA
- Traditional: As interoperability between applications was itself not guaranteed, interoperability of security implementations was not a topic of great interest; most applications could handle it on a one-to-one basis.
- SOA: Must support multiple security mechanisms because there is little control over service consumers.

13  SOA Security – Challenges Summary
- Authenticity (Access Control)
  - Services are accessed on behalf of users: user identity must be propagated
  - The service consumers are not homogeneous: different credentials must be supported
- Integrity / Privacy
  - Data is relayed from service to service
  - Some data must be passed but should only be accessed by specific backend services: encrypt part of the message
  - Some data has to be passed in the clear but its origin verified: sign part of the message
- Controls and Interoperability
  - Harder to manage as the number of applications involved in a process increases

14  SOA Security – The Standards
- The new challenges of SOA security require both new technology and new standards.
- Standards help with security interoperability.
- Two standards have been very broadly adopted:
  - WS-Security
  - SAML

15  SOA Security Standards to the Rescue: WS-Security
- Specifies how integrity and confidentiality can be enforced on Web services messaging
- Describes how to attach signatures and encryption headers to SOAP messages ("Did the user really send this data?")
- Helps with interoperability
- Supports signing/encrypting message fields

16  SOA Security Standards to the Rescue: WS-Security – it's a protocol, not a toolset
[Slide showed a sample WS-Security SOAP message with base64-encoded security tokens]

17  SOA Security Standards to the Rescue: SAML
- Standard for exchanging authentication and authorization data between security domains
- The back-end service can verify which user was authenticated by the gatekeeper
- Equivalent to Single Sign-On (SSO) for Web services
[Diagram: Application – Service Provider – "Who is this data for?"]

18  SOA Security Standards to the Rescue: SAML – it's a protocol, not a toolset
[Slide showed a sample SAML assertion using the subject confirmation method urn:oasis:names:tc:SAML:1.0:cm:sender-vouches, with a digest value, an encoded signature and an encoded public key certificate]

19  SOA Security – Did Standards Save Us?
[Diagram: Application – Service Provider]

20  SOA Security – Challenge and Opportunity: Separating policies from the service lifecycle
- Centralize policy definitions and enforcement
- No per-service work as policies change
[Diagram: Policy Groups – Security and Compliance Officers]

21  SOA Security – Challenge and Opportunity: Separating policies from the service lifecycle
[Diagram]

22  SOA Security – Challenge and Opportunity: Security Contracts
[Diagram labels: User Credentials, Authentication, Authorization, Encryption/Signature, Schema Validation, Policy Groups, Shared Message Processing Blocks, Applications, Managed Service Security Settings, Load Balancing, Failover]

23  SOA Security – Challenge and Opportunity: Separating policies from the service lifecycle
[Diagram: Security Proxy – First Mile Security – Last Mile Security]

24  Protecting the Last Mile
- Having a security enforcement point is one thing; ensuring all service consumers use it is another.
[Diagram: Authorized consumer – Service – Unauthorized consumer]

25  Trust Zones Protect the Last Mile
[Diagram labels: Normal Path, CONSUMER TRUST ZONE, INTERNAL CONSUMER, Last-mile Security, Attack (X), Service]

26  Visibility is critical to Security
If you can't see it:
- You can't measure it
- You can't secure it
- You can't control it
- You can't manage it

27  Visibility is critical to SOA Security
- Discover
  - Dynamic service discovery
  - Automatic service delivery flow mapping
  - End-to-end multi-protocol support
  - Service network visualization
[Diagram: Discover → Monitor → Evaluate Policy → Alert → Resolve]

28  Questions?

29  Thank You
