
TECHNOLOGY BRIEF: CA SOA SECURITY MANAGER

CA SOA Security Manager: Securing SOA/Web Services Based IT Architectures

Copyright © 2007 CA. All rights reserved. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. This document is for your informational purposes only. To the extent permitted by applicable law, CA provides this document “As Is” without warranty of any kind, including, without limitation, any implied warranties of merchantability or fitness for a particular purpose, or non-infringement. In no event will CA be liable for any loss or damage, direct or indirect, from the use of this document including, without limitation, lost profits, business interruption, goodwill or lost data, even if CA is expressly advised of such damages.

Table of Contents

Executive Summary

SECTION 1: CHALLENGE 2
Introduction

SECTION 2: OPPORTUNITY 3
The March to SOA
Understanding SOA Security
SOA Security Layers
What’s Missing from SOA/WS Security?

SECTION 3: BENEFITS 8
CA SOA Security Manager
Key Benefits
CA SOA Security Manager Product Architecture
CA SOA Security Manager Key Features

SECTION 4: CA ADVANTAGE 13
Adding Value at Every Layer of the SOA Environment
Cross-industry Applicability

SECTION 5: CONCLUSIONS 15

ABOUT CA Back Cover


Executive Summary

Challenge

Service Oriented Architectures and Web services (SOA/WS) are emerging as the next major wave of application architectures for IT-intensive enterprises. Organizations are looking to SOA/WS to improve the speed, flexibility, and cost of building and deploying applications for both internal and external uses. However, as with all new IT architectures, in particular those that are highly distributed, security management can be a significant challenge. Without a proper architecture, application security is often created in silos, which lead to increased risk of information leakage, higher cost of security administration and greater complexity in complying with IT-impacting regulations.

Opportunity

With centralized security management, organizations can manage the security of their enterprise SOA/WS deployments no matter how many Web services or different infrastructural technologies are deployed. Providing centralized, policy-based security as an integral part of the SOA/WS service infrastructure enables the externalization of security from the Web services themselves, thus easing the administrative burden and cost of providing consistent and reliable enterprise security for SOA/WS.

Benefits

CA SOA Security Manager provides the industry’s most comprehensive SOA/WS security platform, providing both identity-based Web services security — authentication, authorization, and audit (AAA) — as well as XML threat-centric security in a single integrated solution. The solution can thus reduce the time and cost devoted to service development and maintenance as well as help reduce IT risk through greater control and monitoring. In addition, when CA SOA Security Manager is used in conjunction with CA SiteMinder® Web Access Manager, the combined solution provides a comprehensive Web security solution that secures both traditional Web applications/portals as well as XML-based Web services, leveraging the same agent, proxy and policy server-based architecture.

SECTION 1: CHALLENGE

Introduction

Service Oriented Architectures (SOA) have emerged as the newest and often best approach to build and deploy IT applications. Typically embracing Internet standards through the use of XML-based Web services (WS), the SOA approach holds the promise of greater IT flexibility and agility by enabling organizations to “publish” their services for the multitudes of potential internal and external service consumers. This service-based approach fundamentally changes the way applications are designed and constructed and can support an infinite variety of business processes, but simultaneously challenges the way IT organizations govern, manage and secure applications and data.

Just as with the first arrival of secured Web applications and portals in the 1990s, the arrival of SOA/WS-based applications creates a number of IT and security management challenges that must be addressed before they can be deployed at scale. Given that SOA/WS can be deployed for internal use, external use, or a mix of both, “who gets access to what” matters intrinsically for SOA/WS. In addition, SOA/WS can be vulnerable to a new type of XML-focused malware. In short, SOA/WS need the equivalent of the functionality that has become standard for websites and portals: firewalls and Web access management (WAM) systems, leveraging the general approach and philosophy that is so proven for website security but adapting it in particular to service orientation and XML-based Web services.

Security management for SOA/WS does not require a reinvention of the wheel, as security requirements with SOA/WS are largely consistent with those of web-based applications. For example, with both websites and SOA/WS it is important to keep private data confidential, make sure that messages have not been tampered with (integrity), discern the identity of the requester (authentication), decide the level of entitlement the requesting application or user is granted (authorization), track what has happened and is happening from a security point of view in the environment (auditing/reporting), and drop requests that are looking to disrupt the usage of services or steal private data (malware threats).

A typical, first-phase SOA/WS deployment today often combines a traditional portal deployment on the “front end” for the human user with a Web service call on the “back end” acting on behalf of that user, at Web services either hosted internally or by partners externally. Given this scenario, many organizations want to preserve the identity and security context seamlessly in all steps of this application. In effect, organizations want the user’s session, initiated the traditional way via a user login, to be carried over to one or more Web service transactions on the “back end”. Along these same lines, since many of these Web service “hops” often involve separate internal or external security domains, trust needs to be enforced (through federation) across these security domains in a standards-based and scalable way.

CA SOA Security Manager (CA SOA SM) was developed by CA to address these issues by providing an identity-centric SOA/WS security software product that secures access to services by inspecting the security information contained in the XML documents submitted by the service consumers. Leveraging a core set of SOA/WS standards, CA SOA Security Manager uses centralized security policies bound to user identities to provide XML threat prevention, authentication, authorization, federation, session management, and security auditing services. CA SOA SM fits into a heterogeneous SOA/WS deployment by providing both agent and proxy server-based policy enforcement points (PEPs) controlled and managed by centralized policy decision points (PDPs) or policy servers.


This paper discusses the reasons why SOA/WS are gaining traction in enterprises, what security issues result from their use, and finally how CA SOA SM addresses the issues inherent in protecting and managing enterprise-scale SOA/WS deployments.

SECTION 2: OPPORTUNITY

The March to SOA

It is estimated that the majority of large organizations around the world have either started to use Service Oriented Architectures/Web services (SOA/WS) or are planning to do so in the near future. The attraction of SOA/WS largely rests on its ability to increase application development and deployment speed, reusability and flexibility while reducing IT costs. Extending gains already realized by leveraging traditional Web portals and Web applications, SOA/WS takes the model of cross-domain applications focused on serving human users and generalizes this concept to computer-driven applications that may or may not be acting under the direct control of a person. SOA/WS directly leverage the benefit of the Internet and Internet technology to provide application integration flexibility no matter whether the service consumer resides on the Internet or on the Intranet/Extranet of the enterprise. The SOA/WS approach both eases internal application integration and leverages standards to open up the same services to the world at large, whether customers, partners, or other third-party organizations.

Using IT to enable and speed these third-party relationships is not a new phenomenon. Fixed-format data structures like electronic data interchange (EDI) have traditionally been used to send data back and forth between trading partners. Yet in this new generation of truly integrated global business processes, EDI is a highly constrained communications system that is not open to the infinite types of communications/transactions that organizations need. However, EDI provides a useful example of what is possible and can be considered the first generation of relatively wide-scale, cross-organizational digital information exchange. What is needed is a set of open, standards-based interfaces that any organization can use to integrate business systems in a secure, reliable fashion.

As with all new technologies, there are challenges with SOA/WS which must be addressed before this technology can be used widely. Given the massive scale and flexibility inherent to SOA/WS, any solution deployed must be reliable, available, scalable, manageable, and secure, while ensuring the environment can be effectively monitored. These key IT management issues require an evolution in thinking. While this paper focuses on the new security management challenges that SOA/WS bring to the forefront, it is important to remember that security is only one part of the IT management challenges raised by SOA/WS.

First, it is important to note that the definition of “public” needs to evolve in a SOA/WS-based world. Historically the “bad guys” were attackers from outside of your organization, trying to launch attacks like denial-of-service, message spoofing and DNS poisoning to impact the ability of the application to function. This is no longer a good assumption, as “insiders” are increasingly both the consumers of a SOA/WS application and a legitimate threat vector, stealing sensitive data and bringing down business processes, regardless of the insider’s true intent. At best, the concept of “insiders” and “outsiders” gets extremely fuzzy when thought of from a SOA/WS perspective.


Because of this “fuzziness” the traditional approach of deploying security in multiple layers, where different products and processes have secured the network, data center, applications and end points, is no longer sufficient. In an environment where “services” are requested by a requestor that can be either internal or external to the organization (or by an inside application acting on behalf of an outsider), security services like authentication and authorization are more important than ever. SOA/WS enable a new generation of open, integrated and accessible applications, but also require a consistently enforced set of usage policies which can scale to provide management services at a scale and granularity beyond what has been seen in the IT world to date.

Another security management risk for SOA/WS is the practice of building security logic (confirming the identity of the requester and what they can access, for example) directly and uniquely into each service as opposed to providing this as a shared security service. As SOA/WS deployments continue to scale, this tendency toward building security silos is increasingly impractical for organizations that have services that could easily number into the hundreds and potentially thousands. Redundant security silos are not only expensive to build and maintain, but also increase risk and make regulatory compliance more challenging to attain.

Ultimately, it comes down to accountability and control. As SOA/WS-based applications proliferate, organizations must figure out how to provide at least the same level of security (and hopefully better) that is available for the current generation of client/server and Web-based applications. This is further complicated by increasingly stringent regulatory requirements, which directly impact IT and require corporate executives to vouch for the sanctity of transactions and related financial reporting as well as to provide protection of private personal information.

Understanding SOA Security

In trying to understand the security requirements inherent in a SOA/WS-based environment, it makes sense to turn back the clock and look at how enterprises dealt with (and are still dealing with) the movement to Web-based applications over the last ten years or so. The first generation of web applications built security directly into the applications themselves. These so-called “security silos” involved implementing a user directory, access control lists (ACLs) and sets of access policies for each application. Basically, each application in a fully siloed architecture literally handled its own user authentication, authorization, and auditing (AAA) at some level.

As organizations moved beyond having only a handful of Web applications, this silo-based approach to web-application security didn’t scale and ultimately proved to be insecure and costly to manage. So in the 90’s a whole new class of security applications was introduced to enable applications to “externalize” authentication, authorization, audit, and user administrative functions into a centrally managed, highly scalable security infrastructure that could be used by all the web applications in the enterprise. At the same time, a standard technology for user directories called LDAP started to proliferate to provide the centralized repositories critical to scaling this externalized security infrastructure.


There are many parallels between Web applications and SOA/WS-based applications, including the fact that both can be deployed on an intranet (for company use), an extranet (for business partners), or even the public Internet (for consumers). The main difference is that the “user” in a SOA world can be another machine talking the language of XML, WSDL and SOAP, as opposed to a person seeing a web page rendered in a browser. But many of the security challenges are basically the same and can be mitigated using a similar security management approach.

Before jumping into possible solutions, let’s take a more detailed look at the security requirements of SOA/WS. While mostly consistent with the security requirements of traditional Web applications, there are some differences that will also be highlighted.

Security requirements for SOA/WS-based applications include:

• Threat/Malware Prevention: XML traffic is no different than Web traffic or email traffic in that it can be used to carry a malicious payload to its destination. As is best practice with other traffic types, there is a need to screen all the incoming XML traffic at the edge/DMZ to make sure there is no malware or other targeted attacks on business services, including viruses, denial of service, spoofed messages, etc.

• Authentication: Who is the other party that is trying to access a service? Regardless of whether the other party is a computer process or another Web service, before anything can be done, the identity of the requester needs to be confirmed. No one just lets anyone into a high-profile Web application without a positive authentication. SOA/WS-based applications should be no different.

• Authorization: Once the service consumer is authenticated, what can it do with the organization’s Web services? What services are they allowed to access? What data can be accessed and what transactions and/or business functions can be used? Just as users get entitlements to use certain functions in a Web portal, the web service provider needs to grant similar entitlements on behalf of a service consumer, whether they are from the inside or from the outside.

• Auditing and Reporting: Given serious regulatory requirements to log every material transaction and closely monitor business operations in case of a data breach or other problem, the SOA/WS environment must provide the ability to track each transaction and reconstitute business activities in a forensically sound way. Similarly, it’s critical to be able to provide enterprise-wide reports of activity.

• Identity Administration: Organizations need to manage identities, credentials and entitlements for SOA/WS-based applications, just as they do today in traditional IT architectures. Since Web services often act on behalf of users or other applications or technology processes, single sign-on and the provisioning of credentials and access rights are critical to allowing the environment to scale securely.

• Enterprise Manageability/Centralized Policy Management: With the sheer number of potential services available via a SOA/WS-based approach, how can an organization get an enterprise-wide view of what is going on with potentially hundreds or thousands of distinct SOA-based applications running? Moreover, it’s critical to be able to build and enforce centralized security policy that can change quickly depending on business requirements, without impacting or changing the underlying business service.


• Session Management: Similar to Web application single sign-on (Web SSO), Web services can be part of business processes where sessions need to be maintained across multiple Web services for an entire transaction. This can be thought of as a type of SSO for Web services.

• Support of Heterogeneous Infrastructure: A key advantage of web and now Web-services-based applications is that specific hardware, network or applications are not required as long as they adhere to a standard set of interchange technologies. Web services can be deployed in many different ways, and no doubt will be in many large organizations. So the ability to protect them consistently given this heterogeneous world is critical.

• Performance, Reliability, Availability and Scalability: Having all of these aspects of an enterprise-class computing environment goes without saying. Many web applications need to be able to scale to millions or tens of millions of users, with five 9s uptime. Likewise, SOA-based applications, where reusability is a key benefit, may have an order of magnitude higher level of usage with the same five 9s availability requirements. Moreover, the interdependent nature of SOA/WS-based applications means an issue in one component service could adversely impact many other services.

• Standards Support: SOA/WS are driven by standards (such as XML, WSDL, SOAP, etc.), including a set of security standards (WS-Security, et al.), which need to be supported as a means of providing the requisite interoperability that enables eased deployment and management both for internal as well as externally facing services.

The above security requirements must be delivered in a flexible, enterprise-class environment that enables an organization to achieve the promise of SOA/WS. Given that many large organizations will ultimately have thousands of SOA-based Web services comprised of many different, self-contained components, the idea of building security capabilities into each component is not practical. Thus, SOA security (just as Web access management before it) needs to be delivered as a centralized infrastructure or service to maintain the highest level of flexibility and efficiency.

SOA Security Layers

Security for SOA/WS can be deployed in a variety of places depending on the application architecture. SOA/WS security is often implemented on the edge (or perimeter) of the network, within a SOA platform, or in a SOA application container, as depicted in the diagram below. Given that to date there has been little integration between these disparate security areas, this has resulted in a tremendous amount of duplication in functionality. Thus enterprises have often had to manage similar security policies at different parts of the SOA/WS architecture.

Managing these multiple security policies can be problematic for a number of reasons. It’s more resource intensive, can result in security gaps, and also may duplicate similar defenses. Best practices dictate a layered defense for SOA security, but those layers must be consistent, coordinated and managed within a centralized policy.


Ultimately, a SOA/WS security solution should support the application developers without burdening them with details of how each component service should be secured. But at the same time, a centralized and structured way of enforcing organizational policy across all deployed Web services that ensures proper end-to-end reporting is also critical. It is that balance that is driving many organizations to look to a SOA/WS security system that can provide the needed flexibility, while offering world-class centralized management. Let’s look into each layer in a bit more detail.

SOA SECURITY LAYERS

EDGE (PERIMETER) SECURITY

Offered via hardware or software form factors that reside within the demilitarized network zone of an organization, these edge-based systems, also commonly known as XML security gateways or XML firewalls, are focused on being the first line of defense for SOA/WS applications. These systems are usually deployed as reverse proxies for XML traffic so all inbound messages are inspected and processed to ensure security policy compliance.

These XML security gateways check for XML-based malware and other threats in inbound traffic, including viruses and denial of service attacks. Protocol translation can also happen at the perimeter to ensure compatibility with deployed applications and other standards.

FIGURE A

SOA security layers and the importance of centralized security policy management, auditing, and reporting.


SOA PLATFORM SECURITY

Given the large number of services that are deployed in a large enterprise, many have implemented a SOA/WS “platform” that acts as an intermediary to connect, mediate and manage the available services. SOA/WS developers have the option of using some of the integrated security capabilities within the SOA platforms, but at the risk of duplicating defenses, potentially leaving security gaps and creating security silos that add to management and compliance challenges down the road.

The SOA platforms tend to use SOA/WS security standards (including WS-*) to be able to issue entitlements and support federation between different systems either internal or external to the organization.

SOA CONTAINER SECURITY

SOA/WS applications are deployed within “containers,” which typically are built using either the Java J2EE or the Microsoft .NET specification. Since SOA/WS are standards-based, the development environment isn’t material to the deployment of the services themselves, but it does make a difference when trying to secure the environment. As with the SOA platforms, J2EE and .NET offer certain security capabilities that can be built directly into the application at the developer’s discretion, but with the same risks of duplicating functions, creating security silos that add to management and compliance challenges, and/or leaving security gaps within the application.

What’s Missing from SOA/WS Security?

As mentioned above, duplicating security functions across the different SOA domains (Edge, Platform and Container) is clearly inefficient and requires significant additional management and developer resources, resulting in increased IT costs. Besides the overlap, it is difficult to implement a consistent SOA security policy across all layers and all of the disparate applications running in the environment.

A parallel can be drawn to Web access management, where initially there were many disparate levels of security implemented (edge, container, within the application), which were then consolidated into a common security infrastructure to both increase the level of security and decrease the amount of time and resources needed to secure those applications. The good news is that this problem was solved in the Web-based application domain and many of those same techniques are directly applicable in the world of SOA/WS.

SOA-based applications will likely follow the same evolutionary path as Web-based applications before them. This sets the stage for a new generation of SOA/WS security solutions to appear to enforce centralized security across all layers of the application, bringing together the best of both worlds. Today’s demanding SOA/WS applications require best-of-breed security at each layer, while using a common management interface, consistent policy enforcement, and integrated reporting for audit and compliance across the entire SOA ecosystem.

SECTION 3: BENEFITS

CA SOA Security Manager

CA SOA Security Manager is uniquely positioned to offer end-to-end security for SOA/WS by providing centralized policy management, policy enforcement for different security layers and central auditing to an enterprise SOA/WS deployment. By abstracting security from the services themselves, CA SOA SM helps customers to significantly reduce the administrative burdens and other costs associated with providing security for SOA/Web services.


CA SOA SM inspects the security information contained in XML documents submitted by service consumers and uses this information to determine access. It provides enterprise-level functionality for SOA/Web services that are exposed internally and externally, keeping XML threats out while simultaneously controlling access for legitimate service consumers. Like Web access management before it, CA SOA SM largely abstracts security from the sphere of the application developer, thus enabling the developer to focus on the application logic and the security professional to focus on security and risk mitigation.

CA SOA SM brings a shared-services security vision to previously disparate SOA security silos. Built on top of a centralized policy server, every transaction and message is checked to prevent threats/malware and enforce authentication and authorization policies. Additionally, inbound and outbound messages can be transformed and/or secured depending on the organization’s policy. With agents running on the major application servers, within leading SOA containers, and soon within SOA platforms, CA SOA SM offers the first comprehensive, end-to-end model to secure SOA/Web services from the edge to the container.

Key Benefits

• Consistent Security: As opposed to disparate security implemented in many places without common security policies, CA SOA SM provides a single point for threat mitigation, access control, and audit, consistently enforcing the organization’s security policies.

• Reduced Development Costs: Developers no longer have to build security into the respective components of their SOA/WS applications. Externalizing security provides significant developer efficiencies, and results in faster time to market of business services.

• Centralized Management of SOA Security Policy: Security policies implemented on centralized policy servers are checked at each stage of the transaction to ensure proper controls are implemented at every step of the transaction process. This also allows for central reporting to address auditing and compliance requirements.

• Session Management and Single Sign-On: Centralized management of security also enables single sign-on (SSO) where, once authenticated, Web service requests don’t need to be re-authenticated as the transactions move through multiple service steps (whether provided by the organization or by a third party) that make up a typical business process. Sessions can be configured to be valid for certain durations, providing more flexibility.

• Reliability and High Availability for Web Services: Web services never sleep and neither does CA SOA SM, providing unparalleled reliability and uptime for even the most industrial-strength, 24x7 business processes.

• Leverages Standards in an Open, Platform-Neutral Environment: CA SOA SM supports applicable Web services standards, including XML, SOAP, REST, WSDL, SSL, WS-Security, XML Encryption and XML Signature.

• Can Make Use of Existing Web Access Management Environment: Built on the same policy server and agent-based architecture as CA’s industry-leading Web access management offering, CA SiteMinder WAM, CA SOA SM can leverage the same deployment environment as CA SiteMinder WAM, thus in combination providing comprehensive Web security for both websites/applications as well as Web services.


Externalizing SOA security functions into a common infrastructure dramatically reduces development costs, as well as providing a single point of access control and administration for the hundreds (or even thousands) of distinct services that will come into service at most large enterprises. CA SOA SM provides best-of-breed functionality from the edge to SOA containers. Taken together to provide a consistent, policy-based SOA security environment, it is a combination that can’t be matched.

CA SOA Security Manager Product Architecture

POLICY SERVER — POLICY DECISION POINT (PDP)

The CA SOA Security Manager Policy Server provides the policy decision point (PDP) for CA SOA SM and is the centerpiece of the centralized, policy-based management platform. The policy server was built on top of CA SiteMinder’s policy server, adding additional features designed to support XML-specific processing and security standards. The Policy Server uses the CA SOA Security Manager SOA Agents and the SOA Security Gateway as policy enforcement points (PEPs) for Web services wherever they are hosted.

CA SOA SECURITY MANAGER ARCHITECTURE


FIGURE B

CA SOA Security Manager reference deployment architecture. CA SOA Security Manager is made of a highly distributed architecture providing a combination of distributed policy enforcement points (SOA Security Gateways and SOA Agents) and centralized policy server based policy decision points.

1. Web service requests coming from outside into your network are secured by the SOA Security Gateway running in the DMZ. Alternatively, a user may also access the Portal Server, which in turn makes a Web service request to a Web service hosted behind the DMZ.

2. Web services deployed within an enterprise can also make requests to each other as part of a particular business process. This is secured by SOA Agents as part of the “Last Mile” of SOA/WS security.

3. A common central Policy Server secures both Web service traffic and Web site traffic when CA SiteMinder WAM and CA SOA Security Manager are used together.

Built on an extensible and scalable architecture, security services can be added and enhanced as the security and management needs for Web services evolve. Integrating with industry-standard LDAP directories, relational database systems, and mainframe identity stores for centralized management of user identity and entitlement information, customers have the utmost in flexibility to implement CA SOA SM to meet their business requirements and extend existing IT infrastructure, not vice versa.

The Policy Server leverages the same technology used in CA SiteMinder WAM and CA Identity Manager and also complements other CA security products, including the CA Security Command Center, to provide event correlation, logging and centralized reporting to view security information in a context bigger than just the SOA environment.

SOA AGENTS — POLICY ENFORCEMENT POINTS (PEPs) CA SOA SM offers several policy enforcement points to provide end-to-end security for the entire SOA/WS enterprise infrastructure. Agents are available for the leading .NET and J2EE containers. New SOA Agents are regularly being developed, such as those for additional ESB and SOA platforms. Always refer to the CA SOA Security Manager Product Brief posted on ca.com for the latest information on supported platforms.

SOA SECURITY GATEWAY — PEP Another policy enforcement point available with CA SOA SM is the SOA Security Gateway. Residing at the perimeter of the network, the gateway acts as a secure reverse proxy for XML transactions to block XML attacks, shield back-end services from vulnerabilities, and detect intrusions. The gateway additionally enforces identity-based security policies, performs protocol translations and performs XML message transformations.

SOA SECURITY MANAGER SDK — FOR CUSTOM-BUILT PEPs This Java API enables partners and customers to write custom SOA Agents for their environments. The open API lets CA partners and customers extend their existing integrations with SOA Security Manager so that SOA platforms, XML firewalls or other appliances use CA SOA SM to provide a centrally managed authentication and authorization environment.

CA SOA Security Manager Key Features

CA SOA Security Manager brings many important features to the market, including:

• Centralized SOA Security Policy Management Implementing a shared services model, CA SOA SM externalizes security from the underlying Web service, providing the ability to consistently enforce security policy at all layers of the Web service, including the edge/perimeter, the SOA platform, and the SOA container.

• Identity-aware Web Services CA SOA SM binds the XML flow to a user identity (whether that user is a human or another application), ensuring that proper authentication, authorization and entitlements are maintained throughout the transaction.

• Secure Single Sign-On and Synchronized Session Management CA SOA SM manages session state and eliminates re-authentication of XML messages during multi-step and federated transactions across multiple component services and organizational boundaries.


• Credential Mapping CA SOA SM not only authenticates and authorizes Web service requests, but also supports generating a new security token for the same requester, mapping the identity in one security token to another security token, in effect acting as a Security Token Service. Additionally, CA SiteMinder SMSESSION tokens can be mapped to standards-based WS-Security SAML assertions for greater openness and interoperability.

• Support for Federation By supporting the WS-Security standard for security information carried in XML/SOAP documents, inter-enterprise transactions can be managed across security domains from a single authentication. In fact, a typical use case for CA SOA SM is to provide a Web service based authentication service that can be used as the enterprise's shared authentication service.

• Dynamic Authorization Based on XML Content in the Request As part of the authorization process, a security policy can be created to dynamically compare XML content in the request against user attributes stored in the user store.

• Software-based SOA Security Gateway By packaging the SOA Security Gateway as software rather than shipping it on dedicated hardware, customers have the flexibility to deploy gateways where they are needed and can scale them on industry-standard hardware.

• Deployment Flexibility for Enforcement Points CA SOA SM provides agents for the leading J2EE and .NET containers and interoperates with solutions from other SOA vendors, including IBM, Microsoft, Sun, BEA, Oracle and many others.

• Standards-compliant CA SOA SM supports the important Web services standards, ensuring interoperability and future-proofing, including XML, SOAP, REST, WS-Security (SAML, Username and X.509 token profiles), XML Signature, XML Encryption, WSDL and SSL.

• Extends the Proven CA SiteMinder WAM Platform CA SOA SM integrates seamlessly with the CA SiteMinder WAM Web security platform, sharing the same policy store and offering single sign-on to CA SiteMinder WAM protected applications as well as Web services. The product also uses CA Security Command Center for event correlation and reporting.
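The PEP/PDP split described in the architecture section and the "Dynamic Authorization Based on XML Content in the Request" feature above, as an added worked example that is not CA code and does not use the product's API: a small Python policy enforcement point that first refuses the XML constructs behind entity-expansion and external-entity attacks (the kind of pre-parse check a perimeter gateway performs), then authenticates a WS-Security UsernameToken, and finally asks a toy policy decision point whether the account named in the SOAP body belongs to the caller. The user store, the policy table, the service namespace urn:example:bank:accounts and the sample messages are all constructed for this example.

```python
import hmac
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
ACCT_NS = "urn:example:bank:accounts"  # hypothetical namespace of the protected service

# Constructed user store; stands in for the LDAP/RDBMS store a Policy Server would query.
# Passwords are kept in clear only to keep the sample short.
USER_STORE = {
    "alice": {"password": "alice-pw", "role": "customer", "accounts": {"ACC-1001", "ACC-1002"}},
    "bob":   {"password": "bob-pw",   "role": "customer", "accounts": {"ACC-2001"}},
    "tina":  {"password": "tina-pw",  "role": "teller",   "accounts": set()},
}

# Constructed policy (the PDP's rules): which roles may call an operation, and which element of
# the request body must name an account the caller owns. Operations not listed are denied.
POLICY = {
    "GetBalance":   {"roles": {"customer"}, "owned_element": "accountId"},
    "CloseAccount": {"roles": {"teller"},   "owned_element": None},
}


def reject_dangerous_xml(raw: bytes) -> None:
    """Gateway-style checks before any parser sees the bytes: DOCTYPE/ENTITY declarations
    enable entity-expansion and external-entity attacks, so they are refused outright."""
    if len(raw) > 64 * 1024:
        raise ValueError("message too large")
    if re.search(rb"<!(DOCTYPE|ENTITY)", raw, re.IGNORECASE):
        raise ValueError("DOCTYPE/ENTITY declarations are not accepted")


def parse_envelope(raw: bytes):
    """Return (Header element or None, the single operation element inside Body)."""
    reject_dangerous_xml(raw)
    root = ET.fromstring(raw)
    if root.tag != f"{{{SOAP_NS}}}Envelope":
        raise ValueError("not a SOAP 1.1 envelope")
    body = root.find(f"{{{SOAP_NS}}}Body")
    if body is None or len(body) != 1:
        raise ValueError("Body must contain exactly one operation element")
    return root.find(f"{{{SOAP_NS}}}Header"), body[0]


def authenticate(header) -> str:
    """Authenticate from a WS-Security UsernameToken and return the user name.
    A PasswordText token is only acceptable over SSL/TLS, which is assumed here."""
    tok = None if header is None else header.find(f".//{{{WSSE_NS}}}UsernameToken")
    if tok is None:
        raise PermissionError("missing WS-Security UsernameToken")
    user = tok.findtext(f"{{{WSSE_NS}}}Username") or ""
    password = tok.findtext(f"{{{WSSE_NS}}}Password") or ""
    record = USER_STORE.get(user)
    if record is None or not hmac.compare_digest(record["password"].encode(), password.encode()):
        raise PermissionError("authentication failed")
    return user


def decide(user: str, operation) -> bool:
    """PDP: role check, then compare XML content of the request with the caller's attributes."""
    rule = POLICY.get(operation.tag.split("}")[-1])
    if rule is None:
        return False  # default deny for unknown operations
    record = USER_STORE[user]
    if record["role"] not in rule["roles"]:
        return False
    if rule["owned_element"] is not None:
        requested = operation.findtext(f"{{{ACCT_NS}}}{rule['owned_element']}")
        if requested not in record["accounts"]:
            return False
    return True


def enforce(raw: bytes) -> str:
    """PEP entry point: 'ALLOW' or 'DENY:<reason>' for one inbound SOAP message."""
    try:
        header, operation = parse_envelope(raw)
        user = authenticate(header)
    except (ValueError, ET.ParseError, PermissionError) as exc:
        return f"DENY:{exc}"
    return "ALLOW" if decide(user, operation) else "DENY:policy"


def build_request(user: str, password: str, operation: str, account_id: str) -> bytes:
    """Constructs a sample client message for the demo (not a real client of any product)."""
    user, password, account_id = escape(user), escape(password), escape(account_id)
    return f"""<soapenv:Envelope xmlns:soapenv="{SOAP_NS}">
  <soapenv:Header><wsse:Security xmlns:wsse="{WSSE_NS}"><wsse:UsernameToken>
    <wsse:Username>{user}</wsse:Username><wsse:Password>{password}</wsse:Password>
  </wsse:UsernameToken></wsse:Security></soapenv:Header>
  <soapenv:Body><acct:{operation} xmlns:acct="{ACCT_NS}">
    <acct:accountId>{account_id}</acct:accountId>
  </acct:{operation}></soapenv:Body>
</soapenv:Envelope>""".encode()
```

The point of the example is the order of the checks: size and DOCTYPE filtering happen on raw bytes before parsing, authentication happens before any policy lookup, and the content-based rule (does the accountId in the body belong to the authenticated user?) is what turns a plain "is this user allowed to call GetBalance" into the per-message authorization the feature list describes. A real gateway also limits nesting depth and attribute counts, which is omitted here.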


SECTION 4: CA ADVANTAGE

Adding Value at Every Layer of the SOA Environment

CA SOA SM adds value at every stage of the SOA/WS environment. As the following use cases illustrate, the true value of a secure SOA/WS environment can only be realized with centralized security policy and centralized logging and reporting that also provide comprehensive, enterprise-scale security services.

SSO FROM PORTAL TO INTERNAL AND EXTERNAL WEB SERVICES

FIGURE C

1. The user logs into the banking portal using CA SiteMinder WAM and applies for a credit card.

2. The portal-based application makes a SOAP call to the internal credit card service using the user's security context.

3. The user's session is validated and authorized by the SOA Agent PEP and Policy Server PDP protecting the credit card service.

4. CA SOA Security Manager then generates a WS-Security SAML token and adds it to the SOAP header of the request for the next step in the flow, in this example the credit check Web service.

5. The credit card service sends the SOAP request carrying the SAML token to the external credit check service provided by a partner.

6. The credit check service authenticates the requester using the WS-Security SAML standard and returns its response to the credit card service, which in turn returns the credit card approval or denial to the user on the portal-based application.

Key Takeaways of this Use Case

• The user only needs to authenticate to the bank portal; the rest of the transaction is not visible to them, yet the user's context is maintained at every step.

• The bank portal and the first-step (internal) Web service are secured by a single policy-based service provided by the combination of CA SOA SM and CA SiteMinder WAM. This saves development and security administration time and money.

• Each application/service is protected to the "last mile" (via agents) rather than relying on a distant security service that may or may not be invoked. Because enforcement happens in the service's own container, a caller cannot "go around" the security CA SOA SM provides by addressing the service directly.

• The credential mapping capability allows the security context to be mapped to standards-based security tokens, WS-Security SAML in this case, to complete the transaction. Neither the Web services nor the portal had to handle credential mapping; the security system provided by CA SOA SM took care of it. The use of security standards is particularly important when, as here, secure integration with a third party's services is desired.
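Steps 3 to 6 of the use case, as an added example that is not part of the original brief and is not product code: the agent on the credit card service looks up an already-validated session, mints a SAML 1.1 assertion for the same user, places it in the WS-Security header of the outbound SOAP request, and the partner's enforcement point checks integrity, issuer, validity window and audience before trusting the subject name. The session table, the issuer name bank.example, the shared key, the audience URI urn:partner:creditcheck and the credit check body are constructed. Because the Python standard library has no XML Signature implementation, an HMAC over the canonicalized assertion, carried in a hypothetical urn:example:assertion-mac element, stands in for the XML Signature a real deployment would apply (XML Signature is among the standards the brief lists); everything else follows the exchange as described.

```python
import base64
import hashlib
import hmac
import uuid
import xml.etree.ElementTree as ET  # ET.canonicalize needs Python 3.8+
from datetime import datetime, timedelta, timezone

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"  # SAML 1.1 assertion namespace
MAC_NS = "urn:example:assertion-mac"  # hypothetical; carries the XML Signature stand-in

ISSUER = "bank.example"  # constructed issuer name
# Constructed: sessions the Policy Server has already validated (step 3).
SESSIONS = {"smsession-abc123": {"user": "alice"}}
# Constructed shared key; stands in for the signing key material a real deployment would use.
PARTNER_KEY = b"constructed-shared-key-do-not-reuse"
# Constructed request body for the partner's credit check service.
CREDIT_CHECK_BODY = '<cc:CreditCheck xmlns:cc="urn:example:creditcheck"><cc:amount>5000</cc:amount></cc:CreditCheck>'
NOW = datetime(2007, 6, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock so the demo is deterministic


def _iso(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def _from_iso(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def canonical(el):
    """C14N 2.0 bytes of one element, so both sides MAC identical bytes whatever prefixes were used."""
    return ET.canonicalize(ET.tostring(el, encoding="unicode"), rewrite_prefixes=True).encode()


def issue_assertion(user, now, audience, ttl=timedelta(minutes=5)):
    """Step 4, credential mapping: mint a minimal SAML 1.1 assertion for the mapped identity."""
    a = ET.Element(f"{{{SAML_NS}}}Assertion", {"MajorVersion": "1", "MinorVersion": "1",
                   "AssertionID": "_" + uuid.uuid4().hex, "Issuer": ISSUER, "IssueInstant": _iso(now)})
    cond = ET.SubElement(a, f"{{{SAML_NS}}}Conditions", {"NotBefore": _iso(now), "NotOnOrAfter": _iso(now + ttl)})
    arc = ET.SubElement(cond, f"{{{SAML_NS}}}AudienceRestrictionCondition")
    ET.SubElement(arc, f"{{{SAML_NS}}}Audience").text = audience
    stmt = ET.SubElement(a, f"{{{SAML_NS}}}AuthenticationStatement", {
        "AuthenticationMethod": "urn:oasis:names:tc:SAML:1.0:am:password", "AuthenticationInstant": _iso(now)})
    ET.SubElement(ET.SubElement(stmt, f"{{{SAML_NS}}}Subject"), f"{{{SAML_NS}}}NameIdentifier").text = user
    return a


def build_outbound(smsession, body_xml, now, audience):
    """Steps 4-5 on the credit card service: SMSESSION -> SAML token in the WS-Security header."""
    sess = SESSIONS.get(smsession)
    if sess is None:
        raise PermissionError("unknown or expired SMSESSION")
    assertion = issue_assertion(sess["user"], now, audience)
    mac = hmac.new(PARTNER_KEY, canonical(assertion), hashlib.sha256).digest()
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    sec = ET.SubElement(ET.SubElement(env, f"{{{SOAP_NS}}}Header"), f"{{{WSSE_NS}}}Security")
    sec.append(assertion)
    ET.SubElement(sec, f"{{{MAC_NS}}}Mac").text = base64.b64encode(mac).decode()
    ET.SubElement(env, f"{{{SOAP_NS}}}Body").append(ET.fromstring(body_xml))
    return ET.tostring(env)


def verify_inbound(raw, now, expected_audience):
    """Step 6 at the partner's PEP: authenticate the requester from the token; returns the subject."""
    sec = ET.fromstring(raw).find(f"{{{SOAP_NS}}}Header/{{{WSSE_NS}}}Security")
    assertion = None if sec is None else sec.find(f"{{{SAML_NS}}}Assertion")
    mac_el = None if sec is None else sec.find(f"{{{MAC_NS}}}Mac")
    if assertion is None or mac_el is None:
        raise PermissionError("no SAML token in Security header")
    expected = hmac.new(PARTNER_KEY, canonical(assertion), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, base64.b64decode(mac_el.text or "")):
        raise PermissionError("token integrity check failed")  # tampered, or not from the trusted key
    if assertion.get("Issuer") != ISSUER:
        raise PermissionError("untrusted issuer")
    cond = assertion.find(f"{{{SAML_NS}}}Conditions")
    if cond is None or not _from_iso(cond.get("NotBefore")) <= now < _from_iso(cond.get("NotOnOrAfter")):
        raise PermissionError("assertion outside validity window")
    if cond.findtext(f"{{{SAML_NS}}}AudienceRestrictionCondition/{{{SAML_NS}}}Audience") != expected_audience:
        raise PermissionError("assertion not intended for this service")
    subject = assertion.findtext(f".//{{{SAML_NS}}}Subject/{{{SAML_NS}}}NameIdentifier")
    if not subject:
        raise PermissionError("assertion has no subject")
    return subject


def demo():
    """Happy path plus the failure modes a relying party must reject; returns the outcomes."""
    audience = "urn:partner:creditcheck"  # constructed audience URI for the partner service
    msg = build_outbound("smsession-abc123", CREDIT_CHECK_BODY, NOW, audience)
    out = {"subject": verify_inbound(msg, NOW + timedelta(seconds=30), audience)}
    cases = {"tampered": (msg.replace(b">alice<", b">mallory<"), NOW, audience),
             "expired": (msg, NOW + timedelta(minutes=10), audience),
             "wrong_audience": (msg, NOW, "urn:other:service")}
    for name, (raw, at, aud) in cases.items():
        try:
            out[name] = "accepted:" + verify_inbound(raw, at, aud)
        except PermissionError as exc:
            out[name] = str(exc)
    try:
        build_outbound("smsession-bogus", CREDIT_CHECK_BODY, NOW, audience)
    except PermissionError as exc:
        out["bad_session"] = str(exc)
    return out
```

The checks in verify_inbound are the ones that make the partner's "authenticates the requester using WS-Security SAML" step meaningful: integrity first (so nothing else is trusted from a tampered token), then issuer, validity window and audience, so that a token minted for one partner service cannot be replayed against another. A production relying party additionally verifies the signing certificate's chain and tracks seen AssertionID values within the validity window to stop replay of an otherwise valid token.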

Cross-industry Applicability

A nearly unlimited number of business scenarios can be improved through SOA/WS and the security that makes flexible, cross-enterprise digital information exchange possible. A few brief vignettes should give the reader enough information to envision how SOA/WS might apply to their organization. In each case, note how a centralized, policy-based security system such as CA SOA SM dramatically streamlines the protection of these critical applications.

• Healthcare A SOA/WS application can be used to provide real-time referrals and authorizations for appointments with specialists. A Web portal used by the primary care physician can send a Web services request on the back end to the referral Web service to verify whether the referral is allowed, based on information from the physician and the health plan in which the patient is enrolled. A consistent security policy can be enforced at all stages of the transaction even though each side uses a different security solution, because common standards facilitate interoperability. CA SOA SM can be used on either side of this scenario. If it is assumed to protect the referral service, CA SOA SM can not only verify the validity of the security information in the request for authentication purposes, but can also take part in the authorization decision at multiple levels.

• Financial A thick application running on a trader's desktop can call multiple Web services using multiple protocols and formats to perform currency and options trading. CA SOA SM, acting as the shared authentication service, can provide a WS-Security SAML assertion to the desktop client, which can be reused to gain access to these and other secured Web services, whether hosted inside or outside the organization. CA SOA SM can also be used to secure any of these Web services, most likely those hosted internally, at the "last mile" of the service itself.

• Shipping A shipping company can expose real-time shipment tracking information via a Web service for integration with its customers' applications. The SOA Security Gateway component of CA SOA SM can be used to front-end the tracking Web service, so that attackers cannot reach the Web service directly, and to serve as the point of consistent policy enforcement for authentication and authorization.

• Manufacturing A global auto manufacturer can roll out innovative informational services on an ongoing basis directly to its end customers in their cars, whether on a fee-for-service basis or as part of value-added product bundles. Access to services can be determined in part by the "identity" of the car itself and can include ongoing monitoring of the car's performance and need for servicing, as well as the provisioning of premium services that were not purchased at the time of original acquisition or that were not available then. When one imagines all of the services that might be useful while traveling in a car, the sky is the limit on what a SOA/WS-based approach might provide. CA SOA SM could take on the important role of protecting these services from misuse or direct attack.


SECTION 5: CONCLUSION

Service Oriented Architectures and Web services are emerging as the next major wave of application architecture. SOA/WS aim to improve the speed, flexibility and cost of building and deploying applications for both internal and external audiences. However, security strategies and architectures need to be planned in advance, or organizations risk repeating the mistakes of the past, with security constantly playing "catch up" and being deployed as a patchwork of technologies and processes.

It is not sufficient to address the SOA/WS security issues discussed in this paper with the traditional approach of deploying many inconsistent, incompatible and overlapping layers of security. Security must be architected into the environment as an infrastructure service, enabling flexible and cost-effective deployment from edge to container.

The good news is that the security issues we face for SOA/WS-based applications are very similar to those we dealt with as traditional Web-based applications became prevalent. Organizations need to centrally manage the security of their enterprise SOA/WS deployments, just as they do today for their Web sites and portals, no matter how many Web services or different infrastructure technologies are deployed. This can be accomplished by providing centralized, policy-based security as an integral part of the SOA/WS infrastructure, abstracting security from the services themselves.

CA SOA SM extends the proven CA SiteMinder WAM architecture to provide the industry's most comprehensive SOA/WS security platform, providing both identity-based Web services security – authentication, authorization, and audit (AAA) – and XML threat-centric security in a single integrated solution. In addition, CA SOA SM used in conjunction with CA SiteMinder WAM provides a comprehensive Web security solution that secures both traditional Web applications/portals and XML-based Web services, using the same agent, proxy, and policy server based architecture.

To learn more about CA SOA Security Manager, please visit ca.com/solutions/iam.


ABOUT CA

CA, one of the world's largest information technology (IT) management software companies, unifies and simplifies complex IT management across the enterprise for greater business results. With our Enterprise IT Management vision, solutions and expertise, we help customers effectively govern, manage and secure IT.

TB05SOASM01E MP323321207

Learn more about how CA can help you transform your business at ca.com