soa security2

® IBM Software Group © 2004 IBM Corporation Integrated Security Architecture James Andoniadis IBM Canada


7/26/2019 Soa Security2

http://slidepdf.com/reader/full/soa-security2 1/31



IBM Software Group | Tivoli software

CEO View: Increased Collaboration Brings Rewards


Layers of security

Perimeter Defense: keep out unwanted traffic with
• Firewalls
• Anti-Virus
• Intrusion Detection, etc.

Control Layer
• Which users can come in?
• What can users see and do?
• Are user preferences supported?
• Can user privacy be protected?

Assurance Layer
• Can I comply with regulations?
• Can I deliver audit reports?
• Am I at risk?
• Can I respond to security events?


Pre SOA Security: Enforcement & Decision Points

Access Enforcement Functionality (AEF)

Access Decision Functionality (ADF)

[Diagram: an AEF sits in front of each component that serves requests (Reverse Proxy Server, HTTP Proxy, Portal Server, Application Server with J2EE Container and J2EE Apps, Business Processes, Web Servers, .Net / 3rd Party Apps) and in front of the back ends (Data Stores, CICS, IMS, ...). Every AEF defers to a shared Access Decision Functionality, made up of the Security Decision Services (ADF) and Other Security Decision Services, and all enforcement points report to a common Audit Infrastructure.]


Directory Management View

[Diagram of the directory-centred enterprise: Identity Management feeds a Meta-Directory / LDAP Directory, which synchronizes two directories. The External Directory, behind an LDAP Proxy, serves the External ePortal, Transactional and Informational Web Presentation, Transactional Web Integration, Web Access Control, Web Single Sign On, Certificate Status Responder, External SMTP Gateway and Network Dispatcher for Customers. The Internal Directory serves the Internal ePortal and LDAP-enabled apps, Application Single Sign On, Application Access Control, Network Authentication & Authorization, Network Access Control, Internal SMTP Gateway, Messaging, Delegated User Management, LOB Applications, Databases, Application Directory, Network Operating Systems, CRM/ERP (PeopleSoft) and the Certificate Authority for Employees.]


Identity and Access Management Portfolio

[Diagram of the Tivoli identity and access management products arranged around the Enterprise Directory:]

ITIM: Provisioning
• Policies
• Workflow
• Password self-service
• Audit trails

Enterprise Directory
• Personal Info
• Credentials
• Entitlements

ITFIM: Federated Identity, Web Services Security

ITAM: Web Access Management (SSO, Authentication, Authorization); TAM for ESSO

ITDI: Directory Integration

ITDS: Directory Server

Managed targets: Apps/Email, UNIX/Linux, NOS, Databases & Applications, MF/Midrange, Identity Stores (HR, CRM, Partners), Security Mgmt Objects, Portal (Presentation, Personalization)


Operational Deployment Pattern - Security Zones

[Diagram, zones from outside in: Internet (Uncontrolled), Internet DMZ (Controlled), Intranet (Controlled), Server Production Zone (restricted), plus a separate Management (secured) zone. Customers, Employees and Business Partners reach the enterprise from the Internet with a Web Browser over HTTP/S; External Web Applications and the Load Balancer sit at the edge. The Reverse Proxy (WebSeal) in the DMZ fronts the WebSphere Portal (WPS), Content Management and Collaboration Services (Lotus). The Access Policy Server (ITAM), Directory Server (ITDS) and Federated Identity Mgmt (ITFIM) sit behind the protocol firewall and domain firewall; Identity Management, MetaDirectory and Directory Sync feed the Internal Directories: MS AD, Enterprise LDAP, BP DB Table. Employees and Contractors enter through a second Reverse Proxy (WebSeal).]

Operational Security Tools:
- Host IDS, Network IDS
- Auditing scanners
- Weak password crackers
- AntiVirus
- Vulnerability scanners (host, network, web)
- Intrusion prevention
- Tripwire
- Audit/logging, event correlation
- ...


Governments as Identity Providers

“TRUST provides ACCESS”

The United States is an “Identity Provider” because it issues a Passport as proof of identification: the USA vouches for its citizens.

[Diagram: Germany, USA and China shown as Identity Providers, each with its own Users.]


Roles: Identity Provider and Service Provider

Identity Provider (“Vouching” party in transaction)
1. Issues Network / Login credentials
2. Handles User Administration / ID Mgmt
3. Authenticates User
4. “Vouches” for the user’s identity

Service Provider (“Validation” party in transaction)
- Controls access to services
- Third-party user has access to services for the duration of the federation
- Only manages user attributes relevant to SP

Mutual TRUST between Identity Provider and Service Provider
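The division of labour on this slide, as an added example that is not part of the original deck or any IBM product: the Identity Provider keeps the user registry and authenticates, then vouches for the user by issuing a signed assertion; the Service Provider validates the signature, the issuer, the audience and the federation window, and keeps only the attributes it needs. The signature is an HMAC over a constructed shared key standing in for the PKI-signed assertions a SAML deployment would use, and the issuer names, user and attributes are constructed sample data.

```python
"""Identity Provider vouches, Service Provider validates (illustrative code).

Signing uses HMAC over a shared secret as a simplification of the XML
signatures SAML uses; names and attributes are constructed sample data."""
import hashlib
import hmac
import json
import time

# Constructed trust relationship: both parties hold the same signing key.
FEDERATION_KEY = b"constructed-shared-secret"


class IdentityProvider:
    """Issues credentials, authenticates users and vouches for them."""

    def __init__(self, name, key):
        self.name = name
        self.key = key
        self.users = {}  # the IdP's own user administration / ID management

    def register(self, user, password, **attributes):
        salt = hashlib.sha256(user.encode()).digest()  # constructed per-user salt
        self.users[user] = {
            "pw": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000),
            "attrs": attributes,
        }

    def authenticate(self, user, password):
        rec = self.users.get(user)
        if rec is None:
            return False
        salt = hashlib.sha256(user.encode()).digest()
        guess = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)
        return hmac.compare_digest(rec["pw"], guess)

    def issue_assertion(self, user, password, audience, lifetime, now=None):
        """Authenticate locally, then vouch for the user towards `audience`."""
        if not self.authenticate(user, password):
            return None
        now = time.time() if now is None else now
        claims = {
            "issuer": self.name,
            "subject": user,
            "audience": audience,          # the SP this assertion is meant for
            "not_before": now,
            "not_after": now + lifetime,   # duration of the federation
            "attributes": self.users[user]["attrs"],
        }
        payload = json.dumps(claims, sort_keys=True).encode()
        sig = hmac.new(self.key, payload, hashlib.sha256).hexdigest()
        return {"claims": claims, "signature": sig}


class ServiceProvider:
    """Validates assertions from trusted IdPs and controls access to services."""

    def __init__(self, name, key, trusted_issuers, relevant_attributes):
        self.name = name
        self.key = key
        self.trusted_issuers = set(trusted_issuers)
        self.relevant_attributes = set(relevant_attributes)

    def validate(self, assertion, now=None):
        """Return the SP-side session on success, or a reason string on failure."""
        now = time.time() if now is None else now
        claims = assertion["claims"]
        payload = json.dumps(claims, sort_keys=True).encode()
        expected = hmac.new(self.key, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, assertion["signature"]):
            return "bad signature"
        if claims["issuer"] not in self.trusted_issuers:
            return "untrusted issuer"
        if claims["audience"] != self.name:
            return "wrong audience"
        if not (claims["not_before"] <= now <= claims["not_after"]):
            return "outside federation window"
        # Only the attributes relevant to this SP are kept; the rest stays with the IdP.
        attrs = {k: v for k, v in claims["attributes"].items()
                 if k in self.relevant_attributes}
        return {"subject": claims["subject"], "issuer": claims["issuer"],
                "attributes": attrs}
```

The SP never sees the user's password and never stores attributes outside its own scope; access lapses automatically when the assertion's window closes, which is what "access for the duration of the federation" means in practice.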


Federated Identity Standards


Agenda
- Enterprise Security Architecture – MASS Intro
- Identity, Access, and Federated Identity Management
- SOA Security


[Diagram: SOA layered reference architecture, shown twice, with the Service Consumer side and the Service Provider side marked. Layers numbered 1 to 5 from the top: consumers; business processes (process choreography); services, atomic and composite (with their definitions); service components; operational systems (Custom Application, Packaged Application, OO Application, Outlook, SAP, ISV and Custom Apps) on a Platform of Supporting Middleware: MQ, DB2, Unix, OS/390.]

SOA Security Encompasses all Aspects of Security

SOA Security
• Identity
• Authentication
• Authorization
• Confidentiality, Integrity
• Availability
• Auditing & Compliance
• Administration and Policy Management

across the binding types: SCA, Portlet, WSRP, B2B, Other


Message-based Security : End-to-End Security

Message-based security does not rely on secure transport:
- message itself is encrypted → message privacy
- message itself is signed → message integrity
- message contains user identity → proof of origin

[Diagram: a SOAP Message crossing two HTTPS hops. Each HTTPS connection gives connection integrity/privacy for its own hop only; the message-level protection travels with the SOAP Message end to end.]


Web Service Security Specifications Roadmap

[Diagram of the WS-* security stack, bottom up: SOAP Messaging; WSS – SOAP Security; SecurityPolicy, SecureConversation and Trust on top of it; Federation, Privacy and Authorization at the top.]


SOAP Message Security: Extensions to Header

SOAP Header allows for extensions

OASIS standard “WS-Security: SOAP Message Security”
- defines XML for Tokens, Signatures and Encryption
- defines how these elements are included in SOAP Header

[Diagram: Envelope containing a Header and a Body. The Header carries a Security Element made up of a Security Token, a Signature and Encrypted Data; the Body carries the <application data>.]
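The two preceding slides (message-level security that survives HTTPS termination, and the Security element inside the SOAP Header) as an added example; this is not code from the deck, from IBM or from the OASIS specification. The Security element carries a UsernameToken naming the sender and a signature over the Body, so a hop that alters the Body after TLS termination is detected by the receiver. XML Signature is replaced by a SHA-256 digest of the serialized Body plus an HMAC over the sender name and that digest under a constructed shared key; the element named `Signature` here is a simplified stand-in for `ds:Signature`, and XML Encryption is omitted because the standard library has no block cipher. The SOAP and WS-Security namespace URIs are the real ones; everything else is constructed.

```python
"""Security element in the SOAP Header: token + signature over the Body.

Illustrative code: HMAC over a constructed key replaces XML Signature, and
the Signature element is a simplified stand-in for ds:Signature."""
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
SHARED_KEY = b"constructed-signing-key"  # stand-in for the sender's private key


def body_digest(envelope):
    """Digest of the serialized Body; this is the value the signature covers."""
    body = envelope.find(f"{{{SOAP}}}Body")
    return hashlib.sha256(ET.tostring(body)).hexdigest()


def build_signed_envelope(user, application_xml, key=SHARED_KEY):
    """Wrap application data in an Envelope whose Header carries a Security
    element holding a UsernameToken and a signature bound to the Body."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP}}}Header")
    body = ET.SubElement(env, f"{{{SOAP}}}Body")
    body.append(ET.fromstring(application_xml))

    security = ET.SubElement(header, f"{{{WSSE}}}Security")
    token = ET.SubElement(security, f"{{{WSSE}}}UsernameToken")
    ET.SubElement(token, f"{{{WSSE}}}Username").text = user

    digest = body_digest(env)
    sig = ET.SubElement(security, "Signature")  # simplified, not ds:Signature
    ET.SubElement(sig, "DigestValue").text = digest
    # Sign user + digest so the token and the Body cannot be recombined.
    ET.SubElement(sig, "SignatureValue").text = hmac.new(
        key, f"{user}:{digest}".encode(), hashlib.sha256).hexdigest()
    return env


def verify_envelope(envelope, key=SHARED_KEY):
    """Return (True, asserted sender) or (False, reason)."""
    security = envelope.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security")
    if security is None:
        return False, "no Security header"
    user = security.findtext(f"{{{WSSE}}}UsernameToken/{{{WSSE}}}Username")
    stated = security.findtext("Signature/DigestValue")
    sigval = security.findtext("Signature/SignatureValue")
    if not (user and stated and sigval):
        return False, "incomplete Security element"
    if stated != body_digest(envelope):
        return False, "body digest mismatch"  # Body altered after signing
    expected = hmac.new(key, f"{user}:{stated}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sigval):
        return False, "bad signature"
    return True, user
```

Because the digest and signature live in the message rather than in the transport session, an intermediary that terminates HTTPS and re-encrypts to the next hop neither gains the ability to alter the Body unnoticed nor needs to be trusted for the sender's identity claim.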


Security Drill Down

[Diagram: request path Reverse Proxy → XML FW/GW ESB → ESB → Apps. Each ESB stage and the Apps carry an SES (incl Trust Client) that calls the Security Decision Services (Trust Services): Security Policy, Security Token Service, Key Store and Management, Authorization.]

Edge Security (Transport Layer)
- Transport Layer Security
- SSL/TLS Termination

1st Layer Message Security
- Signature Validation / Origin Authentication
- Message Level Decryption

2nd Layer Message Security
- Requestor Identification & Authentication & Mapping
- Element Level Decryption

Application Security
- Authorization with ESB asserted identifier

Nth Layer Message Security
- Requestor Identification & Authentication & Mapping
- Message Level Encryption


Moving to SOA – Accommodate Web Services

[Diagram: the pre-SOA picture with a SOAP Gateway added beside the HTTP Reverse Proxy Server. Each component (SOAP Gateway, Reverse Proxy Server, Portal Server, Application Server with J2EE Container and J2EE Apps, Business Processes, Web Servers, .Net / 3rd Party Apps, HTTP and SOAP Proxy) now carries an SES that calls the Security Decision Services, including the MSFT Security Decision Services reached through an SDS Proxy. Back ends are Data Stores, CICS, IMS, ...; every SES reports to the Audit Infrastructure.]



Moving to SOA, Adding the ESB… (Mandatory Scary Picture)

[Diagram: the previous picture with an Enterprise Service Bus (ESB) in the middle. The SOAP Gateway, Reverse Proxy Server, Portal Server, Application Server (J2EE Container, J2EE Apps), Business Processes, Web Servers and .Net / 3rd Party Apps all connect through the ESB; SES instances sit on the ESB and at each component and call the Security Decision Services, including the MSFT Security Decision Services reached through an SDS Proxy. Back ends remain Data Stores, CICS, IMS, ...; the Audit Infrastructure collects from every SES.]


Further Reading

On Demand Operating Environment: Security Considerations in an

Extended Enterprise

http://publib-b.boulder.ibm.com/abstracts/redp3928.html?Open 

Web Services Security Standards, Tutorials, Papers

http://www.ibm.com/developerworks/views/webservices/standards.jsp 

http://www.ibm.com/developerworks/views/webservices/tutorials.jsp

http://webservices.xml.com/ 

Websphere Security Fundamentals / WAS 6.0 Security Handbook

http://www.redbooks.ibm.com/redpieces/abstracts/redp3944.html?Open 

http://www.redbooks.ibm.com/redpieces/abstracts/sg246316.html?Open 

IBM Tivoli Product Home Page

http://www.ibm.com/software/tivoli/solutions/security/


Summary

End-to-end Security Integration is complex
- Web Services and SOA security are emerging areas
- Moving from session level security to message level security

Identity Management incorporates several security services, but other security services need to be integrated as well
- Audit and Event Management, Compliance and Assurance
- Etc.

Security technology is part – process, policy, people are the others, and often harder to change

Only Constant is Change, but evolve around the fundamentals
- Establish separation of application and security management
- Use of open standards will help with integration of past and future technologies


Questions?


Security 101 Definitions

Authentication - Identify who you are
- Userid/password, PKI certificates, Kerberos, Tokens, Biometrics

Authorization – What you can access
- Access Enforcement Function / Access Decision Function
- Roles, Groups, Entitlements

Administration – Applying security policy to resource protection
- Directories, administration interfaces, delegation, self-service

Audit – Logging security success / failures
- Basis of monitoring, accountability/non-repudiation, investigation, forensics

Assurance – Security integrity and compliance to policy
- Monitoring (Intrusion Detection, AntiVirus, Compliance), Vulnerability Testing

Asset Protection
- Data Confidentiality, Integrity, Data Privacy

Availability
- Backup/recovery, disaster recovery, high availability/redundancy


Agenda
- Enterprise Security Architecture – MASS Intro
- Identity, Access, and Federated Identity Management
- SOA Security


MASS – Processes for a Security Management Architecture


Access Control Subsystem

Purpose: Enforce security policies by gating access to, and execution of, processes and services within a computing solution via identification, authentication, and authorization processes, along with security mechanisms that use credentials and attributes.

Functions:
- Access control monitoring and enforcement: Policy Enforcement Point / Policy Decision Point / Policy Administration Point
- Identification and authentication mechanisms, including verification of secrets, cryptography (encryption and signing), and single-use versus multiple-use authentication mechanisms
- Authorization mechanisms, to include attributes, privileges, and permissions
- Enforcement mechanisms, including failure handling, bypass prevention, banners, timing and timeout, event capture, and decision and logging components

Sample Technologies:
RACF, platform/application security, web access control
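The Policy Enforcement Point / Policy Decision Point / Policy Administration Point split named here, which is the same AEF/ADF separation drawn on the earlier "Pre SOA Security: Enforcement & Decision Points" slide, as an added example; this is not code from the deck or from any IBM product. The PAP is the only place policy is written, the PDP decides and knows nothing about enforcement, and the PEP is the only path to the protected operation, fails closed when the PDP is unreachable, and records every decision for the audit infrastructure. The role names, resource paths and requests are constructed sample data.

```python
"""PEP / PDP / PAP separation with default deny, fail-closed handling and
event capture (illustrative code; policy and requests are constructed)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    subject: str
    roles: frozenset
    resource: str
    action: str


class PolicyAdministrationPoint:
    """Owns the policy: which role may perform which action on which resources."""

    def __init__(self):
        self._rules = []  # (role, resource_prefix, action)

    def permit(self, role, resource_prefix, action):
        self._rules.append((role, resource_prefix, action))

    def rules(self):
        return tuple(self._rules)


class PolicyDecisionPoint:
    """Produces a decision from the PAP's rules; enforcement is not its job."""

    def __init__(self, pap):
        self.pap = pap

    def decide(self, req):
        for role, prefix, action in self.pap.rules():
            if (role in req.roles and req.resource.startswith(prefix)
                    and action == req.action):
                return "Permit"
        return "Deny"  # default deny: no matching rule means no access


class PolicyEnforcementPoint:
    """Gates the protected operation. Bypass prevention: callers reach the
    operation only through `call`, never directly."""

    def __init__(self, pdp, audit_log):
        self.pdp = pdp
        self.audit_log = audit_log  # shared with the audit infrastructure

    def call(self, req, operation):
        try:
            decision = self.pdp.decide(req)
        except Exception as exc:  # failure handling: a broken PDP never means allow
            decision = f"Deny (PDP error: {exc})"
        # Event capture: every decision, permitted or not, is logged.
        self.audit_log.append((req.subject, req.action, req.resource, decision))
        if decision != "Permit":
            return None
        return operation()


def demo():
    """Run a constructed policy through the three points; returns the audit trail."""
    pap = PolicyAdministrationPoint()
    pap.permit("clerk", "/orders/", "read")
    pap.permit("manager", "/orders/", "approve")
    audit = []
    pep = PolicyEnforcementPoint(PolicyDecisionPoint(pap), audit)
    clerk = Request("alice", frozenset({"clerk"}), "/orders/42", "read")
    pep.call(clerk, lambda: "order 42")
    clerk_approve = Request("alice", frozenset({"clerk"}), "/orders/42", "approve")
    pep.call(clerk_approve, lambda: "approved")
    return audit
```

Keeping the rules in the PAP means a policy change touches one component, not every application; keeping the PDP stateless with respect to enforcement means the same decision logic can serve a reverse proxy, a portal and a J2EE container, which is the point of the shared Security Decision Services on the earlier slide.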


Identity and Credential Subsystem

Purpose:
Generate, distribute, and manage the data objects that convey identity and permissions across networks and among the platforms, the processes, and the security subsystems within a computing solution.

Functions:
- Single-use versus multiple-use mechanisms, either cryptographic or non-cryptographic
- Generation and verification of secrets
- Identities and credentials to be used in access control: identification, authentication, and access control for the purpose of user-subject binding
- Credentials to be used for purposes of identity in legally binding transactions
- Timing and duration of identification and authentication
- Lifecycle of credentials
- Anonymity and pseudonymity mechanisms

Sample Technologies:
Tokens (PKI, Kerberos, SAML), User registries (LDAP, AD, RACF, …), Administration consoles, Session management


Information Flow Control Subsystem

Purpose: Enforce security policies by gating the flow of information within a computing solution, affecting the visibility of information within a computing solution, and ensuring the integrity of information flowing within a computing solution.

Functions:
- Flow permission or prevention
- Flow monitoring and enforcement
- Transfer services and environments: open or trusted channel, open or trusted path, media conversions, manual transfer, and import to or export between domains
- Encryption
- Storage mechanisms: cryptography and hardware security modules

Sample Technologies:
Firewalls, VPNs, SSL


Security Audit Subsystem

Purpose:
Provide proof of compliance to the security policy.

Functions:
- Collection of security audit data, including capture of the appropriate data, trusted transfer of audit data, and synchronization of chronologies
- Protection of security audit data, including use of time stamps, signing events, and storage integrity to prevent loss of data
- Analysis of security audit data, including review, anomaly detection, violation analysis, and attack analysis using simple heuristics or complex heuristics
- Alarms for loss thresholds, warning conditions, and critical events

Sample Technologies:
syslog, application/platform access logs
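The "protection" and "analysis" functions above as an added example, not code from the deck or from any IBM product: each audit record carries a time stamp, is chained to the previous record by hash and is signed, so an altered, removed or reordered record is detected on verification (storage integrity and loss detection), and a simple heuristic raises an alarm when a subject's failed logins cross a threshold inside a time window. The signing key, the event shapes and the sample events are constructed.

```python
"""Tamper-evident audit trail plus a simple-heuristic alarm (illustrative).

Records are hash-chained and HMAC-signed under a constructed key; in a real
deployment the key would live with the audit infrastructure, not the producer."""
import hashlib
import hmac
import json

AUDIT_KEY = b"constructed-audit-signing-key"
CHAIN_ANCHOR = "0" * 64


class AuditLog:
    def __init__(self, key=AUDIT_KEY):
        self.key = key
        self.records = []
        self._prev = CHAIN_ANCHOR

    def record(self, timestamp, event):
        """Append an event. The signature covers the previous record's hash,
        so dropping or reordering records breaks the chain."""
        body = {"ts": timestamp, "prev": self._prev, **event}
        payload = json.dumps(body, sort_keys=True).encode()
        sig = hmac.new(self.key, payload, hashlib.sha256).hexdigest()
        self.records.append({**body, "sig": sig})
        self._prev = hashlib.sha256(payload).hexdigest()

    def verify(self):
        """Return (True, None) if the stored trail is intact, else (False, index
        of the first record whose chain link or signature does not check)."""
        prev = CHAIN_ANCHOR
        for i, rec in enumerate(self.records):
            body = {k: v for k, v in rec.items() if k != "sig"}
            payload = json.dumps(body, sort_keys=True).encode()
            if body["prev"] != prev:
                return False, i  # a record before this one was lost or moved
            expected = hmac.new(self.key, payload, hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected, rec["sig"]):
                return False, i  # this record was altered
            prev = hashlib.sha256(payload).hexdigest()
        return True, None


def failed_login_alarms(records, threshold, window):
    """Simple heuristic: alarm on every subject with at least `threshold`
    failed logins within any `window` seconds. Returns sorted subject names."""
    by_subject = {}
    for rec in records:
        if rec.get("type") == "login" and rec.get("outcome") == "failure":
            by_subject.setdefault(rec["subject"], []).append(rec["ts"])
    alarms = []
    for subject, times in by_subject.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                alarms.append(subject)
                break
    return sorted(alarms)
```

Verification reads only the stored records and the key, so it can run on the collector side after trusted transfer; the chain anchor and the `prev` field are what turn "storage integrity" from a file permission into something the auditor can prove.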


Solution Integrity Subsystem

Purpose:
Address the requirement for reliable and correct operation of a computing solution in support of meeting the legal and technical standard for its processes.

Functions:
- Physical protection for data objects, such as cryptographic keys, and physical components, such as cabling, hardware, and so on
- Continued operations including fault tolerance, failure recovery, and self-testing
- Storage mechanisms: cryptography and hardware security modules
- Accurate time source for time measurement and time stamps
- Alarms and actions when physical or passive attack is detected

Sample Technologies:
Systems Management solutions - performance, availability, disaster recovery, storage management

Operational Security tools: Host and Network Intrusion Detection Sensors (Snort), Event Correlation tools, Host security monitoring/enforcement tools (Tripwire, TAMOS), Host/Network Vulnerability Monitors/Scanners (Nessus), Anti-Virus software


On Demand Security Architecture (Logical)

[Diagram, layers from top to bottom:]

On Demand Solutions

On Demand Security Infrastructure
- Policy Management (authorization, privacy, federation, etc.): Security Policy Expression, Privacy Policy, Virtual Org Policies, Mapping Rules, Service/End-point Policy
- Identity Management: Identity, Federation, Credential Exchange, Trust Model
- Key Management
- Authorization
- Audit & Non-Repudiation, Assurance, Secure Logging
- Intrusion Defense, Anti-Virus Management
- Bindings Security and Secure Conversation (transport, protocol, message security)

On Demand Infrastructure – Services and Components
- Network Security Solutions (VPNs, firewalls, intrusion detection systems)
- OS, application, network component logging and security events logging; event management; archiving; business continuity
- Secure Networks and Operating Systems