soa security2
7/26/2019 Soa Security2
http://slidepdf.com/reader/full/soa-security2 1/31
Integrated Security Architecture
James Andoniadis, IBM Canada
IBM Software Group, © 2004 IBM Corporation
IBM Software Group | Tivoli software
CEO View: Increased Collaboration Brings Rewards
Layers of security
Perimeter Defense - keep out the unwanted with
• Firewalls
• Anti-Virus
• Intrusion Detection, etc.
Control Layer
• Which users can come in?
• What can users see and do?
• Are user preferences supported?
• Can user privacy be protected?
Assurance Layer
• Can I comply with regulations?
• Can I deliver audit reports?
• Am I at risk?
• Can I respond to security events?
Pre SOA Security: Enforcement & Decision Points
[Diagram: an Access Enforcement Functionality (AEF) sits at each tier: the reverse proxy server, the web servers, the portal server, the application server (J2EE container and J2EE apps, .Net / 3rd party apps), the business processes, and the data stores and back ends (CICS, IMS, ...). Every AEF calls the Access Decision Functionality (ADF), the security decision services; an ADF proxy fronts the other security decision services; an audit infrastructure spans all tiers. Browser traffic enters over HTTP.]
Directory Management View
[Diagram: customers reach the external ePortal, the transactional and informational web presentation and the transactional web integration through a network dispatcher, web access control and web single sign on, backed by a certificate status responder, a certificate authority and an external directory; external and internal SMTP gateways carry messaging. Employees reach the internal ePortal and LDAP-enabled apps, LOB applications, databases, CRM/ERP (PeopleSoft), the application directory and the network operating systems through network access control, network authentication & authorization, single sign on and application access control. Identity management and delegated user management maintain the internal directory, the application directory and a meta-directory / LDAP directory proxy.]
Identity and Access Management Portfolio
[Diagram: identity stores (Apps/Email, UNIX/Linux, NOS, Databases & Applications, MF/Midrange, HR, CRM, Partners) are connected to the portfolio components below; a Portal provides presentation and personalization on top, with Security Mgmt Objects between them.]
ITIM: Provisioning
• Policies
• Workflow
• Password self-service
• Audit trails
ITAM: Web Access Management - SSO, Authentication, Authorization
TAM for ESSO
ITFIM: Federated Identity, Web Services Security
ITDI: Directory Integration
ITDS: Directory Server
Enterprise Directory
• Personal Info
• Credentials
• Entitlements
Operational Deployment Pattern - Security Zones
[Diagram, left to right: Internet (Uncontrolled), Internet DMZ (Controlled), Intranet (Controlled), Server Production Zone (restricted), with a Management (secured) zone alongside. A protocol firewall separates the Internet from the DMZ; a domain firewall separates the DMZ from the Enterprise.]
Actors: Customers, Employees and Business Partners with a web browser over HTTP/S; Employees and Contractors with a web browser on the intranet side
Components placed across the zones: Load Balancer / Network Dispatcher, Reverse Proxy (WebSEAL) on both the Internet and intranet paths, WebSphere Portal (WPS), Collaboration Services (Lotus), Content Management, External Web Applications, Access Policy Server (ITAM), Federated Identity Mgmt (ITFIM), Directory Server (ITDS), Identity Management / MetaDirectory / Directory Sync
Internal Directories: MS AD, Enterprise LDAP, BP DB Table
Operational Security Tools:
- Host IDS, Network IDS
- AntiVirus
- Tripwire
- Auditing scanners, weak password crackers
- Vulnerability scanners (host, network, web)
- Intrusion prevention
- Audit/logging, event correlation
- ...
Governments as Identity Providers
"TRUST provides ACCESS"
The United States is an "Identity Provider" because it issues a Passport as proof of identification: the USA vouches for its citizens.
[Diagram: Germany, the USA and China each act as Identity Provider for their own users.]
Roles: Identity Provider and Service Provider
Identity Provider - the "Vouching" party in the transaction
1. Issues Network / Login credentials
2. Handles User Administration / ID Mgmt
3. Authenticates User
4. "Vouches" for the user's identity
Service Provider - the "Validation" party in the transaction
• Controls access to services
• Third-party user has access to services for the duration of the federation
• Only manages user attributes relevant to the SP
Identity Provider and Service Provider are bound by mutual TRUST
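The two roles above as a worked exchange. This is an added example, not code from the slides or from any IBM product: the assertion is JSON signed with HMAC-SHA256, an assumed stand-in for the XML-signed SAML assertion a real IdP would issue, and the entity IDs, user record and shared key are constructed for the demo. It shows the IdP authenticating, releasing only the attributes the SP asked for and vouching for the user; the SP checking issuer trust, signature, audience and lifetime before granting a session that lasts as long as the assertion.

```python
# Added example, not from the slides: the Identity Provider / Service
# Provider roles as two small classes exchanging an assertion.  The
# assertion is JSON signed with HMAC-SHA256, an assumed stand-in for the
# XML-signed SAML assertion a real IdP issues; entity IDs, the user
# record and the shared key are constructed for the demo.
import base64, hashlib, hmac, json, time


def sign(key: bytes, data: bytes) -> str:
    return base64.urlsafe_b64encode(hmac.new(key, data, hashlib.sha256).digest()).decode()


class IdentityProvider:
    """Holds the credentials, authenticates, and vouches for the user to one SP."""

    def __init__(self, entity_id: str, users: dict, key: bytes):
        self.entity_id, self.users, self.key = entity_id, users, key

    def issue(self, user, password, audience, requested_attrs, now=None, ttl=300):
        now = now or time.time()
        record = self.users.get(user)
        if record is None or record["password"] != password:   # demo only: plaintext store
            raise PermissionError("authentication failed")
        # Release only the attributes the federation agreement with this SP names
        released = {a: record[a] for a in requested_attrs if a in record and a != "password"}
        claims = {"iss": self.entity_id, "sub": user, "aud": audience,
                  "iat": int(now), "exp": int(now) + ttl, "attrs": released}
        payload = json.dumps(claims, sort_keys=True).encode()
        return payload + b"." + sign(self.key, payload).encode()


class ServiceProvider:
    """Validates the assertion and grants access for its lifetime."""

    def __init__(self, entity_id: str, trusted_idps: dict):
        self.entity_id, self.trusted = entity_id, trusted_idps   # issuer -> verification key

    def validate(self, assertion: bytes, now=None) -> dict:
        now = now or time.time()
        payload, _, sig = assertion.rpartition(b".")
        claims = json.loads(payload)
        key = self.trusted.get(claims.get("iss"))
        if key is None:
            raise PermissionError("untrusted issuer")
        if not hmac.compare_digest(sign(key, payload), sig.decode()):
            raise PermissionError("bad signature")
        if claims.get("aud") != self.entity_id:       # issued for some other SP
            raise PermissionError("assertion not addressed to this SP")
        if not claims["iat"] <= now < claims["exp"]:
            raise PermissionError("assertion expired")
        return {"user": claims["sub"], "attrs": claims["attrs"], "until": claims["exp"]}


def demo() -> dict:
    """Constructed sample: one IdP, two SPs, one assertion presented three ways."""
    idp_key = b"idp-signing-key"   # assumption: exchanged out of band when the federation is set up
    idp = IdentityProvider("https://idp.example/", {
        "alice": {"password": "pw", "email": "alice@example", "dept": "finance", "ssn": "xxx"}}, idp_key)
    payroll = ServiceProvider("https://payroll.example/", {"https://idp.example/": idp_key})
    travel = ServiceProvider("https://travel.example/", {"https://idp.example/": idp_key})
    t0 = 1_700_000_000
    assertion = idp.issue("alice", "pw", "https://payroll.example/", ["email", "dept"], now=t0)
    out = {"session": payroll.validate(assertion, now=t0 + 10)}
    for name, sp, when in (("other_sp", travel, t0 + 10), ("expired", payroll, t0 + 600)):
        try:
            sp.validate(assertion, now=when)
            out[name] = "accepted"
        except PermissionError as exc:
            out[name] = str(exc)
    return out
```

The audience check is the one most often skipped: without it an assertion issued for one service provider can be replayed at another that trusts the same IdP. The `ssn` attribute never leaves the IdP because the payroll SP did not ask for it, which is the "only manages user attributes relevant to SP" point.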
Federated Identity Standards
Agenda
Enterprise Security Architecture – MASS Intro
Identity, Access, and Federated Identity Management
SOA Security
SOA Security Encompasses all Aspects of Security
[Diagram: two views of the SOA layer stack, each with a Service Consumer side and a Service Provider side numbered 1 to 5. Consumers: custom applications, packaged applications, Outlook, SAP, OO applications. Business processes: process choreography. Services (definitions): atomic and composite. Service components: custom apps, ISV apps, platform. Operational systems and supporting middleware: MQ, DB2, Unix, OS/390. Bindings: SCA, Portlet, WSRP, B2B, Other.]
SOA Security cuts across every layer:
• Identity
• Authentication
• Authorization
• Confidentiality, Integrity
• Availability
• Auditing & Compliance
• Administration and Policy Management
Message-based Security: End-to-End Security
Message-based security does not rely on a secure transport:
• the message itself is encrypted - message privacy
• the message itself is signed - message integrity
• the message contains the user identity - proof of origin
[Diagram: a SOAP message crosses two HTTPS hops. Each HTTPS connection gives connection integrity/privacy for its own hop only; the protection carried inside the message covers the whole path, including any intermediary that terminates HTTPS and re-sends the message.]
Web Service Security Specifications Roadmap
[Diagram, top to bottom:]
• SecurityPolicy, SecureConversation, Trust, Federation, Privacy, Authorization (the WS-* security specifications)
• WSS – SOAP Security
• SOAP Messaging
SOAP Message Security: Extensions to Header
SOAP Header allows for extensions
OASIS standard "WS-Security: SOAP Message Security"
• defines XML for Tokens, Signatures and Encryption
• defines how these elements are included in the SOAP Header
[Diagram: an Envelope containing a Header and a Body. The Header carries one or more Security elements, each holding a Security Token, a Signature and Encrypted Data; the Body carries the application data.]
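The header layout above, and the end-to-end property of the previous slide, as one worked example. This is added code, not from the slides or from any IBM product: it builds a SOAP envelope whose wsse:Security header carries a UsernameToken with the PasswordDigest the OASIS UsernameToken Profile 1.0 defines (Base64(SHA-1(nonce + created + password))), plus an integrity value over the canonicalised Body. That integrity value is an HMAC-SHA256 with a pre-shared key, an assumed stand-in for an XML Signature so the example runs on the Python standard library alone; the wsse:BodyHMAC element name and the sample users are inventions for the demo. The receiver then shows what the transport cannot: a Body rewritten by an intermediary that terminates HTTPS is rejected, and a replayed message is rejected by the nonce cache.

```python
# Added example, not from the slides: a SOAP envelope whose wsse:Security
# header carries a UsernameToken (PasswordDigest exactly as the OASIS
# UsernameToken Profile 1.0 defines it) and a check value over the Body.
# The HMAC-SHA256 over the canonicalised Body is an assumed stand-in for
# an XML Signature (ds:Signature) so the example runs on the standard
# library alone; the wsse:BodyHMAC element name is invented for that.
import base64, calendar, hashlib, hmac, secrets, time
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
NS = {"soap": SOAP, "wsse": WSSE, "wsu": WSU}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """UsernameToken Profile: Base64(SHA-1(nonce + created + password))."""
    raw = nonce + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()


def body_mac(env: ET.Element, key: bytes) -> str:
    """MAC over the canonicalised soap:Body, so whitespace or prefix
    differences between sender and receiver serialisation do not matter."""
    body = env.find("soap:Body", NS)
    canon = ET.canonicalize(ET.tostring(body, encoding="unicode"))
    return hmac.new(key, canon.encode(), hashlib.sha256).hexdigest()


def build_envelope(user: str, password: str, key: bytes, body_xml: str,
                   now: float = None) -> bytes:
    """Requester side: wrap the application data, add the security header."""
    created = time.strftime(TIME_FMT, time.gmtime(now or time.time()))
    nonce = secrets.token_bytes(16)
    env = ET.Element(f"{{{SOAP}}}Envelope")
    hdr = ET.SubElement(env, f"{{{SOAP}}}Header")
    sec = ET.SubElement(hdr, f"{{{WSSE}}}Security")
    tok = ET.SubElement(sec, f"{{{WSSE}}}UsernameToken")
    ET.SubElement(tok, f"{{{WSSE}}}Username").text = user
    pw = ET.SubElement(tok, f"{{{WSSE}}}Password", Type=DIGEST_TYPE)
    pw.text = password_digest(nonce, created, password)   # never the password itself
    ET.SubElement(tok, f"{{{WSSE}}}Nonce").text = base64.b64encode(nonce).decode()
    ET.SubElement(tok, f"{{{WSU}}}Created").text = created
    ET.SubElement(env, f"{{{SOAP}}}Body").append(ET.fromstring(body_xml))
    ET.SubElement(sec, f"{{{WSSE}}}BodyHMAC").text = body_mac(env, key)  # stand-in for ds:Signature
    return ET.tostring(env)


class Receiver:
    """Service side: Body integrity, freshness, replay, credential digest."""

    def __init__(self, passwords: dict, key: bytes, max_skew: int = 300):
        self.passwords, self.key, self.max_skew = passwords, key, max_skew
        self.seen_nonces = set()    # replay cache; bound it by max_skew in production

    def verify(self, envelope: bytes, now: float = None) -> str:
        now = now or time.time()
        env = ET.fromstring(envelope)
        sec = env.find("soap:Header/wsse:Security", NS)
        tok = sec.find("wsse:UsernameToken", NS)
        user = tok.findtext("wsse:Username", namespaces=NS)
        created = tok.findtext("wsu:Created", namespaces=NS)
        nonce = base64.b64decode(tok.findtext("wsse:Nonce", namespaces=NS))
        if user not in self.passwords:
            raise ValueError("unknown user")
        # Body integrity first: a modified message must not consume the nonce
        mac = sec.findtext("wsse:BodyHMAC", namespaces=NS) or ""
        if not hmac.compare_digest(mac, body_mac(env, self.key)):
            raise ValueError("body signature mismatch")
        if abs(now - calendar.timegm(time.strptime(created, TIME_FMT))) > self.max_skew:
            raise ValueError("token outside freshness window")
        if nonce in self.seen_nonces:
            raise ValueError("replayed nonce")
        expected = password_digest(nonce, created, self.passwords[user])
        if not hmac.compare_digest(expected, tok.findtext("wsse:Password", namespaces=NS)):
            raise ValueError("bad password digest")
        self.seen_nonces.add(nonce)
        return user


def demo() -> dict:
    """Constructed sample: one request altered by an intermediary, the
    original, and the original replayed; returns the receiver's verdicts."""
    key = b"pre-shared-mac-key"   # assumption for the demo: real systems use X.509 keys
    svc = Receiver({"alice": "s3cret"}, key)
    env = build_envelope("alice", "s3cret", key,
                         "<Transfer><To>ACME</To><Amount>100</Amount></Transfer>")
    # An intermediary that terminates HTTPS can rewrite the Body; TLS on the
    # next hop would not reveal it, the message-level check does.
    tampered = env.replace(b"<Amount>100</Amount>", b"<Amount>9999</Amount>")
    verdicts = {}
    for name, msg in (("tampered", tampered), ("original", env), ("replay", env)):
        try:
            verdicts[name] = "accepted as " + svc.verify(msg)
        except ValueError as exc:
            verdicts[name] = "rejected: " + str(exc)
    return verdicts
```

Two design points carry over to real WS-Security deployments: the integrity check is done before the nonce is recorded, so a tampered copy cannot burn the legitimate message's nonce, and the value that is signed is the canonical form of the Body, because the bytes an intermediary re-serialises are rarely identical to the bytes the sender produced.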
Security Drill Down
[Diagram: a request passes from Edge Security (Transport Layer) through the Reverse Proxy and an XML FW/GW or ESB to further ESBs and the Apps; each has an SES (incl Trust Client) that calls the Security Decision Services (Trust Services): Security Policy, Security Token Service, Key Store / Management, Authorization.]
Transport Layer Security: SSL/TLS termination
1st Layer Message Security: signature validation / origin authentication; message level decryption
2nd Layer Message Security: requestor identification & authentication & mapping; element level decryption
Application Security: authorization with the ESB-asserted identifier
Nth Layer Message Security: requestor identification & authentication & mapping; message level encryption
Moving to SOA – Accommodate Web Services
[Diagram: the pre-SOA picture with a SOAP Gateway added in front of the reverse proxy server. Each AEF is now an SES: at the gateway, the reverse proxy, the web servers, the portal server, the application server (J2EE container and J2EE apps, .Net / 3rd party apps), the business processes, the data stores and the CICS/IMS back ends. The SESs call the Security Decision Services; an SDS Proxy fronts the MSFT Security Decision Services; the audit infrastructure spans all tiers. Traffic enters as HTTP or SOAP.]
Moving to SOA, Adding the ESB… (Mandatory Scary Picture)
[Diagram: the same picture with an Enterprise Service Bus (ESB) threaded between the SOAP gateway, the reverse proxy server, the web servers, the portal server, the application server (J2EE container and apps), the .Net / 3rd party apps, the business processes, CICS/IMS and the data stores; an SES at each attachment point, the Security Decision Services, the SDS Proxy in front of the MSFT Security Decision Services, and the audit infrastructure.]
Further Reading
On Demand Operating Environment: Security Considerations in an
Extended Enterprise
http://publib-b.boulder.ibm.com/abstracts/redp3928.html?Open
Web Services Security Standards, Tutorials, Papers
http://www.ibm.com/developerworks/views/webservices/standards.jsp
http://www.ibm.com/developerworks/views/webservices/tutorials.jsp
http://webservices.xml.com/
Websphere Security Fundamentals / WAS 6.0 Security Handbook
http://www.redbooks.ibm.com/redpieces/abstracts/redp3944.html?Open
http://www.redbooks.ibm.com/redpieces/abstracts/sg246316.html?Open
IBM Tivoli Product Home Page
http://www.ibm.com/software/tivoli/solutions/security/
Summary
• End-to-end Security Integration is complex; Web Services and SOA security are emerging areas
• Moving from session level security to message level security
• Identity Management incorporates several security services, but other security services need to be integrated as well: Audit and Event Management, Compliance and Assurance, etc.
• Security technology is part – process, policy, people are the others, and often harder to change
• The only constant is change, but evolve around the fundamentals
• Establish separation of application and security management
• Use of open standards will help with integration of past and future technologies
Questions?
Security 101 Definitions
Authentication - Identify who you are: Userid/password, PKI certificates, Kerberos, Tokens, Biometrics
Authorization – What you can access: Access Enforcement Function / Access Decision Function; Roles, Groups, Entitlements
Administration – Applying security policy to resource protection: Directories, administration interfaces, delegation, self-service
Audit – Logging security successes / failures: the basis of monitoring, accountability/non-repudiation, investigation, forensics
Assurance – Security integrity and compliance to policy: Monitoring (Intrusion Detection, AntiVirus, Compliance), Vulnerability Testing
Asset Protection – Data Confidentiality, Integrity, Data Privacy
Availability – Backup/recovery, disaster recovery, high availability/redundancy
Agenda
Enterprise Security Architecture – MASS Intro
Identity, Access, and Federated Identity Management
SOA Security
MASS – Processes for a Security Management Architecture
Access Control Subsystem
Purpose: Enforce security policies by gating access to, and execution of, processes and services within a computing solution via identification, authentication, and authorization processes, along with security mechanisms that use credentials and attributes.
Functions:
• Access control monitoring and enforcement: Policy Enforcement Point / Policy Decision Point / Policy Administration Point
• Identification and authentication mechanisms, including verification of secrets, cryptography (encryption and signing), and single-use versus multiple-use authentication mechanisms
• Authorization mechanisms, to include attributes, privileges, and permissions
• Enforcement mechanisms, including failure handling, bypass prevention, banners, timing and timeout, event capture, and decision and logging components
Sample Technologies: RACF, platform/application security, web access control
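The PEP / PDP / PAP split and the enforcement functions listed above, as an added example that is not from the slides or from any of the products named: rules live in the administration point, the decision point answers Permit or Deny and never touches the resource, and the enforcement point is the only route to the protected operation, records every decision, and denies when the decision service fails or is too slow. The rule format, class names, the bank-teller policy and the sample subjects are assumptions for illustration.

```python
# Added example, not from the slides: the PEP / PDP / PAP split in the
# smallest form that still shows the enforcement properties listed above
# (default deny, failure handling, timeout, event capture, no bypass).
# The rule format, class names and sample subjects are assumptions.
import time


class PolicyAdministrationPoint:
    """Where policy is authored: (resource prefix, action, required role, required attribute)."""

    def __init__(self):
        self.rules = []

    def add_rule(self, resource_prefix, action, role=None, attr=None):
        self.rules.append((resource_prefix, action, role, attr))


class PolicyDecisionPoint:
    """Answers Permit/Deny from the PAP's rules; it never touches the resource."""

    def __init__(self, pap):
        self.pap = pap

    def decide(self, subject, resource, action):
        for prefix, act, role, attr in self.pap.rules:
            if not resource.startswith(prefix) or act != action:
                continue
            if role and role not in subject.get("roles", ()):
                continue
            if attr and subject.get(attr[0]) != attr[1]:
                continue
            return "Permit"
        return "Deny"              # no matching rule: default deny


class PolicyEnforcementPoint:
    """The only path to the resource: asks the PDP, audits, fails closed."""

    def __init__(self, pdp, audit, timeout=0.05):
        self.pdp, self.audit, self.timeout = pdp, audit, timeout

    def enforce(self, subject, resource, action, operation):
        started = time.monotonic()
        try:
            decision, reason = self.pdp.decide(subject, resource, action), "policy"
            if time.monotonic() - started > self.timeout:
                decision, reason = "Deny", "decision timeout"
        except Exception as exc:   # PDP unreachable or broken: fail closed, never open
            decision, reason = "Deny", f"pdp error: {exc}"
        self.audit.append({"ts": time.time(), "subject": subject["id"], "resource": resource,
                           "action": action, "decision": decision, "reason": reason})
        if decision != "Permit":
            raise PermissionError(f"{action} {resource}: {decision} ({reason})")
        return operation()         # the protected operation runs only on Permit


class BrokenPDP:
    """Simulates an unreachable decision service."""

    def decide(self, *_):
        raise ConnectionError("decision service down")


def demo():
    """Constructed sample: a bank-teller policy exercised by three subjects
    plus one request made while the PDP is down."""
    pap = PolicyAdministrationPoint()
    pap.add_rule("/accounts/", "read", role="teller")
    pap.add_rule("/accounts/", "transfer", role="teller", attr=("mfa", True))
    audit = []
    pep = PolicyEnforcementPoint(PolicyDecisionPoint(pap), audit)
    teller = {"id": "t1", "roles": ["teller"], "mfa": True}
    no_mfa = {"id": "t2", "roles": ["teller"], "mfa": False}
    customer = {"id": "c9", "roles": ["customer"]}
    read_balance = lambda: 1250    # stands in for the protected operation
    cases = (("teller_read", pep, teller, "read"),
             ("teller_transfer", pep, teller, "transfer"),
             ("no_mfa_transfer", pep, no_mfa, "transfer"),
             ("customer_read", pep, customer, "read"),
             ("pdp_down", PolicyEnforcementPoint(BrokenPDP(), audit), teller, "read"))
    outcomes = {}
    for name, point, subject, action in cases:
        try:
            outcomes[name] = point.enforce(subject, "/accounts/42", action, read_balance)
        except PermissionError:
            outcomes[name] = "denied"
    return outcomes, audit
```

The audit list is the "event capture" component: it records denials caused by the decision service being down separately from denials by policy, which is what an operator needs to tell an outage from an attack.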
Identity and Credential Subsystem
Purpose: Generate, distribute, and manage the data objects that convey identity and permissions across networks and among the platforms, the processes, and the security subsystems within a computing solution.
Functions:
• Single-use versus multiple-use mechanisms, either cryptographic or non-cryptographic
• Generation and verification of secrets
• Identities and credentials to be used in access control: identification, authentication, and access control for the purpose of user-subject binding
• Credentials to be used for purposes of identity in legally binding transactions
• Timing and duration of identification and authentication
• Lifecycle of credentials
• Anonymity and pseudonymity mechanisms
Sample Technologies: Tokens (PKI, Kerberos, SAML), User registries (LDAP, AD, RACF, ...), Administration consoles, Session management
Information Flow Control Subsystem
Purpose: Enforce security policies by gating the flow of information within a computing solution, affecting the visibility of information within a computing solution, and ensuring the integrity of information flowing within a computing solution.
Functions:
• Flow permission or prevention
• Flow monitoring and enforcement
• Transfer services and environments: open or trusted channel, open or trusted path, media conversions, manual transfer, and import to or export between domains
• Encryption
• Storage mechanisms: cryptography and hardware security modules
Sample Technologies: Firewalls, VPNs, SSL
Security Audit Subsystem
Purpose: Provide proof of compliance to the security policy.
Functions:
• Collection of security audit data, including capture of the appropriate data, trusted transfer of audit data, and synchronization of chronologies
• Protection of security audit data, including use of time stamps, signing events, and storage integrity to prevent loss of data
• Analysis of security audit data, including review, anomaly detection, violation analysis, and attack analysis using simple heuristics or complex heuristics
• Alarms for loss thresholds, warning conditions, and critical events
Sample Technologies: syslog, application/platform access logs
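The "protection of security audit data" function above (time stamps, signing events, storage integrity) as an added example, not from the slides or from syslog: each record carries its time stamp, the hash of the previous record and an HMAC, so a reviewer can tell an edited record, a deleted record and a truncated log apart. The record fields, the key handling and the sample events are assumptions; the checkpoint value passed to the verifier stands in for a head hash stored somewhere the log server cannot rewrite.

```python
# Added example, not from the slides: an append-only audit log where every
# record carries a time stamp, the hash of the previous record and an HMAC,
# so that edits, deletions and truncation are detectable on review.
# Record fields, key handling and the sample events are assumptions.
import copy, hashlib, hmac, json

GENESIS = "0" * 64    # chain anchor for the first record


class AuditLog:
    def __init__(self, key: bytes):
        self.key, self.records, self.head = key, [], GENESIS

    def append(self, ts: int, event: dict) -> dict:
        rec = {"seq": len(self.records), "ts": ts, "event": event, "prev": self.head}
        body = json.dumps(rec, sort_keys=True).encode()
        rec["mac"] = hmac.new(self.key, body, hashlib.sha256).hexdigest()  # "signing events"
        self.head = hashlib.sha256(body).hexdigest()
        self.records.append(rec)
        return rec


def verify(records, key: bytes, checkpoint: str = None):
    """Walk the chain; return (ok, description of the first problem found)."""
    prev, last_ts = GENESIS, 0
    for i, rec in enumerate(records):
        body = json.dumps({k: v for k, v in rec.items() if k != "mac"}, sort_keys=True).encode()
        if rec.get("seq") != i or rec.get("prev") != prev:
            return False, f"chain break at record {i}"
        want = hmac.new(key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(want, rec.get("mac", "")):
            return False, f"bad mac at record {i}"
        if rec["ts"] < last_ts:                      # synchronisation of chronologies
            return False, f"clock went backwards at record {i}"
        prev, last_ts = hashlib.sha256(body).hexdigest(), rec["ts"]
    # Without an external checkpoint, dropping the newest records is invisible
    if checkpoint is not None and prev != checkpoint:
        return False, "log truncated: head does not match checkpoint"
    return True, "ok"


def demo() -> dict:
    """Constructed sample: three access decisions, then four kinds of tampering."""
    key = b"audit-mac-key"          # assumption: held by the log server / an HSM, not by writers
    log = AuditLog(key)
    for ts, ev in ((1700000000, {"user": "c9", "res": "/accounts/42", "decision": "Deny"}),
                   (1700000005, {"user": "t1", "res": "/accounts/42", "decision": "Permit"}),
                   (1700000009, {"user": "t2", "res": "/accounts/42", "decision": "Deny"})):
        log.append(ts, ev)
    out = {"clean": verify(log.records, key, log.head)}
    edited = copy.deepcopy(log.records)
    edited[0]["event"]["decision"] = "Permit"        # rewrite a denial into a permit
    out["edited"] = verify(edited, key, log.head)
    out["deleted"] = verify(log.records[:1] + log.records[2:], key, log.head)
    out["truncated"] = verify(log.records[:-1], key, log.head)
    out["truncated_no_checkpoint"] = verify(log.records[:-1], key)
    return out
```

The last case is the one to remember: the chain and the MACs alone accept a log whose newest records were dropped, which is exactly what an intruder covering tracks does. Detecting it needs the head value (or a count) recorded out of band, for example forwarded to a second collector or written to a signed checkpoint on a schedule.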
Solution Integrity Subsystem
Purpose: Address the requirement for reliable and correct operation of a computing solution in support of meeting the legal and technical standard for its processes.
Functions:
• Physical protection for data objects, such as cryptographic keys, and physical components, such as cabling, hardware, and so on
• Continued operations including fault tolerance, failure recovery, and self-testing
• Storage mechanisms: cryptography and hardware security modules
• Accurate time source for time measurement and time stamps
• Alarms and actions when physical or passive attack is detected
Sample Technologies:
• Systems Management solutions - performance, availability, disaster recovery, storage management
• Operational Security tools: Host and Network Intrusion Detection Sensors (Snort), Event Correlation tools, Host security monitoring/enforcement tools (Tripwire, TAMOS), Host/Network Vulnerability Monitors/Scanners (Nessus), Anti-Virus software
On Demand Security Architecture (Logical)
[Diagram, top to bottom:]
On Demand Solutions
On Demand Infrastructure – Services and Components
On Demand Security Infrastructure:
• Policy Management (authorization, privacy, federation, etc.)
• Identity Management
• Key Management
• Intrusion Defense
• Anti-Virus Management
• Audit & Non-Repudiation
• Assurance, Authorization, Identity, Federation, Credential Exchange
• Secure Logging, Trust Model
• Bindings Security and Secure Conversation (transport, protocol, message security)
• Security Policy Expression: Privacy Policy, Virtual Org Policies, Mapping Rules, Service/End-point Policy
• Network Security Solutions (VPNs, firewalls, intrusion detection systems)
On Demand Infrastructure – OS, application, network component logging and security events logging; event management; archiving; business continuity
Secure Networks and Operating Systems