
Web Services Security

Web Services Security. June 8, 2004. Kerry Champion CTO, Westbridge Technology. Successful Internet Standards. Person. Person. Person. Program. Program. Program. XML Schema SOAP WSDL WS-Security. HTML DHTML Applets. SMTP S/MIME Instant Messaging.





Presentation Transcript


  1. Web Services Security
     June 8, 2004
     Kerry Champion, CTO, Westbridge Technology

  2. Successful Internet Standards (diagram axes: Person / Program)
     • XML Schema, SOAP, WSDL, WS-Security
     • HTML, DHTML, Applets
     • SMTP, S/MIME, Instant Messaging
     Common traits: Broadly Accepted, Loosely Coupled, Cross Organization, Extensible

  3. Service-Oriented Architecture (SOA)
     SOA = organizing business systems as reusable components, not fixed processes
     Reusable = standards based + loosely-coupled + robust

  4. Diverse Web Services
     • XML allows all to play: legacy applications, packaged applications, specialized devices
     • New code written with the current versions of J2EE and .NET
     • The most heavily used services have the most primitive standards support: systems doing billions in transactions today began development 18+ months ago

  5. Diverse Service Consumers (diagram: a Common Customer Data Repository consumed by an Outsourced Call Center, Accounts Receivable, On-line Marketing Programs, Independent Agents and Employees' Contact Managers)

  6. Key Characteristics (same consumer diagram as slide 5)
     • Thousands of distinct consumers: the identity of the human that triggered the request is commonly used in program-to-program communication
     • Spread over hundreds of organizations, with different tools and IT teams; in practice it is unknowable to the service what tools will be used by the consumer
     • At different levels of standards support: XML Schema, SOAP, WSDL, WS-Security, WS-Policy

  7. Key Characteristics, continued (same consumer diagram as slide 5)
     • With different network architectures and transports in use: HTTP, HTTPS, MQ, TIBCO, JMS
     • With different security mechanisms deployed: authentication, encryption, signature, content scanning, malicious attack protections, message validation
     • With identity data in multiple non-federated systems: directories, ID management systems, certificates supported by PKIs, single sign-on systems, etc.

  8. Key Question
     How do you secure all Web Services while enabling appropriate access, given the diversity of security mechanisms and policies?

  9. What to do
     Naïve Response
     • Make every endpoint behave the same way
     • Make a single repository for all shared data
     Elegant Response
     • Make every endpoint capable of behaving every way
     • Negotiate preferences at runtime
     • Have federated sharing across multiple repositories
     Practical Response
     • Use infrastructure to define Service Views
     • Services and consumers stay as is
     • A Service View abstraction layer mediates between them

  10. Service Views Present Secure Interfaces
      Diagram: Service Views sit between consumers and the back end (Packaged App, Legacy System, .NET, J2EE, Composite Services) and plug into existing infrastructure (Auth Directory, Identity Mgmt, PKI, Network Mgmt, System Mgmt, UDDI, ESB/MQ/JMS). Requires no change of base services.
      Security for SOA Infrastructure: Security, Management, Standards Interoperability, XML Acceleration, SOA Related Infrastructure, Flexible Deployment, Scalable Administration
      Each Service View
      • Provides instant security, interoperability, monitoring, routing, and auditing
      • Enables contracts between consumer and provider supporting local and global policies
      • Automatically supports the latest standards
      • Supports instant interoperability
      • Leverages existing infrastructure
      • Hides back end complexity

  11. Advantages of the Service Views design
      • Base web service does not change
      • Consumer does not change
      • Service View appears as a native web service to the consumer
      • Allows different security mechanism assumptions at service and consumer
      • Allows different standards assumptions at service and consumer
      • Allows different transport assumptions at service and consumer
      • Offloads from the service developer the need to support the full range of security standards and mechanisms
      • Is deployable today
      • Implements loose coupling while satisfying practical requirements

  12. Implementation of Secure Service Views
      • The needed Web Services infrastructure goes by many names: Service Virtualization, Web Services Management Platform, XML Firewall, SOAP Gateway, Web Service Gateway, etc.
      • Multiple vendors provide offerings
      • Key review criteria: Security; Monitor, Report, Alert; Interoperability; Interface Management

  13. Security
      Diagram: Service Consumer → Westbridge XMS → Web Service, with the XMS in front of the existing security infrastructure; the network firewall covers network attacks, the XMS covers application attacks over HTTP, HTTPS, JMS and MQ.
      Functions performed by the XMS:
      • Authentication, Access Control
      • Encryption, Signature
      • Malicious Attack protection, Content Inspection
      • Schema Validation, Standards
      Existing security infrastructure integrated: authentication authorities, RSA, Oblix, Netegrity, LDAP, SAML, X.509, HTTP Authentication, Active Directory, PKI infrastructure, CRL, OCSP, 3DES, SHA, XML Encryption, XML Signature, WS-Security
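One gateway-side check of the kind this slide lists (WS-Security authentication plus replay and content protection, performed before anything is forwarded to the base service), written here as an added example and not Westbridge XMS code: it verifies a WS-Security UsernameToken PasswordDigest as defined in the OASIS UsernameToken Profile 1.0, enforces a Created/nonce freshness window, and refuses DTDs at the edge. The credential dictionary, nonce cache, gateway clock and the sample user are constructed stand-ins for the LDAP/AD and state a real gateway would use.

```python
import base64, hashlib, hmac, xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/",
      "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
      "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"}
DIGEST_TYPE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
USERS = {"agent42": "correct horse battery staple"}  # constructed credential store standing in for LDAP/AD
SEEN_NONCES = set()                                   # replay cache (shared and expiring in a real gateway)
MAX_SKEW = timedelta(minutes=5)                       # tolerated clock drift on wsu:Created
DEMO_NOW = datetime(2004, 6, 8, 12, 0, 0, tzinfo=timezone.utc)  # constructed gateway clock for the demo

def password_digest(nonce_b64, created, password):  # Profile 1.0: Base64(SHA-1(nonce || created || password))
    raw = base64.b64decode(nonce_b64, validate=True) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()

def make_envelope(user, password, nonce_b64, created, body="<q:Balance xmlns:q='urn:example'/>"):  # demo client
    return (f"<soap:Envelope xmlns:soap='{NS['soap']}'><soap:Header>"
            f"<wsse:Security xmlns:wsse='{NS['wsse']}' xmlns:wsu='{NS['wsu']}'><wsse:UsernameToken>"
            f"<wsse:Username>{user}</wsse:Username>"
            f"<wsse:Password Type='{DIGEST_TYPE}'>{password_digest(nonce_b64, created, password)}</wsse:Password>"
            f"<wsse:Nonce>{nonce_b64}</wsse:Nonce><wsu:Created>{created}</wsu:Created>"
            f"</wsse:UsernameToken></wsse:Security></soap:Header><soap:Body>{body}</soap:Body></soap:Envelope>")

def check_username_token(envelope_xml, now):
    """Gateway-side check; the request is forwarded to the base service only on (True, 'ok')."""
    if "<!DOCTYPE" in envelope_xml or "<!ENTITY" in envelope_xml:  # content guard: no DTDs at the edge
        return False, "dtd-rejected"
    try:
        tok = ET.fromstring(envelope_xml).find("soap:Header/wsse:Security/wsse:UsernameToken", NS)
    except ET.ParseError:
        return False, "malformed-xml"
    if tok is None:
        return False, "no-username-token"
    user, nonce, created = (tok.findtext(p, "", NS) for p in ("wsse:Username", "wsse:Nonce", "wsu:Created"))
    pw = tok.find("wsse:Password", NS)
    if pw is None or pw.get("Type") != DIGEST_TYPE or not nonce or not created:
        return False, "digest-nonce-created-required"  # plaintext or nonce-less tokens are replayable
    try:
        ts = datetime.strptime(created, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        expected = password_digest(nonce, created, USERS.get(user, ""))
    except ValueError:  # bad timestamp or non-base64 nonce (binascii.Error is a ValueError)
        return False, "bad-token-encoding"
    if abs(now - ts) > MAX_SKEW:
        return False, "stale-token"
    if nonce in SEEN_NONCES:
        return False, "replayed-nonce"
    if user not in USERS or not hmac.compare_digest(expected, pw.text or ""):
        return False, "bad-credentials"
    SEEN_NONCES.add(nonce)
    return True, "ok"
```

The rejection reasons are what the gateway would log and, per slide 14, feed into reporting and alerting (authorization failures, malicious content); only the first accepted request per nonce ever reaches the back end.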

  14. Monitor, Report, Alert
      A variety of status notifications can be utilized.
      Monitoring
      • Examples: Last Request Latency, Messages per Second, Avg. Message Size, Failed Requests
      • Benefits: SLA Monitoring, Troubleshooting, Perf. Monitoring, Real-time View
      Reporting
      • Examples: Malicious Attacks, Requests > $10,000, Authorization Failed, Weekend Activity
      • Benefits: Audit Trails, Regulatory, Debugging, SLA Reporting, Service Tracker
      Alerting
      • Examples: Malicious Attack Paging, Exceed Message Rate sends SNMP Trap, Triggers Exceptions
      • Benefits: Debugging, SLA Enforcement, Service Tracker
      Service Tracker monitors connected services: Mainframe, PeopleSoft, MS Excel, SAP, .NET, J2EE

  15. Interoperability
      Standards Support
      • XML, SOAP, WSDL; .NET, SunOne, IBM, WS-I, OASIS, W3C, BEA, Oracle, Microsoft, etc.
      Transport
      • HTTP, HTTPS (SSL), JMS, MQ, Tibco
      Security
      • XML Signature with RSA-SHA1 and DSA-SHA1 signatures; XML Encryption with RSA keys, 3DES and AES (128/192/256-bit keys)
      • SAML, LDAP, WS-Security, HTTP-based authentication
      • Active Directory, XKMS, OCSP, PKI infrastructure (including PKCS#7, #10, #11, #12), CRL, X.509 certificates
      XML
      • XML Schema, DTD
      • XPath, XSLT
      Alerting: SNMP and SMTP
      Diagram: XMS Gateway roles between Service Consumer and Web Services: Transport Mediation, Routing, Credential Mapping (X.509, Liberty, SAML, LDAP, WS-Security, etc.), Data Transformation

  16. Interface Management
      Diagram: XMS Manager lifecycle (Stage → Test → Configure → Publish) exposing Service Views of a Web Service to Customers, Partners and Sales
      • Publishing Workflow
      • Service Upgrades
      • Provisioning
      • Versioning

  17. Summary
      • Real-world considerations create barriers to the loosely-coupled vision of Web Services and SOA while maintaining required security
      • The "naïve" response creates tight coupling and does not scale up
      • The "elegant" response requires a couple more generations of standards and tools development
      • The "practical" response uses current tools to implement Service Views
