SOA Security <Iris Levari> <OWASP role> <Amdocs> <irisl@amdocs.com> <12/3/07>
Agenda
• What Is SOA
• SOA life cycle & security
• SOA-generated security concerns / opportunities
• SSO & SSO federation
• WS-Security standard
SOA - Service Oriented Architecture
• Business-process-oriented architecture
• Decomposes business processes into discrete functional units = services
• Existing or new business functionality is grouped into atomic business services
• An evolution of distributed computing and modular programming, driven by newly emergent business requirements
• Application development focuses on implementing business logic
Service Properties
A service is:
• Loosely coupled
• High-level in granularity
• Self-describing
• Interoperable across hardware or software platforms
• Discoverable
• Composable: a service can be composed of other services
• Context-independent
Service Oriented Architecture - Advantages & Disadvantages
Advantages
• Maximizes reuse
• Reduces integration cost
• Flexible and easily changed to reflect business-process change
Shortcomings
• Message handling and parsing
• Wrapping legacy applications as services
• Complex service design and implementation
New Security Threats
SOA introduces the following new security threats:
• Services are consumed by entities outside of the local trust domain
• Confidential data crosses the domain's trust boundaries
• Authentication and authorization data is communicated to external trust domains
• Security must be enforced across trust domains
• User and service identities must be managed
Security Considerations
• Propagation of users and services across domain trust boundaries
• The need to seamlessly connect to other organizations on a real-time, transactional basis
• Security controls for each service and for service combinations
• Managing identity and security across a range of systems and services with a mix of new and old technologies
• Protecting business data in transit and at rest
• Compliance with corporate, industry & regulatory standards
• Composite services
New Techniques in Integration Security
SOA introduces new techniques in integration security:
• Message-level security vs. transport-level security
• Converting security enforcement into a service
• Declarative & policy-based security
Message Level Security vs. Transport Level Security
Transport-level security (SSL/VPN)
• Point-to-point message exchange
• Encrypts the entire message
• Sender must trust all intermediaries
• Restricts the protocols that can be used (e.g. HTTPS)
Message-level security
• End-to-end security
• Different fields within the same message can be read by different entities
Security in the Message
[Diagram: Sender, Intermediary, Receiver. With SSL a separate security context covers each hop; with WS-Security a single security context in the message spans sender, intermediary and receiver.]
• HTTP security (SSL) is point-to-point
• WS-Security provides context over multiple end points
Message Level Security (example)
Integration of a brokerage and a bank: an investor securely attaches an authorization to withdraw funds from a bank account to the trading request submitted to the brokerage. The attached authorization is secured from everyone, including the brokerage; only the bank can read it and make use of it.
Converting Security into a Service
Security services provide services such as:
• Authentication
• Authorization
• Message services: encryption / decryption, signing, signature verification, message logging, message scrubbing
• Facilitates integration
• Reduces development cost
Traditional SSO
• Security is hard-coded into each application
• User credentials are transmitted across enterprise boundaries
SOA SSO Federation (cont.)
Traditional: limited implementation using 3rd-party SSO solutions
• No easy integration with applications that were not written by the same 3rd-party SSO manufacturer
SOA solution: managing security interaction between applications
• Clients and servers dynamically negotiate security policies
• Easy implementation
WS-Security Standard
• SOAP security (securing the web service messages)
• SOAP header extension
• Standard: Feb. 2007, Ver 1.1 (OASIS)
• Any combination, in request/response, of: authentication, encryption, digital signature
"WS-Security" Building Blocks
Security tokens
• Username Token
• Username Token with Password Digest
• Binary Security Token: X.509 version 3 certificates, Kerberos tickets
Signatures
• Sign all or part of the SOAP body
Encryption
• Reference List or Encrypted Key
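The Username Token with Password Digest is the block most often implemented carelessly, so here is an added example (written for this page, not code from the presentation or from Amdocs or OWASP) that builds such a token with the Python standard library and verifies it the way a receiving service should. The digest is Base64(SHA-1(nonce + created + password)) as the OASIS WSS UsernameToken Profile 1.0 specifies; the verifier additionally rejects stale Created timestamps and reused nonces, because the digest alone does not stop a captured token from being replayed. The username, password, nonce, timestamp and in-memory password store are constructed sample values, and the clock is injectable so the round trip is deterministic.

```python
# Added example (not from the presentation): WS-Security UsernameToken with
# PasswordDigest, built and verified with the Python standard library only.
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Namespaces and type URIs from the OASIS WSS 1.0 specifications.
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
               "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
B64_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
            "oasis-200401-wss-soap-message-security-1.0#Base64Binary")
for prefix, uri in (("soapenv", SOAP), ("wsse", WSSE), ("wsu", WSU)):
    ET.register_namespace(prefix, uri)

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"   # Created values in this example carry no fractional seconds


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """PasswordDigest = Base64(SHA-1(nonce + created + password)); nonce is the raw bytes."""
    material = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(material).digest()).decode("ascii")


def build_security_header(username, password, nonce=None, created=None) -> str:
    """Return a soapenv:Header carrying a wsse:UsernameToken with a digested password."""
    nonce = nonce or os.urandom(16)
    created = created or datetime.now(timezone.utc).strftime(TIME_FMT)
    header = ET.Element(f"{{{SOAP}}}Header")
    security = ET.SubElement(header, f"{{{WSSE}}}Security")
    token = ET.SubElement(security, f"{{{WSSE}}}UsernameToken")
    ET.SubElement(token, f"{{{WSSE}}}Username").text = username
    pwd = ET.SubElement(token, f"{{{WSSE}}}Password", {"Type": DIGEST_TYPE})
    pwd.text = password_digest(nonce, created, password)
    nonce_el = ET.SubElement(token, f"{{{WSSE}}}Nonce", {"EncodingType": B64_TYPE})
    nonce_el.text = base64.b64encode(nonce).decode("ascii")
    ET.SubElement(token, f"{{{WSU}}}Created").text = created
    return ET.tostring(header, encoding="unicode")


class UsernameTokenVerifier:
    """Receiver side: recompute the digest, then enforce freshness and single use of the nonce."""

    def __init__(self, passwords, max_skew=timedelta(minutes=5), now=None):
        self.passwords = passwords      # username -> password (constructed demo store)
        self.max_skew = max_skew
        self.now = now                  # injectable clock; None means the wall clock
        self.seen_nonces = set()        # a real service would expire entries after max_skew

    def verify(self, header_xml: str) -> bool:
        token = ET.fromstring(header_xml).find(f".//{{{WSSE}}}UsernameToken")
        if token is None:
            return False
        username = token.findtext(f"{{{WSSE}}}Username")
        pwd_el = token.find(f"{{{WSSE}}}Password")
        nonce_b64 = token.findtext(f"{{{WSSE}}}Nonce")
        created = token.findtext(f"{{{WSU}}}Created")
        if None in (username, pwd_el, nonce_b64, created) or pwd_el.get("Type") != DIGEST_TYPE:
            return False
        try:
            created_at = datetime.strptime(created, TIME_FMT).replace(tzinfo=timezone.utc)
            nonce = base64.b64decode(nonce_b64)
        except ValueError:                              # malformed timestamp or nonce
            return False
        now = self.now or datetime.now(timezone.utc)
        if abs(now - created_at) > self.max_skew:       # stale or future-dated token
            return False
        if nonce_b64 in self.seen_nonces:                # replayed token
            return False
        password = self.passwords.get(username)
        if password is None:
            return False
        expected = password_digest(nonce, created, password)
        if not hmac.compare_digest(expected, pwd_el.text or ""):
            return False
        self.seen_nonces.add(nonce_b64)
        return True


def demo() -> dict:
    """Constructed round trip: a valid token, its replay, a wrong password and a stale clock."""
    nonce, created = b"0123456789abcdef", "2007-12-03T10:00:00Z"
    clock = datetime(2007, 12, 3, 10, 0, 30, tzinfo=timezone.utc)
    header = build_security_header("investor", "s3cret", nonce=nonce, created=created)
    verifier = UsernameTokenVerifier({"investor": "s3cret"}, now=clock)
    return {
        "first": verifier.verify(header),
        "replay": verifier.verify(header),
        "wrong_password": UsernameTokenVerifier({"investor": "other"}, now=clock).verify(header),
        "stale": UsernameTokenVerifier({"investor": "s3cret"},
                                       now=clock + timedelta(hours=1)).verify(header),
    }


if __name__ == "__main__":
    print(demo())
```

The digest check proves possession of the password without sending it, but it is the timestamp window and the nonce cache that turn a one-time proof into one the service can safely accept only once; a production verifier also needs the nonce cache shared across the service's instances and a password store that does not hold plaintext, which the digest scheme unfortunately requires on the server.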
Structure of a Basic Web Services Security SOAP Header (cont.)
XML Encryption in WS-Security
• A <ReferenceList> in the Security header points to the parts of the message encrypted with XML Encryption
Providing Integrity: XML Signature in Web Services Security
XML Signature
• Verifies a security token or SAML assertion
• Provides message integrity
• XML syntax
• An explicit <Reference> element points to what is being signed
• One or more XML signatures; overlapping is possible
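To make the reference mechanism and the overlapping-signature point concrete, here is an added example (written for this page, not code from the presentation or from Amdocs or OWASP): each ds:Reference names a wsu:Id, the digest is computed over the canonical form of only that element, and the signature value is computed over SignedInfo. It uses the Python standard library's C14N 2.0 canonicalizer and HMAC-SHA256 as the signature algorithm, which is a deliberate simplification of a full XML Signature implementation (a real deployment would typically use an X.509 certificate and RSA). It also plays out the brokerage-and-bank scenario from the message-level security slides: the investor signs both parts, the brokerage appends an unsigned note and adds its own overlapping signature over the trade request, and the bank still verifies the investor's signature end to end, until a signed part is altered. The envelope contents, element ids and shared keys are constructed sample values.

```python
# Added example (not from the presentation): XML-Signature-style references to
# wsu:Id-labelled parts of a SOAP message, with HMAC-SHA256 standing in for a
# full XML Signature algorithm.  Standard library only.
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
for prefix, uri in (("soapenv", SOAP), ("wsse", WSSE), ("wsu", WSU), ("ds", DS)):
    ET.register_namespace(prefix, uri)


def c14n(element) -> bytes:
    """Canonical (C14N 2.0) serialisation of one element, so whitespace or prefix
    differences introduced on the wire do not change the digest."""
    return ET.canonicalize(ET.tostring(element, encoding="unicode")).encode("utf-8")


def digest_b64(element) -> str:
    return base64.b64encode(hashlib.sha256(c14n(element)).digest()).decode("ascii")


def find_by_id(root, ref_id):
    """Resolve a Reference URI ('#id') to the element carrying that wsu:Id."""
    return next((el for el in root.iter() if el.get(f"{{{WSU}}}Id") == ref_id), None)


def build_envelope():
    """Constructed sample message: a trade request plus a bank authorization."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    ET.SubElement(ET.SubElement(env, f"{{{SOAP}}}Header"), f"{{{WSSE}}}Security")
    body = ET.SubElement(env, f"{{{SOAP}}}Body")
    ET.SubElement(body, "TradeRequest", {f"{{{WSU}}}Id": "trade"}).text = "BUY 100 ACME"
    auth = ET.SubElement(body, "BankAuthorization", {f"{{{WSU}}}Id": "auth"})
    auth.text = "withdraw 5000 from account 42"
    return env


def sign(env, key: bytes, signer: str, ref_ids):
    """Append a ds:Signature covering exactly the elements named in ref_ids."""
    security = env.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security")
    sig = ET.SubElement(security, f"{{{DS}}}Signature")
    signed_info = ET.SubElement(sig, f"{{{DS}}}SignedInfo")
    ET.SubElement(signed_info, f"{{{DS}}}SignatureMethod",
                  {"Algorithm": "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"})
    for ref_id in ref_ids:
        ref = ET.SubElement(signed_info, f"{{{DS}}}Reference", {"URI": "#" + ref_id})
        ET.SubElement(ref, f"{{{DS}}}DigestMethod",
                      {"Algorithm": "http://www.w3.org/2001/04/xmlenc#sha256"})
        ET.SubElement(ref, f"{{{DS}}}DigestValue").text = digest_b64(find_by_id(env, ref_id))
    mac = hmac.new(key, c14n(signed_info), hashlib.sha256).digest()
    ET.SubElement(sig, f"{{{DS}}}SignatureValue").text = base64.b64encode(mac).decode("ascii")
    key_info = ET.SubElement(sig, f"{{{DS}}}KeyInfo")
    ET.SubElement(key_info, f"{{{DS}}}KeyName").text = signer
    return sig


def verify(env, key: bytes, signer: str) -> bool:
    """Check the signature whose KeyName is signer: the SignedInfo MAC first,
    then the digest of every referenced element."""
    for sig in env.iter(f"{{{DS}}}Signature"):
        if sig.findtext(f"{{{DS}}}KeyInfo/{{{DS}}}KeyName") != signer:
            continue
        signed_info = sig.find(f"{{{DS}}}SignedInfo")
        mac = base64.b64encode(hmac.new(key, c14n(signed_info), hashlib.sha256).digest()).decode()
        if not hmac.compare_digest(mac, sig.findtext(f"{{{DS}}}SignatureValue") or ""):
            return False
        for ref in signed_info.iter(f"{{{DS}}}Reference"):
            target = find_by_id(env, ref.get("URI", "").lstrip("#"))
            if target is None or not hmac.compare_digest(
                    digest_b64(target), ref.findtext(f"{{{DS}}}DigestValue") or ""):
                return False
        return True
    return False                                 # no signature by that signer


def demo() -> dict:
    investor_key, broker_key = b"investor-demo-key", b"broker-demo-key"   # constructed secrets
    env = build_envelope()
    sign(env, investor_key, "investor", ["trade", "auth"])      # investor signs both parts
    at_broker = ET.fromstring(ET.tostring(env))                  # hop 1: the brokerage
    ET.SubElement(at_broker.find(f"{{{SOAP}}}Body"), "BrokerNote").text = "routed via desk 7"
    sign(at_broker, broker_key, "brokerage", ["trade"])          # overlapping second signature
    at_bank = ET.fromstring(ET.tostring(at_broker))              # hop 2: the bank
    results = {"investor_at_bank": verify(at_bank, investor_key, "investor"),
               "brokerage_at_bank": verify(at_bank, broker_key, "brokerage")}
    find_by_id(at_bank, "auth").text = "withdraw 50000 from account 42"   # alter a signed part
    results["investor_after_change"] = verify(at_bank, investor_key, "investor")
    results["brokerage_after_change"] = verify(at_bank, broker_key, "brokerage")
    return results


if __name__ == "__main__":
    print(demo())
```

Two things the run shows that the slide only states: the intermediary can add its own unsigned element and its own signature without invalidating the investor's, because each signature is bound only to the elements its References name, and the receiver's verifier must resolve every Reference against the message it actually received rather than trusting the header's description of what was signed.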