520 likes | 833 Views
SOA Security. <Iris Levari> <OWASP role> <Amdocs> <irisl@amdocs.com>. <12/3/07>. Agneda. What Is SOA SOA life cycle & Security SOA Generated Security Concerns / opportunities SSO & SSO Federation WS Security Standard. Agneda. What Is SOA SOA life cycle & Security
E N D
SOA Security <Iris Levari> <OWASP role> <Amdocs> <irisl@amdocs.com> <12/3/07>
Agneda • What Is SOA • SOA life cycle & Security • SOA Generated Security Concerns / opportunities • SSO & SSO Federation • WS Security Standard
Agneda • What Is SOA • SOA life cycle & Security • SOA Generated Security Concerns / opportunities • SSO & SSO Federation • WS Security Standard
SOA - Service Oriented Architecture Business processes oriented architecture Decomposing business processes into discreet functional units = services Existing or new business functionalities are grouped into atomic business services Evolution of distributed computing and modular programming driven by newly emergent business requirements Application development focused on implementing business logic
Service Properties Service is Loosely coupled High-level granularity Self describing Hardware or software platform interoperability Discoverable Service can be composed of other services Context-independent
Service Oriented Architecture - Advantages & Disadvantages Advantages Maximize reuse Reduce integration cost Flexible & easily changed to reflect business process change Shortcomings Message handling and parsing Legacy application services wrapping Complex service design and implementation
Agneda • What Is SOA • SOA life cycle & Security • SOA Generated Security Concerns / opportunities • SSO & SSO Federation • WS Security Standard
Agneda • What Is SOA • SOA life cycle & Security • SOA Generated Security Concerns / opportunities • SSO & SSO Federation • WS Security Standard
New Security Threats SOA Introduces the following new security threats: Services to be consumed by entities outside of the local trust domain Confidential data passes the domain’s trust boundaries Authentication and authorization data is communicated to external trust domains Security must be enforced across the trust domain Managing user and service identities
Security Considerations The propagation of users and services across domain trust boundaries The need to seamlessly connect to other organizations on a real-time transactional basis Security controls for each service and service combinations Managing identity and security across a range of systems and services with a mix of new and old technologies Protecting business data in transit and at rest Compliance with corporate industry & regulatory standards Composite services
New Techniques In Integration Security SOA introduces new techniques In integration security Message level security vs. transport level security Converting security enforcement into a service Declarative & policy-based security
Message Level Security vs. Transport Level Security Transport level security (SSL/VPN) Point-to-point message exchange Encrypts the entire message Sender must trust all intermediaries Restricts protocols that can be used (i.e. https) Message level security End-to-end security Different message fields within the same message should be read by different entities
Security Context | | | Security Context | | | Sender Intermediary Receiver Receiver Security Context Sender Intermediary Receiver Receiver Security in the Message • HTTP security (SSL) is point-to-point • WS-Security provides context over multiple end points.
Message Level Security (example) integration of a brokerage and a bank. An investor securely attaches authorization to withdraw funds from a bank account to the trading request submitted to the brokerage. The attached authorization is secured from everyone, including the brokerage. Only the bank read it and make use of it.
Converting Security into a Service Security services provide service such as: Authentication Authorization Message services Encryption decryption Signing Verification Signatures Log messages scrub messages Facilitates integration Reduces development cost
Agneda • What Is SOA • SOA life cycle & Security • SOA Generated Security Concerns / opportunities • SSO & SSO Federation • WS Security Standard
Traditional SSO Security is hard coded into each application User credentials are transmitted across enterprise boundaries
SOA SSO Federation Cont’ Traditional limited implementation using 3rd party SSO solutions No easy integration with applications that have not been written by the same 3rd party SSO manufacturer SOA solution Managing security interaction between applications Clients and servers dynamically negotiate security policies Easy implementation
Agneda • What Is SOA • SOA life cycle & Security • SOA Generated Security Concerns / opportunities • SSO & SSO Federation • WS Security Standard
WS-security Standard SOAP security (securing the web service messages) SOAP header extension Standard Feb. 2007 Ver 1.1 (OASIS) Any combination of In Request/Response Authentication Encryption Digital Signature
“WS –Security” Building Blocks Security Tokens Username Token Username Token with Password Digest Binary Security Token X.509 Version 3 certificates Kerberos tickets Signatures signs all or part of the soap body Reference List or Encrypted Key
Structure of a Basic Web Services Security SOAP Header (cont.)
XML Encryption in WS-Security Use of a <ReferenceList> in the Security Header Pointing to the Parts of the Message Encrypted with XML Encryption
Providing Integrity XML Signature in Web Services Security XML Signature Verify a security token or SAML assertion Message integrity XML syntax Explicit <reference> element points to what is being signed One or more XML signatures Overlapping is possible