Securing Service Oriented Architecture
Don Flinn
Flint Security LLC
flinn@alum.mit.edu
www.flintsecurity.com
Agenda • Distributed security • Traditional protocols • SOA requirements • What's next
Security Principles
• Protection of assets
• Security fundamentals: authentication, authorization, audit, administration, cryptography
• Risk management
• Security is a never-ending contest between attackers and defenders
Traditional Security Protocols
• Authentication: HTTP Basic Auth, SSL/TLS, Kerberos, VPN
• Authorization: RBAC
• Limitations: protection is tied to the transport and is point-to-point, not to the message itself
SOA Security Challenges
• Circuitous route: a message may pass through several hops before it reaches the service
• Heterogeneous entities
• Untrusted intermediaries
• Unlimited system size
Message Based Security
• Security is an integral part of the message
• Integrity and confidentiality
• End-to-end, surviving untrusted intermediaries
WS-Security
• SOAP header block (wsse:Security)
• Tokens
• Digital signatures (XML Signature)
• XML Encryption
WSS Tokens
• Username
• X.509 certificate
• Kerberos
• SAML
• Biometric
• XrML
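The three preceding slides (message-based security, the wsse:Security header block, and the Username token) are illustrated here by an added example that is not part of the original deck. It builds a SOAP envelope carrying a wsse:UsernameToken with the PasswordDigest form defined in the WSS UsernameToken Profile 1.0, Base64(SHA-1(nonce + created + password)), and verifies it on the service side with the checks a practitioner needs: digest type enforced, Created within a freshness window, and nonce replay rejected. The namespace URIs and digest rule are the real ones from the profile; the user database, the service body (urn:example:svc), and the in-memory nonce cache are constructed assumptions for the example.

```python
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Namespace and type URIs from WS-Security 1.0 / the UsernameToken Profile 1.0.
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
NONCE_ENCODING = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
for prefix, uri in (("soap", SOAP_NS), ("wsse", WSSE_NS), ("wsu", WSU_NS)):
    ET.register_namespace(prefix, uri)


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """PasswordDigest = Base64(SHA-1(nonce + created + password)), as the profile specifies."""
    digest = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return base64.b64encode(digest).decode()


def parse_created(created: str) -> datetime:
    """Parse a wsu:Created timestamp (UTC, second precision) into an aware datetime."""
    return datetime.strptime(created, TIME_FMT).replace(tzinfo=timezone.utc)


def build_envelope(username, password, body_xml, nonce=None, created=None):
    """Client side: wrap body_xml in a SOAP envelope with a UsernameToken in the
    wsse:Security header. Only the digest travels; the cleartext password never leaves the client."""
    nonce = nonce or os.urandom(16)
    created = created or datetime.now(timezone.utc).strftime(TIME_FMT)
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    security = ET.SubElement(ET.SubElement(env, f"{{{SOAP_NS}}}Header"), f"{{{WSSE_NS}}}Security")
    token = ET.SubElement(security, f"{{{WSSE_NS}}}UsernameToken")
    ET.SubElement(token, f"{{{WSSE_NS}}}Username").text = username
    ET.SubElement(token, f"{{{WSSE_NS}}}Password", Type=DIGEST_TYPE).text = password_digest(nonce, created, password)
    ET.SubElement(token, f"{{{WSSE_NS}}}Nonce", EncodingType=NONCE_ENCODING).text = base64.b64encode(nonce).decode()
    ET.SubElement(token, f"{{{WSU_NS}}}Created").text = created
    ET.SubElement(env, f"{{{SOAP_NS}}}Body").append(ET.fromstring(body_xml))
    return ET.tostring(env, encoding="unicode")


class UsernameTokenVerifier:
    """Service side: recompute the digest and reject stale Created values and replayed nonces."""

    def __init__(self, passwords, max_skew=timedelta(minutes=5), clock=None):
        self.passwords = passwords  # constructed username -> password map (assumption: a real service uses a store)
        self.max_skew = max_skew
        self.clock = clock or (lambda: datetime.now(timezone.utc))
        self.seen_nonces = set()  # unbounded here; in production expire entries older than max_skew

    def verify(self, envelope_xml) -> str:
        root = ET.fromstring(envelope_xml)
        token = root.find(f"{{{SOAP_NS}}}Header/{{{WSSE_NS}}}Security/{{{WSSE_NS}}}UsernameToken")
        if token is None:
            raise ValueError("no UsernameToken")
        username = token.findtext(f"{{{WSSE_NS}}}Username")
        password_el = token.find(f"{{{WSSE_NS}}}Password")
        nonce_b64 = token.findtext(f"{{{WSSE_NS}}}Nonce")
        created = token.findtext(f"{{{WSU_NS}}}Created")
        if not (username and nonce_b64 and created and password_el is not None):
            raise ValueError("incomplete token")
        if password_el.get("Type") != DIGEST_TYPE:
            raise ValueError("only PasswordDigest is accepted")  # refuse PasswordText on the wire
        if abs(self.clock() - parse_created(created)) > self.max_skew:
            raise ValueError("Created outside freshness window")
        if nonce_b64 in self.seen_nonces:
            raise ValueError("nonce replayed")
        # Compute the digest even for unknown users so the error does not leak which names exist.
        expected = password_digest(base64.b64decode(nonce_b64), created, self.passwords.get(username, ""))
        if username not in self.passwords or not hmac.compare_digest(expected, password_el.text or ""):
            raise ValueError("bad credentials")
        self.seen_nonces.add(nonce_b64)
        return username

    def check(self, envelope_xml):
        """(accepted, username or rejection reason) convenience wrapper."""
        try:
            return True, self.verify(envelope_xml)
        except ValueError as exc:
            return False, str(exc)


if __name__ == "__main__":
    envelope = build_envelope("alice", "s3cret", "<GetBalance xmlns='urn:example:svc'><Account>42</Account></GetBalance>")
    print(envelope)
    verifier = UsernameTokenVerifier({"alice": "s3cret"})
    print(verifier.check(envelope))  # accepted once
    print(verifier.check(envelope))  # same envelope again: nonce replayed
```

The digest alone does not protect the body; an intermediary can still read or alter it. That is what the XML Signature and XML Encryption parts of WS-Security add, and why a production service also insists on a wsu:Timestamp and a signature over the body rather than relying on the token by itself.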
d-sig & XML Encryption
• Digital signature (d-sig): a substitute for a written signature, legally recognized in business since 2000 (in the US, the E-SIGN Act)
• XML Encryption: fine-grained, individual elements can be encrypted rather than the whole message
XACML
• XML-based access control
• A language for access-control rules and policies
• XACML request/response protocol
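An added example, not from the deck, of what an XACML policy looks like and how a policy decision point combines its rules. It parses a small XACML 2.0 policy (real namespace, function, attribute and rule-combining-algorithm identifiers) and evaluates a request given as attribute bags. It deliberately covers only a subset: string-equal matches in Targets, no Conditions or Obligations, and three combining algorithms. The policy content (a "contractor" role, "read" action, policy id "example") is constructed for the example; a conforming PDP is far larger.

```python
import xml.etree.ElementTree as ET

# Real XACML 2.0 identifiers.
XACML = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
DENY_OVERRIDES = "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides"
PERMIT_OVERRIDES = "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides"
FIRST_APPLICABLE = "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
ROLE = "urn:oasis:names:tc:xacml:2.0:subject:role"          # from the XACML RBAC profile
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"

# Constructed policy: anyone may "read", but the "contractor" role is denied everything.
# Both rules apply to a contractor reading, so the decision depends on the combining algorithm.
POLICY_TEMPLATE = f"""<Policy xmlns="{XACML}" PolicyId="example" RuleCombiningAlgId="{{alg}}">
  <Target/>
  <Rule RuleId="permit-read" Effect="Permit">
    <Target><Actions><Action>
      <ActionMatch MatchId="{STRING_EQUAL}">
        <AttributeValue DataType="{XS_STRING}">read</AttributeValue>
        <ActionAttributeDesignator AttributeId="{ACTION_ID}" DataType="{XS_STRING}"/>
      </ActionMatch>
    </Action></Actions></Target>
  </Rule>
  <Rule RuleId="deny-contractors" Effect="Deny">
    <Target><Subjects><Subject>
      <SubjectMatch MatchId="{STRING_EQUAL}">
        <AttributeValue DataType="{XS_STRING}">contractor</AttributeValue>
        <SubjectAttributeDesignator AttributeId="{ROLE}" DataType="{XS_STRING}"/>
      </SubjectMatch>
    </Subject></Subjects></Target>
  </Rule>
</Policy>"""


def policy_with(alg: str) -> str:
    """Return the constructed policy text using the given rule-combining algorithm."""
    return POLICY_TEMPLATE.replace("{alg}", alg)


def q(tag: str) -> str:
    return f"{{{XACML}}}{tag}"


def match_one(match, request) -> bool:
    """A single *Match: true if any value in the request's attribute bag equals the literal."""
    if match.get("MatchId") != STRING_EQUAL:
        raise ValueError("unsupported MatchId in this subset")
    literal = match.find(q("AttributeValue")).text
    designator = next(c for c in match if c.tag.endswith("AttributeDesignator"))
    return literal in request.get(designator.get("AttributeId"), ())


def match_target(target, request) -> bool:
    """XACML Target semantics: Subjects/Resources/Actions are ANDed; the Subject (etc.)
    elements inside each are ORed; the Matches inside one Subject are ANDed.
    A missing or empty Target matches every request."""
    if target is None:
        return True
    for group in target:
        if not any(all(match_one(m, request) for m in alt) for alt in group):
            return False
    return True


def combine(alg: str, effects) -> str:
    if not effects:
        return "NotApplicable"
    if alg == DENY_OVERRIDES:
        return "Deny" if "Deny" in effects else "Permit"
    if alg == PERMIT_OVERRIDES:
        return "Permit" if "Permit" in effects else "Deny"
    if alg == FIRST_APPLICABLE:
        return effects[0]
    raise ValueError(f"unsupported combining algorithm {alg}")


def evaluate(policy_xml: str, request: dict) -> str:
    """Evaluate a request (attribute id -> set of string values) and return
    Permit, Deny or NotApplicable."""
    policy = ET.fromstring(policy_xml)
    if not match_target(policy.find(q("Target")), request):
        return "NotApplicable"
    effects = [rule.get("Effect") for rule in policy.findall(q("Rule"))
               if match_target(rule.find(q("Target")), request)]
    return combine(policy.get("RuleCombiningAlgId"), effects)


if __name__ == "__main__":
    request = {ROLE: {"contractor"}, ACTION_ID: {"read"}}
    for alg in (DENY_OVERRIDES, PERMIT_OVERRIDES, FIRST_APPLICABLE):
        print(alg.rsplit(":", 1)[1], "->", evaluate(policy_with(alg), request))
```

The point to take from running it: the same two rules yield Deny under deny-overrides but Permit under permit-overrides and first-applicable, so the combining algorithm is part of the policy's security semantics, not a detail, and a policy review has to read it along with the rules.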
Vendors
• .NET: Microsoft
• WebSphere: IBM
• JWSDP: Sun
• etc.
• Be careful of any proprietary moves
Where Are We Today?
• Intranet & extranet
• Internet
• Establishing trust
• Federation
• Delegation
• Privacy
Next Steps
• Complex scenarios
• Trusted third parties
• Discovery & access
• Higher-level specifications
Security & Law
• Recent security laws
• Recent court cases
• Need for court-defensible security
Summary
• Abundance of tools
• Blind use of tools is a risk
• Complex scenarios
• Higher-level specifications
• Experience with the protocols