Securing Service Oriented Architecture

  1. Securing Service Oriented Architecture • Don Flinn • Flint Security LLC • flinn@alum.mit.edu • www.flintsecurity.com

  2. Agenda • Distributed security • Traditional protocols • SOA requirements • What's next

  3. Distributed Security: Traditional Protocols

  4. Security Principles • Protection of assets • Security fundamentals: authentication, authorization, audit, administration, cryptography • Risk management • A never-ending contest

  5. Traditional Security Protocols • Authentication: HTTP Basic Auth, SSL/TLS, Kerberos, VPN • Authorization: RBAC • Limitations: these protect a single hop (transport-level, point-to-point); they do not give end-to-end, message-level security

  6. Distributed Security: SOA Requirements

  7. SOA Scenario

  8. SOA Security Challenges • Circuitous route (a message crosses many hops before reaching the service) • Heterogeneous entities • Untrusted intermediaries • Unlimited system size

  9. Message-Based Security • Security is an integral part of the message • Integrity & confidentiality • End-to-end (protection survives untrusted intermediaries)

  10. WS-Security • SOAP header block (wsse:Security) • Security tokens • Digital signatures (XML Signature) • XML Encryption

  11. WSS Tokens • Username • X.509 certificate • Kerberos • SAML • Biometric • XrML

  12. XML Signature & XML Encryption • Digital signature (d-sig): a substitute for a written signature, legally recognized in business (2000) • XML Encryption: fine-grained, element-level encryption of only the sensitive parts of a message

  13. XACML • XML-based access control • A language for access control rules & policies • XACML request/response protocol between enforcement point and decision point
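To make the slide concrete, here is an added example (not from the deck) of what "rules & policies" and their evaluation look like. It uses XACML 3.0 element names and identifiers, which postdate this presentation; the policy itself, its PolicyId and RuleIds, and the role values are constructed for the example, while the category, attribute-id (role from the XACML RBAC profile, resource-id, action-id), string-equal and deny-overrides identifiers are the standard ones. The evaluator is a deliberately simplified decision point: it supports Target matching and the deny-overrides rule-combining algorithm only, no Condition elements, no Obligations and no Indeterminate handling.

```python
"""Simplified XACML 3.0 policy decision point: match a request's attribute
bags against Rule targets and combine the rule effects with deny-overrides."""
import xml.etree.ElementTree as ET

XACML = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
ACTION = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
ROLE_ID = "urn:oasis:names:tc:xacml:2.0:subject:role"          # XACML RBAC profile
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
DENY_OVERRIDES = "urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"


def _match(attr_id, category, value):
    """One <Match>: a literal compared against the designated attribute bag."""
    return f"""<Match MatchId="{STRING_EQUAL}">
      <AttributeValue DataType="{XS_STRING}">{value}</AttributeValue>
      <AttributeDesignator Category="{category}" AttributeId="{attr_id}"
                           DataType="{XS_STRING}" MustBePresent="false"/>
    </Match>"""


# Constructed policy: contractors are denied everything; tellers may read accounts.
POLICY = f"""<Policy xmlns="{XACML}" PolicyId="urn:example:policy:accounts"
        Version="1.0" RuleCombiningAlgId="{DENY_OVERRIDES}">
  <Target/>
  <Rule RuleId="deny-contractors" Effect="Deny">
    <Target><AnyOf><AllOf>{_match(ROLE_ID, SUBJECT, "contractor")}</AllOf></AnyOf></Target>
  </Rule>
  <Rule RuleId="tellers-read-accounts" Effect="Permit">
    <Target>
      <AnyOf><AllOf>{_match(ROLE_ID, SUBJECT, "teller")}</AllOf></AnyOf>
      <AnyOf><AllOf>{_match(RESOURCE_ID, RESOURCE, "accounts")}</AllOf></AnyOf>
      <AnyOf><AllOf>{_match(ACTION_ID, ACTION, "read")}</AllOf></AnyOf>
    </Target>
  </Rule>
</Policy>"""

FUNCTIONS = {STRING_EQUAL: lambda a, b: a == b}   # the only MatchId implemented


def q(tag):
    return f"{{{XACML}}}{tag}"


def match_ok(m, request):
    """A Match holds if the function is true for any value in the attribute bag."""
    fn = FUNCTIONS[m.get("MatchId")]
    literal = m.find(q("AttributeValue")).text
    d = m.find(q("AttributeDesignator"))
    bag = request.get(d.get("Category"), {}).get(d.get("AttributeId"), [])
    return any(fn(literal, v) for v in bag)


def target_ok(target, request):
    """Target: every AnyOf holds; AnyOf: some AllOf holds; AllOf: every Match holds.
    An absent or empty Target matches every request."""
    if target is None:
        return True
    return all(any(all(match_ok(m, request) for m in allof) for allof in anyof)
               for anyof in target)


def evaluate(policy_xml, request):
    """Return Permit, Deny or NotApplicable for the request context."""
    policy = ET.fromstring(policy_xml)
    if policy.get("RuleCombiningAlgId") != DENY_OVERRIDES:
        raise ValueError("only deny-overrides is implemented")
    if not target_ok(policy.find(q("Target")), request):
        return "NotApplicable"
    effects = [r.get("Effect") for r in policy.findall(q("Rule"))
               if target_ok(r.find(q("Target")), request)]
    if "Deny" in effects:        # deny-overrides: one Deny beats any Permit
        return "Deny"
    if "Permit" in effects:
        return "Permit"
    return "NotApplicable"


def make_request(roles, resource, action):
    """Request context as category -> attribute-id -> bag of values."""
    return {SUBJECT: {ROLE_ID: list(roles)},
            RESOURCE: {RESOURCE_ID: [resource]},
            ACTION: {ACTION_ID: [action]}}
```

Two things worth noticing: attributes are bags, so a subject holding both the teller and contractor roles matches both rules and deny-overrides resolves the conflict to Deny; and a request that no rule covers yields NotApplicable rather than Permit, so the enforcement point must treat anything other than Permit as a refusal.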

  14. Vendors • .NET (Microsoft) • WebSphere (IBM) • JWSDP (Sun) • etc. • Be careful of any proprietary moves

  15. What's Next

  16. Where Are We Today? • Intranet & extranet • Internet • Establish trust • Federation • Delegation • Privacy

  17. Next Steps • Complex scenarios • Trusted third parties • Discovery & access • Higher-level specifications

  18. Security & Law • Recent security laws • Recent court cases • Need court-defensible security

  19. Summary • Abundance of tools • Beware blind use of tools • Complex scenarios • Higher-level specifications • Experience with the protocols