The SOA Reference Model Identity & Access Management of Deutsche Telekom
Deutsche Telekom Laboratories / T-Systems Enterprise Services GmbH
Bitkom: SOA & Security, 12.03.2008
March 12th, 2008
Dietmar Krüger / Dr. Bert Klöppel 2
Agenda.
1 Introduction
2 AAA & IdM Reference Architecture
2.1 Essentials
2.2 Digest of Concepts
3 Characteristic SOA Security Questions
4 AAA & IdM Reference Architecture based Answers
5 Conclusions
Introduction – SOA and Security. The T-Systems Approach.
A secure SOA solution combines general SOA architecture/governance rules, security and project demands. Our approach: a generally independent process model for SOA and security, fused project-specifically.
Figure: the T-Systems SOA Process Model (Analysis, Conception, Transformation, Retire, with Governance and Security as accompanying tracks), the project demands and the AAA & IdM Reference Architecture together yield the secure SOA solution.
AAA & IdM Reference Architecture – Essentials. Challenges. Identity silos with poor interoperability.
Figure: service provider domains A and B (mobile applications and digital content, web applications and digital content) and network access provider domains A and B (SIM card authentication, 3G access, ISP network access). Each silo holds its own identities, credentials, access rights, roles, contracts, preferences, privacy settings, cost control, roaming and streaming data, with poor interoperability between the silos.
AAA & IdM Reference Architecture – Essentials. Challenges from the user perspective. Identity fragmentation, plethora of passwords and identity theft.
Figure courtesy of Francis Shanahan (http://www.francisshanahan.com/detail.aspx?cid=641)
AAA & IdM Reference Architecture – Essentials. Challenge from the business perspective. Mergers & acquisitions, reorganizations and changing business alliances.
Figure: domain-centric identity management (separate corporations, no interoperability) compared with federated identity management (corporations forming a circle of trust (CoT) with SSO, single logout (SLO) and attribute exchange).
AAA & IdM Reference Architecture – Essentials. Mission. Provide guidance and blueprints for seamless and overarching AAA & IdM functionalities by means of defining an AAA & IdM Reference Architecture.
Figure: the AAA & IdM Reference Architecture spans the service provider domains A and B (mobile and web applications, digital content) and the network access provider domains A and B (SIM card authentication, ISP network access) and covers federation, single sign-on/off, identity management, privacy, attribute exchange, authentication, authorization, and accounting and charging.
AAA & IdM Reference Architecture – Essentials. Reference Model & Reference Architecture. Terminology.
Reference Model: an abstract framework with a minimal set of unifying concepts, axioms and relationships, independent of standards, technologies, implementations and details (according to OASIS).
Reference Architecture: a generalized architecture of several end systems that share one or more commonalities; it defines infrastructure, components and interfaces and proposes technologies and standards (according to Carnegie Mellon University, Software Engineering Institute).
Software Architecture: the structure of systems, which comprises software elements, the externally visible properties of those elements and the relationships among them (according to Carnegie Mellon University, Software Engineering Institute).
Figure: from guidance to realization, one reference model (conceptual guidance) is derived into several reference architectures (domain-specific derivations), each of which is derived into software architectures (technology-specific derivations) and finally into system implementations.
AAA & IdM Reference Architecture – Essentials. Reference Model: AAA & IdM Ecosystem.
Figure: the functions of the ecosystem are authentication, authorization, identity management, identity provisioning, identity auditing, and accounting and charging. Its roles are Principal, Relying Party, Identity Provider, Attribute Provider, Authentication Authority, Authorization Authority, Accounting Provider, Charging Provider, Identity Provisioning Provider and Identity Auditing Provider.
AAA & IdM Reference Architecture – Concepts. Simplified version.
Figure: the User Agent (Principal) accesses a Relying Party, which hosts Authentication Enforcement and Authorization Enforcement. The AAA & IdM Infrastructure behind it provides the Identity Provider, Authentication Validation, Authorization Decision, Accounting Provider, Charging Provider, Identity Provisioning, Identity Auditing and Attribute Provider.
AAA & IdM Reference Architecture – Concepts. Some selected concepts with regard to Service-oriented Architectures.
Figure: the simplified concept diagram (User Agent (Principal), Relying Party with Authentication and Authorization Enforcement, AAA & IdM Infrastructure with Identity Provider, Authentication Validation, Authorization Decision, Accounting and Charging Providers, Identity Provisioning, Identity Auditing and Attribute Provider) serves as the backdrop for the following concept slides.
AAA & IdM Reference Architecture – Concepts. Trust: Security Tokens, Claims & Assertions.
A security token, issued by a Security Token Service and carrying information about someone (claims or assertions), is the basic building block of an IdM & AAA infrastructure. It can be distributed over any fixed or mobile network and interchanged between the network and service layer without further requirements on security; the Relying Party performs trust validation on the token itself.
Figure: the Security Token Service within the AAA & IdM Infrastructure issues security tokens to the User Agent (Principal), which presents them to the Relying Party for trust validation. Relevant standards: X.509, PKI, Kerberos, SAML, WS-Trust.
AAA & IdM Reference Architecture – Concepts. Delegated authorization based on attributes.
A delegated AuthZ decision is derived from an AuthZ policy and from attributes: user attributes, the user session and user AuthN context, user entitlements, resource attributes and context attributes. The decision can be distributed to other parties as a security token (AuthZ decision) or as an AuthZ delegation token.
Figure: the Authorization Decision component in the AAA & IdM Infrastructure evaluates the AuthZ policy over these attributes and hands the resulting security token to the Authorization Enforcement of the Relying Party. Relevant standards: OASIS XACML & SAML, other policy languages, WS-Trust.
AAA & IdM Reference Architecture – Concepts. Access control requires consistent and accurate identity data.
Accurate and up-to-date provisioning of identity information (identities, personas, profiles, identity attributes, entitlements, AuthN credentials) and of policies (provisioning policy, privacy policies, AuthN policy, AuthZ policies) is the basis for reliable security tokens carrying identity information and for delegated AuthZ decisions. Federation and SSO reuse that identity information across parties.
Figure: Identity Provisioning feeds the Identity Provider, Attribute Provider and Authorization Decision components; the Relying Party receives security tokens with identity information or with an AuthZ decision. Relevant standard: OASIS SPML.
A typical SOA Architecture and Security. A collaborative SOA approach, based on a typical large-scale architecture.
Complex and structured enterprise architecture for a global business partner.
SOA access from various independent external partners via the internet.
Possible multi-location service delivery.
Figure: each service location consists of a portal, a reverse proxy, a WS gateway and a local ESB, connected to a global ESB.
SOA and Security – Questions (1). Details inside one global service location.
Figure: one service location, accessed from the internet and divided into zones. DMZ: reverse proxy, WS gateway. Portal zone: portal, BPEE. Application zone: App. 1 and App. 2, each with its own security rules. Security service zone: directory service, authentication service, token service, policy server. ESB zone: ESB (e.g. MQ), BAM, and a repository holding transformations (e.g. XSLT), functional and non-functional descriptions and security rules. Database zone: DWH, client DB. Legacy zone: legacy systems behind a wrapper. Markers in the figure:
1. Security information within the repository
2. Repository and security directory
3. Security questions within the application zone
SOA and Security – Questions (1). Details inside one global service location.
1. Which security information is required within the service repository and how should this information be structured?
2. How should security information be shared between the security directory and the service repository? – Which system should be the leading one?
3. Which security is necessary within the service providers? Do we need some additional security architecture structures there? (see question #3 and the following scenario)
A typical SOA Architecture and Security. A collaborative SOA approach, based on a typical large-scale architecture.
Figure: two service locations, each with a portal, a reverse proxy, a WS gateway and a local ESB, connected through the global ESB (global multi-domain service delivery).
SOA and Security – Questions (2). Questions about global multi domain service delivery.
4. Security between global domains
5. Security and global service finding
6. Replication of security repository
SOA and Security – Questions (2). Questions about global multi domain service delivery.
4. Which security rules should be applied between different regional locations (domains) of one global service provider?
5. Which security rules should be applied during global service discovery? How should this task be distributed between the global ESB modules (e.g. repositories, content-based security, service implementation)?
6. Which distribution policy and rules should be applied for the global security information (within the repositories and the security directories)?
SOA and Security – Answers. Based on the AAA & IdM Reference Architecture.
Figure: the zoned service-location architecture from the questions (DMZ, portal zone, application zone, security service zone, ESB zone, database zone, legacy zone) is reused as the canvas for the following answers.
SOA and Security – Answers. Usage of security tokens.
The security token, issued by a Security Token Service that combines Identity Provider, Authentication Authority and Attribute Provider and carrying information about someone, is the basic building block of the IdM & AAA infrastructure. It can be distributed over any fixed or mobile network and interchanged between the network and service layer without further requirements on security.
Figure: the Security Token Service is placed in the security service zone (directory service, authentication service, token service, policy server) and issues tokens to the Principal (User Agent) coming in from the internet.
SOA and Security – Answers. Authorization based on policies and security tokens.
Flexible and scalable access control for all kinds of resources (e.g. portal, WS gateway, applications, engines), based on authorization policies and security tokens.
Figure: the reverse proxy, the WS gateway and the applications each act as a Relying Party with its own Authorization Enforcement; the Authorization Decision is taken centrally in the security service zone against the authorization policies and reaches the enforcement points as a security token.
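The delegated AuthZ decision of the concept slide (a policy evaluated over user, resource and context attributes, then distributed to other parties as a security token) and the policy-plus-token access control of this answer slide, as one added Python example that is not code from the talk or from T-Systems: the issuer key, the policy rules and the attribute names are constructed assumptions standing in for XACML policies and SAML/WS-Trust tokens.

```python
import base64, hashlib, hmac, json, time

# Assumption (not from the slides): one issuer key shared with relying parties,
# standing in for the XML signature of a SAML/WS-Trust token.
ISSUER_KEY = b"constructed-demo-key"

# Constructed attribute-based policy: each rule names the subject, resource
# and context attribute values required for an action (a stand-in for XACML).
POLICY = [
    {"action": "read", "subject": {"role": "partner"}, "resource": {"owner": "sales"},
     "context": {"network": "internet"}},
    {"action": "write", "subject": {"role": "employee"}, "resource": {},
     "context": {"network": "intranet"}},
]

def _matches(required: dict, actual: dict) -> bool:
    return all(actual.get(k) == v for k, v in required.items())

def decide(action: str, subject: dict, resource: dict, context: dict) -> str:
    """Authorization Decision: evaluate the policy over all three attribute sets."""
    for rule in POLICY:
        if (rule["action"] == action and _matches(rule["subject"], subject)
                and _matches(rule["resource"], resource)
                and _matches(rule["context"], context)):
            return "Permit"
    return "Deny"

def issue_token(subject_id, action, resource_id, decision, ttl=300, now=None) -> str:
    """Security Token (AuthZ decision): claims bound to action and resource, HMAC-signed."""
    now = time.time() if now is None else now
    claims = {"sub": subject_id, "act": action, "res": resource_id,
              "decision": decision, "exp": now + ttl}
    body = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(ISSUER_KEY, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body).decode() + "." + base64.urlsafe_b64encode(sig).decode()

def enforce(token: str, action: str, resource_id: str, now=None) -> bool:
    """Authorization Enforcement at the relying party: trusts the issuer's
    signature and the claims, never sees the policy or the attributes."""
    now = time.time() if now is None else now
    try:
        b64_body, b64_sig = token.split(".")
        body = base64.urlsafe_b64decode(b64_body)
        sig = base64.urlsafe_b64decode(b64_sig)
    except ValueError:                      # malformed token
        return False
    if not hmac.compare_digest(sig, hmac.new(ISSUER_KEY, body, hashlib.sha256).digest()):
        return False                        # tampered, or not from our issuer
    claims = json.loads(body)
    # A Permit is only usable for the action/resource it was issued for and while fresh.
    return (claims["decision"] == "Permit" and claims["act"] == action
            and claims["res"] == resource_id and claims["exp"] > now)
```

The enforcement point holds neither policy nor attributes, which is what lets the decision travel across zones and locations.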
SOA and Security – Answers. Provisioning of accurate and consistent security data.
Accurate and up-to-date provisioning of identity information and security policies enables secure service delivery based on reliable security tokens.
Figure: Identity Provisioning supplies identities and profiles, identity attributes and authentication credentials to the Security Token Service (Identity Provider, Authentication Authority, Attribute Provider), and authentication policies, authorization policies and entitlements to the Authorization Decision component in the security service zone.
SOA and Security – Answers. Put it all together ...
Figure: the zoned service-location architecture with the Security Token Service (Identity Provider, Authentication Authority, Attribute Provider) issuing tokens to the Principal (User Agent); the Relying Parties (reverse proxy, WS gateway, applications) enforcing authorization; the central Authorization Decision against the authorization policies; and Identity Provisioning feeding identities, profiles, identity attributes, authentication credentials, authentication and authorization policies and entitlements.
... and you are close to an Enterprise Identity Bus supporting IdM and AAA as a Service.
SOA and Security – Answers. The good news is, it works in global multi domain service delivery too.
Figure: Identity Provisioning, the security token (issuer, information about someone) and the Relying Party's Authorization Enforcement across two service locations.
... due to the characteristics of the security token.
Conclusions.
A well designed security architecture within the enterprise’s SOA application zone eases transition into global scale ESB implementations (e.g. due to reorganizations, changing business alliances, mergers and acquisitions).
The security architecture must be flexible and scalable due to SOA’s characteristics of fine-grained services with a multiplicity of interfaces.
SOA requires an “Enterprise Identity Bus” approach supporting identity management, authentication and authorization as services (IdM & AAA as a Service).
Originally, the AAA & IdM reference architecture was developed independently of SOA in order to be applicable in almost every context (e.g. Telco, Web 2.0). However, SOA and the AAA & IdM reference architecture match perfectly.
Contacts.
Dietmar Krüger, T-Systems Enterprise Services, [email protected], +49 30 3497 3108
Dr. Bert Klöppel, T-Systems Enterprise Services, [email protected], +49 561 5893 430
Jörg Heuer, Deutsche Telekom, [email protected], +49 30 83535 8422