SOA Security Programming Model
Anthony Nadalin, Distinguished Engineer, IBM Corporation
Presented by Mike Perks
Colorado Software Summit: October 23 – 28, 2005 © Copyright 2005, IBM Corporation
Source: softwaresummit.com/2005/speakers/NadalinSOASecurity.pdf



Page 2: Agenda

• Securing an on demand business
• Business requirements
• on demand security infrastructure
• Service Oriented Architecture and Security
• Federation and trust management
• Business driven application security

Page 3: Security is a Business Requirement that …

• Affects Business Strategy
• Impacts Business Processes and Operations
• Is Needed to Secure the Infrastructure
• Helps Secure Business Applications

Page 4: Customer Pain Points

• Manage identity within and across enterprise(s)
• Protecting privacy and security of customer and employee information
• Manage security policies to mitigate risks
• Ensure integrity of the environment (delegated, federated)
• Securing exchange of business critical information

Page 5: Understanding the pain points leads to …

Page 6: on demand security infrastructure

The slide is a layered diagram (the extraction repeats its boxes several times). Its elements:

• Business Controls, Risk and Security Governance
• Business Controls, Risk and Security Compliance Management
• on demand security management disciplines: Secure Business Process and collaboration; Secure Systems and Networks; Identity and Access Management; Data protection and disclosure control; Security Monitoring and audit; Secure Transactions
• on demand security fabric
• Tooling for model driven security infrastructure (drawn alongside all of the above)

Page 7: … that help secure an on demand environment …

Page 8: So as to achieve …

Enterprise Integration and Virtualization
• Security Services
• Security components
• Pluggability and customizability
• Consistent and coherent model

Based on
• Service Oriented Architecture
• Componentization
• Standards based interoperability and integration
• Loose coupling and virtualization
• Adapters to legacy applications

Using
• Security policies from executives to IT staff
• End to end tools from modeling to infrastructure management
• Governance model and delegation of authority

Page 9: … Using Security Fabric that is Standards Based and Pluggable

The slide is a layered diagram of the Security Services Infrastructure (drawn twice in the extraction). From the top:

• On Demand Applications
• Enterprise Service Bus / Utility Business Services / Business Application Services
• Web services security specifications the applications and bus rely on: WS-Trust, WS-Federation, WS-Policy, WS-Privacy, WS-Authorization, WS-Attribute Service
• Security Services Infrastructure, exposed through three API families: Runtime Security APIs (login, authorization, etc.); Administrative Security APIs (create user, change policy, ...); Vendor API extensions (J2EE, Unix, …)
• Operating Environment Security Runtime: credential propagation, authentication, context establishment, authorization checks, audit, privacy
• Service provider interfaces (SPIs) with pluggable, possibly 3rd-party, providers: Authentication SPI (Kerberos, RACF, 3rd party); Authorization SPI (Authz provider, 3rd party); Cred Mapping SPI (Mapping provider, 3rd party); Identity Management (Management provider); User Registry (LDAP, OS registry); Policy, Audit, Intrusion Detection, Privacy

Page 10: Agenda (repeats the agenda from page 2 as a section divider)

Page 11: Federated Lifecycle Management

The slide is a diagram of the lifecycle elements, which the extraction scattered. Its elements:

• Business Driven Trust Agreements: Security & Identity Agreements; Transaction/Data Agreements; Audit Agreements; Privacy Agreements; Technical Policies; Operational Best Practices
• Partner Enrollment: Partner-Role-Attribute Management; Partner-User Enrollment; Federation/De-federation
• User Life cycle Management: Credentials Management; Role/Permission Management; Attribute change Management; Provisioning/Deprovisioning; Identity Relationship Management
• Scenario Management and Scenario Realization
• Audit and compliance

Page 12: Federations Require Trust

Trust
• Reflects a business relationship
• Needs a governance model
• Is implemented using technology

Trust between Identity Provider and Service Providers
• This can be implemented using technology
• Trust can be provided by WS-Trust, WS-Security, WS-SecureConversation

Trust between users and Identity Providers
• This can be facilitated by technology
• Requires business, legal and "faith based" solutions

Trust by users in how the IdP will use their information
• This can be mitigated by the WS-Policy family
• Also requires business, legal and "faith based" solutions

Page 13: Web Services Security Model

• End to End Security model simplifies integration between companies
• Each Web Services message can be individually authenticated, integrity & confidentiality protected and authorized

The slide's diagram: Users → Client Requestor → Web Services Security Gateway → Service Provider (Web Services), over SOAP on HTTPS, JMS or MQ, using the WS-Security family (Kerberos, X.509, SAML tokens). The gateway applies Authentication, Authorization, Provisioning, SSO and Audit, and the same pattern covers B2B and B2B2C.
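The per-message authentication the slide describes, as an added example in Python (not code from the original slides or from any IBM product): a WS-Security UsernameToken with PasswordDigest is built by the requestor for each message and verified by the gateway. The digest is the one the OASIS WSS UsernameToken Profile 1.0 defines, Base64(SHA-1(nonce + created + password)) over the raw nonce bytes, the Created string and the password; the gateway-side freshness window and nonce cache are the replay controls a practitioner adds on top of the profile. SHARED_PASSWORDS, build_token, token_to_xml, Verifier and the sample registry are names and data invented for this example.

```python
"""WS-Security UsernameToken (PasswordDigest) built and verified per message.

Added example; not code from the original slides or any IBM product.
Digest per OASIS WSS UsernameToken Profile 1.0:
    Password_Digest = Base64(SHA-1(nonce + created + password))
The freshness window and nonce cache in Verifier are this example's own
replay controls. SHARED_PASSWORDS is a constructed sample registry.
"""
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import Optional

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

SHARED_PASSWORDS = {"alice": "correct horse battery staple"}  # constructed sample


def utc(iso: str) -> datetime:
    """Parse the wsu:Created form (e.g. 2005-10-25T12:00:00Z) as an aware UTC datetime."""
    return datetime.strptime(iso, TIME_FMT).replace(tzinfo=timezone.utc)


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Base64(SHA-1(nonce || created || password)) exactly as the profile specifies."""
    return base64.b64encode(hashlib.sha1(nonce + created.encode() + password.encode()).digest()).decode()


def build_token(username: str, password: str, now: Optional[datetime] = None) -> dict:
    """Requestor side: fresh random nonce plus current time; the password never leaves the client."""
    now = now or datetime.now(timezone.utc)
    nonce = os.urandom(16)
    created = now.strftime(TIME_FMT)
    return {"Username": username, "Nonce": base64.b64encode(nonce).decode(),
            "Created": created, "Password": password_digest(nonce, created, password)}


def token_to_xml(tok: dict) -> str:
    """The <wsse:UsernameToken> element that goes inside the SOAP <wsse:Security> header."""
    return (f'<wsse:UsernameToken xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">'
            f'<wsse:Username>{tok["Username"]}</wsse:Username>'
            f'<wsse:Password Type="{DIGEST_TYPE}">{tok["Password"]}</wsse:Password>'
            f'<wsse:Nonce>{tok["Nonce"]}</wsse:Nonce>'
            f'<wsu:Created>{tok["Created"]}</wsu:Created>'
            '</wsse:UsernameToken>')


class Verifier:
    """Gateway side: recompute the digest and reject stale or replayed tokens."""

    def __init__(self, passwords: dict, max_skew: timedelta = timedelta(minutes=5)):
        self.passwords = passwords
        self.max_skew = max_skew
        self.seen = {}  # nonce -> Created; entries older than the window are dropped

    def verify(self, token_xml: str, now: Optional[datetime] = None) -> tuple:
        now = now or datetime.now(timezone.utc)
        ns = {"wsse": WSSE, "wsu": WSU}
        root = ET.fromstring(token_xml)
        user = root.findtext("wsse:Username", namespaces=ns)
        pw = root.find("wsse:Password", namespaces=ns)
        nonce_b64 = root.findtext("wsse:Nonce", namespaces=ns)
        created = root.findtext("wsu:Created", namespaces=ns)
        if user is None or pw is None or nonce_b64 is None or created is None:
            return False, "incomplete token"
        if pw.get("Type") != DIGEST_TYPE:
            return False, "only PasswordDigest tokens are accepted"  # no cleartext passwords
        password = self.passwords.get(user)
        if password is None:
            return False, "unknown user"
        created_dt = utc(created)
        if abs(now - created_dt) > self.max_skew:  # freshness: Created within the skew window
            return False, "stale token"
        self.seen = {n: c for n, c in self.seen.items() if now - c <= self.max_skew}
        if nonce_b64 in self.seen:  # replay: a nonce is accepted once per window
            return False, "replayed nonce"
        expected = password_digest(base64.b64decode(nonce_b64), created, password)
        if not hmac.compare_digest(expected.encode(), (pw.text or "").encode()):
            return False, "digest mismatch"
        self.seen[nonce_b64] = created_dt
        return True, user
```

The nonce cache only has to cover the skew window, because anything older is already rejected as stale; that is what keeps the gateway's state bounded. The profile's SHA-1 digest is what the standard mandates, so the real strength comes from the transport protection (HTTPS on the slide) and from the shared secret never being sent.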

Page 14: Services Driven Interactions

The slide's diagram: a Web Services Security checkpoint sits between Suppliers' Applications, Partners (Web Services and non-Web-Services), Legacy Applications, the Company Portal and Remote Portals (Web Services for Remote Portlets), all talking SOAP/HTTP. The questions the checkpoint must answer:

• How do we identify and authenticate the service requester?
• How do we identify and authenticate the source of the message?
• Is the client authorized to send this message?
• Can we ensure message integrity & confidentiality?
• How can I audit the access to Web Services?

Multiple layers of enforcement: perimeter, gateway, app server, application

Page 15: End to End Message Security

[Diagram: a message path across several hops, each link labelled "(trust relationship)"]

Page 16: Managing Trust

[Diagram; the only recoverable label is "Audit"]

Page 17: Managing Integrity

Manage trust
• Use infrastructure components
• May be shared
• Need to be trusted components (they are the enforcement points)
• Interaction (with partners, etc.) and the role played by the infrastructure is managed
• Delegated authority to LOBs

Application specific policies
• Shared infrastructure but different policies (specific to LOB, application, etc.)
• Gives flexibility and control

Compliance
• Audit and monitoring
• Accountability and integrity

Page 18: Web Services Security Roadmap

The roadmap diagram (drawn twice in the extraction) stacks the specifications in layers along a time axis; "Today" divides Implementations Available Today from Specifications Announced:

• SOAP Foundation (Spec: 8 May 2000)
• WS-Security (Spec: 5 Apr 2002; OASIS Standard)
• WS-SecureConversation and WS-Trust (Spec: 18 Dec 2002); WS-Privacy (TBA)
• Policy Layer: WS-Policy, WS-PolicyFramework, WS-PolicyAttachments, WS-PolicyAssertions (Spec: 18 Dec 2002, revised 28 May 2003)
• Federation Layer: WS-Federation (Spec: 8 July 2003); WS-Authorization (TBA)

Page 19: Application lifecycle and security policies

• Corporate policies and line of business/domain specific policies
• Relevance to business process and business applications
• Platform specific models
• Impact on IT infrastructure
• Compliance and monitoring

Page 20: Business driven application security

The slide is an iterative lifecycle diagram (Develop Iteratively, Focus on Architecture, Continuously Ensure Quality, Manage Change & Assets). Security activities and the roles drawn beside each phase:

• Define business and corporate security policies: security policy officer, security auditor
• Model Business: model security requirements and application security: business analyst
• Analyze & Design: security architects, application architects
• Implement: declare application security policies; build and test secure applications: application programmer, security developer
• Deploy: configure infrastructure for application security; subscribe and customize security policies: application administrator, security administrator
• Manage & Monitor: manage security of the business application; monitor behavior and change policies as necessary: IT administrator, security administrator, operator

Page 21: Business application policies

• Analyzing relevance to business processes and applications
• Translating intent/goals into enforceable policies
• Business vocabulary vs. implementation

Page 22: Application modeling and security policies

Page 23: Programming model: Infrastructure vs. application managed

Infrastructure managed (gateways, application container)
• Let the application concentrate on business logic
• Let the infrastructure enforce the intended policies
• Policies aligned with business goals and deployment patterns
• Policies may come from application artifacts (e.g., deployment descriptors), system configuration (e.g., based on topology), and published policies (based on target interactions, e.g. WS-Policy)

Application managed
• Architected and standardized call-outs
• Abstract out as a security provider (e.g., JAAS, JACC)

Page 24: Deployment and management

The slide traces security policy from administration to runtime:

• Policy sources: corporate and IT policies (e.g., use corporate LDAP); application policy (e.g., in deployment descriptors); subscription time changes made by the consumer administrator (e.g., high level security, Fabrikam as certificate authority)
• Solution Install: the requestor (consumer, e.g. an ERP or travel app) subscribes to the service provider
• Security Policy Manager (e.g. Tivoli Access Manager): transform, persist and distribute policies to the security provider (e.g., XACML security policies, coordinated with Tivoli Access Manager); initial policies are "pushed" or stored, updates are pushed or pulled as XACML policy documents
• Application Server runtime: runtime publication of policies (e.g., WS-Policy: 128 bit SSL required, X.509 certs from Verisign)
• Manage/Administer & Runtime: administer policies
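The two programming models of page 23 and the policy flow of page 24, as one added example in Python (not code from the original slides or from any IBM or Tivoli product). Policy arrives from several sources (a deployment-descriptor-style role grant, topology-derived system configuration, corporate policy, and the published requirements of the target interaction), is merged into one effective policy, and is enforced by the container around the business operation; a JAAS/JACC-style provider call-out then handles a data-dependent check the descriptor cannot express. The dictionaries, the Request class, the merge rule (strictest requirement wins, allow-lists intersected, operations denied unless granted to a role the caller holds) and the reports_to table are this example's own assumptions; XACML and WS-Policy are XML formats and are represented here as plain dictionaries.

```python
"""Effective policy from several sources, enforced outside the business logic.

Added example; not code from the original slides or any IBM/Tivoli product.
Policy sources below are constructed samples standing in for a deployment
descriptor, topology configuration, corporate policy and a published
WS-Policy; the merge rule and Request fields are this example's assumptions.
"""
from dataclasses import dataclass, field
from functools import wraps
from typing import Optional

DEPLOYMENT_DESCRIPTOR = {"roles": {           # application artifact: operation -> roles
    "TravelService.bookTrip": {"employee", "travel-agent"},
    "TravelService.approveTrip": {"manager"},
}}
SYSTEM_CONFIG = {"min_tls_bits": 128}          # topology: this node is Internet-facing
CORPORATE_POLICY = {"token_types": {"X509", "SAML"}}
PUBLISHED_POLICY = {                           # what the interaction's WS-Policy states
    "min_tls_bits": 128, "require_signature": True,
    "token_types": {"X509"}, "trusted_issuers": {"CN=Fabrikam CA"},
}


@dataclass
class EffectivePolicy:
    min_tls_bits: int = 0
    require_signature: bool = False
    token_types: Optional[set] = None       # None = no source has constrained it yet
    trusted_issuers: Optional[set] = None
    roles: dict = field(default_factory=dict)


def merge_policies(*sources: dict) -> EffectivePolicy:
    """Strictest setting from any source wins; allow-lists are intersected."""
    eff = EffectivePolicy()
    for src in sources:
        eff.min_tls_bits = max(eff.min_tls_bits, src.get("min_tls_bits", 0))
        eff.require_signature = eff.require_signature or src.get("require_signature", False)
        for key in ("token_types", "trusted_issuers"):
            if key in src:
                current = getattr(eff, key)
                setattr(eff, key, set(src[key]) if current is None else current & set(src[key]))
        for op, roles in src.get("roles", {}).items():
            eff.roles.setdefault(op, set()).update(roles)
    return eff


@dataclass
class Request:
    """What the container knows about a message after WS-Security processing."""
    subject: str
    roles: set
    tls_bits: int
    signed: bool
    token_type: str
    issuer: str


def enforce(policy: EffectivePolicy, operation: str, req: Request) -> tuple:
    """Policy enforcement point: deny unless every requirement is met."""
    if req.tls_bits < policy.min_tls_bits:
        return False, "transport too weak"
    if policy.require_signature and not req.signed:
        return False, "message not signed"
    if policy.token_types is not None and req.token_type not in policy.token_types:
        return False, "token type not allowed"
    if policy.trusted_issuers is not None and req.issuer not in policy.trusted_issuers:
        return False, "issuer not trusted"
    if not policy.roles.get(operation, set()) & req.roles:
        return False, "caller lacks a role granted to this operation"
    return True, "permit"


POLICY = merge_policies(CORPORATE_POLICY, SYSTEM_CONFIG, DEPLOYMENT_DESCRIPTOR, PUBLISHED_POLICY)


def secured(operation: str, policy: EffectivePolicy = POLICY):
    """Infrastructure-managed: the container wraps the operation, business code stays clean."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(req: Request, *args, **kwargs):
            ok, reason = enforce(policy, operation, req)
            if not ok:
                raise PermissionError(f"{operation}: {reason}")
            return fn(req, *args, **kwargs)
        return wrapper
    return decorator


class AuthorizationProvider:
    """Application-managed call-out behind a provider interface (the JAAS/JACC idea)."""

    def __init__(self, reports_to: dict):
        self.reports_to = reports_to  # constructed sample: employee -> manager

    def may_approve(self, approver: str, requester: str) -> bool:
        return self.reports_to.get(requester) == approver


@secured("TravelService.bookTrip")
def book_trip(req: Request, destination: str) -> str:
    return f"{req.subject} booked {destination}"  # business logic only


@secured("TravelService.approveTrip")
def approve_trip(req: Request, requester: str, authz: AuthorizationProvider) -> str:
    if not authz.may_approve(req.subject, requester):  # data-dependent rule the descriptor cannot express
        raise PermissionError("approveTrip: approver is not the requester's manager")
    return f"{req.subject} approved trip for {requester}"
```

Merging by intersection is what makes a later, narrower publication (only X.509 from one CA) tighten a broader corporate allow-list rather than loosen it; if a source ever intersects the set to empty, every request is refused, which is the safe failure. The provider call-out keeps the application's fine-grained decision behind one interface so the provider can be replaced without touching business code.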

Page 25: Identity Management & Service Oriented Architecture

Identity transformation from a product-centric view to a service-centric view: move to adoption of service-oriented architectures with federation characteristics for simplifying identity management and strengthening corporate compliance.

The slide maps the Identity Management market ("Identity") onto Service Oriented Architecture ("Services"):
• Existing Capability: Identity Management, Access Management, Web Single Sign-On, Enterprise Identity mgmt
• New Capability: Federated Identity Management (Federated User Lifecycle Management), SOA Security (Web Services Security Management), Services View, Services Transformation

Page 26: Identity Integration Problem

A Multi Protocol Federation Gateway fronts the enterprise's platforms (SAP Platform, WebSphere Platform, MS .NET Platform), each with its own notion of "Identity", and connects them to partners using WS-Federation, partners using Liberty, partners using SAML in their Portal or Web, and partners using WS-Security.

How to share information with trusted providers? Identity Management as a business process for cross-enterprise collaboration.

Page 27: Identity & Web Services - Landscape

Industry is leveraging Federation to "simplify" Service Delivery and provide a superior end user experience.

New Service Enablers are driving the need for identity sharing based on Web services: presence, location, group management, etc.

HTTP Centric Services are still a dominant delivery model, i.e. services are built and delivered using normal HTTP to browser-based clients (e.g. location-based services, third-party content). This enables the Mobile Operator to assume the role of "Trusted Identity Provider/Authority" in mediating value-add data services with third parties. HTTP identity services standards in the mobile industry:
• Current deployments happening with Liberty ID-FF 1.1/1.2
• Role of SAML 1.0/1.1 very minimal in the mobile industry (due to Liberty uptake)
• SAML 2.0 will converge Liberty ID-FF 1.1/1.2 and SAML 1.0/1.1, but adoption of SAML 2.0 not likely until 2006
• WS-Federation becomes a critical strategy for integration with Microsoft Active Directory and Microsoft .NET Services

Federation of Web Services is a dominant theme in "Service Oriented Architecture", i.e. services are discovered using Web Services (WSDL). The dominant Web Services security platform is WS-Security, now an official OASIS standard, with implementations available from leading middleware platforms from Microsoft .NET and IBM.

Page 28: Best Practice – Enterprise User Provisioning

The slide's diagram: an Enterprise Identity Foundation (Identity Management over an LDAP Directory) is fed by Authoritative Feeds (HR Feed) and administered by an Administrator/CSR through Delegated Admin Workflow, with Self-Care and Password Sync/Reset for users, Bi-directional Provisioning over DAML/DSML, and Account Provisioning into Legacy, ERP and Portal systems, including accounts for Partner Users.

Page 29: Best Practices – Access Management

The slide's diagram: Web Access / Web SSO (SSO/Authentication/Authorization) sits in front of the Portal, Benefits Service and Billing Service. Users get Direct Access; Federated ID users and Third-Party users get Federated Access through partners using Microsoft®, Liberty or SAML, over WS-Security/WS-Federation/SAML/Liberty.

Page 30: Deployment Patterns & Roles – Federated Web Services

Patterns: Consumer-2-Business (C2B), Employee-2-Business (E2B), Business-to-Business (B2B, e.g. Portal to Portal)

Pattern                          Roles
C2B / E2B HTTP                   Identity Provider, Service Provider
C2B – Web Services               Web Services Client, WS Provider
B2B – Web Services               Web Services Client, WS Provider
Composite Patterns – C2B + B2B   Identity Provider; WS Client, Service Provider; WS Provider

Page 31: C2B2B - Portal to Portal – Deployment

The slide's diagram, left to right:

• Users (and a Third-party User) authenticate to the PORTAL (Identity Provider), which holds a local ID in its Enterprise Directory and has its own Security Service, Policy Service and Identity Service.
• The portal's Web Services Client exchanges the local ID for a Security Token via WS-Trust with the portal's Security Service.
• The SOAP Request carries the WS-Security Token through an XML/Web Services Gateway on each side (a Third Party gateway on the partner side).
• The Service Provider/WSP's Web Services Provider uses WS-Trust with its own Security Service to validate the Token and map it to a local ID in its Enterprise Directory, consulting its Policy Service and Identity Service.
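The portal-to-portal flow on the slide, as an added example in Python (not code from the original slides or from any IBM product): the identity provider's security service issues a token for a locally authenticated user, the web services client sends it with the SOAP request, and the service provider's security service validates it and maps the federated subject to a local ID in its own directory. WS-Trust and WS-Security are XML protocols; this example stands in for them with a compact token signed by HMAC-SHA256 under a key the two security services share, which plays the role of the trust relationship on the slide. SecurityService, IdentityService, the realm names and the directory contents are invented for the example.

```python
"""Portal (IdP) issues a token; partner (SP) validates it and maps to a local ID.

Added example; not code from the original slides or any IBM product.
The HMAC-signed compact token stands in for a WS-Trust-issued, signed
WS-Security token; the shared key stands in for the trust relationship.
Realms, keys and directory contents are constructed samples.
"""
import base64
import hashlib
import hmac
import json
import secrets


def _b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64u(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class SecurityService:
    """Security token service for one realm (the WS-Trust role on the slide)."""

    def __init__(self, realm: str, trust_keys: dict):
        self.realm = realm
        self.trust_keys = trust_keys  # issuer realm -> shared key; one entry per trust relationship

    def issue(self, local_id: str, audience: str, now: int, ttl: int = 300) -> str:
        """Sign a token naming the subject, the intended audience and a validity window."""
        claims = {"iss": self.realm, "sub": local_id, "aud": audience,
                  "iat": now, "exp": now + ttl, "jti": secrets.token_hex(8)}
        body = _b64u(json.dumps(claims, sort_keys=True).encode())
        sig = _b64u(hmac.new(self.trust_keys[self.realm], body.encode(), hashlib.sha256).digest())
        return f"{body}.{sig}"

    def validate(self, token: str, now: int) -> dict:
        """Accept only tokens from a trusted issuer, addressed to this realm, inside their window."""
        body, _, sig = token.partition(".")
        claims = json.loads(_unb64u(body))
        key = self.trust_keys.get(claims.get("iss"))
        if key is None:
            raise PermissionError("no trust relationship with issuer")
        expected = _b64u(hmac.new(key, body.encode(), hashlib.sha256).digest())
        if not hmac.compare_digest(expected, sig):
            raise PermissionError("token signature invalid")
        if claims.get("aud") != self.realm:
            raise PermissionError("token not issued for this realm")
        if not claims["iat"] <= now < claims["exp"]:
            raise PermissionError("token outside its validity window")
        return claims


class IdentityService:
    """Maps a federated (issuer, subject) pair to a local ID; unfederated users are refused."""

    def __init__(self):
        self.federations = {}

    def federate(self, issuer: str, subject: str, local_id: str) -> None:
        self.federations[(issuer, subject)] = local_id

    def defederate(self, issuer: str, subject: str) -> None:
        self.federations.pop((issuer, subject), None)

    def map_to_local(self, claims: dict) -> str:
        try:
            return self.federations[(claims["iss"], claims["sub"])]
        except KeyError:
            raise PermissionError("subject not federated with this provider") from None


def check(sts: SecurityService, token: str, now: int) -> str:
    """'ok' or the rejection reason, for exercising validate()."""
    try:
        sts.validate(token, now)
        return "ok"
    except PermissionError as err:
        return str(err)


def portal_to_portal(local_id: str, idp: SecurityService, sp_sts: SecurityService,
                     sp_ids: IdentityService, now: int) -> str:
    """local ID -> token (WS-Trust) -> SOAP request (WS-Security) -> partner's local ID."""
    token = idp.issue(local_id, audience=sp_sts.realm, now=now)
    soap_request = {"Security": {"Token": token}, "Body": "<getBenefits/>"}  # constructed message
    try:
        claims = sp_sts.validate(soap_request["Security"]["Token"], now=now)
        return sp_ids.map_to_local(claims)
    except PermissionError as err:
        return f"rejected: {err}"
```

The audience check is what stops a token issued for one partner from being replayed at another, and the explicit federation table is what the slide's Federation/De-federation lifecycle step maintains: removing the row is enough to cut a partner user off without touching the trust key.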

Page 32: Identity + Web Services - Architecture

The slide's diagram: Clients (Browser, Rich Client, Mobile Terminal) reach the Enterprise Web Services Platforms through an Enterprise ID Gateway that bridges the Partner Spokes: Federated Identity Providers using Liberty, SAML or WS-Federation, and Web Services Providers (Remote Portals) using WS-Security and WS-Trust/WS-Security. Behind the gateway sit the enterprise's Identity Services and Security Services; an SMB partner appears as one spoke. The gateway's two jobs: "I 'know' this subscriber from my partner company" and "I 'know' how to connect the 'user' to authorized services".

Page 33: Compliance – Auditing the Integrity of Mortgage Approval Business Process

Page 34: Simple Identity & Change Audit for Continuous Compliance

The slide's data-flow diagram (drawn twice in the extraction):

Compliance Drivers: SOX, Basel II, Visa CISP, EU/Japan Privacy Law, US Patriot Act, Corporate Security Policies

INPUT
• Business Services (CEI, CBE events): CCMDB/Warehouse, Processes/WBI, Change Events/Alerts, Audit Process, XML Policy
• Identity, Access (Company & Partner) (CEI, CBE events): TIM/TAM, FIM, SCM, ERP/CRM Database, Security Events/Alerts, Audit Process, XML Security Policy

Central Audit Service (CARS): Compliance Data (Security, Change, Archive) held in DB2, with an Analytics/Correlation Engine over CEI, CBE Events/State Changes

OUTPUT
• Abnormal Events/Alerts → Change & Remediation Process (TPM, TCM, TIM, TAM, FIM; Network Remediation; Rational Requisite Pro); SQL
• AlphaBlox Dashboard, Business & IT Reports, Workplace for BCR (Communicate, Track)

Page 35: Summary

• Security is about business, no longer just about technology
• SOA enables better Application Integration
• Web Services Security standards optimize the development, deployment and management of Composite Applications
• Federation is the "bridge" by which web services security integrates with Service Oriented Architectures