Date posted: 22-Dec-2015
SOA Security Challenges, Patterns and Solutions

Martin Borrett, Lead Security Architect, Technical Staff Member, NE Europe, IBM SWG

What is different now? Trends

- Increased focus on compliance and governance
- Service oriented architecture
- Web 2.0 and collaboration models
- User centric identity
- Trusted identity

Implications

- Porous perimeter, with trust extending beyond traditional 'boundaries'
- Composite applications and business process transformation challenge traditional approaches to defining and managing security policies
- Empowering users to make selections – sharing of identity information, who they trust, ...
- Need to factor in reputation, trust models, and information leakage

New identity and access management challenges

- Composite application and mash-up adoption
- Need consistent enforcement of policies
- Requires the enterprise to ensure consistent and integrated identity management, access control and data security
- Compliance driving a need for a closed-loop solution
- Need unified identity & access management with delegation & change control
- Audit accountability needs to relate activities to 'end users', not just ids or systems
- Deployment of heterogeneous IT infrastructures creates costly islands of security administration
- Mature standards exist today (WS-Policy, WS-Trust, XACML)
- Need a common, pluggable framework (authentication, authorization)

Architectural principles

- Consistent policy enforcement (Runtime)*
- Security as a service – service orientation
- Federation through mediation
- Externalization of policies from applications
- Flexibility to deal with change: this does not necessarily mean applications need to be re-written
- Consistent policy management (Administration)
- Interoperability and integration
- Open approach – open standards and open source

* note: enforcement in this context is inclusive of decision points

Consistent runtime enforcement - Example

[Diagram: Client System (browser, rich client) | Firewall | Proxy/Intermediary | Firewall | Web Application Server/Portal | Server | Existing Application | Enterprise Information System; alongside them, Centralized Security Services ('Security as a Service')]

Policies and configurations are currently specific to the various products, with tool-specific definitions. How do you check compliance across all of them?

[Diagram of stakeholders, each with a separate view of policy:
- Compliance Officer (Corporate Intranet): "The corporate policy is to protect disclosure of social security numbers"
- Security Officer: Message encryption policy
- Integration Architect: Service Registry, Service policy
- Developer: "Should I code entitlements into the application?" (Service)
- IT Operations (Operations Console): Manage and enforce the policies]

Challenge: How to apply policy consistently?

Solution Pattern - Components & Interaction for Policy Administration, Decision and Enforcement

[Diagram: Policy Administration Point (PAP), Policy Enforcement Point (PEP), Policy Decision Point (PDP) and Policy Information Point (PIP), with numbered interactions labelled Publish, Discovery, Policy decision and Information]

Message Security Policy for Authentication & Identity Propagation

[Diagram: Client System (browser, rich client) | Firewall | Proxy/Intermediary | Firewall | Web Application Server/Portal | Server | Existing Application | Enterprise Information System. IT Security Runtime Services: Authentication Services, Identity Services, Policy Enforcement. The user Jon ([email protected]) presents <Jdoe_token>; at the Enterprise Information System, [email protected] is mapped to z42. Callouts: Message confidentiality & integrity policies - what to sign? what to encrypt? What identity token? Trust policy? WS-Trust]

- Applications need the end user's identity for controlling access and for compliance
- Identity information needs to be mediated for access
- Authentication service: What assertions are needed? What is the trust policy? How to secure messages for integrity & confidentiality? How to authenticate, validate and transform identity claims/tokens across boundaries?
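The mediation step this slide describes (validate the inbound token against the trust policy, map the external identity to the enterprise account, re-issue a token for the back end), written as an added Python illustration rather than code from the deck or from an IBM product. The token format, the HMAC shared key standing in for WS-Trust signature verification, the addresses and the jdoe-to-z42 mapping table are constructed assumptions:

```python
import hashlib
import hmac
import json
import time

# Constructed trust policy for the intermediary: trusted issuers and the
# shared key used to verify their tokens (stand-in for certificate checks).
TRUSTED_ISSUERS = {"client-domain.example": b"constructed-demo-key"}

# Constructed identity mapping: external principal -> enterprise system account.
IDENTITY_MAP = {"jdoe@client-domain.example": "z42"}

def issue_token(issuer, subject, key, ttl=300, now=None):
    """Mint a compact signed token: claims JSON followed by an HMAC-SHA256 tag."""
    now = int(time.time()) if now is None else now
    claims = json.dumps({"iss": issuer, "sub": subject, "exp": now + ttl}, sort_keys=True)
    tag = hmac.new(key, claims.encode(), hashlib.sha256).hexdigest()
    return claims + "." + tag

def validate_token(token, now=None):
    """Trust check: known issuer, intact tag, not expired. Raises on failure."""
    now = int(time.time()) if now is None else now
    claims_json, _, tag = token.rpartition(".")   # tag is hex, so it holds no '.'
    claims = json.loads(claims_json)
    key = TRUSTED_ISSUERS.get(claims.get("iss"))
    if key is None:
        raise PermissionError("untrusted issuer")
    expected = hmac.new(key, claims_json.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        raise PermissionError("token integrity check failed")
    if claims["exp"] <= now:
        raise PermissionError("token expired")
    return claims

def mediate_identity(token, eis_key, now=None):
    """Proxy/intermediary step: validate the inbound token, map the subject to
    the Enterprise Information System account and issue a token for it."""
    claims = validate_token(token, now)
    local = IDENTITY_MAP.get(claims["sub"])
    if local is None:
        raise PermissionError("no identity mapping for subject")
    return issue_token("intermediary.example", local, eis_key, now=now)
```

The ordering matters: the subject is never looked up in the mapping table until issuer, integrity and expiry checks have all passed.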

Authorization Policy for Access & Entitlements

[Diagram: Client System (browser, rich client) | Firewall | Proxy/Intermediary | Firewall | Web Application Server/Portal | Server | Existing Application | Enterprise Information System. IT Security Runtime Services: Authorization Services, Identity Services, Policy Enforcement. Questions asked along the path for user Jon: Can Jon access apps? Can Jon access finance apps? Can Jon access Alice's investment record, given Jon is Alice's financial advisor? Callouts: Access decisions; entitlements; use claims. Obtain identity information and attributes to make decisions]

- Access decisions take the following into consideration: identity context, resource context, request context
- Need an efficient way to externalize access control out of application logic
- Authorization service: centralized decision point for access and entitlements
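The PAP / PDP / PEP / PIP interaction from the solution-pattern slide, worked for this slide's own question (can Jon read Alice's investment record, given Jon is Alice's financial advisor?) as an added Python illustration, not code from the deck, from XACML or from an IBM product. The rule format, the attribute store, the user names' attributes and the record id are constructed assumptions; the Deny rule on request context exercises the third input the slide names:

```python
# Policy Information Point: attribute store the PDP consults for identity and
# resource context it was not handed directly (constructed sample data).
PIP = {"user": {"jon": {"role": "advisor", "clients": {"alice"}},
                "bob": {"role": "clerk", "clients": set()}},
       "record": {"inv-1001": {"owner": "alice", "type": "investment"}}}

def request_context(subject, resource, action, context):
    """Assemble identity, resource and request context for one decision."""
    return {"subject": subject, "user": PIP["user"].get(subject, {}),
            "resource": resource, "record": PIP["record"].get(resource, {}),
            "action": action, "context": context}

class PAP:
    """Policy Administration Point: author rules, then publish them to the PDP."""
    def __init__(self):
        self.rules = []
    def author(self, name, effect, condition):
        self.rules.append((name, effect, condition))
    def publish(self, pdp):
        pdp.rules = list(self.rules)

class PDP:
    """Policy Decision Point: deny-unless-permit; any matching Deny rule wins."""
    def __init__(self):
        self.rules = []
    def decide(self, req):
        verdict = "Deny"
        for name, effect, cond in self.rules:
            if cond(req):
                if effect == "Deny":
                    return "Deny", name
                verdict = "Permit"
        return verdict, None

class PEP:
    """Policy Enforcement Point: asks the PDP and enforces the answer, never deciding itself."""
    def __init__(self, pdp):
        self.pdp = pdp
    def allowed(self, subject, resource, action, context=None):
        req = request_context(subject, resource, action, context or {})
        return self.pdp.decide(req)[0] == "Permit"

def build_pep():
    """Wire PAP -> PDP -> PEP with the deck's advisor entitlement."""
    pap, pdp = PAP(), PDP()
    pap.author("advisor-reads-client-record", "Permit", lambda r:
               r["user"].get("role") == "advisor" and r["action"] == "read"
               and r["record"].get("owner") in r["user"].get("clients", ()))
    pap.author("no-public-channel", "Deny",
               lambda r: r["context"].get("channel") == "public")
    pap.publish(pdp)
    return PEP(pdp)
```

The application behind the PEP contains no entitlement logic at all, which is the externalization the slide asks for; changing who may read what is a PAP edit followed by a publish, not a code change.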

Security Policy Management

[Diagram: Client System (browser, rich client) | Firewall | Proxy/Intermediary | Firewall | Web Application Server/Portal | Server | Existing Application | Enterprise Information System. Policy management holds policies in canonical form (e.g., WS-SecurityPolicy, XACML) and applies a local transformation for each enforcement point. Policy lifecycle: Author, Transform, Enforce, Monitor. Identity policies: manage trust relationships across domains. Authorization policies: manage authorization policies & entitlements. Trust policies. Service Registry]

- Multiple heterogeneous enforcement points: potential inconsistency in managing policies and configuration across them
- Unified security policy management: federate policies to enforcement points (including decision points/services)
- Canonical form of policy expressions – and local transformations as necessary

Logical Architecture

[Diagram: Client System (browser, rich client) | Firewall | Proxy/Intermediary | Firewall | Web Application Server/Portal | Server | Existing Application | Enterprise Information System. Policy lifecycle (Author, Transform, Enforce, Monitor) with policies in canonical form (e.g., WS-SecurityPolicy, XACML) and a local transformation per enforcement point.
IT Security Runtime Services: Authentication Services; Authorization & Privacy Services; Audit Services; Identity Services; Confidentiality & Integrity Services; Non-repudiation Services.
Business Security Services: Identity & Access; Data Protection, Privacy & Disclosure Control; Secure Systems & Networks; Compliance & Reporting; Trust Management]

… and Interoperability & integration with open standards

- Service interfaces
  - Token exchange and authorization - WS-Trust
  - Identity service – IdAS (open source effort in progress - Project Higgins @ Eclipse)
- Policy expressions
  - Authorization policies - XACML
  - Message protection policies – e.g., WS-SecurityPolicy
- Programming model
  - WS* - WS-Trust, XACML
  - Java – Declarative model in J2EE; programming APIs through Java Authentication and Authorization Service (JAAS), Java Authorization Contract for Containers (JACC)
- Collaborators on open standards: Microsoft, Oracle, SAP, Sun, and others
- Open source – Project Higgins at Eclipse.org

IBM Product Capability

- Tivoli Federated Identity Manager: identity transformation/propagation (token, attributes)
- Tivoli Security Policy Manager: author, administer, transform and distribute security policies

