Date post: | 07-Dec-2014 |
Category: |
Documents |
Upload: | bruceodell |
View: | 825 times |
Download: | 0 times |
Unlock the Business Potential of Service-Oriented Architectures via Identity
Management
BRUCE O'DELLSENIOR CONSULTANT, RISK MANAGEMENT
AERITAE CONSULTING GROUP [email protected]
1
Agenda
What is a service-oriented architecture (and why should security people care)?
Prehistoric SOAs... primitive security Modern SOAs... point-to-point protocols Internet SOAs... novel products and services Future SOAs... “security” disappears And what to watch for next
2
Wikipedia• SOA separates functions into distinct units, or
services, which developers make accessible over a network in order to allow users to combine and reuse them in the production of applications.
Key concepts– Encapsulation, composition, discoverability,
abstraction... and, of course, re-use– Limitless scope for SOA design pattern• Component, application, organization,
enterprise, consortium, nation, planet...
3
Defining an SOA
SOA sounds like a great idea... but– In practice, results seldom matched the hype – Basic security requirements (authentication,
authorization, confidentiality, non-repudiation, integrity, denial of service...) have been key dis-enablers of SOA
– Paradoxically security is also about to the catalyst for an SOA renaissance
To understand why... let's take a little trip through SOA history
4
But... why bother perfectly nice security people about SOA?
Platforms that time forgot
Fossil records show (long ago) distributed object protocols fought to rule the world
5
The OMA - Object Management Architecture - categorizes objects into four categories: the CORBAservices™, CORBAfacilities™, CORBAdomain™ objects, and Application Objects.
Here is the classic OMA diagram:
Source: OMG, http://www.omg.org/gettingstarted/specintro.htm
DCOM sits right in the middle of the components of your application; it provides the invisible glue that ties things together
Source: http://msdn.microsoft.com/en-us/library/ms809311.aspx
CORBA (IIOP) DCOM (DCE RPC)
The rise of web services
Both DCOM and CORBA were for all intents and purposes wiped out by the same “asteroid”... the Internet
• XML over HTTP worked fine across firewalls• Free of platform-specific security hooks• Bridges Java, COM (and .NET) services + more
A SOAP inventor's view – “low-tech wire protocols based on the standards of the Internet...
I went on a private tour of execs in the industry, but none of them (I think) had a clue what I was talking about.” - Dave Winer
6
Web services challenges
No XML security standards for a very long time – Security interoperability = standards, but– Multiple vendors + consensus =
What was available …– Transport-layer security• Confidentiality• Basic or cert authentication
Proliferation of roll your own solutions
7
WS-* to the rescue?
Web services security standardization– Gradual emergence of security standards– More gradual adoption by vendors– Even more gradual interoperability
Key standards WS-Security– How to pass credentials
WS-Trust– The birth of the security token
8
Unbearable coolness of security tokens
Good answer to hard questions– Standard way to pass identity attributes• Arbitrary assertions• Attributes sound basis for RBAC
– Digitally signed XML• Authentication, integrity, non-repudiation
– Self contained and verifiable • Enables delegation of trust• Eliminates identity management by daily
“batch file” transfer
9
Anatomy of a security token10
<saml:Assertion <saml:Conditions> metadata </saml:Conditions> <saml:AuthenticationStatement <saml:Subject> <saml:NameIdentifier>subject</saml:NameIdentifier> <saml:SubjectConfirmation> metadata </saml:SubjectConfirmation> </saml:Subject> </saml:AuthenticationStatement> <saml:AttributeStatement> <saml:Subject> <saml:NameIdentifier>name</saml:NameIdentifier> </saml:Subject> <saml:Attribute AttributeName="name"> <saml:AttributeValue>value</saml:AttributeValue> </saml:Attribute> </saml:AttributeStatement> <ds:Signature … digital signature & metadata... </ds:Signature></saml:Assertion>
Internet SOAP web services?
Vendor products began to support WS-Security– SAML token binding– Digital signatures are fragile– Cross-vendor compatibility – Heavyweight protocol– Token lifetime & renewal
Web browser SOAP client? – B2B niche, but SOAP seldom direct to end-users
11
RESTful evolution
Web 2.0 – a lightweight way to browse REST = SOAP - except inside out– SOAP • complex request • obfuscated scope• “heavyweight” XML security parameters
– REST • simple request, self-evident scope• “lightweight” query string security params
12
OpenID and OAuth
Modeling identity as URI resources Identity providers + relying parties – Internet single sign on– Application to application permissioning– User control of attribute sharing
13
OpenID OAuth
Web 2.0 threat model
Deliberately break scripting “sandbox” JSON – render objects from content stream Asynchronous XML data transactions Cross-site request forgery Phishing OpenID 1.0 Spoofing OAuth 1.0 XML injection and DOS Domino effect - if federated IDP (Facebook) is
compromised, so are FacebookConnect sites
14
Federated Identity and SSO
15Identity Provider Site Service Provider Site
1.Receive the “token”
2.Verify its digital signatures
3.Create a valid user session on SP site using attributes passed from IDP
1.Authenticate the user
2.Generate a digitally-signed “token”
3.Include one or more attributes needed by a service provider
16
| Page 16
Federated account linking
Identity Provider Site A
Service Provider Site B
Identity ARecognizeuser is part
of IDP A
Invite user tolink site B identity to site Aidentity
• Identity Provider Recognition: the Service Provider needs some mechanism to recognize that a Service Provider user is also registered with an Identity Provider within their circle of trust. • Service Provider Enrollment: the user is invited to link their SP account to their IDP identity, and logs in (one last time) to the SP. The linkage is registered on the IDP end, and the SP login is bypassed in future
User-centric identity17
Claims-based architecture
Abstract authentication from authorization
18
Source: http://download.microsoft.com/download/7/D/0/7D0B5166-6A8A-418A-ADDD-95EE9B046994/Claims-Based%20Identity%20for%20Windows.pdf
Internet-scale SOA
Combine... – large-scale consumer IDPs – affiliated, linked service providers – portable consumer identity tokens– composable, RESTful web services– mobile, location-aware hardware– REST-SOAP gateways to corporate services
… for ubiquitous, SOA internet applications
19
Today, RBAC...tomorrow, ABAC?
RBAC is the best idea seldom implemented– Role based access controls are great– Role based access controls are awful
Attribute based access control (ABAC)– A subject (an attending physician)– An action (wants to read)– A resource (a patient's test result)– A context (in the ER at 2:00 AM)
Practical considerations– Avoid RBAC complications– Limited choice of platforms for now
20
XACML as a design pattern
XACML standard for ABAC
Abstraction of IAM complete: authentication, authorization and policy metadata
21
XACML as a real platform
More academic interest than industrial products– Example: Axiomatics product architecture
22
Internet 3.0 web services
Internet 3.0 – Web 2.0 + semantics + federated identity
Interoperable attribute authorities – STS-mediated circles of trust– Semantic attribute mapping
Multiple levels of assurance Ubiquitous ABAC Strong privacy safeguards...– Which many will choose to ignore to gain
benefits of transparency within social networks
23
Long road to invisibility
Evolution of SOA as driven by evolution of security – Before 1990 – monolithic platform SOAs,
monolithic security (ACF2, RACF)– 1990 – 2000: distributed object SOAs, DCOM and
CORBA security wrappers– 2000 – 2010: point to point SOAP with TLS– 2010 – 2015: consumer identity federation with
portable identity– 2015 – 2020: ABAC and semantics for compliance
and management of complexity– 2020 – SOA ubiquitous, “security” declarative
24
Questions?
Bruce O'Dell Senior Consultant, Risk Management Aeritae Consulting Group Limited [email protected] (651) 229-0300 www.aeritae.com
Leaders in bringing innovation, balance, and performance to IT organizations
25
YOUR LOGO