
Security and Identity Issues in Cross-Agency SOA


Presentation Transcript


  1. Security and Identity Issues in Cross-Agency SOA
  Philip Walston, Senior Product Manager, pwalston@layer7tech.com

  2. Agenda and Theme
  • Security and identity in SOA
  • The challenges of security and identity
  • What is federation about?
  • Why federation of Web services is hard
  • Breaking the problem down
  • Tactical, standards-based solutions
  Theme: a pragmatic approach to cross-agency SOA. Security and federation for SOA is a complex problem, and the standards are still evolving. However, if we take a realistic look at what most services are actually being used for, we can build standards-compliant solutions today.

  3. Security in Cross-Domain Computing
  Security mechanisms:
  • Encryption
  • Signing
  • Transport layer
  • Certificates/PKI
  • Biometrics
  • Fobs
  • etc.
  Security technologies:
  • XML Encryption
  • XML Signing
  • X.509
  • SSL/TLS
  • WS-Security
  • WS-SC
  • WS-Trust
  • XKMS
  • etc.
  [Diagram: a requestor (client) on the Internet or intranet reaching, through a firewall, a resource (server) and a directory server holding identities (Alex, Sue, Francis) inside the secure zone]

  4. The Security Challenge of Cross-Agency SOA
  Issues:
  • Coordinating common security policy
  • Granular (operation-level) security
  • Applying (coding) and testing security
  • Dealing with changes
  [Diagram: requestor (client, Program X) and resource (server) separated by a firewall, with policy application points on each side, a policy enforcement point in front of the resource, a mutual security policy spanning both, and a directory server with identities (Alex, Sue) in the secure zone]

  5. Tactical Strategy
  Security mechanisms:
  • Security PEP intermediary (server proxy)
  • Spec-compliant toolkits
  • Plethora of WS-* and other specs
  • WS-Policy (soon)
  [Diagram: as on the previous slide, with an XML gateway acting as the policy enforcement point in front of the resource (server)]

  6. Identity in Cross-Domain Computing
  Identity validation mechanisms:
  • Username/password
  • Digest
  • Certificates/PKI
  • Biometrics
  • Fobs
  • etc.
  Authentication and authorization technologies:
  • LDAP
  • Active Directory
  • RADIUS
  • RACF
  • ACLs
  • IBM Tivoli Access Manager
  • Netegrity SiteMinder
  • RSA ClearTrust
  • etc.
  [Diagram: requestor (client) on the Internet or intranet, firewall, resource (server) and directory server with identities (Alex, Sue, Francis) in the secure zone]

  7. What’s Single Sign On (SSO) Really About?
  [Diagram: requestor (client, Sue), ID server and resource (server) on the Internet or intranet]
  1. Provide credentials to the ID server, which generates a token (Token Id=12345…)
  2.-n. Provide the token to the resource (server), which validates it

  8. Why Does SSO Work for Browsers? 1. HTTP Redirects
  This is a greatly simplified version of the actual request/response flow, in time order:
  1. Post (Web browser-based client to Web server)
  2. Redirect (Web server to client)
  3. Post credentials (client to security token service)
  4. Receive token (security token service to client)
  5. Post + token (client to Web server)

  9. Why Does SSO Work for Browsers? 2. A Client-side Persistence Model
  Persist the token issued by the security token service:
  • In pages
  • As URL artifact
  • As cookie

  10. Why Does SSO Work for Browsers? 3. SSL Protection of Tokens
  [Diagram: a malicious third party blocked (X) from the SSL-protected token exchange]

  11. The Identity Challenge of Cross-Agency SOA
  Islands of identity: Agency Blue (Blue's server and Blue's directory server with identities Alex, Scott, Francis) and Agency Green (Green's client running Program X and Green's directory server with identities Frank, Sue), separated by a firewall.
  Need to share not only authentication and authorization information, but also identity attribute information.
  Big privacy and confidentiality issues…

  12. What Hasn’t Worked in the Past
  [Diagram: remote directory access through the firewall, and directory synchronization between Blue's and Green's directory servers (Agency Blue, Agency Green, Frank, Sue, Program X)]
  Issues:
  • Online access through firewall mazes
  • Latency in replication
  • People leave, get fired, etc.

  13. What We Really Need is Effective Separation of Concerns
  [Diagram: authentication, authorization and trust shown as separate concerns between Blue's directory server (Agency Blue) and Green's directory server (Agency Green, Frank, Sue, Program X)]
  Core requirements:
  • Build dynamic trust relationships
  • Transport the security context so that authentication and authorization can be distributed
  • Enforce privacy issues
  • Time out sessions / global logout

  14. The Mechanism
  [Diagram: Green's identity server (Frank, Sue, Program X) and Blue's directory server linked by a trust relationship]
  1. Acquire a token with a statement of authentication (and possibly authorization, attributes) in this security domain
  2. Validate the token here according to the trust model
  3. Mutually secure the transaction between the parties

  15. Validation / Authorization Blurs the Concept of Identity
  Ephemeral identity = conventional identity (e.g. DN=CN=Phil Walston) plus:
  • Time of day
  • Origin IP
  • Attributes
  • Remote authorization statements
  • Different trust paths
  • etc.

  16. Issue – Identity Mapping
  • Fan in (e.g. to a service account)
  • Map to a local existing account (e.g. phil.walston -> pwalston)
  • Map to a role (e.g. TrustedAdministrator)
  • Etc.
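The three-step mechanism (acquire a token in Green's domain, validate it in Blue's according to the trust model) and the identity-mapping rules above, worked through as an added example that is not from the presentation or Layer 7. It assumes a constructed JSON token with an HMAC signature as a stand-in for a SAML/WS-Security token, a shared key per trusted issuer as a stand-in for X.509 trust, and made-up issuer, audience, account and role names.

```python
import hashlib
import hmac
import json

# Constructed trust model: Blue's PEP trusts one issuer, Green's STS; a shared HMAC key stands in for X.509 trust.
TRUSTED_ISSUERS = {"urn:agency:green:sts": b"constructed-green-sts-key"}
BLUE_AUDIENCE = "urn:agency:blue:programx"

def _sign(payload: dict, key: bytes) -> str:
    # Canonical JSON so issuer and validator sign identical bytes.
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()

def issue_token(subject: str, attrs: dict, now: int, ttl: int = 300,
                issuer: str = "urn:agency:green:sts", audience: str = BLUE_AUDIENCE) -> dict:
    """Step 1 on slide 14: Green's STS states who authenticated, plus attributes."""
    payload = {"iss": issuer, "sub": subject, "aud": audience,
               "iat": now, "exp": now + ttl, "attrs": attrs}
    return {"payload": payload, "sig": _sign(payload, TRUSTED_ISSUERS[issuer])}

def validate_token(token: dict, now: int, audience: str = BLUE_AUDIENCE) -> dict:
    """Step 2 on slide 14: Blue's PEP validates according to its trust model.
    Raises ValueError on any failure; returns the trusted payload otherwise."""
    payload = token["payload"]
    key = TRUSTED_ISSUERS.get(payload.get("iss"))
    if key is None:
        raise ValueError("untrusted issuer")
    if not hmac.compare_digest(_sign(payload, key), token["sig"]):
        raise ValueError("bad signature")          # tampered or forged token
    if payload.get("aud") != audience:
        raise ValueError("token not issued for this service")
    if now >= payload["exp"]:
        raise ValueError("token expired")          # session time-out (slide 13)
    return payload

# Slide 16 mapping rules, constructed for the example.
LOCAL_ACCOUNTS = {"phil.walston": "pwalston"}
ROLE_MAP = {"administrator": "TrustedAdministrator"}
SERVICE_ACCOUNT = "svc_green_programx"

def map_identity(payload: dict) -> dict:
    """Map a validated remote subject onto a local principal (slide 16)."""
    sub = payload["sub"]
    if sub in LOCAL_ACCOUNTS:                      # map to local existing account
        return {"kind": "local", "principal": LOCAL_ACCOUNTS[sub]}
    role = ROLE_MAP.get(payload["attrs"].get("role"))
    if role:                                       # map to role
        return {"kind": "role", "principal": role}
    return {"kind": "fan-in", "principal": SERVICE_ACCOUNT}   # fan in to service account
```

Note that the trust check (is the issuer one Blue trusts?) runs before any signature check, and that the audience check stops a token issued for one Blue service from being replayed at another.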

  17. Why is Federation/SSO of Web Services So Hard?
  Web browser domain (user identity; browser client, Web server and identity provider / security token service all talking over SSL):
  • SSL
  • HTTP redirects
  • Simple signing
  • Cookies
  • URL query parameters
  Token protected from hijack, replay, etc. by SSL.
  Web services domain (application identity: certificate and key pair; Web services client and server exchanging SOAP messages with a bound security token via WSS):
  • WSS
  • Embedded, signed security tokens
  • Considerable orchestration at client
  • Manual token caching
  Token protected from hijack, replay, etc. by XML Signatures.

  18. Tactical Strategy – Federation
  [Diagram: federation ID provider & security token service, federation policy enforcement point, and token orchestration & caching layer; Blue's directory server and Green's directory server linked by trust, with authentication responsibility and authorization responsibility separated; message level security between Agency Blue and Agency Green (Frank, Sue, Program X)]
  Ask yourself: what do you really need? The dominant pattern is RPC-ish client/server.
  1. Security token issuer for Green
  2. Token validator for Blue
  3. Orchestration code in client application

  19. The Standards and Specifications Landscape
  • Security
    • Existing / emerging W3C and OASIS
    • SSL/TLS, XML Crypto/Sig, WSS, WS-SecureConversation, WS-SecurityPolicy …
  • Identity
    • WS-Federation (focus on technology)
      • IBM, Microsoft, BEA, RSA, Verisign
      • SAML, SSL/TLS, WSS, WS-Trust, WS-Policy, WS-MetadataExchange
    • Liberty Alliance (focus on business problem)
      • Consortium of over 150 companies
      • SAML, SSL/TLS, WSS
  • Government
    • E-Authentication

  20. Conclusions
  • Federation is simply SSO between different security domains
  • The new issue for secure cross-agency (federated) SOA is resolving security and trust models for remote entities
  • Security and federation for Web services have roots in the distributed computing model, but are much more complicated:
    • Variable security model
    • No automatic orchestration of client (redirects)
    • No formal client-side persistence model
    • This all leads to much more independent clients and servers, different security mechanisms, and much more complex logistics
  • Implementing secure federated Web services is extremely complex, and current support in application servers is very limited
  • Third-party infrastructure, however, does exist to provide drop-in security and federation for Web services

  21. For further information:
  Philip Walston
  Layer 7 Technologies
  1501 – 700 West Georgia St.
  Vancouver, BC, Canada
  (800) 681-9377
  pwalston@layer7tech.com
  http://www.layer7tech.com
