
SOA Security

SOA Security. <Iris Levari> <OWASP role> <Amdocs> <irisl@amdocs.com>. <12/3/07>. Agenda: What Is SOA; SOA life cycle & Security; SOA Generated Security Concerns / opportunities; SSO & SSO Federation; WS Security Standard.


Presentation Transcript


  1. SOA Security <Iris Levari> <OWASP role> <Amdocs> <irisl@amdocs.com> <12/3/07>

  2. Agenda • What Is SOA • SOA life cycle & Security • SOA Generated Security Concerns / opportunities • SSO & SSO Federation • WS Security Standard

  3. Agenda • What Is SOA • SOA life cycle & Security • SOA Generated Security Concerns / opportunities • SSO & SSO Federation • WS Security Standard

  4. SOA Example

  5. SOA Key Terms

  6. SOA - Service Oriented Architecture • Business processes oriented architecture • Decomposing business processes into discrete functional units = services • Existing or new business functionalities are grouped into atomic business services • Evolution of distributed computing and modular programming driven by newly emergent business requirements • Application development focused on implementing business logic

  7. Service Properties • Service is: • Loosely coupled • High-level granularity • Self describing • Hardware or software platform interoperability • Discoverable • Service can be composed of other services • Context-independent

  8. Service Oriented Architecture - Advantages & Disadvantages • Advantages: • Maximize reuse • Reduce integration cost • Flexible & easily changed to reflect business process change • Shortcomings: • Message handling and parsing • Legacy application services wrapping • Complex service design and implementation

  9. SOA Example

  10. Agenda • What Is SOA • SOA life cycle & Security • SOA Generated Security Concerns / opportunities • SSO & SSO Federation • WS Security Standard

  11. Business-Driven Development Methodology

  12. Security Encompasses all life cycle aspects

  13. Agenda • What Is SOA • SOA life cycle & Security • SOA Generated Security Concerns / opportunities • SSO & SSO Federation • WS Security Standard

  14. New Security Threats • SOA introduces the following new security threats: • Services to be consumed by entities outside of the local trust domain • Confidential data passes the domain’s trust boundaries • Authentication and authorization data is communicated to external trust domains • Security must be enforced across the trust domain • Managing user and service identities

  15. Security Considerations • The propagation of users and services across domain trust boundaries • The need to seamlessly connect to other organizations on a real-time transactional basis • Security controls for each service and service combinations • Managing identity and security across a range of systems and services with a mix of new and old technologies • Protecting business data in transit and at rest • Compliance with corporate industry & regulatory standards • Composite services

  16. New Techniques In Integration Security • SOA introduces new techniques in integration security: • Message level security vs. transport level security • Converting security enforcement into a service • Declarative & policy-based security

  17. Message Level Security vs. Transport Level Security • Transport level security (SSL/VPN): • Point-to-point message exchange • Encrypts the entire message • Sender must trust all intermediaries • Restricts protocols that can be used (i.e. https) • Message level security: • End-to-end security • Different message fields within the same message should be read by different entities

  18. Transport Layer Security

  19. Security in the Message [diagram: security context spanning Sender, Intermediary and Receiver] • HTTP security (SSL) is point-to-point • WS-Security provides context over multiple end points.

  20. Transport Security For Web Services Pros and Cons

  21. Message Security For Web Services Pros And Cons

  22. Message Level Security (example) • Integration of a brokerage and a bank. • An investor securely attaches authorization to withdraw funds from a bank account to the trading request submitted to the brokerage. • The attached authorization is secured from everyone, including the brokerage. • Only the bank can read it and make use of it.

  23. Converting Security into a Service • Security services provide services such as: • Authentication • Authorization • Message services • Encryption decryption • Signing Verification Signatures • Log messages scrub messages • Facilitates integration • Reduces development cost

  24. SOA Security Reference Model

  25. Agenda • What Is SOA • SOA life cycle & Security • SOA Generated Security Concerns / opportunities • SSO & SSO Federation • WS Security Standard

  26. Traditional SSO • Security is hard coded into each application • User credentials are transmitted across enterprise boundaries

  27. SOA SSO Federation

  28. SOA SSO Federation Cont’ • Traditional limited implementation using 3rd party SSO solutions • No easy integration with applications that have not been written by the same 3rd party SSO manufacturer • SOA solution • Managing security interaction between applications • Clients and servers dynamically negotiate security policies • Easy implementation

  29. Agenda • What Is SOA • SOA life cycle & Security • SOA Generated Security Concerns / opportunities • SSO & SSO Federation • WS Security Standard

  30. WS-security Standard • SOAP security (securing the web service messages) • SOAP header extension • Standard Feb. 2007 Ver 1.1 (OASIS) • Any combination, in Request/Response, of: Authentication, Encryption, Digital Signature

  31. Web Services Stack

  32. Web Services Security Architecture

  33. “WS-Security” Building Blocks • Security Tokens: Username Token; Username Token with Password Digest; Binary Security Token (X.509 Version 3 certificates, Kerberos tickets) • Signatures: signs all or part of the SOAP body • Reference List or Encrypted Key

  34. Structure of a Basic Web Services Security SOAP Header

  35. Structure of a Basic Web Services Security SOAP Header (cont.)

  36. XML Encryption in WS-Security • Use of a <ReferenceList> in the Security Header pointing to the parts of the message encrypted with XML Encryption

  37. Providing Integrity: XML Signature in Web Services Security • XML Signature • Verify a security token or SAML assertion • Message integrity • XML syntax • Explicit <reference> element points to what is being signed • One or more XML signatures • Overlapping is possible
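
The "Username Token with Password Digest" building block from slide 33, as an added example that is not part of the original presentation. The digest formula is the one defined in the OASIS UsernameToken Profile; the five-minute freshness window, the in-memory nonce cache, the dictionary layout and the names `password_digest`, `make_token` and `TokenVerifier` are assumptions made for illustration, and `now` is expected to be a timezone-aware UTC `datetime`.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

FRESHNESS = timedelta(minutes=5)  # assumed acceptance window for <wsu:Created>


def password_digest(nonce, created, password):
    """Base64(SHA-1(nonce + created + password)); nonce is the decoded bytes."""
    data = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def make_token(username, password, now):
    """Sender side: the fields carried inside <wsse:UsernameToken>."""
    nonce = os.urandom(16)
    created = now.strftime("%Y-%m-%dT%H:%M:%SZ")
    return {"Username": username, "Created": created,
            "Nonce": base64.b64encode(nonce).decode("ascii"),
            "PasswordDigest": password_digest(nonce, created, password)}


class TokenVerifier:
    """Receiver side: recompute the digest, then reject stale or reused tokens."""

    def __init__(self, passwords):
        self.passwords = passwords  # username -> password (constructed store)
        self.seen = set()           # (username, nonce) pairs already accepted

    def verify(self, token, now):
        password = self.passwords.get(token["Username"])
        if password is None:
            return "unknown-user"
        try:
            nonce = base64.b64decode(token["Nonce"], validate=True)
            created = datetime.strptime(token["Created"], "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            return "malformed"
        expected = password_digest(nonce, token["Created"], password)
        if not hmac.compare_digest(expected, token["PasswordDigest"]):
            return "bad-digest"
        if abs(now - created.replace(tzinfo=timezone.utc)) > FRESHNESS:
            return "stale"
        if (token["Username"], nonce) in self.seen:
            return "replayed"
        self.seen.add((token["Username"], nonce))
        return "ok"
```

Because `Created` and the nonce are inputs to the digest, altering either one to pass the freshness or replay check invalidates the token. The receiver needs the password itself (or an agreed password equivalent) to recompute the digest.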
