® IBM SOA Security © IBM Corporation Total SOA Assurance- A framework for SOA Security.
-
Upload
elizabeth-duncan -
Category
Documents
-
view
218 -
download
3
Transcript of ® IBM SOA Security © IBM Corporation Total SOA Assurance- A framework for SOA Security.
®
IBM SOA Security
© IBM Corporation
Total SOA Assurance-A framework for SOA Security
IBM SOA Security
2
Agenda
Introduction to SOA
SOA Security
SOA Security Reference Model
SOA Security Scenarios
SOA Security Logical Architecture
Summary
®
IBM SOA Security
© IBM Corporation
Introduction to Service Oriented Architecture
IBM SOA Security
4
What is the SOA model?
Business Componentization
Re-defining today’s monolithic enterprise
processes as a set of standardized
modular business process components
Business Componentization
Re-defining today’s monolithic enterprise
processes as a set of standardized
modular business process components
Service Oriented Architecture
An IT model which mirrors the interaction
of business components through a set of
IT applications implemented as real-time
services that interact dynamically
Service Oriented Architecture
An IT model which mirrors the interaction
of business components through a set of
IT applications implemented as real-time
services that interact dynamically
Business components
SOA application components *
Web Services
A set of vendor neutral and platform
agnostic standards that can be used to
define how SOA components interact
Web Services
A set of vendor neutral and platform
agnostic standards that can be used to
define how SOA components interact
WS Protocols (XML, SOAP, WSDL, UDDI) provide an interface toolkit for components
Business components
SOA components
Components interfaces
Web Services protocols* Each SOA application component may be made up of multiple applications
IBM SOA Security
5
SOA Architecture frameworkD
ata
Arch
itectu
re a
nd
Bu
sine
ss Inte
llige
nce
QoS
, Security, M
anagem
ent, and
Monitoring Infrastructure
Se
rvice
Inte
gra
tion
(En
terp
rise S
ervice
Bu
s Ap
pro
ach
)ConsumersEnterprise LoB, Business Partners,Customers
Business CompositionProcess choreography,Business state machines
Servicesatomic and composite
Service components
Operational systems
Service C
onsumer
Service P
rovider OOApplication
CustomApplication
PackagedApplication
Govern
ance
IBM SOA Security
6
Division “A” Division “B” Division “C” Division “D” Division “E”
The Vertical Silo Problem - Today
IBM SOA Security
7
Where Are We Heading – Service Oriented Architecture
Outsourced
Supplier
Shared Services
Division (s)
Customer
IBM SOA Security
8
Service Oriented Architecture Benefits
A Service Oriented Architecture enables flexible connectivity of applications or resources by
Representing every application or resource as a service with a standardized interface
Enabling them to exchange structured information (messages, documents, ‘business objects’)
Mediating the message exchange through an Enterprise Service Bus
This flexibility enables new and existing applications to be easily and quickly combined to address changing business needs.
The ability to easily combine/choreograph applications allows IT services to more readily reflect business processes
The SOA infrastructure is also used to facilitate the management of business performance and quality of service
®
IBM SOA Security
© IBM Corporation
SOA Security
IBM SOA Security
11
Portal
Bank
Service Interface:
Personalized Financial Services
Service Requestors
Service Requestors
Service Interface:
Banking
Service Interface:
Accounts
Service Interface:
Accounts
Insurer
Service Interface:
Insurance
Service Interface:
Claims
Service Interface:
PoliciesService Requestor Cohesion
Coupling
Service Provider Cohesion
Service Implementer Cohesion
Coupling
This set of things make sense to
build as a system
This set of things make sense to operate as
a business
This set of things make sense to purchase
as a customer
IBM SOA Security
12
Security Considerations for SOA
Entities/Identities – users, services Services have identities Identities and/or credentials are propagated across services Users and services are now subject to the same security controls
Organizational/enterprise boundaries Perimeter is obscure Identities are managed across boundaries Trust relationships are established across boundaries
Composite applications Ensuring proper security controls are enacted for each service and when used in
combination
Greater focus on data/information Protecting data at transit and at rest Apply consistent protection measures Access to data by applications and services
Governance, Risk, and Compliance Auditing ie. entity identification to specific transactions
IBM SOA Security
13
Message Processing Requires New Layers of Security
®
IBM SOA Security
© IBM Corporation
SOA Security Reference Model
IBM SOA Security
15
IBM SOA Security Reference Model
Reference Model Layers Business Security Services
Leverage IT security services and policy infrastructure to build business specific security services
Security Policy Infrastructure Policy lifecycle management specific to
security
– Policies defined to conform to both corporate and legislative requirements
– Policies enforced by security services, intermediaries, …
Policy distribution and transformation
IT Security services Building blocks to provide security
functions as services
IBM SOA Security
16
SOA Security – Reference Model
Business Security Services
Identity & Access
Data Protection &Disclosure Control
Secure Systems & Networks
Governance, Risk, & Compliance
Trust Management
Business Process and Policy Management
Security Policy Infrastructure
Policy Distribution & Transformation
Monitoring &Reporting
Policy AdministrationPolicy Decision &
Enforcement
Authentication Services
IT Security Services
Authorization &Privacy Services
AuditServices
Identity Services
Confidentiality & Integrity Services
Non-repudiationServices
Building blocks to provide security functions as services
Leverage IT security services and policy infrastructure to build business specific security services
Policy lifecycle management specific to security
Policy distribution and transformation
IBM SOA Security
17
Business Security Services Governance, Risk, and Compliance
Governance – organizational roles and responsibilities defined Process and authority
Risk - Management process to decide security cost / value proposition Compliance - Assessment and reporting
Trust Management Trusted relationships and domains – system-to-system, business-to-business, etc
Identity and Access Management Lifecycle of identity and access control
Data Protection & Disclosure Control Content and data protection in transit and at rest Message protection Privacy policy
Secure Systems and Networks Operational security management
Business Process and Policy Management Coordination and integration of business processes
IBM SOA Security
18
Security Policy Infrastructure Policy Administration
Policy lifecycle management
Creation, maintenance, change, and deletion
Associate policy to resources
Policy Distribution and Transformation Virtualization, transformation, and distribution of policy to the decision and
enforcement endpoints
Policy Decision and Enforcement Determination if pending action conforms to policies
Monitoring and Reporting Audit trail of activity
IBM SOA Security
19
Security Services Identity Services
Unique identification of entities Assurance of accountability
Authentication Services Validation of identity for access control purposes
Authorization & Privacy Services Allow or deny access to resources based on a set of policies Protection, use, and disclosure of sensitive information
Confidentiality & Integrity Services Protection of sensitive information from disclosure Detection of the unauthorized modification of data
Audit Services Collection of event data
Non-repudiation Services Protection of requestor and provider from false denials that data has been sent or
received
®
IBM SOA Security
© IBM Corporation
SOA Security Management
IBM SOA Security
21
ManagementManagementImplementationImplementation
SOA ManagementSOA Management
SOA Management - scope
DesignDesign
Business Strategy Processes Services Applications Infrastructure
Governance and ManagementGovernance and Management
StrategyStrategy
IBM SOA Security
22
The notion of SOA Management
Business ProcessBusiness Process
ApplicationApplication
InfrastructureInfrastructure
ManagementScope
ManagementScope
Management Disciplines
Asset Management Availability Management
Change Management Configuration Management Operations Management
Performance Management Capacity Planning
Problem Management Security Management Business Continuity
Management Disciplines
Asset Management Availability Management
Change Management Configuration Management Operations Management
Performance Management Capacity Planning
Problem Management Security Management Business Continuity
An SOA environment by it’s nature will require a holistic view of management disciplines that is integrated across the process, services, application and infrastructure layers
ServicesServices
IBM SOA Security
23
SOA Management – Lifecycle context
Enterprise ArchitectureEnterprise
Architecture
Application Portfolio Analysis
Application Portfolio Analysis
Service Analysis &
Design
Service Analysis &
Design
Application ModernizationApplication Modernization
Meta-Data Repository & RegistryMeta-Data Repository & Registry
SOA Management(Operation)
SOA Management(Operation)
Business Strategy Goals Analysis &
Function Componentization
Business Strategy Goals Analysis &
Function Componentization
Meta-Data flow
Process Interactions
ManagementManagementImplementationImplementationDesignDesignStrategyStrategy
Governance (Definition of Policy)Governance (Definition of Policy)
SOA Management combines life-cycle management of services and their supporting components with the
operation aspects of web services management
IBM SOA Security
24
Process Choreography
Meta-Data Repository
Service Registry
Service Life-Cycle
Management
Security
SLAs
Measurements
Monitoring
Exceptions
Dashboards
Process Choreography
Meta-Data Repository
Service Registry
Service Life-Cycle
Management
Security
SLAs
Measurements
Monitoring
Exceptions
Dashboards
Managem
entM
anagement COBOL
CICSMVS
EGL
JavaLinux
TPF
PL/IIMS
MVS“LAMP”
EAI Messagin
g Bus
SOA-EAISOA-WS
Services A
bstractio
n Layer
(web serv
ices)
SOA Management - evolution from SOA-EAI to SOA-WS
Web Servic
e
Web Servic
e
Web Servic
e
Web Servic
e
Web Servic
e
LAMP – Linux, Apache, MySQL, Perl/Python/PHP
Govern
anceG
overnance
Web Services implementations(Legacy or green field)
Web Services implementations(Legacy or green field)
BPEL
SO
A M
anagem
ent
SO
A M
anagem
ent
The new generation of SOA-WS adds the
services abstraction layer to the current
SOA-EAI model
Web services management
SO
A L
ife
cy
cle
ma
na
ge
me
nt
Web Servic
e
SecurityServices
IBM SOA Security
25
SOA Management – Key Elements Governance – the Policies and rules that define
how the SOA environment will function consistently across the enterprise
Web Services Management – the application of IT services management processes specifically at the services layer
IT Service Management – the generalized set of processes that are applied to all levels of IT management (process, service, application, infrastructure) provides the mechanism for execution of governance policy
Security – the deployment of a common security model and mechanisms across all aspects of the SOA environment
Meta-Data Repository – provides a focal point for all meta-data that relates to the design, build and run phases of an SOA deployment
Dashboards – is the mechanism for providing accurate, real-time information about the state of the business delivering this management information to the relevant business roles for both non-IT as well as IT based process managers and executives
SOA Management elements
GovernanceGovernance
Web Services Management
Web Services Management
IT Service Management
IT Service Management
SOA ManagementSOA ManagementMeta Data Repository
Service Registry
Meta Data Repository
Service Registry
DashboardsDashboards
SecuritySecurity
®
IBM SOA Security
© IBM Corporation
SOA Security Scenarios
IBM SOA Security
27
Use Case 1 - Service Creation
Service Interface
Service Requestor
Existing business application
Establish identity: Authentication Protect messages: Confidentiality & Integrity Accountability: Audit access to service User experience: SSO, Privacy
Service Requestor
IBM SOA Security
Use Case2 – Services Integration
Application Service
Enterprise Service Bus
Service Requestor
Service Requestor
Service Requestor
Business Service
Infrastructure Service
Partner Service
Identity & Authentication Authorization & Privacy Confidentiality & Integrity
Propagate identity: Cross domain/realm identity mapping and token transformation Reflect business relationships: Trust Management (for data, identity, etc) Protect business information Governance, Risk & Compliance
IBM SOA Security
Use Case 3 – Service Aggregation for Collaboration
Application Service
ServiceRequestor Enterprise Service Bus
Portal & Collaboration
PervasiveAccess
Remote Portlets (WSRP)
Partner Service
Partner Service
Identity & Authentication Single Sign-On (Web and Federated) Self-Care, Profile Mgmt.
Identity & Access Trust Management Governance, Risk & Compliance
-Provide access to business services through a common interface, ie portal.
-Simplify the user's interaction with the security services via SSO
-Meet audit requirements with user's identity propagated to all application components, ie no service accounts
IBM SOA Security
30
Security in a Typical Deployment Architecture
Client System (browser, rich client)
Proxy
Fire
wal
l Web Application Server/Portal
Server
ES
B
ExistingApplication
EnterpriseInformation
System
Data Server/Services
ExistingApplications/
Services
Fire
wal
l
Propagate identityFine level authorizationAudit
Propagate identityApplication level authorization
Federate Identities with partnersAuditingConfidentiality & Integrity
Transport SecurityTransport Security
Transport SecurityMessage Security
IBM SOA Security
Standards for IT Security Services
Service Relevant Standards
Identity Services IdAS, SPML, SAML, WS-Federation
Authentication Services
WS-Trust, Kerberos, SAML, PKI
Authorization and Privacy Services
XACML, JACC, WS-Authorization, IDMix
Audit Services CBE extensions, Audit web service (in progress), WS-BaseNotification
Confidentiality & Integrity Services
WS-Security, WS-SecureConversation, PKI, XKMS, WS-SecurityPolicy, SSL/TLS, JSSE/JCE
Non-repudiation Services
PKI, ISO/IEC 13888:2004
IBM SOA Security
32
References
Redbook on SOA Security in the works (Expected formal draft – 10/1) Service Oriented Architecture Security Whitepaper
Nataraj Nagaratnam, Anthony Nadalin, Sridhar Muppidi(draft available)
Business Driven Application Security Nataraj Nagaratnam, Anthony Nadalin, Maryann Hondo, et alwww.research.ibm.com/journal/sj/444/nagaratnam.html
Securing Service Oriented Applications Anthony Nadalin, Nataraj Nagaratnam, Maryann Hondo
Service-oriented architecture: Programming model and product architecture. D.F. Ferguson et al. IBM Systems Journal, VOL 44, NO 4, 2005. http://researchweb.watson.ibm.com/journal/sj/444/ferguson.pdf
IBM’s SOA Foundation: An Architectural Introduction and Overview. Version 1.0, November, 2005. Rob High, Jr. et al. http://download.boulder.ibm.com/ibmdl/pub/software/dw/webservices/ws-soa-whitepaper.pdf
Patterns: SOA Foundation: Service Creation Scenario. John Ganci et al. Draft Redbook. http://www.redbooks.ibm.com/redpieces/pdfs/sg247240.pdf
Patterns: SOA Foundation Service Connectivity Scenario. Carla Sadtler et al. Redbook http://www.redbooks.ibm.com/redbooks/pdfs/sg247228.pdf
Patterns: SOA Foundation -Business Process Management Scenario. Martin Keen et al. Redbook. http://www.redbooks.ibm.com/redbooks/pdfs/sg247234.pdf
Patterns: SOA with an Enterprise Service Bus. Martin Keen et al. Redbook. http://www.redbooks.ibm.com/redbooks/pdfs/sg246494.pdhttp://www-128.ibm.com/developerworks/library/ws-model7
Other WS-* specifications
IBM SOA Security
33
Summary
Security is about business, no longer just about technology
SOA enables better Application Integration
Web Services Security standards optimizes the development, deployment and management of Composite Applications
Identity Management is a critical component of SOA
Federation is the “bridge” by which ID Management integrates with Service Oriented Architectures
Comment: needs updating