Using Oracle's SOA Suite and Cash Management Within a Complex Banking Environment
Compliance in an SOA environment
Facilitating compliance management in an SOA environment
July 2008

Contents
● Introduction
● The SOA factor
● Security encompasses all aspects of the SOA life cycle
● Conclusion
● For more information
Introduction
From industry regulations to data privacy laws and government mandates,
meeting compliance has become a permanent criterion for doing business.
As each year passes, the resources needed to comply with ever-multiplying,
disconnected regulatory and industry requirements continue to escalate. The
challenge is even greater with the recognition that there is no finish line when
it comes to compliance. Instead, it is a cyclical process that requires continual
diligence and focus.
The necessity of conforming to regulations and mandates has wide-ranging
implications in the way organizations manage and run their businesses,
particularly in the area of security. The majority of regulatory compliance
requirements and internal control objectives include major IT security
components, in part designed to protect public assets and interest. In short,
compliance has become the new driver for IT security.
The SOA factor
Data privacy regulations and compliance-reporting mandates require that you
define consistent security policies, monitor compliance with these policies and
government or industry regulations, and provide a complete audit trail for
proof of policy enforcement. In an SOA environment, an organization gains
flexibility in how it implements and manages services, which shortens the time
needed to implement and enforce policies. Policy can be kept separate from
the service it governs, so policies are easier to manage and update than when
they are built directly into the applications themselves. However, a
Service Oriented Architecture (SOA) can make it challenging to ensure that
information remains secure and auditable as it moves across systems, and
difficult to reconcile who is doing what, where and when between applications
and processes.
Security policies for services include the rules that govern who may access
a service. In moving to SOA, a key initial activity is to establish the SOA
governance framework that serves as the basis for creating and controlling
policies, including security policies. A user or service might require specific
privileges to access a service. However, when services are combined, such as
when they are choreographed into a higher-level business process, the
combination can require another examination of the security policy. For
example, a user might be allowed to access Service A and Service B
independently. Yet, when these services are choreographed together, perhaps
with other service invocations, the user might not be permitted to invoke
that composite process at all. The complexity in an SOA environment means
that the security policy for choreographed services must take into account
the mixing and matching of services in different combinations as business
processes change. Each new sequence of steps can require a fresh examination
of the security policy to ensure it remains valid for that combination.
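The composition problem described above, as an added example that is not part of the IBM paper: a principal who is allowed to invoke two services on their own is refused when a single process instance would have them perform both. The service names, roles, the ordered choreography and the separation-of-duties rule are constructed for this example; the composite check also verifies that the invoked sequence matches the approved choreography, which goes beyond the two-service case in the text.

```python
"""Added example (not IBM's code): per-service grants do not imply permission
on a choreographed process. Services, roles and policies are constructed."""

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Service:
    name: str
    allowed_roles: frozenset          # roles that may invoke this service alone


@dataclass
class Composite:
    """A business process choreographed from several services."""
    name: str
    steps: list                       # approved, ordered service names
    # Separation-of-duties sets (assumed constraint): no single principal may
    # perform every service in one set within the same process instance.
    sod_sets: list = field(default_factory=list)
    allowed_roles: frozenset = frozenset()   # roles that may start the process


SERVICES = {
    "InitiatePayment": Service("InitiatePayment", frozenset({"clerk", "manager"})),
    "ApprovePayment": Service("ApprovePayment", frozenset({"manager"})),
    "PostToLedger": Service("PostToLedger", frozenset({"clerk", "manager", "batch"})),
}

PAYMENT_RUN = Composite(
    name="PaymentRun",
    steps=["InitiatePayment", "ApprovePayment", "PostToLedger"],
    sod_sets=[{"InitiatePayment", "ApprovePayment"}],
    allowed_roles=frozenset({"clerk", "manager"}),
)


def can_invoke(service_name, roles):
    """The per-service policy: what Service A or B decides when asked alone."""
    return bool(set(roles) & SERVICES[service_name].allowed_roles)


def evaluate_composite(composite, invocations):
    """Evaluate a whole process instance.

    invocations: list of (principal, roles, service_name) in call order.
    Returns (allowed, reasons). Every step must pass its own policy, the
    sequence must match the choreography, the first caller must be allowed
    to start the composite, and no principal may cover a full SoD set."""
    reasons = []
    if not invocations:
        return False, ["no invocations"]
    if [svc for _, _, svc in invocations] != composite.steps:
        reasons.append("step sequence does not match the approved choreography")
    principal0, roles0, _ = invocations[0]
    if not set(roles0) & composite.allowed_roles:
        reasons.append(f"{principal0} may not start {composite.name}")
    for principal, roles, svc in invocations:
        if not can_invoke(svc, roles):
            reasons.append(f"{principal} lacks a role for {svc}")
    by_principal = {}
    for principal, _, svc in invocations:
        by_principal.setdefault(principal, set()).add(svc)
    for sod in composite.sod_sets:
        for principal, svcs in by_principal.items():
            if sod <= svcs:
                reasons.append(
                    f"separation of duties: {principal} performed all of {sorted(sod)}")
    return not reasons, reasons


if __name__ == "__main__":
    # alice (manager) passes each per-service check on her own ...
    print(can_invoke("InitiatePayment", {"manager"}), can_invoke("ApprovePayment", {"manager"}))
    # ... but is refused when one process instance has her do both.
    print(evaluate_composite(PAYMENT_RUN, [
        ("alice", {"manager"}, "InitiatePayment"),
        ("alice", {"manager"}, "ApprovePayment"),
        ("batch", {"batch"}, "PostToLedger"),
    ]))
```

The point of keeping `can_invoke` and `evaluate_composite` separate is that the per-service policy enforcement points stay unchanged when a new choreography is introduced; only the composite's own policy has to be re-examined, which is the activity the paragraph calls for.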
Protection of data from unauthorized modification and disclosure is
a key requirement within SOA. Data needs to be protected because it is
business sensitive, privacy sensitive or both. For this reason, a policy should
be in place to ensure that data is protected in transit and at rest, with
consistent security measures applied. Data protection is especially important
when data moves outside the organizational boundary, which can happen
without the knowledge of the consumer. For example, an internal service
might be replaced with an outsourced service with data now flowing to the
external organization. The service provider might need to ensure appropriate
protection is in place to satisfy the policy requirements of the calling
organization if the data is business sensitive or privacy sensitive.
Auditing of transactions provides the data needed for assessing compliance:
it measures the behaviour of the IT environment against the criteria
established by business policies. This can include verifying the working
system against a set of internally created policies, and also against
external regulatory acts. Complexity is increased in an SOA where different
applications from dissimilar sources or vendors are targeted for different levels
of compliance. This is especially true when accessing services provided
by an external organization, and the complexity increases when the regulatory
and compliance regime for that organization differs from that of the
requesting organization. Ideally, the audit data produced by the various policy
enforcement points should be integrated into a single repository or federated
into a single logical view of the data. This facilitates the production of the
required audit reports, verification of compliance against policy and
investigation of security-related events.

Figure 1. Model of the SOA life cycle
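Federating audit data from several enforcement points into one logical view, as an added example that is not part of the IBM paper: three constructed log formats stand in for an XML gateway, an application server and an ESB, each record is mapped onto one common schema, and the federated view is then used to answer who did what, where and when per transaction. The shared transaction id, the per-source sequence number used for the continuity check, and all field names are assumptions of this example, not of any IBM product.

```python
"""Added example (not IBM's code): normalise heterogeneous audit records into
one schema, group them per transaction and run checks over the whole view.
All log lines below are constructed; formats and field names are assumed."""

import json
import re
from collections import defaultdict

# Constructed samples: the same transactions seen at three enforcement points.
GATEWAY_LOG = """\
2008-07-01T10:00:01Z seq=41 txid=T100 subject=alice op=ApprovePayment result=permit
2008-07-01T10:00:05Z seq=42 txid=T101 subject=eve op=ApprovePayment result=deny
2008-07-01T10:00:09Z seq=44 txid=T102 subject=bob op=InitiatePayment result=permit
"""
APPSERVER_LOG = """\
{"time": "2008-07-01T10:00:02Z", "seq": 7, "tx": "T100", "user": "alice", "method": "ApprovePayment", "status": "OK"}
{"time": "2008-07-01T10:00:10Z", "seq": 8, "tx": "T102", "user": "svc_esb", "method": "InitiatePayment", "status": "OK"}
"""
ESB_LOG = """\
2008-07-01T10:00:03Z,9,T100,alice,PostToLedger,SUCCESS
2008-07-01T10:00:11Z,10,T102,svc_esb,PostToLedger,SUCCESS
"""

GATEWAY_RE = re.compile(
    r"(?P<ts>\S+) seq=(?P<seq>\d+) txid=(?P<tx>\S+) subject=(?P<who>\S+) "
    r"op=(?P<op>\S+) result=(?P<res>\S+)")


def normalize(source, raw):
    """Map each native record onto the common schema."""
    events = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        if source == "gateway":
            m = GATEWAY_RE.match(line)
            ts, seq, tx, who, op, res = m.group("ts", "seq", "tx", "who", "op", "res")
            ok = res == "permit"
        elif source == "appserver":
            r = json.loads(line)
            ts, seq, tx, who, op = r["time"], r["seq"], r["tx"], r["user"], r["method"]
            ok = r["status"] == "OK"
        elif source == "esb":
            ts, seq, tx, who, op, res = line.split(",")
            ok = res == "SUCCESS"
        else:
            raise ValueError(f"unknown source {source}")
        events.append({"ts": ts, "source": source, "seq": int(seq), "tx": tx,
                       "principal": who, "action": op, "allowed": ok})
    return events


def federate(*logs):
    """The single logical view: every normalised event, in time order."""
    events = [e for source, raw in logs for e in normalize(source, raw)]
    return sorted(events, key=lambda e: (e["ts"], e["source"]))


def trails(events):
    """Group the view by transaction id: the audit trail of one process instance."""
    by_tx = defaultdict(list)
    for e in events:
        by_tx[e["tx"]].append(e)
    return dict(by_tx)


def findings(events):
    """Checks that are only possible over the federated view."""
    out = []
    for tx, chain in trails(events).items():
        principals = {e["principal"] for e in chain}
        if len(principals) > 1:          # identity not propagated end to end
            out.append(f"{tx}: identity changed along the chain: {sorted(principals)}")
        for e in chain:
            if not e["allowed"]:
                out.append(f"{tx}: {e['principal']} denied {e['action']} at {e['source']}")
    # Continuity check (assumed mechanism): a hole in a source's sequence
    # numbers means records were lost or never collected.
    seqs_by_source = defaultdict(list)
    for e in events:
        seqs_by_source[e["source"]].append(e["seq"])
    for source, seqs in seqs_by_source.items():
        missing = sorted(set(range(min(seqs), max(seqs) + 1)) - set(seqs))
        if missing:
            out.append(f"{source}: gap in audit sequence, missing {missing}")
    return out


if __name__ == "__main__":
    view = federate(("gateway", GATEWAY_LOG), ("appserver", APPSERVER_LOG), ("esb", ESB_LOG))
    for line in findings(view):
        print(line)
```

On the constructed data the view reports a denied approval for `eve`, a transaction whose caller identity changes from `bob` at the gateway to a service account behind it, and a missing gateway record; none of the three sources could have produced the second or third finding on its own.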
Security encompasses all aspects of the SOA life cycle
Certain roles in an organization contribute to the creation, definition,
refinement, monitoring, verification and management of security policies
throughout the SOA life cycle. Corporate security officers and equivalent
executives define corporate security policies and outline regulations with
which the business must comply. Business analysts work with security policy
officers to translate corporate security policies into terms of a business
vocabulary and process. These security-related decisions are then applied at
various phases of the SOA life cycle. (See Figure 1.) To help you address
compliance requirements, IBM provides solutions that are especially useful
during the assemble, deploy and manage phases.
Assemble
Application and security architects model the security policies based on
choices provided by the business analyst. Application programmers and
administrators factor in these security policies by declaring the requirements
for the infrastructure to enforce. The security policy can be implemented in
the applications when the infrastructure support is not sufficient.
Getting to the definition stage of security policies requires assessments
and planning. An assessment can help identify and prioritize audit
deficiencies, as well as vulnerabilities at the system, network and application
levels. In addition, organizations should inventory enterprise assets—both
systems and information assets—to better understand what needs to be
protected and to what degree.
IBM offers a number of solutions to help assess and evaluate your
compliance posture, including IBM Audit and Compliance Gap Analysis,
security assessments and risk assessments. Other solutions include
IBM Rational® AppScan, which can help assess security compliance reporting
for Web applications through more than 40 ready-to-use security compliance
reports such as PCI Data Security Standard, ISO 17799, ISO 27001, HIPAA,
Gramm-Leach-Bliley Act (GLBA) and Basel II, and IBM Rational Policy
Tester, which can help audit Web sites for compliance with regulations for
consumer data privacy, e-government, banking and accessibility.
IBM solutions such as IBM Information Security Policy and Process
Definition can help organizations investigate the requirements for information
security and the associated priorities, and create a custom security policy.
Other solutions such as IBM Rational Method Composer can provide a
flexible process management platform, with tooling and an extensive process
library to help organizations implement effective processes for successful
software and IT projects.
Deploy
Application administrators install the applications and work with security
developers and security administrators to configure the applications and
associated security policies.
Tivoli® Federated Identity Manager offers an efficient and effective way
to manage and validate user identities across the SOA environment and
provide a robust identity-assurance and trust-management solution. Tivoli
Federated Identity Manager can enforce consistent identity propagation and
token mediation across diverse, heterogeneous enforcement points, such as
XML firewalls, application servers and the enterprise service bus.
IBM Tivoli Federated Identity Manager for z/OS® provides a strong
security bridge for distributed applications and mainframe applications by
integrating with IBM RACF® software to enable end-to-end identity
propagation and secure access to mainframe applications. As part of this
support, the federated audit solutions delivered by Tivoli Federated Identity
Manager for z/OS support the auditing of the identity-mapping function that
is used to create the bridge between RACF and distributed identity
management.
Manage
IT and security administrators manage the security policies across a set of
applications and infrastructure to meet requirements, which might continue to
change over time. Operators monitor the system behavior for compliance.
They detect situations that are potential security threats and feed them back
to administrators to make changes as required. Business analysts view
business dashboards to assess the effect of certain system security events on
the business. Security auditors assess the system’s compliance with regulatory
and corporate policies. It is significant to observe that security policies
are specified and refined throughout the SOA life cycle, undergoing
transformation from one phase to the next.
In many cases, these tasks rely on manual processes that drain considerable
time and money from organizations and prevent compliance staff from
focusing on higher-value activities. For example, IT still uses human eyes to
review and human hands to generate reports on security-relevant events in
the environment. To maximize efficiency and flexibility, these tasks should be
automated wherever possible.
With IBM Tivoli Security Policy Manager, you can centrally manage
security policies for multiple business applications across your enterprise. It
provides unified policy life-cycle management and enforces policies at run
time, strengthening your organization’s security posture. Security Policy
Manager also offers centralized change and control, making it easier to meet
tightening or new compliance requirements.
IBM Tivoli Security Information and Event Manager—designed to support
security compliance and audit management—is a powerful solution that allows
you to monitor, correlate and report on security audit data and user activity
across your enterprise. IBM Tivoli Security Information and Event Manager
can help automate key components of the IT organization that affect
compliance, such as:
● Generating sufficient audit trails in the form of logs of network, system and application events.
● Monitoring user activities for misuse or noncompliance.
● Leveraging automated policy-enforcement mechanisms.
● Managing incidents using standardized, trackable procedures.
● Leveraging standardized compliance reporting.
It captures relevant security audit data from a broad set of systems, including
applications, databases, operating systems, mainframes, security devices and
network devices. A log continuity mechanism helps ensure that internal
controls over log collection are properly carried out. Its reporting on the
status of user activity within IT systems enables executives to see the ongoing
status of security operations, including attempts to gain unauthorized access,
how those attempts were stopped and recommendations about how to prevent
similar attacks. (See Figure 2.)

Figure 2. Tivoli Security Information and Event Manager provides numerous audit and compliance report templates. This example shows more than 30 report templates specific to helping manage Payment Card Industry (PCI) compliance efforts.
Other solutions, such as Rational AppScan, can help automatically scan
and test Web applications for common vulnerabilities, using intelligent fix
recommendations and advanced remediation capabilities.
And IBM Tivoli zSecure Audit can help you automatically analyze and
report on mainframe-related security events and incorporate that information
directly into Tivoli Security Information and Event Manager for a more
holistic view of the organization’s security posture. Because critical and
sensitive information is often stored on mainframes, the ability to audit events
on these systems and correlate that activity with activity in the distributed
environment is critical to maintaining security and demonstrating due
diligence when it comes to protecting sensitive data.
In addition, the IBM WebSphere® DataPower® XML Security Gateway
XS40 appliance provides a centralized means of controlling and viewing
services within an SOA to meet compliance requirements. Its policy
enforcement blocks threats to XML Web services, helps ensure secured access
and helps enforce service levels. This SOA appliance can easily manage and
secure multiple Web services and helps ensure full policy compliance within
your IT infrastructure.
Conclusion
The complexity of an SOA environment increases the challenge of meeting
compliance requirements. IBM offers a comprehensive range of solutions to
help you address your compliance needs as you move through the stages of
the SOA life cycle.
For more information
To learn more about compliance in SOA environments, please contact
your IBM marketing representative or IBM Business Partner, or visit the
following Web sites:
● ibm.com/software/solutions/soa/mgmtsec/security.html
● ibm.com/software/tivoli/governance/security/compliance.html
© Copyright IBM Corporation 2008
IBM Corporation, Software Group, Route 100, Somers, NY 10589, U.S.A.
Produced in the United States of America, July 2008. All Rights Reserved.
IBM, the IBM logo, ibm.com, DataPower, RACF, Rational, Tivoli, WebSphere and z/OS are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at “Copyright and trademark information” at ibm.com/legal/copytrade.shtml.
UNIX is a registered trademark of The Open Group in the United States and other countries.
WSW14030-USEN-00