End to End SOA Security -Distributed Enforcement and Centralized Policy Management
Shashank Rajvanshi
Principal Product Manager
30 September 2008
Agenda
> SOA Security Landscape
> Typical SOA Security Mistakes
> Reference Architecture
> Recommendations/Best practices
> Case study
SOA Security Landscape
Web Site & SOA/WS Security Is Similar
> Web Applications: the user, through a Web browser, interacts directly with the application
> Web Services: a local application, often acting on behalf of the user, interacts with the Web service
[Diagram: User -> Internet -> Web Server / Application, over HTML/HTTP; Web Service Consumer Application -> Internet -> Web Service Platform, over XML/HTTP, FTP, JMS or MQ]
Securing Web Applications – security policy
– Authentication: username/password, X.509 certificate, OTP…
– Authorization: action on a URL, by role, group or entitlement
Securing SOAs/Web Services – security policy
– Authentication: WS-Security tokens (e.g. SAML), with XML-DSig binding the token to the message (integrity and origin) and XML-Enc for confidentiality
– Authorization: action on a URI, on XML content, on the WS operation, by role, group or entitlement
CA Sponsored SOA/WS Survey
Typical SOA/WS Security Mistakes
> “Architecting” silos of security: building security into each service
– Corollary – Leaving security to the application developers
> Thinking that stopping threats/malware = effective security management
– Corollary – Forgetting that “identity” matters with services: authentication, authorization, centralized auditing, SSO, federation, identity administration
> Not understanding that SOA applications have many layers/steps that need to be secured
– Corollary – Thinking that guarding the “front door” is enough
– Corollary – Thinking that point-to-point (SSL) security is enough. SSL protects one hop only: once a load balancer, gateway or ESB terminates the connection, the message continues in the clear and unauthenticated to the next hop, so integrity and identity have to travel inside the message (WS-Security) to be checked end to end.
Unsecured SOA Deployments
[Diagram: Partner and Customer Web service requesters send external traffic through a load balancer to the Web services (J2EE, .NET) and the ESBs; internal traffic flows between the ESBs and the services. No policy enforcement point sits on either path]
Secured SOA Deployments
[Diagram: a Policy Enforcement Point (PEP) sits in front of each component – the J2EE and .NET Web services, both ESBs and the legacy systems – on both the external (partner) and internal traffic paths. Each PEP asks a Policy Decision Point (PDP); the diagram shows three PDPs, each with its own user store, policy store and key store]
Reference Architecture: CA SOA Security Manager
[Diagram: an SOA Security Gateway enforces policy on external traffic from the Web service requester; SOA Agents enforce it on the J2EE Web services, the ESB, the other Web services and the legacy systems on the internal path. Gateway and agents all call one Policy Server, backed by a single policy store, user store and key store, which also serves the Administrator console and the Reporting/Auditing function]
Reference Architecture: CA SOA Security Manager and CA SiteMinder
[Diagram: the same layout as the previous slide, with a CA SiteMinder Portal Agent added so that Web application (WAM) traffic and Web service traffic are enforced against the same Policy Server, policy store, user store and key store, administered and audited in one place]
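The mistakes listed earlier (point-to-point SSL treated as enough, identity forgotten, no central audit) and the reference architecture above (a gateway or agent as PEP, one Policy Server as PDP backed by central user, policy and key stores) in one runnable form. This is an added Python example written for this page; it is not CA SOA Security Manager code and does not come from the original deck. The service namespace urn:example:payments, the principals partner-a and customer-1, their shared secrets, the two policy entries and the amount limit are all constructed, and an HMAC-SHA256 over the body stands in for a WS-Security XML-DSig signature so the example runs offline; a real deployment verifies an X.509-signed ds:Signature with proper XML canonicalization and applies XML threat protection (entity expansion, size limits) before parsing.

```python
"""Added example: a SOAP policy enforcement point (PEP) backed by a central
policy decision point (PDP). Constructed for this page; not CA SOA Security
Manager code. HMAC-SHA256 over the body stands in for XML-DSig."""
import base64
import binascii
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
SIG_NS = "urn:example:hmac-body-sig"      # hypothetical: stands in for ds:Signature
PAYMENTS = "urn:example:payments"         # hypothetical service namespace

# Central stores, as one policy server would hold them (all values constructed).
KEY_STORE = {"partner-a": b"partner-a-secret", "customer-1": b"customer-1-secret"}
USER_STORE = {"partner-a": {"partner"}, "customer-1": {"customer"}}
POLICY_STORE = {                          # (service, operation) -> rule
    (PAYMENTS, "GetBalance"): {"roles": {"partner", "customer"}},
    (PAYMENTS, "Transfer"):   {"roles": {"partner"}, "max_amount": 10000},
}
AUDIT_LOG = []                            # one central audit trail for every decision


def canon(elem):
    """Stand-in for XML canonicalisation: serialise the subtree without its tail text."""
    e = copy.deepcopy(elem)
    e.tail = None
    return ET.tostring(e)


def build_request(principal, body_xml):
    """Requester side: SOAP envelope with a WS-Security UsernameToken and a signature
    over the body. The signature travels inside the message, so it still verifies after
    an ESB or gateway has terminated TLS and forwarded the message on."""
    mac = hmac.new(KEY_STORE[principal], canon(ET.fromstring(body_xml)), hashlib.sha256).digest()
    return (
        f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Header>'
        f'<wsse:Security xmlns:wsse="{WSSE_NS}">'
        f'<wsse:UsernameToken><wsse:Username>{principal}</wsse:Username></wsse:UsernameToken>'
        f'<BodySignature xmlns="{SIG_NS}">{base64.b64encode(mac).decode()}</BodySignature>'
        f'</wsse:Security></soap:Header>'
        f'<soap:Body>{body_xml}</soap:Body></soap:Envelope>'
    )


def decision(allow, reason, principal, operation):
    """Every permit and deny goes to the same audit log, whichever PEP asked."""
    record = {"allow": allow, "reason": reason, "principal": principal, "operation": operation}
    AUDIT_LOG.append(record)
    return record


def decide(principal, service, operation, op_elem):
    """PDP: evaluate the central policy for (service, operation) against the caller's
    roles and the XML content. Anything without a rule is denied."""
    rule = POLICY_STORE.get((service, operation))
    if rule is None:
        return decision(False, "no policy for operation: default deny", principal, operation)
    if not USER_STORE.get(principal, set()) & rule["roles"]:
        return decision(False, "role not permitted", principal, operation)
    if "max_amount" in rule:              # content-based rule: look inside the payload
        try:
            amount = int(op_elem.findtext(f"{{{service}}}Amount"))
        except (TypeError, ValueError):
            return decision(False, "content constraint: Amount missing or not an integer", principal, operation)
        if amount > rule["max_amount"]:
            return decision(False, "content constraint: Amount exceeds limit", principal, operation)
    return decision(True, "permit", principal, operation)


def enforce(envelope_xml):
    """PEP (gateway or agent): authenticate the token, verify body integrity, then
    hand the authorisation question to the PDP."""
    try:
        root = ET.fromstring(envelope_xml)
    except ET.ParseError:
        return decision(False, "malformed envelope", "-", "-")
    sec = root.find(f"{{{SOAP_NS}}}Header/{{{WSSE_NS}}}Security")
    body = root.find(f"{{{SOAP_NS}}}Body")
    if sec is None or body is None or len(body) == 0:
        return decision(False, "malformed envelope", "-", "-")
    principal = sec.findtext(f"{{{WSSE_NS}}}UsernameToken/{{{WSSE_NS}}}Username")
    if principal not in KEY_STORE:
        return decision(False, "unknown principal", principal or "-", "-")
    op = body[0]                          # the operation element names the WS operation
    service, _, operation = op.tag[1:].partition("}") if op.tag.startswith("{") else ("", "", op.tag)
    expected = hmac.new(KEY_STORE[principal], canon(op), hashlib.sha256).digest()
    try:
        given = base64.b64decode(sec.findtext(f"{{{SIG_NS}}}BodySignature") or "")
    except (binascii.Error, ValueError):
        given = b""
    if not hmac.compare_digest(given, expected):
        return decision(False, "body signature invalid: altered in transit or not from principal", principal, operation)
    return decide(principal, service, operation, op)


if __name__ == "__main__":
    transfer = (f'<p:Transfer xmlns:p="{PAYMENTS}"><p:To>acct-42</p:To>'
                f'<p:Amount>500</p:Amount></p:Transfer>')
    signed = build_request("partner-a", transfer)
    print(enforce(signed))                                                  # permit
    print(enforce(signed.replace("<p:Amount>500<", "<p:Amount>50000<")))    # altered after signing
    print(enforce(build_request("customer-1", transfer)))                   # role not permitted
```

The altered-after-signing case is the point behind "point-to-point SSL is not enough": an ESB that terminated TLS could change the amount before re-encrypting to the next hop, and only the signature carried inside the message exposes it. Moving the stores and the `decide` function behind one policy server is what turns the per-service PEPs of the "secured" slide into the single-policy reference architecture.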
Recommendations and Best Practices
> Do not create (more) security management silos
– Make sure your enterprise architects understand this
– Don’t leave it up to your developers to do this
> Leverage your current security infrastructure/people/processes
– If you are doing enterprise IAM/WAM, link SOA/WS security to it
> Architect as if services will eventually be externalized
– They probably will
– But don’t confuse security at the edge with overall security
> Leverage WS standards even if not immediately required
– WS-Security, SOAP, XML-Encryption, XML-Signature…
– You can do POX (Plain Old XML), but recognize that it is a temporary approach
Case Study: USA Federal Government Agency
> CA SOA Security Manager
– Security infrastructure for internal Web services deployed on an ESB
– Deployed as a Web services security proxy
– Extended the CA SiteMinder infrastructure to provide a combined WAM & Web services security solution
– Leverages CA SOA Security Manager support for the WS-Security standard
> Other CA IAM products: CA SiteMinder WAM
How to learn more about SOA Security
> Securing SOA/Web Services Based IT Architecture: http://www.ca.com/files/TechnologyBriefs/mp32332_soa_sm_tb_us_en.pdf
> CA SOA Security Manager Product Brief: http://www.ca.com/files/ProductBriefs/soa_sm_pb.pdf
> On-Demand Webcasts: http://www.ca.com/us/webcasts/ondemand/item.aspx?e=155385&eis=1
> Podcast – Why Web Services Security Should Be a Key Part of Your Web IAM Security Strategy: http://www.ca.com/files/Podcasts/greje13web.mp3
> Web based Product Demo – on request