Security and Identity Issues in Cross-Agency SOA

  • Slides: 21

Security and Identity Issues in Cross-Agency SOA
Philip Walston, Senior Product Manager, pwalston@layer7tech.com
May 2006

Agenda and Theme
§ Security and identity in SOA
§ The challenges of security and identity
§ What is federation about?
§ Why federation of Web services is hard
§ Breaking the problem down
§ Tactical, standards-based solutions

Theme: A pragmatic approach to cross-agency SOA
Security and federation for SOA is a complex problem, and the standards are still evolving. However, if we take a realistic look at what most services are actually being used for, we can build standards-compliant solutions today.

Security in Cross-Domain Computing

[Diagram: a Requestor (Client) reaches over the Internet or Intranet, through a Firewall, into a Secure Zone holding the Resource (Server) and a Directory Server of Identities (Alex, Sue, Francis)]

Security Mechanisms
• Encryption
• Signing
• Transport Layer
• Certificates/PKI
• Biometrics
• Fobs
• etc…

Security Technologies
• XML Encryption
• XML Signing
• X.509
• SSL/TLS
• WS-Security
• WS-SC
• WS-Trust
• XKMS
• etc…

The Security Challenge of Cross-Agency SOA

[Diagram: the Requestor (Client) for Program X crosses the Internet or Intranet and the Firewall to reach the Resource (Server); a Policy Enforcement Point sits at the edge of the Secure Zone, Policy Application Point(s) sit at the Resource and at the Directory Server of Identities (Alex, Sue), and both sides are bound by a Mutual Security Policy]

Issues
• Coordinating common security policy
• Granular (operation-level) security
• Applying (coding) and testing security
• Dealing with changes

Tactical Strategy

[Diagram: same topology as the previous slide, with an XML Gateway at the Secure Zone boundary acting as the Policy Enforcement Point for the Mutual Security Policy between the Program X client and the Resource (Server)]

Security Mechanisms
• Security PEP intermediary (server proxy)
• Spec-compliant toolkits
• Plethora of WS-* and other specs
• WS-Policy (soon)

Identity in Cross-Domain Computing

[Diagram: same topology; the Directory Server inside the Secure Zone holds the Identities Alex, Sue and Francis]

Identity Validation Mechanisms
• Username/password
• Digest
• Certificates/PKI
• Biometrics
• Fobs
• etc…

Authentication and Authorization Technologies
• LDAP
• Active Directory
• Radius
• RACF
• ACLs
• IBM Tivoli Access Mgr.
• Netegrity SiteMinder
• RSA ClearTrust
• etc…

What’s Single Sign On (SSO) Really About?

1. The Requestor (Client) provides credentials to the ID Server, which generates a token (Token Id=12345…).
2.–n. The client presents the token to the Resource (Server) over the Internet or Intranet, and the server validates the token.

Why Does SSO Work for Browsers? 1. HTTP Redirects

This is a greatly simplified version of the actual request/response flow:
1. Post (browser-based client → Web Server)
2. Redirect (Web Server → browser)
3. Post Creds (browser → Security Token Service)
4. Receive token (Security Token Service → browser)
5. Post + Token (browser → Web Server)

Why Does SSO Work for Browsers? 2. A Client-side Persistence Model

Persist the token issued by the Security Token Service:
• In pages
• As URL artifact
• As cookie

Why Does SSO Work for Browsers? 3. SSL Protection of Tokens

[Diagram: the token exchanges run over SSL; a Malicious Third Party on the network path is shown blocked (X)]

The Identity Challenge of Cross-Agency SOA

Islands of Identity
[Diagram: Agency Blue (Blue’s Server, Blue’s Directory Server: Alex, Scott, Francis) and Agency Green (Green’s Client, Green’s Directory Server: Frank, Sue) separated by a Firewall, with Program X spanning both]

Need to share not only authentication and authorization information, but also identity attribute information.
Big privacy and confidentiality issues…

What Hasn’t Worked in the Past

[Diagram: Remote Directory Access from Agency Green through the Firewall to Blue’s Directory Server, and Directory Synchronization between Green’s and Blue’s Directory Servers (Frank, Sue, Program X)]

Issues
• Online access through firewall mazes
• Latency in replication
• People leave, get fired, etc.

What We Really Need is Effective Separation of Concerns

[Diagram: Authentication stays with Green’s Directory Server (Agency Green: Frank, Sue), Authorization with Blue’s Directory Server (Agency Blue), joined by a Trust relationship for Program X]

Core Requirements
• Build dynamic trust relationships
• Transport the security context so that authentication and authorization can be distributed
• Enforce privacy issues
• Time out sessions/global logout

The Mechanism

1. Acquire a token from Green’s Identity Server with a statement of authentication (and possibly authorization, attributes) in this security domain.
2. Validate the token on the Blue side (Blue’s Directory Server) according to the trust model.
3. Mutually secure the transaction between the parties (Frank, Sue, Program X).

Validation / Authorization Blurs the Concept of Identity

Ephemeral identity = Conventional Identity (e.g. DN=CN=Phil Walston) +
• Time of day
• Origin IP
• Attributes
• Remote authorization statements
• Different trust paths
• etc…

Issue – Identity Mapping
• Fan in
  E.g. to service account
• Map to local existing account
  E.g. phil.walston -> pwalston
• Map to role
  E.g. Trusted.Administrator
• Etc…
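The three steps of "The Mechanism" slide (issue a token in Green, validate it in Blue against Blue's trust model) together with the ephemeral-identity and identity-mapping rules above, worked as an added Python example that is not code from the deck or from Layer 7. The issuer URL, shared key, group name, address range and working hours are constructed, and an HMAC stands in for the X.509 certificate and XML Signature binding the deck discusses.

```python
import base64, hashlib, hmac, json, time

# Constructed trust model: Blue's validator lists the issuers it trusts and the key that
# authenticates each. Real WS-Trust/SAML binds the issuer to an X.509 certificate and an
# XML Signature; the HMAC here lets the example run on the standard library alone.
TRUST_MODEL = {"https://sts.green.example": b"constructed-green-blue-key"}
AUDIENCE = "https://programx.blue.example"   # constructed: the Blue service the token is for

def issue_token(issuer, subject, attrs, key, ttl=300, now=None):
    """Step 1: Green's STS states that `subject` authenticated in Green's security domain."""
    now = int(time.time()) if now is None else now
    claims = {"iss": issuer, "sub": subject, "aud": AUDIENCE,
              "iat": now, "exp": now + ttl, "attrs": attrs}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(key, body, hashlib.sha256).digest()
    return body + b"." + base64.urlsafe_b64encode(sig)

def validate_token(token, now=None):
    """Step 2: Blue validates against its own trust model, never against Green's directory."""
    now = int(time.time()) if now is None else now
    body, _, sig = token.partition(b".")
    claims = json.loads(base64.urlsafe_b64decode(body))
    key = TRUST_MODEL.get(claims.get("iss"))
    if key is None:
        raise ValueError("untrusted issuer")
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, base64.urlsafe_b64decode(sig)):
        raise ValueError("bad signature")
    if claims.get("aud") != AUDIENCE:
        raise ValueError("token not issued for this service")
    if not claims["iat"] <= now < claims["exp"]:
        raise ValueError("token expired or not yet valid")
    return claims

# Identity mapping rules named on the slide; the group name is constructed.
LOCAL_ACCOUNTS = {"phil.walston": "pwalston"}
ROLE_GROUPS = {"green-admins": "Trusted.Administrator"}

def map_identity(claims, origin_ip, hour):
    """Ephemeral identity: conventional identity plus request context picks the local principal."""
    if not origin_ip.startswith("10.") or not 8 <= hour < 18:  # constructed context policy
        raise PermissionError("request context outside policy")
    sub = claims["sub"]
    if sub in LOCAL_ACCOUNTS:                     # map to local existing account
        return {"principal": LOCAL_ACCOUNTS[sub], "kind": "local"}
    for group in claims["attrs"].get("groups", []):
        if group in ROLE_GROUPS:                  # map to role
            return {"principal": ROLE_GROUPS[group], "kind": "role"}
    return {"principal": "svc-programx", "kind": "service"}   # fan in to service account
```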

Why is Federation/SSO of Web Services So Hard?

Browser Web Domain
[Diagram: Browser Client ↔ Web Server and Identity Provider / Security Token Service, all over SSL; the token is protected from hijack, replay, etc. by SSL]
• SSL
• HTTP redirects
• Simple signing
• Cookies
• URL query parameters

Web Services Domain
[Diagram: Web Services Client (WSS) ↔ Web Services Server (WSS) over SSL; the client carries a User Identity and an Application Identity (certificate and key pair) and sends a SOAP Message with bound security token; the token is protected from hijack, replay, etc. by XML Signatures]
• WSS
• Embedded, signed security tokens
• Considerable orchestration at client
• Manual token caching

Tactical Strategy

[Diagram: a Federation ID Provider & Security Token Service on the Agency Green side (Green’s Directory Server, Authentication Responsibility) and a Federation Policy Enforcement Point on the Agency Blue side (Blue’s Directory Server, Authorization Responsibility), joined by Trust; a Token Orchestration & Caching Layer in the Program X client (Frank, Sue), with Message Level Security between the parties]

Ask Yourself: What do you really need? The dominant pattern is RPC-ish client/server.
1. Security Token Issuer for Green
2. Token Validator for Blue
3. Orchestration code in client application
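An added Python example (not from the deck or from Layer 7) of the "Token Orchestration & Caching Layer" and the "orchestration code in client application" this slide and the previous one call for: a WSS client has no redirects or cookies doing this for it, so it must acquire, cache, bind and refresh tokens itself and drop them on global logout. The STS stand-in, token strings and 300 s lifetime are constructed.

```python
import time

class TokenOrchestrator:
    """Client-side token orchestration and caching for a Web services client.

    A browser gets this behaviour from HTTP redirects and cookies; a WSS client
    has to do it by hand: acquire a token from the STS, bind it to each SOAP
    message, and re-acquire shortly before expiry instead of on every call.
    """
    def __init__(self, acquire, skew=30, clock=time.time):
        self._acquire = acquire       # acquire(audience) -> (token, expires_at)
        self._skew = skew             # refresh this many seconds before expiry
        self._clock = clock           # injectable so the refresh logic is testable
        self._cache = {}              # audience -> (token, expires_at)
        self.sts_calls = 0            # round trips to the STS actually made

    def token_for(self, audience):
        """Return a cached token for `audience`, refreshing it when it is about to expire."""
        cached = self._cache.get(audience)
        if cached is None or cached[1] - self._skew <= self._clock():
            token, expires_at = self._acquire(audience)
            self.sts_calls += 1
            self._cache[audience] = (token, expires_at)
        return self._cache[audience][0]

    def bind(self, audience, message):
        """Attach the token to the message header, as WSS embeds a security token in SOAP."""
        return {"header": {"security_token": self.token_for(audience)}, "body": message}

    def logout(self):
        """Global logout: forget every cached token so no later call reuses one."""
        self._cache.clear()

def make_fake_sts(clock):
    """Constructed STS stand-in: issues an opaque, numbered token valid for 300 s."""
    counter = {"n": 0}
    def acquire(audience):
        counter["n"] += 1
        return (f"tok-{audience}-{counter['n']}", clock() + 300)
    return acquire
```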

The Standards and Specifications Landscape

§ Security
  • Existing / emerging W3C and OASIS
    - SSL/TLS, XML Crypto/Sig, WSS, WS-SecureConversation, WS-SecurityPolicy…
§ Identity
  • WS-Federation (focus on technology)
    - IBM, Microsoft, BEA, RSA, Verisign
    - SAML, SSL/TLS, WS-Trust, WS-Policy, WS-MetadataExchange
  • Liberty Alliance (focus on business problem)
    - Consortium of over 150 companies
    - SAML, SSL/TLS, WSS
  • Government
    - E-Authentication

Conclusions
§ Federation is simply SSO between different security domains
§ The new issue for secure cross-agency (federated) SOA is resolving security and trust models for remote entities
§ Security and federation for Web services have roots in the distributed computing model, but are much more complicated
  - Variable security model
  - No automatic orchestration of client (redirects)
  - No formal client-side persistence model
§ This all leads to much more independent clients and servers, different security mechanisms, and much more complex logistics
§ Implementing secure federated Web services is extremely complex, and current support in application servers is very limited
§ Third-party infrastructure, however, does exist to provide drop-in security and federation for Web services

For further information:
Philip Walston
Layer 7 Technologies
1501 – 700 West Georgia St.
Vancouver, BC, Canada
(800) 681-9377
pwalston@layer7tech.com
http://www.layer7tech.com