Layer 7: Fine Grained Authorization for Web Services

Learn about the challenge of implementing fine-grained authorization in service-based architectures, how to leverage existing identity infrastructure for entitlements management, and how to use policy enforcement intermediaries to enforce entitlement preferences.

  1. Fine grained authorization for Web Services. Jonathan Gershater, Solution Architect.
  2. What will you learn in this session?
     1. The difference between fine grained and coarse grained authorization
     2. The challenge of implementing fine grained authorization in service based architectures
     3. How to leverage existing identity infrastructure for entitlements management
     4. How to use policy enforcement intermediaries to enforce entitlement preferences
     March 2008
  3. Traditional enterprise. Independent applications, each with its own access control mechanisms and authorization policies.
  4. Traditional enterprise security. Protected by:
     • A gate-keeper firewall, primarily offering network level TCP/IP protection.
     • URL-only protection using agent based SSO solutions.
  5. The New Enterprise: SaaS, Web 2.0, Legacy. The challenge:
     • Mixed application and integration environment
     • Diverse credential requirements
     • Existing SSP and user directories
     • No centralized policy control and audit
     • Services requiring fine grained authorization
  6. SaaS, Web 2.0, Integrated enterprise (slide carries only its title)
  7. SaaS, Web 2.0, Integrated enterprise (slide carries only its title)
  8. Web Services authentication: the many-to-many problem.
     • Tokens: Transport (HTTP header, Request x509, etc.); Message (UTP, x509, ...)
     • Web Services authentication sources: LDAP directory; proprietary IAM; certificate servers (OCSP, CRLs, etc.); etc.
  9. Complexity grows!
     • Multi-platform, multi-development environment: .NET, J2EE frameworks, other
     • Support mobile users / disconnected applications
     • Support conditional expressions for authorization
     • Use existing authentication sources
  10. Quick review of AAA
     • Authentication: who are you?
     • Authorization: what can you do?
     • Auditing: who did what?
  11. What is coarse versus fine grained authorization? What is authorization? The difference between:
     • Coarse grained authorization (static): by job role; by IT defined role; by group membership.
     • Fine grained authorization (dynamic): by transaction type; by time of day or day of week.
  12. Sample fine grained AZ request. A stock quote can be anonymous. A stock purchase during trading hours must be:
     • Authenticated
     • Over SSL
     • Within working hours
     • Not from a suspect network
     As a condition: (user=Name_of_Stockbroker) AND (SSL=TRUE) AND ((hour > 6am) AND (hour < 1pm)) AND (ip_address_segment !=
  13. Solution. A Policy Decision Point (PDP) that intercepts and examines XML packets at the application layer:
     • Identifies the service endpoint
     • Authenticates the requester, with support for diverse credential types
     • Integrates with diverse SSO, federation and user directories
     • Performs fine-grained authorization of an operation within a service
     • Credential chaining and translation
     • SAML issuing for downstream consistency
  14. Policy Decision Points (PDP) (slide carries only its title)
  15. Also... SAMLP query to Policy Decision Point (PDP) (slide carries only its title)
  16. Other solutions: an XACML query. A Policy Enforcement Point (PEP) makes an XACML query to a Policy Decision Point (PDP).
     • The PEP executes an XACMLAuthzDecisionQuery
     • The PDP returns an XACMLAuthzDecisionStatement
  17. Policy Enforcement Point makes an XACML query (slide carries only its title)
  18. Layer 7 solution for fine grained authorization. Policy Decision Point (PDP):
     • Highly available / clustered
     • Integrates with several Web Single Sign-On and Policy Decision Point sources
     • Supports any information store: databases or Secure Token Services
     • Generates the appropriate SAML assertion to make authorization decisions
  19. Appliance, software or virtual machine solution. A message level intermediary between services and requesters: internal application consumers, external application consumers, services.
  20. Layer 7 SecureSpan Gateway: runtime governance, Policy Enforcement Point. The PEP validates policy compliance and applies security decorations. Security requirements are defined by an administrator; policies become effective independently of the actual services.
  21. SecureSpan solution advantages and differentiators:
     • Sophisticated policy language enables complex governance requirements
     • Available as a hardware appliance with XML accelerator or as software
     • Quick deployment, ease of use
     • Extensible through APIs
     • Instant policy application (no service downtime)
     • Standards based
     • Industry leadership
  22. Thanks and questions. Jonathan Gershater.
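The stock-trading rule on slide 12, the coarse/fine split from slide 11 and the PEP-to-PDP decision exchange from slide 16, carried through as an added Python example. This is not code from the deck and not Layer 7 / SecureSpan product code; it only mimics the XACML request and decision shape. The attribute names, the group name, the `Request` structure, the sample addresses (RFC 5737 documentation ranges) and the suspect network are all constructed assumptions; the slide's own condition ends before naming its network segment, so the example substitutes a labelled placeholder. It goes slightly beyond the slide by failing closed when an attribute is missing or malformed, which is the behaviour a practitioner would expect of a PDP.

```python
"""Toy PDP/PEP pair for the slide 12 rule, in the XACML request/decision shape
of slide 16.  Constructed example; not Layer 7 / SecureSpan code."""
from dataclasses import dataclass, field
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Constructed placeholder for the suspect network the slide leaves unnamed.
SUSPECT_NETWORKS = [ip_network("203.0.113.0/24")]   # RFC 5737 documentation range
TRADING_HOURS = (time(6, 0), time(13, 0))            # "hour > 6am AND hour < 1pm"
STOCKBROKER_GROUP = "stockbrokers"                    # assumed group name (coarse grained)


@dataclass
class Request:
    """XACML-style authorization request: attributes grouped by category."""
    subject: dict = field(default_factory=dict)      # who: user, groups
    resource: dict = field(default_factory=dict)     # what: service name
    action: dict = field(default_factory=dict)       # operation on the service
    environment: dict = field(default_factory=dict)  # ssl, time "HH:MM", ip


def _parse_clock(value):
    """Return a datetime.time for an 'HH:MM' string, or None if unusable."""
    try:
        return datetime.strptime(value, "%H:%M").time()
    except (TypeError, ValueError):
        return None


def rule_quote_anonymous(req):
    """Slide 12: a stock quote needs no authentication at all."""
    return "Permit" if req.action.get("operation") == "quote" else "NotApplicable"


def rule_purchase(req):
    """Slide 12: a purchase needs an authenticated broker, SSL, trading hours
    and a non-suspect source network.  A missing attribute fails closed."""
    if req.action.get("operation") != "purchase":
        return "NotApplicable"
    subj, env = req.subject, req.environment
    # Coarse-grained (static) part: identity and group membership.
    if not subj.get("user") or STOCKBROKER_GROUP not in subj.get("groups", []):
        return "Deny"
    # Fine-grained (dynamic) part: transport, time of day, source network.
    if env.get("ssl") is not True:
        return "Deny"
    clock = _parse_clock(env.get("time"))
    if clock is None or not (TRADING_HOURS[0] <= clock < TRADING_HOURS[1]):
        return "Deny"
    try:
        src = ip_address(env.get("ip", ""))
    except ValueError:
        return "Deny"                   # unparseable source address: fail closed
    if any(src in net for net in SUSPECT_NETWORKS):
        return "Deny"
    return "Permit"


RULES = (rule_quote_anonymous, rule_purchase)


def pdp_decide(req):
    """PDP: deny-overrides combining of all rules (one of the standard XACML
    combining algorithms).  Returns Permit, Deny or NotApplicable."""
    results = [rule(req) for rule in RULES]
    if "Deny" in results:
        return "Deny"
    if "Permit" in results:
        return "Permit"
    return "NotApplicable"


def pep_enforce(req):
    """PEP: forward the message only on an explicit Permit; NotApplicable and
    Deny are both treated as a refusal."""
    return pdp_decide(req) == "Permit"


# Constructed sample requests (addresses from RFC 5737 documentation ranges).
BROKER = {"user": "alice", "groups": ["stockbrokers"]}
STOCK = {"service": "stock"}
PURCHASE = {"operation": "purchase"}
SAMPLE_REQUESTS = {
    "anonymous_quote": Request(action={"operation": "quote"}),
    "broker_purchase_ok": Request(BROKER, STOCK, PURCHASE,
                                  {"ssl": True, "time": "10:30", "ip": "198.51.100.7"}),
    "purchase_after_hours": Request(BROKER, STOCK, PURCHASE,
                                    {"ssl": True, "time": "14:05", "ip": "198.51.100.7"}),
    "purchase_no_ssl": Request(BROKER, STOCK, PURCHASE,
                               {"ssl": False, "time": "10:30", "ip": "198.51.100.7"}),
    "purchase_suspect_net": Request(BROKER, STOCK, PURCHASE,
                                    {"ssl": True, "time": "10:30", "ip": "203.0.113.9"}),
    "anonymous_purchase": Request(action=PURCHASE,
                                  environment={"ssl": True, "time": "10:30", "ip": "198.51.100.7"}),
    "unknown_operation": Request(BROKER, action={"operation": "transfer"}),
}


def decide_samples():
    """Run the PDP over every sample request; used by the stand-alone demo."""
    return {name: pdp_decide(req) for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, decision in decide_samples().items():
        print(f"{name:22s} {decision}")
```

The split between `pdp_decide` and `pep_enforce` is the point of slide 16: the enforcement point never evaluates policy itself, it only forwards or refuses on the decision it gets back, and it refuses on anything other than an explicit Permit so that a rule gap (NotApplicable) is never silently opened up.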