Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.



Published on

  • Be the first to comment

  • Be the first to like this


  1. 1. Infrastructure Service Approach to Handling Security in Service-Oriented Architecture Business Applications Doina Iepuras
  2. 2. SOA Security • Authentication – validating the identity of the message originator • Authorization – controlling the use of the services • Privacy – no unwanted intercepts while transmitting a message • Integrity – confidence that message has not been modified
  3. 3. SOA Security Levels • Transport Layer Security – Point-to-point security – Encryption for data in motion Cons • Not granular enough • Reduced auditing capabilities
  4. 4. SOA Security Levels • Message Level Security – End-to-end security – WS-Security - integrity via cryptographic mechanisms – WS-Policy – framework describing rules and policies Cons • Implementation for each message
  5. 5. Application Managed Security FW FW Trusted Network .Net Data Apps Store Web Portal Server Server Application J2EE Data Message Server Security Apps Store Decisions Security Business Decisions Processes Security Decisions Custom Data Apps Store Data Security Decisions Store
  6. 6. Application Proxy • Common interface that can receive and respond to web service calls • Reduce the load on the enterprise’s infrastructure • Caches and manages authentication and authorization requests
  7. 7. Gateway Security Pattern • Handles different transport layers • Performs enhanced message transformations • Coarse-grained authorization of the request message and its origins • Validation of the request format
  8. 8. Enterprise Service Bus Supports integration and flexible reuse of heterogeneous business components – Routing messages between services – Conversions of transport protocols – Transforming requests from one message format to another
  9. 9. Security as a Service • Access control decisions should be made each time a message reaches a transition point • Allows early detection of unauthorized requests • Eliminates unnecessary security processing at the application layer • Issue: a lot of redundancy
  10. 10. Security as a Service • Implement security as a set of services • Application relies on services to acquire a security decision • What if security is already implemented within the application? – The decisions should still be made via a service which gets the decision from the application implementation
  11. 11. Security as a Service • Security Decision Service - segregates the security decision functionality • Security Enforcement Service – applies security decisions to a request
  12. 12. Security as a Service within the ESB • ESB enables the security as a service model • Services are implemented as mediations which provide reusable functionality – Service for Encryption/decryption – Service for Validating digital signatures – Service for Authenticating the requestor
  13. 13. ESB Model Security Enforcement Services ESB .Net Data Apps Store Application J2EE Data Server Apps Store Request Message Security Decisions Service Enforcement Service Custom Data Apps Store Security Enforcement Services Security Decisions Services
  14. 14. ESB Model • Validation of request format • Transport and end-to-end security for service implementations • Enables layered security approach by separating enforcement and decision services • Single point of control for identity mapping • Can be implemented gradually
  15. 15. Q&A