CA SOA Security Manager



PRODUCT BRIEF: CA SOA SECURITY MANAGER

CA SOA Security Manager (CA SOA SM) is a centralized, policy-based Web Services security software product that secures access to services by inspecting the security and other content in XML messages. It helps your organization create a centralized enterprise security service that stops XML malware and provides authentication, authorization, federation, and audit capabilities across a heterogeneous IT infrastructure.

Overview

Service-oriented Architectures and Web Services (SOA/WS) are emerging as the next major wave of application architectures for IT-intensive enterprises. Organizations are looking to SOA/WS to improve the speed, flexibility, and cost of building and deploying applications for both internal and external uses. However, as with all new IT architectures, and in particular those that are highly distributed, security management can be a significant challenge. Without a proper architecture, application security is often created in silos, which leads to increased risk of information leakage and increased cost of security administration and regulatory compliance.

Benefits

With CA SOA Security Manager, organizations can centrally manage the security of their enterprise SOA/WS deployments no matter how many Web Services or different infrastructural technologies are deployed. Providing centralized, policy-based security as an integral part of the SOA/WS infrastructure enables the abstraction of security from the Web Services themselves. This eases the administrative burden and cost of providing consistent and reliable enterprise security for SOA/WS.

The CA Advantage

CA SOA Security Manager provides the industry's most comprehensive SOA/WS security platform. It enables both identity-centric Web Services security, such as authentication, authorization, federation and audit, and XML threat-focused security in a single integrated solution. When used in conjunction with CA SiteMinder® Web Access Manager (CA SiteMinder WAM), CA Federation Manager, and CA Identity Manager, the joint solution provides a comprehensive secure Web business enablement platform that secures both traditional Web applications and portals and XML-based Web Services. CA SOA Security Manager is part of CA's Enterprise IT Management (EITM) vision, which helps you unify IT and simplify the management of complex computing environments across the enterprise for better business results.
CA SOA Security Manager Provides Comprehensive Web Services Security for Enterprise SOA/WS Deployments

CA SOA SM is a Service-oriented Architecture/Web Services (SOA/WS) security software product that secures access to services by inspecting the security information contained in the XML documents submitted by the service consumers. Leveraging a core set of SOA/WS standards, CA SOA SM uses centralized security policies bound to user identities to provide XML threat prevention, authentication, authorization, federation, session management and security auditing services. CA SOA SM fits into a heterogeneous SOA/WS deployment by providing both agent- and proxy server-based policy enforcement points (PEPs) that are controlled and managed by centralized policy decision points (PDPs) known as policy servers.

The majority of large organizations around the world have either started to use SOA/WS or are planning to do so in the near future. The attraction of SOA/WS largely rests on its ability to increase application development and deployment speed and flexibility while reducing IT costs. SOA/WS takes the model of cross-domain applications focused on serving human users and generalizes it to computer-driven applications that may or may not be acting under the direct control of a person. SOA/WS directly leverages the benefits of the Internet and Internet technology to provide application integration flexibility whether the service consumer resides inside or outside of the enterprise. As such, the SOA/WS approach eases internal application integration while leveraging standards to open up the same services to the world at large, whether customers, partners, or internal organizations. However, just as with the first arrival of secured Web applications and portals in the 1990s, the arrival of SOA/WS-based applications creates a number of IT and security management challenges that must be addressed before SOA/WS can be deployed at scale.
For instance, as with traditional Web applications, SOA/WS can be deployed for internal use, external use, or a mix of both. Just as who gets access to what matters for most enterprise Web applications, the same issue must be managed and controlled for SOA/WS. In short, SOA/WS need the equivalent of the security functionality that has become standard for Web sites, namely the security services now commonly provided by Web access management (WAM) systems. In addition, as more SOA/WS are exposed outside an organization's boundaries, the risk of targeted malware threats goes up dramatically. Just as in the traditional Web portal and Web application world, organizations need to secure against SOA/WS threats while simultaneously controlling access separately for each SOA/WS client application and organization. To make matters more challenging, making access decisions based on whether a request comes from inside or outside the organization is an outdated approach that cannot be relied upon given the inherently porous nature of today's enterprise. The reality, given that a key purpose of SOA/WS is service reuse, is that a single service might simultaneously be part of both externally facing and internally facing applications.
While in some ways SOA/WS are different from what has come before, in many other ways the enterprise security requirements of SOA/WS are very familiar. In general, organizations have the following goals:

• Message Integrity: Ensuring that messages have not been tampered with
• Message Privacy: Making sure the message is encrypted for confidentiality
• Authentication: Discerning the identity of the requester
• Authorization: Deciding the level of entitlement that the requesting application or user should have
• Federation: Securely linking sessions across security domains
• Auditing and Reporting: Keeping track of what has happened and is happening from a security point of view in the environment
• Malware Threats: Keeping out requests that are looking to disrupt the usage of services or steal private data

In addition, organizations try to build security systems and processes that can scale to meet the future growth that is inevitable with successful IT implementations. This is why the avoidance of security silos is also a key theme for organizations heading down the SOA/WS application development path. These are all needs directly addressed by CA SOA SM.

Key Capabilities of CA SOA Security Manager

Centralized Security Policy Administration and Enforcement
EXTERNALIZES SECURITY FROM SOA/WS TO AVOID SECURITY SILOS

CA SOA SM secures SOA/WS using a centralized set of security policies executing on centralized policy servers, known generally as policy decision points (PDPs). These policies provide message-level authentication, authorization, federation, session management, XML threat prevention, and security auditing across all XML-based Web Services within an enterprise. This enables the administration and deployment of an enterprise security service that is external to the Web Services themselves, and thus can be created and changed independently of those services.
This abstraction of security from the application services avoids the cost, inflexibility and risk of security silos.

Heterogeneous SOA/WS Deployment Technology Support
OVERLAY SECURITY SEAMLESSLY INTO THE SOA/WS DEPLOYMENT ENVIRONMENT

Just like traditional Web portals or Web applications, enterprise SOA/WS systems tend to be deployed on a heterogeneous mix of technologies by different parts of the organization, including Web servers, application servers, enterprise service buses and SOA platforms. The challenge many organizations have is how to secure their enterprise consistently and cost effectively without dictating what SOA/WS infrastructure developers and IT operations can use. To provide comprehensive, heterogeneous support of SOA/WS IT infrastructures, CA SOA SM provides a wide range of SOA Agents (policy enforcement points [PEPs]) that can be installed within the service containers, and a SOA proxy gateway, which together can centrally secure practically any SOA/WS enterprise deployment.
Consistent Security Enforcement at the Edge and at the Container Level
SECURE SOA/WS AT EVERY LAYER, BOTH IN THE DMZ AND AT THE LAST MILE

SOA/WS are often created without regard to whether they are intended to be externally or internally facing. The reality is that the same service might be used simultaneously for both types of applications. While most malware threats originate from the outside, security also needs to be enforced on the inside at the last mile; otherwise services are open to any application that can reach them. CA SOA SM provides a comprehensive and integrated solution that enables policy-based security enforcement both at the edge, in the DMZ (through the proxy-based gateway/firewall functionality of the SOA Security Gateway), and from within the service containers at the last mile (through SOA Agents). The proxy functionality of the SOA Security Gateway hides the actual locations of the services and provides automated routing and protocol translation, while simultaneously acting as a PEP for the identity services provided by the Policy Servers (PDPs).

Prevents XML Threats
STOPS UNWANTED XML TRAFFIC IN THE DMZ

Effective enterprise security is often best delivered through a strategy known as defense-in-depth, and XML-based SOA/WS are no exception. Any service that is exposed to the outside world will most likely be probed and attacked by hackers pursuing fun or profit. One element of defense-in-depth is to stop malware threats before they get inside the enterprise, that is, to stop them in the DMZ. However, malware is only part of the security story; identity-based access controls also need to be enabled and managed. To control access through the front door, CA SOA SM leverages its SOA Security Gateway component. The SOA Security Gateway provides proxy, XML threat prevention, and protocol translation services, while also acting as a PEP for the centralized PDP of CA SOA SM.
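The brief describes XML threat prevention only in terms of what the gateway stops. The following Python function is an added example (not code from the brief and not CA's implementation) of the class of pre-parse checks a DMZ gateway applies to inbound XML: it refuses any DOCTYPE, which shuts out XXE and entity-expansion bombs before a single entity can be declared or expanded, and it caps message size, nesting depth, element count and attributes per element so that a well-formed but abusive message cannot exhaust the parser. The limits are arbitrary defaults chosen for the example, and the benign SOAP envelope, the entity bomb, the XXE probe and the deeply nested document are all constructed samples.

```python
from typing import Tuple
import xml.parsers.expat
from xml.parsers.expat import ExpatError


class XmlThreat(Exception):
    """Raised inside an expat callback; pyexpat stops the parser and re-raises it."""


def screen_xml(data: bytes, max_bytes: int = 1_000_000, max_depth: int = 32,
               max_elements: int = 10_000, max_attrs: int = 64) -> Tuple[bool, str]:
    """Pre-parse screen for inbound XML. Returns (accepted, reason).

    The limits are example defaults; a real gateway tunes them per service.
    The DOCTYPE callback fires before any entity is declared or expanded, so
    entity bombs and XXE payloads are refused without doing the expansion work.
    """
    if len(data) > max_bytes:
        return False, f"message too large ({len(data)} bytes > {max_bytes})"

    depth = 0
    elements = 0

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise XmlThreat("DOCTYPE not allowed (blocks XXE and entity expansion)")

    def on_start(name, attrs):
        nonlocal depth, elements
        depth += 1
        elements += 1
        if depth > max_depth:
            raise XmlThreat(f"nesting deeper than {max_depth}")
        if elements > max_elements:
            raise XmlThreat(f"more than {max_elements} elements")
        if len(attrs) > max_attrs:
            raise XmlThreat(f"<{name}> has more than {max_attrs} attributes")

    def on_end(name):
        nonlocal depth
        depth -= 1

    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    try:
        parser.Parse(data, True)
    except XmlThreat as exc:
        return False, str(exc)
    except ExpatError as exc:
        return False, f"malformed XML: {exc}"
    return True, "ok"


# Constructed samples: a benign SOAP request, a billion-laughs entity bomb,
# an XXE probe, and an absurdly deep but well-formed document.
CLEAN_SOAP = b"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
  <soap:Header><wsse:Security><wsse:UsernameToken>
    <wsse:Username>alice</wsse:Username></wsse:UsernameToken></wsse:Security></soap:Header>
  <soap:Body><CreditCheck><Applicant>alice</Applicant></CreditCheck></soap:Body>
</soap:Envelope>"""

ENTITY_BOMB = b"""<?xml version="1.0"?>
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
]>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>&lol3;</soap:Body></soap:Envelope>"""

XXE_PROBE = b"""<?xml version="1.0"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<CreditCheck><Applicant>&xxe;</Applicant></CreditCheck>"""

DEEP_NESTING = b"<a>" * 100 + b"</a>" * 100

if __name__ == "__main__":
    for label, sample in [("clean", CLEAN_SOAP), ("entity bomb", ENTITY_BOMB),
                          ("xxe probe", XXE_PROBE), ("deep nesting", DEEP_NESTING)]:
        print(f"{label:13s} -> {screen_xml(sample)}")
```

The screen runs on the raw bytes ahead of schema validation and credential extraction, so a rejected message never reaches the more expensive stages. Refusing DOCTYPE outright is the right default for a gateway: legitimate SOAP and POX traffic does not carry a DTD, and it is the one check that cannot be bypassed by a cleverly sized payload.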
The combined functionality of CA SOA SM with the SOA Security Gateway provides true enterprise-level security for SOA/WS that are exposed externally, keeping threats out while simultaneously controlling access for legitimate service consumers.

Identity Federation and SSO for Services that Cross Security Domains, Internal or External
STANDARDS-BASED FEDERATION ENABLES MULTISTEP SERVICES

A major value proposition of SOA/WS is service reuse. Often services will be made up of multiple underlying Web Services that may themselves be hosted in any number of internal domains or provided by external organizations. In these situations, security context needs to be maintained at every step. This is most often accomplished through trust relationships that are enforced and enabled by standards-based tokens (typically WS-Security with SAML) embedded in standardized message formats (such as SOAP). CA SOA SM enables federation of services through its support of standards such as WS-Security tokens, acting both as a consumer and as a producer of security tokens. A typical use case of CA SOA SM is as an authentication service that takes in one credential or token and issues another token that can be used to maintain the session (thus providing a form of Web Services SSO) for services further down the line.
Authentication and Authorization Based on XML Message Content
PROVIDING POLICY-BASED ACCESS CONTROL FOR SOA/WS

With SOA/WS, the requesting application generally sends both its credentials and the payload for the requested service in the same XML message. Before the message is processed, the requester must be both authenticated and authorized for use of that service. CA SOA SM, through its PEP and PDP architecture, automatically extracts the requester's credentials from the XML message (whether it is plain old XML [POX] or uses standards such as SOAP/WS-Security) and compares them to the assigned credentials for that requester. Importantly, the PDP of CA SOA SM sits outside the DMZ, so the policies and the corporate directories are not exposed directly to potentially hostile processes running in the DMZ; only the PEP faces the outside. In addition, the authorization policies can be as fine-grained as the organization chooses to make them. This allows access policy decisions to be made both on elements within the XML message and on attributes about the requester that are stored in the corporate directory.

SOA/WS Standards Compliant
EASING INTEGRATION AND CROSS-DOMAIN INTEROPERABILITY

Standards are key building blocks for SOA/WS. Without standards the value proposition of SOA/WS would be seriously impacted. This applies equally to security for SOA/WS: security standards make secure interoperability possible and managed integration easier to attain. CA SOA SM supports many XML-related standards out of the box, which makes using it as security infrastructure all the easier. Support of standards such as XML, SOAP, SAML Session Ticket, WS-Security, XML Encryption, and XML Signature, and support of the .NET and J2EE application platforms, eases the implementation and administration of a CA SOA SM based security service.
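The authentication and authorization section above describes the PEP pulling credentials out of the message and the PDP deciding on a mix of message content and directory attributes. The Python sketch below is an added illustration of that decision flow, not CA's code: it extracts a WS-Security UsernameToken (or, for a POX caller, a plain <Credentials> element), authenticates it against a constructed in-memory directory, and then authorizes the requested operation on both the caller's role and the <Amount> element in the body compared with the caller's credit_limit directory attribute. The SOAP and WSSE namespace URIs are the real ones; the directory entries, policy table, operation names, attribute names and passwords are invented for the example, and passwords are kept in clear only to keep the sketch short.

```python
import hmac
import xml.etree.ElementTree as ET
from typing import Dict, Optional, Tuple

# Real namespace URIs for the SOAP envelope and the WS-Security header.
NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
}

# Constructed stand-in for the corporate directory the PDP would query.
# (A real store holds password digests, not clear-text passwords.)
DIRECTORY = {
    "alice": {"password": "teller-pass-1",  "role": "teller",  "credit_limit": 5000},
    "bob":   {"password": "manager-pass-2", "role": "manager", "credit_limit": 50000},
}

# Constructed policy: roles allowed per operation, and the directory attribute
# the body's <Amount> element is checked against.
POLICY = {
    "CreditCheck": {"roles": {"teller", "manager"}, "amount_attr": "credit_limit"},
    "ApproveCard": {"roles": {"manager"},           "amount_attr": "credit_limit"},
}


def extract_credentials(root: ET.Element) -> Optional[Tuple[str, str]]:
    """PEP step: read a WS-Security UsernameToken, else a POX <Credentials> element."""
    token = root.find("soap:Header/wsse:Security/wsse:UsernameToken", NS)
    if token is not None:
        user = token.findtext("wsse:Username", default="", namespaces=NS)
        pw = token.findtext("wsse:Password", default="", namespaces=NS)
        return (user, pw) if user else None
    pox = root.find("Credentials")
    if pox is not None:
        return (pox.findtext("Username", ""), pox.findtext("Password", ""))
    return None


def authenticate(username: str, password: str) -> Optional[Dict]:
    """PDP step: constant-time compare against the directory entry."""
    entry = DIRECTORY.get(username)
    if entry is None or not hmac.compare_digest(entry["password"], password):
        return None
    return entry


def operation_of(root: ET.Element) -> Optional[ET.Element]:
    """The operation is the first child of soap:Body, or the root itself for POX."""
    body = root.find("soap:Body", NS)
    return next(iter(body), None) if body is not None else root


def decide(message: bytes) -> Dict[str, str]:
    """Full PEP/PDP decision for one request. Returns {"decision", "reason"}."""
    try:
        root = ET.fromstring(message)
    except ET.ParseError as exc:
        return {"decision": "deny", "reason": f"malformed XML: {exc}"}
    creds = extract_credentials(root)
    if creds is None:
        return {"decision": "deny", "reason": "no credentials in message"}
    attrs = authenticate(*creds)
    if attrs is None:
        return {"decision": "deny", "reason": "authentication failed"}
    op = operation_of(root)
    if op is None or op.tag not in POLICY:
        return {"decision": "deny", "reason": "unknown operation"}
    rule = POLICY[op.tag]
    if attrs["role"] not in rule["roles"]:
        return {"decision": "deny", "reason": f"role {attrs['role']} may not call {op.tag}"}
    amount = float(op.findtext("Amount", "0"))
    limit = attrs[rule["amount_attr"]]
    if amount > limit:
        return {"decision": "deny", "reason": f"amount {amount:.0f} exceeds {rule['amount_attr']} {limit}"}
    return {"decision": "permit", "reason": f"{creds[0]} ({attrs['role']}) may call {op.tag}"}


def soap_message(user: str, password: str, operation: str, amount: int) -> bytes:
    """Build a constructed SOAP request carrying a WS-Security UsernameToken."""
    return f"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="{NS['soap']}" xmlns:wsse="{NS['wsse']}">
  <soap:Header><wsse:Security><wsse:UsernameToken>
    <wsse:Username>{user}</wsse:Username><wsse:Password>{password}</wsse:Password>
  </wsse:UsernameToken></wsse:Security></soap:Header>
  <soap:Body><{operation}><Amount>{amount}</Amount></{operation}></soap:Body>
</soap:Envelope>""".encode()


# Constructed plain-old-XML request from a non-SOAP caller.
POX_MESSAGE = b"""<ApproveCard>
  <Credentials><Username>bob</Username><Password>manager-pass-2</Password></Credentials>
  <Amount>20000</Amount>
</ApproveCard>"""

if __name__ == "__main__":
    print(decide(soap_message("alice", "teller-pass-1", "CreditCheck", 1200)))
    print(decide(soap_message("alice", "teller-pass-1", "CreditCheck", 9000)))
    print(decide(soap_message("alice", "teller-pass-1", "ApproveCard", 100)))
    print(decide(POX_MESSAGE))
```

The point the sketch makes is the split the brief describes: everything that touches the directory and the policy table lives in `decide`, which a deployment would run on the policy server inside the trusted network, while `extract_credentials` is the only part that needs to see the raw message at the enforcement point. A gateway would also run an XML threat screen on the bytes before `ET.fromstring` is ever called.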
Administering Large Scale Deployments
ENABLES CREATION OF SECURITY POLICIES USING WSDL

The administrative UI of the product can connect to multiple Policy Servers, so you can manage all of your components from a single shared administration server. The UI is specifically Web Services oriented; for example, an administrator can create security policy for a Web Service directly from its WSDL. The WSDL file can be loaded from a file or from a URL. Once loaded, the product's UI displays all the WSDL operations and makes it easy for the administrator to secure each one with one or more authentication schemes.

Scalable and Reliable
PROVEN HIGH-PERFORMANCE FAULT TOLERANT ARCHITECTURE

CA SOA SM provides load balancing, fully tunable two-level caching, replication of agents, policy servers and user stores, and automatic failover. CA SOA SM can be deployed with confidence in high transaction volume service environments, providing high availability and reliable security. CA SOA SM uses the proven architecture of CA SiteMinder® Web Access Manager (CA SiteMinder WAM), one of the world's leading high-performance Web access management systems, as the basis of its deployment architecture.
Architectural Overview of CA SOA Security Manager

The architecture of CA SOA SM is made up of three main cooperating components:

• The centralized policy servers that act as the PDP
• The SOA Security Gateway that provides XML threat prevention, routing and proxy services, protocol translation, and PEP functionality
• The SOA Agents that provide last-mile security by running natively in various SOA containers, such as Web servers and J2EE application servers

FIGURE A: CA SOA SECURITY MANAGER DEPLOYMENT REFERENCE ARCHITECTURE

CA SOA Security Manager is built on a highly distributed architecture that combines distributed policy enforcement points (SOA Security Gateways and SOA Agents) with centralized, policy server based policy decision points.

1. Web Service requests coming from outside into your network are secured by the SOA Security Gateway running in the DMZ. Alternatively, a user may access the Portal Server, which in turn makes a Web Service request to a Web Service hosted behind the DMZ.
2. Web Services deployed within an enterprise can also make requests to each other as part of a particular business process. This traffic is secured by SOA Agents as the last mile of SOA/WS security.
3. A common central Policy Server secures both Web Service traffic and Web site traffic when CA SiteMinder WAM and CA SOA Security Manager are used together.
FIGURE B: SSO FROM PORTAL TO INTERNAL AND EXTERNAL WEB SERVICES

1. The user logs into the banking portal, secured by CA SiteMinder WAM, and applies for a credit card.
2. The portal-based application makes a SOAP call to the internal Credit Card service using the user's security context.
3. The user's session is validated and authorized by the SOA Agent PEP and Policy Server PDP that protect the Credit Card service.
4. CA SOA Security Manager then generates a WS-Security/SAML token and adds it to the SOAP header of the request for the next step in the Web Service, which in this example is the Credit Check Web Service.
5. The Credit Card service sends the SOAP request with the SAML token to the external Credit Check service provided by a partner.
6. The Credit Check service authenticates the requester using the WS-Security SAML standard and returns its response to the Credit Card service, which in turn returns credit card approval or denial to the user on the portal-based application.

CA SOA Security Manager Benefits

By enabling a standards-based SOA/WS security solution, CA SOA SM can help organizations:

• Reduce IT risk by leveraging a consistent, centralized, end-to-end enterprise security service for SOA/WS. Organizations are no longer exposed to the risks inherent in security silos.
• Enhance regulatory compliance through improved preventive and detective controls combined with centralized security auditing and logging.
• Reduce security development, maintenance, and operational costs through the use of an enterprise shared security service.
• Ease the integration of cross-domain applications through the use of industry-accepted XML standards.
• Reduce administrative costs by simplifying security policy administration and management, leveraging the product's Web Services focused UI.
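Both the federation section earlier (a service that takes in one credential and issues another token for the next hop) and steps 4 to 6 of Figure B describe the same exchange: an issuer in the bank's domain produces a signed assertion bound to a subject, an intended audience and an expiry, the calling service carries it in the WS-Security header, and the partner's enforcement point checks it before the request reaches the Credit Check service. The Python below is an added example of that exchange with both sides present; it is not CA's code. The SOAP, WSSE and SAML 2.0 namespace URIs are real, but the assertion is a simplified attribute-only element rather than a full SAML Assertion, and an HMAC-SHA256 over the assertion's fields with a constructed shared key stands in for the XML Signature a real deployment would use. Issuer and audience URNs, the subject and the timestamps are all invented.

```python
import hashlib
import hmac
import time
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed trust store held by the partner's PEP: issuer URN -> verification key.
# A shared HMAC key stands in for the signing certificate of a real SAML issuer.
TRUSTED_ISSUERS = {"urn:bank:policy-server": b"constructed-shared-secret-for-example"}


def _signing_input(issuer: str, subject: str, audience: str, not_on_or_after) -> bytes:
    """The fields the signature covers, in a fixed order on both sides."""
    return f"{issuer}|{subject}|{audience}|{not_on_or_after}".encode()


def issue_assertion(issuer: str, subject: str, audience: str,
                    ttl: int = 300, now: Optional[int] = None) -> str:
    """Figure B step 4: the policy server turns a validated session into an
    assertion for the next hop, scoped to one audience and a short lifetime."""
    issued_at = int(time.time() if now is None else now)
    not_on_or_after = issued_at + ttl
    sig = hmac.new(TRUSTED_ISSUERS[issuer],
                   _signing_input(issuer, subject, audience, not_on_or_after),
                   hashlib.sha256).hexdigest()
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}" Issuer="{issuer}" '
            f'Subject="{subject}" Audience="{audience}" '
            f'NotOnOrAfter="{not_on_or_after}" Signature="{sig}"/>')


def envelope_with_token(body_xml: str, assertion_xml: str) -> bytes:
    """Figure B step 5: the Credit Card service carries the assertion in the
    WS-Security header of its outbound SOAP request to the partner."""
    return (f'<soap:Envelope xmlns:soap="{NS["soap"]}" xmlns:wsse="{NS["wsse"]}">'
            f'<soap:Header><wsse:Security>{assertion_xml}</wsse:Security></soap:Header>'
            f'<soap:Body>{body_xml}</soap:Body></soap:Envelope>').encode()


def validate_assertion(envelope: bytes, expected_audience: str,
                       now: Optional[int] = None) -> Tuple[bool, str]:
    """Figure B step 6: the partner's PEP checks issuer trust, signature,
    audience and expiry, in that order. Returns (ok, subject or reason)."""
    try:
        root = ET.fromstring(envelope)
    except ET.ParseError as exc:
        return False, f"malformed XML: {exc}"
    assertion = root.find("soap:Header/wsse:Security/saml:Assertion", NS)
    if assertion is None:
        return False, "no assertion in WS-Security header"
    a = assertion.attrib
    key = TRUSTED_ISSUERS.get(a.get("Issuer", ""))
    if key is None:
        return False, "untrusted issuer"
    expected = hmac.new(key, _signing_input(a["Issuer"], a.get("Subject", ""),
                                            a.get("Audience", ""), a.get("NotOnOrAfter", "")),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, a.get("Signature", "")):
        return False, "signature mismatch (assertion altered or wrong key)"
    if a.get("Audience") != expected_audience:
        return False, "assertion not intended for this service"
    current = int(time.time() if now is None else now)
    if current >= int(a["NotOnOrAfter"]):
        return False, "assertion expired"
    return True, a["Subject"]


if __name__ == "__main__":
    token = issue_assertion("urn:bank:policy-server", "alice", "urn:partner:credit-check")
    request = envelope_with_token("<CreditCheck><Applicant>alice</Applicant></CreditCheck>", token)
    print(validate_assertion(request, "urn:partner:credit-check"))
```

The ordering in `validate_assertion` matters: the signature is checked before any field it covers is trusted, so a tampered audience or expiry fails as a signature mismatch rather than being compared. Scoping each assertion to one audience is what keeps a token issued for the Credit Check partner from being replayed against another downstream service that trusts the same issuer.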
SUPPORTED SYSTEMS

Authentication Methods
• WS-Security (SAML)
• WS-Security (Username)
• WS-Security (X509)
• XML Document Credential Collector (DCC)
• XML Digital Signature
• X.509 v3 Certificates
• SAML Session Ticket

Standards Compliance
• XML
• SOAP
• REST
• WSDL
• XML Encryption
• XML Signature
• WS-Security
• SAML
• XPATH
• XSLT
• LDAP
• XML Schema
• JMS
• IPv6

User Directories
• Sun Java System Directory Server
• Novell eDirectory
• Microsoft Active Directory
• Microsoft AD/AM
• Microsoft SQL Server
• Microsoft NT Domain
• Oracle Internet Directory
• Oracle RDBMS
• Lotus Domino
• Critical Path Directory Server
• Siemens DirX, DirXEE
• IBM Directory Server
• IBM DB2
• CA Directory

CA SOA Security Manager Platforms
• Microsoft Windows
• Sun Solaris
• Red Hat Linux
• SUSE zSeries
• IBM AIX

SOA Agent Platforms
• Microsoft IIS
• Apache HTTP Server
• IBM HTTP Server
• Sun Java System Web Server
• BEA WebLogic
• IBM WebSphere

The CA Advantage: A Comprehensive, Integrated and Modular Approach to Managing Security on the Web

CA SOA Security Manager is a key component of CA's solutions for Secure Web Business Enablement. CA's integrated but modular products allow your organization to select the components that target specific areas of immediate need, while providing the organization with a path for incremental growth. The modular approach also enables you to start with the product that meets your most critical need and implement a solution in phases, or implement the whole Secure Web Business Enablement solution at one time, depending on your budget and business goals. Other products in the Secure Web Business Enablement solution include:

• CA SiteMinder® Web Access Manager provides flexible and scalable policy enforcement for Web applications, as well as Web-based single sign-on.
• CA Federation Manager provides industry standards based identity federation capabilities for the Web.
• CA Identity Manager provides automated identity administration and auditing for Web identities.
Once in place, CA solutions can help you open the door to a multitude of new opportunities. Your organization can rapidly deploy new Web applications and services and bring new users on board quickly and efficiently. This higher level of management control supports CA's vision for Enterprise IT Management (EITM), which helps you unify and simplify the management of complex computing environments across your enterprise. EITM is a dynamic and secure approach that integrates and automates the management of applications, databases, networks, security, storage and systems across departments and disciplines to maximize the full potential of each. CA's comprehensive portfolio of modular IT management solutions helps you to better manage risk, costs and service, and ensure that IT meets the business needs of your enterprise.

CA Services and our partners can help you assess your current Web services security situation, define your goals and implement solutions to gain measurable results. To keep all your CA solutions operating at peak performance, CA Support delivers technical and customer support worldwide, and we offer training and certification through CA Education. CA Education, a preferred source for IT management and best practices training, is an important part of our services offering. We assess your training needs, create the right training plan for you and optimize the program with advanced coursework and industry certifications.

Next Steps

To fully leverage the reach and power of SOA and Web Services, investigate the breadth and depth of CA SOA Security Manager for your enterprise-scale security management system. With a centralized Web Services security system based on CA SOA Security Manager, organizations can more easily deliver on the IT agility and cost savings promise of SOA/WS.
To learn more, and to see how CA software solutions enable organizations to unify IT and simplify the management of complex computing environments across the enterprise for better business results, visit CA's Web site.

Copyright © 2008 CA. All rights reserved. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. MP320721108