Securing Service Oriented Architecture-May 2005

  1. Securing Service Oriented Architecture
     Don Flinn, Flint Security LLC, [email_address], www.flintsecurity.com
  2. Agenda
     - Distributed security
       - Traditional protocols
       - SOA requirements
     - What's next
  3. Distributed Security: Traditional Protocols
  4. Security Principles
     - Protection of assets
     - Security fundamentals
       - Authentication, Authorization
       - Audit, Administration
       - Cryptography
     - Risk Management
     - Never-ending contest
  5. Traditional Security Protocols
     - Authentication
       - HTTP Basic Auth
       - SSL/TLS
       - Kerberos
       - VPN
     - Authorization
       - RBAC
     - Limitations
  6. Distributed Security: SOA Requirements
  7. SOA Scenario
  8. SOA Security Challenges
     - Circuitous route
     - Heterogeneous entities
     - Untrusted intermediaries
     - Unlimited system size
  9. Message Based Security
     - Security is an integral part of the message
     - Integrity & Confidentiality
       - End-to-end
  10. WS-Security
     - SOAP header block
     - Tokens
     - Digital signatures
     - XML encryption
  11. WSS Tokens
     - Username
     - X.509 Certificate
     - Kerberos
     - SAML
     - Biometric
     - XrML
  12. d-sig & XML Encryption
     - Digital Signature (d-sig)
       - Substitute for written signature
       - Legal in business (2000)
     - XML encryption
       - Fine-grained encryption
  13. XACML
     - XML based access control
     - Language for Access Control
     - Rules & Policies
     - XACML protocols
  14. Vendors
     - .NET (Microsoft)
     - WebSphere (IBM)
     - JWSDP (Sun)
     - etc.
     - Be careful of any proprietary moves
  15. What's Next
  16. Where Are We Today?
     - Intranet & Extranet
     - Internet
       - Establish trust
       - Federation
       - Delegation
       - Privacy
  17. Next Steps
     - Complex scenarios
     - Trusted third parties
     - Discovery & Access
     - Higher level specifications
  18. Security & Law
     - Recent security laws
     - Recent court cases
     - Need court-defensible security
  19. Summary
     - Abundance of tools
       - Blind use of tools
     - Complex scenarios
       - Higher level specifications
       - Experience with the protocols
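Slides 9 to 11 make the point that in a SOA the security travels inside the message (a WS-Security header block carrying a token) rather than on the transport, so it survives untrusted intermediaries. The following added example, not from the deck or from Flint Security, builds such a SOAP envelope with a WS-Security UsernameToken using the PasswordDigest form and then shows the checks a receiving service must do on the token itself: digest over a known password, timestamp freshness, and nonce replay detection. The namespace URIs are the real OASIS WSS 1.0 ones; the users, passwords and message body are constructed.

```python
import base64, hashlib, hmac, secrets
from datetime import datetime, timedelta, timezone
from xml.sax.saxutils import escape
import xml.etree.ElementTree as ET
# OASIS WSS 1.0 namespace and token-type URIs; the users, passwords and message below are constructed.
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
SOAP, TS = "http://schemas.xmlsoap.org/soap/envelope/", "%Y-%m-%dT%H:%M:%SZ"

def password_digest(nonce, created, password):
    # UsernameToken profile: Base64(SHA-1(nonce || created || password)), with the nonce as raw bytes
    return base64.b64encode(hashlib.sha1(nonce + created.encode() + password.encode()).digest()).decode()

def build_envelope(username, password, body_xml, nonce=None, created=None):
    # Client side: the token rides in the SOAP header, so it survives any number of intermediaries
    nonce = nonce or secrets.token_bytes(16)
    created = created or datetime.now(timezone.utc).strftime(TS)
    return (f'<soap:Envelope xmlns:soap="{SOAP}"><soap:Header>'
            f'<wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}"><wsse:UsernameToken>'
            f'<wsse:Username>{escape(username)}</wsse:Username>'
            f'<wsse:Password Type="{DIGEST}">{password_digest(nonce, created, password)}</wsse:Password>'
            f'<wsse:Nonce>{base64.b64encode(nonce).decode()}</wsse:Nonce><wsu:Created>{created}</wsu:Created>'
            f'</wsse:UsernameToken></wsse:Security></soap:Header><soap:Body>{body_xml}</soap:Body></soap:Envelope>')

def verify_envelope(xml_text, lookup_password, seen_nonces, now, max_skew=timedelta(minutes=5)):
    # Service side: validate the token itself; True only for a fresh, unreplayed digest over a known password
    root, tok = ET.fromstring(xml_text), f".//{{{WSSE}}}UsernameToken/"
    user, created = root.findtext(tok + f"{{{WSSE}}}Username"), root.findtext(tok + f"{{{WSU}}}Created")
    pw, nonce_b64 = root.find(tok + f"{{{WSSE}}}Password"), root.findtext(tok + f"{{{WSSE}}}Nonce")
    if None in (user, created, pw, nonce_b64) or pw.get("Type") != DIGEST:
        return False  # token or fields missing, or a plaintext PasswordText token this policy refuses
    if abs(now - datetime.strptime(created, TS).replace(tzinfo=timezone.utc)) > max_skew or nonce_b64 in seen_nonces:
        return False  # stale Created or replayed nonce
    password = lookup_password(user)
    expected = password_digest(base64.b64decode(nonce_b64), created, password) if password else None
    if expected is None or not hmac.compare_digest(expected, pw.text or ""):
        return False
    seen_nonces.add(nonce_b64)  # remember the nonce only after success so failures cannot burn a valid one
    return True

def demo():
    # Constructed round trip: a valid token, its replay, a wrong password, and a stale Created
    created, now = "2005-05-01T12:00:00Z", datetime(2005, 5, 1, 12, 0, 30, tzinfo=timezone.utc)
    env, seen = build_envelope("alice", "s3cret", "<ping/>", created=created), set()
    return {"valid": verify_envelope(env, {"alice": "s3cret"}.get, seen, now),
            "replay": verify_envelope(env, {"alice": "s3cret"}.get, seen, now),
            "bad_password": verify_envelope(env, {"alice": "wrong"}.get, set(), now),
            "stale": verify_envelope(env, {"alice": "s3cret"}.get, set(), now + timedelta(hours=1))}
```

Note that the UsernameToken only authenticates the sender; it does not bind the body, which is why the deck pairs tokens with XML digital signatures for end-to-end integrity.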
