Building Security In
Editors: John Steven, jsteven@cigital.com
Gunnar Peterson, gunnar@arctecgroup.net
Deborah A. Frincke, deborah.frincke@pnl.gov

Service-Oriented Security
Indications for Use

Gunnar Peterson, Arctec Group
IEEE Security & Privacy, March/April 2009, pp. 91–93. 1540-7993/09/$25.00 © 2009 IEEE. Copublished by the IEEE Computer and Reliability Societies.

In evolutionary terms, the information security field is more than a decade behind software development. By that, I mean that we haven't had a single meaningful change in security architecture in 13 years. Developers have evolved, businesses have increasingly bet their entire business models on the Web and networks, and both sides have increased their security budgets. But what has the security architecture (as it's deployed in the field) got to show for all of this? More firewalls and more Secure Sockets Layer (SSL) connections.

Why has information security failed? I think the problem lies with its mission—confidentiality, integrity, and availability are fine statements to make, but they don't lead anywhere. Because information security has proven incapable of evolving, it's time to learn from a discipline that has mastered innovation—software development. In this installment of Building Security In, we'll learn what this field can teach us.

Diagnosis
Software developers began building sophisticated Web applications in the mid-1990s, using CGI and Perl scripts to connect their users to databases and back-end content. Even back then, security people knew immediately that security would be an issue—after all, developers were publishing back-end content from their core business databases and applications onto the Web and letting users post content there as well. In response, the security industry moved as never before or since to build and deploy two security mechanisms. The first was a network firewall to keep the "good stuff" (enterprise data and functionality) separate from the "bad stuff" (the Internet). The second was SSL to encrypt the link from the user's Web browser to, ideally, the Web server. Note what that pair does and does not cover: the firewall decides which hosts and ports can be reached, and SSL protects bytes in transit, so neither one sees what the application does with a request once it arrives.

What happened next was the dotcom boom—businesses figured out that they could make buckets of money on the Web, developers began innovating feverishly, Web applications became more sophisticated and personalized, and so on. This led to Java's JavaServer Pages (JSPs), Microsoft's Active Server Pages (ASPs), and even greasier Perl scripts, all in an effort to pool enterprise resources and personalized sessions on Web servers. The security people defended this revolutionary new application programming model with their original security architecture—network firewalls and SSL.

Around 1998, developers began building increasingly distributed three-tier applications that separated the business logic, presentation, and data access layers. Among other things, a Web application could now seamlessly integrate data from multiple back-end systems—if you had pricing data in Oracle, order data in SAP, and customer data in a mainframe, for example, you could write separate data access objects, apply business logic in the middle tier, and tie it all together in a friendly user interface. At this point, Web applications began to integrate across departments, business units, and geographic boundaries, with huge critical chunks of the business now connected to the Web. How did the security people defend this vertically and horizontally integrated business architecture? They applied the same exact 1995 security architecture—network firewalls and SSL.

In the 1999 to 2000 time frame, businesses started to rely on Web applications for major parts of their revenue. Software developers responded by building applications in different technologies because the customer didn't care (still doesn't)—the customer wanted (still wants) data access and functionality. To integrate these disparate technologies, developers deployed SOAP and XML so that Microsoft could talk to Java and WebSphere could talk to WebLogic and so on. Moreover, developers found they could use SOAP and XML to connect business-to-business networks so that partners in a supply chain or business process could exchange data and interoperate. SOAP and XML presented a fundamentally new programming model, but neither one had a security model by default for authentication, authorization, or confidentiality. How did
the security people deal with this? Sing it with me—network firewalls and SSL.

The software world didn't stop innovating in 2000, of course. In the past few years, we've seen Web services and XML form the basis of powerful service-oriented architectures (SOAs) and simple Representational State Transfer (REST) applications. We've also seen the debut of Web 2.0 and entirely new networked applications built on top of that. Clearly, the time has come to do something to meet all this innovation and somehow protect both its users and developers.

Table 1. Comparing field-level software development and information security innovations.

Relative timeline   Software          Security
~1995               CGI/Perl          Network firewalls, SSL
~1997               ASP, JSP          Network firewalls, SSL
~1998               COM, EJB, J2EE    Network firewalls, SSL
~1999–2000          SOAP, XML         Network firewalls, SSL
~2001               SOA, REST         Network firewalls, SSL
~2003               Web 2.0           Network firewalls, SSL

Prescription Patterns
Web 2.0 has no effective security model, so let's pick up the trail with the next most recent innovation, Web services, which have three main goals:

• Virtualization. We want Beijing, Bangalore, and Boston to communicate so that we can chop up work and deliver it from where it makes sense.
• Interoperability. We want our Java systems to talk to our .NET systems.
• Reusability. We want to know how many order, pricing, and customer systems one company needs.

These are goals to keep in mind when building services, so they make perfect starting points for security goals such as confidentiality, integrity, and availability. The way we seek to deliver these properties is through such mechanisms as authentication, authorization, and auditing, but the challenge is deploying these mechanisms as widely and flexibly as possible through services.

Virtualization
In terms of virtualization, we need to be able to authenticate users in one place and authorize them in another—for example, authenticate in Beijing and authorize in Bangalore. To paraphrase Ross Anderson, we need crypto mechanisms that take trust from where it exists to where it's needed. In practice, that means the authenticating locale hands the authorizing locale an assertion it can check on its own: who issued it, which service it was meant for, how long it stays valid, and which attributes it vouches for. Without those bindings, proof of identity minted in Beijing can simply be replayed against Bangalore. Figure 1 shows that authentication and authorization decisions are delivered to different locales in the architecture.

Figure 1. Virtualized service interfaces. By decoupling authentication and authorization, such decisions can be delivered to different locales in the architecture. (Diagram: several service requesters reach a service provider through a shared layer of security services, namely authentication, audit, and assurance, with authentication shown on both the requester side and the provider side of that layer.)

Interoperability
Security decisions are business, not technical, decisions. Thus, wherever possible, security information must be standards based, allowing for consistent authorization policy enforcement using SAML, XACML, and other open standards. SAML carries the authentication statement and the subject's attributes from one domain to another; XACML expresses the policy that consumes those attributes. Figure 2 diagrams where standards add the capability to transmit attributes to make security decisions.

Figure 2. Standards. Consistent policy enforcement and management translates to better security decisions. (Diagram: the same requester, security services, and provider arrangement as Figure 1, with open standards spanning the requesters and providers so that attributes can be exchanged between them.)

Reusability
The perimeter in an SOA is the document, not the network; similarly, the security model is defined by the security constructs in the document, not the network firewall. Because security comes from an operational mindset, the inclination is centralized command and control. Figure 3 shows three possible ways to deliver security services.
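The Virtualization and Interoperability sections above describe authenticating in one locale and authorizing in another on the strength of transmitted attributes. The following Python is an added example of that exchange; it is not code from the column or from Arctec Group. The issuer stands in for the Beijing authentication service, the verifier for the Bangalore authorization service, and every subject, password, key, attribute, and policy rule in it is constructed. It signs the assertion with an HMAC under a shared secret so that it runs on the standard library alone; a SAML assertion carries the same issuer, subject, audience, validity window, and attributes as XML signed with the issuer's private key, and the dict rules play the part of an XACML policy.

```python
"""Authenticate in one place, authorize in another, using a signed attribute assertion.
Added example for the Virtualization and Interoperability sections, not code from the
column. The issuer plays the Beijing locale, the verifier the Bangalore locale; all
subjects, passwords, keys, attributes and policy rules are constructed. HMAC under a
shared secret keeps it on the standard library; SAML would carry the same statements."""
import base64, hashlib, hmac, json

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def encode(body: dict) -> bytes:
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

class AuthenticationService:
    """Checks credentials and issues a short-lived, audience-bound assertion."""
    def __init__(self, issuer: str, key: bytes, user_db: dict):
        self.issuer, self.key, self.user_db = issuer, key, user_db  # subject -> (pw, attrs)

    def issue(self, subject: str, password: str, audience: str, now: int) -> str:
        record = self.user_db.get(subject)
        if record is None or not hmac.compare_digest(record[0].encode(), password.encode()):
            raise PermissionError("authentication failed")
        payload = encode({"iss": self.issuer, "sub": subject, "aud": audience,
                          "iat": now, "exp": now + 300, "attrs": record[1]})
        sig = hmac.new(self.key, payload, hashlib.sha256).digest()
        return b64url(payload) + "." + b64url(sig)

class AuthorizationService:
    """Verifies assertions from trusted issuers, then evaluates attribute-based policy."""
    def __init__(self, audience: str, trusted_issuers: dict, policy: list):
        self.audience, self.trusted_issuers, self.policy = audience, trusted_issuers, policy
        self.audit = []  # one record per request, whatever the outcome

    def verify(self, token: str, now: int) -> dict:
        try:
            payload_b64, sig_b64 = token.split(".")
            payload, sig = unb64url(payload_b64), unb64url(sig_b64)
            body = json.loads(payload)
            issuer, aud, iat, exp = body["iss"], body["aud"], int(body["iat"]), int(body["exp"])
        except (ValueError, KeyError, TypeError):
            raise ValueError("malformed assertion")
        key = self.trusted_issuers.get(issuer)
        if key is None:
            raise ValueError("untrusted issuer")
        if not hmac.compare_digest(hmac.new(key, payload, hashlib.sha256).digest(), sig):
            raise ValueError("invalid signature")  # nothing in the payload is believed before this
        if aud != self.audience:  # minted for another service: refuse, do not reuse
            raise ValueError("assertion not intended for this service")
        if not iat <= now < exp:
            raise ValueError("assertion expired or not yet valid")
        return body

    def decide(self, attrs: dict, resource: str, action: str) -> str:
        for rule in self.policy:
            if (rule["resource"], rule["action"]) == (resource, action) and all(
                    attrs.get(k) in allowed for k, allowed in rule["require"].items()):
                return "Permit"
        return "Deny"  # default deny: no matching rule means no access

    def handle(self, token: str, resource: str, action: str, now: int) -> str:
        entry = {"resource": resource, "action": action, "sub": None}
        try:
            body = self.verify(token, now)
            entry.update(sub=body["sub"], iss=body["iss"],
                         decision=self.decide(body["attrs"], resource, action))
        except ValueError as exc:
            entry.update(decision="Deny", reason=str(exc))
        self.audit.append(entry)
        return entry["decision"]

# Constructed deployment: one issuer, one authorizer, one shared key.
KEY, AUD = b"example-key-do-not-use-in-production", "orders.bangalore.example"
beijing = AuthenticationService("authn.beijing.example", KEY, {
    "alice": ("alice-pw", {"role": "buyer", "dept": "procurement"}),
    "bob": ("bob-pw", {"role": "analyst", "dept": "finance"})})
bangalore = AuthorizationService(AUD, {"authn.beijing.example": KEY}, [
    {"resource": "orders", "action": "read", "require": {"role": {"buyer", "analyst"}}},
    {"resource": "orders", "action": "create",
     "require": {"role": {"buyer"}, "dept": {"procurement"}}}])

def demo(now: int = 1_700_000_000) -> list:
    """Run the Beijing-to-Bangalore exchange plus the failure cases; return decisions."""
    bangalore.audit.clear()
    alice = beijing.issue("alice", "alice-pw", AUD, now)
    bob = beijing.issue("bob", "bob-pw", AUD, now)
    # Forgery attempt: bob edits his own attributes but cannot re-sign the payload.
    forged_body = json.loads(unb64url(bob.split(".")[0]))
    forged_body["attrs"]["role"] = "buyer"
    forged = b64url(encode(forged_body)) + "." + bob.split(".")[1]
    elsewhere = beijing.issue("alice", "alice-pw", "pricing.boston.example", now)
    return [bangalore.handle(alice, "orders", "create", now),       # Permit
            bangalore.handle(bob, "orders", "create", now),         # Deny: wrong role
            bangalore.handle(alice, "pricing", "read", now),        # Deny: no rule
            bangalore.handle(forged, "orders", "read", now),        # Deny: bad signature
            bangalore.handle(elsewhere, "orders", "read", now),     # Deny: wrong audience
            bangalore.handle(alice, "orders", "read", now + 600)]   # Deny: expired
```

The order of the checks in verify is the point: the signature of a trusted issuer is verified before any field in the payload is acted on, the audience binding stops an assertion minted for the Boston pricing service from being replayed against Bangalore, and the validity window bounds how long a captured assertion is useful. The default deny in decide means an attribute the policy does not mention grants nothing, and every request, permitted or not, leaves an audit record, which is the auditing service of Figure 1 in miniature.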
Unfortunately, the centralized model (Figure 3a) makes many assumptions from which technical and business realities diverge. In an enterprise today, you can't expect to govern both the subject and the object, as well as the session and data, in one technology or even one business unit.

Figure 3. Hybrid models. Pure (a) centralized and (b) distributed security models won't fly in the enterprise, so (c) a decentralized hybrid of security services is the pragmatic way forward. (Diagram: (a) a single central security domain governs subject, session, and object; (b) high-assurance endpoints on both sides with nothing between them; (c) medium-assurance endpoints on both sides with security devices acting as a high-assurance intermediary between them.)

The next logical step is high-assurance endpoints (Figure 3b), but the problem here is that when you have 100,000 of anything, you end up with management problems. You simply don't have enough security gurus to comprehensively address all the distributed endpoints on an ongoing basis.

Next, we go to the hybrid model (remembering that hybrids are the most resilient plants in nature) in Figure 3c. Now we can place various high-assurance intermediaries that can provide some security services to the endpoints. We can tune the intermediaries for their specific services, say, XML encryption/decryption, and environment, say, B2C or B2B. This model is predicated on how successful and scalable enterprise security mechanisms have worked in the past, such as Active Directory, Lightweight Directory Access Protocol, and federation, which all leverage multiple centers to provide services to a wide variety of endpoints. The trade-off is that the intermediaries concentrate trust: an endpoint that relies on a gateway to verify signatures or decrypt documents is only as secure as that gateway, so the effort saved on 100,000 endpoints has to be reinvested in hardening, monitoring, and auditing the far smaller number of intermediaries.

What Next?
I think this last decentralized model captures information security's best chance to regain some credibility and traction in improving software security. Web security is horribly broken after more than a decade of noninnovation, so it's time to just admit it and look to other models.

How about email systems? They fit the decentralized service-based model well: their endpoints are loosely coupled, and their agreement point is a message, not binary communication. Businesses have already proven that they can deploy this flexible model in the real world, and guess what else? We've actually seen real, live, security innovation in the field. The course your email follows is mediated by many differing security mechanisms, from antivirus tools to spam filters. This is, I think, what information security can leverage in Web applications—designing and deploying decentralized security services that facilitate the delivery of a specific service.

The real question with security as a service isn't about confidentiality, integrity, or availability properties—it's how to distribute the services that enable those properties. Meshing the two concepts together, how can we deliver virtualized, interoperable, and reusable authentication, authorization, and auditing? To move away from the static past and make security services a reality, we need to start from scratch—develop a playbook, and then classify, locate, design, and optimize the controls. Maybe someday soon, we'll catch up with the software development community.

Gunnar Peterson is a founder and managing principal at Arctec Group, which supports clients in strategic technology, decision making, and architecture. His work focuses on distributed systems security architecture, design, process, and delivery. He maintains an information security blog at http://1raindrop.typepad.com. Contact him at gunnar@arctecgroup.net.
