Security patterns with WSO2 ESB
Hasini Gunasinghe
Software Engineer, WSO2

- Security requirements of a SOA solution in the healthcare domain.
- Security patterns to accomplish them.
- Implementing the patterns with WSO2 ESB.
[Diagram: Ceycare Systems in context. Hospital services (patients' data), channelling consultation (physicians' data), medical laboratory services (medical test results) and collaboration with medical research institutes (medical statistics) all connect to Ceycare Systems.]
Why SOA?

- Expose legacy system components as services.
- Loose coupling
- Interoperability
- Flexibility
- Business process composition.
Why security in SOA?

- Business assets are exposed to the outside as services to be discovered.
- Security must still facilitate interoperability and flexibility.

- Identification and authentication
- Authorization
- Integrity
- Privacy
- Security auditing
- Survivability
- Non-repudiation

Source: Security in SOA-Based Healthcare System
Requirement:

Services need to identify and verify the claimed identity of internal users of the organization.

Pattern:

Authentication Patterns:

- Direct Authentication
  - Authenticating users with credentials stored internally.
  - Credentials can be:
    - Username/password
    - Username token
    - X.509 certificates
[Diagram: direct authentication. (1) The client presents its credential to the Secured Proxy; (2) the proxy verifies it against the Ceycare credential store; (3) the patient's record (Name, Age, History) is returned.]
Requirement:

Services need to identify and verify the claimed identity of external users from partner organizations.

Pattern:

Authentication Patterns:

- Brokered Authentication
  - Authenticating users outside the organization boundary.
  - Ceycare trusts a token issued by a trusted party in the partner organization.
  - Brokered authentication based on WS-Trust with SAML.
Scenario 1: Authentication across organizational boundaries

[Diagram: brokered authentication between CeyMed and CeyCare. (1) A CeyMed user authenticates against the CeyMed credential store; (2) the Secure Token Service of CeyMed issues a token; (3) the user presents the token to CeyCare's Secured Proxy; (4) the patient's record (Name, Age, History) is returned.]
Requirement:

Facilitate communication between clients and services that use different authentication mechanisms.

Pattern:

Resource Access Patterns:

- Protocol Transition
  - The ESB authenticates clients with the authentication mechanism they understand, e.g. UsernameToken (UT).
  - It transforms the credentials into the form the service understands, e.g. Basic Auth.
[Diagram: protocol transition. (1) The client sends a Username Token to the ESB; (2) the ESB verifies it against the Ceycare credential store; (3) the ESB calls the backend with a BasicAuth header and the patient's record (Name, Age, History) is returned.]
Requirements:

- Avoid passing user credentials to the backend service.
- Prevent users from bypassing security processing.

Pattern:

Resource Access Patterns:

- Trusted subsystem pattern
  - The user authenticates to the ESB with his/her credentials.
  - The backend (BE) service trusts the ESB.
  - The ESB accesses the BE service on behalf of the authenticated user.
[Diagram: trusted subsystem. (1) The user presents the user credential to the Secured Proxy; (2) the proxy verifies it against the Ceycare credential store; (3) the ESB calls the backend with the ESB credential and the patient's record (Name, Age, History) is returned.]
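The protocol transition and trusted subsystem patterns above, as an added Python example (not code from the deck or from WSO2 ESB): the mediator reads the wsse:UsernameToken, checks it against a constructed credential store of salted password hashes, and then calls the backend either with the user's own credential as a Basic Auth header (protocol transition) or with the ESB's own credential (trusted subsystem). The store contents, the ESB credential and the X-Authenticated-User header are assumptions.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
PASSWORD_TEXT = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-username-token-profile-1.0#PasswordText")


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed stand-in for the Ceycare credential store: only salted PBKDF2 hashes
# are kept (a real store would use a random salt per user).
_SALT = b"constructed-salt"
CREDENTIAL_STORE = {"dr.perera": _hash("S3cret!Physician", _SALT)}

# Hypothetical credential the ESB itself presents to the backend (trusted subsystem).
ESB_CREDENTIAL = ("esb-gateway", "esb-backend-secret")

# Constructed sample request carrying a clear-text UsernameToken.
SAMPLE_REQUEST = f"""<soapenv:Envelope xmlns:soapenv="{SOAP}">
  <soapenv:Header>
    <wsse:Security xmlns:wsse="{WSSE}">
      <wsse:UsernameToken>
        <wsse:Username>dr.perera</wsse:Username>
        <wsse:Password Type="{PASSWORD_TEXT}">S3cret!Physician</wsse:Password>
      </wsse:UsernameToken>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body><getPatientRecord><patientID>3521</patientID></getPatientRecord></soapenv:Body>
</soapenv:Envelope>"""


def extract_username_token(soap_envelope):
    """Return (username, password) from the wsse:UsernameToken, or None if unusable."""
    root = ET.fromstring(soap_envelope)
    token = root.find(f".//{{{WSSE}}}UsernameToken")
    if token is None:
        return None
    user = token.findtext(f"{{{WSSE}}}Username")
    pwd = token.find(f"{{{WSSE}}}Password")
    if not user or pwd is None or pwd.get("Type") != PASSWORD_TEXT:
        return None  # digest tokens would need a nonce/created check; not handled here
    return user, pwd.text or ""


def authenticate(user, password):
    """Verify the credential against the store in constant time per comparison."""
    stored = CREDENTIAL_STORE.get(user)
    if stored is None:
        _hash(password, _SALT)  # same cost for unknown users as for wrong passwords
        return False
    return hmac.compare_digest(stored, _hash(password, _SALT))


def basic_auth_header(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def mediate(soap_envelope, trusted_subsystem=True):
    """Authenticate the client and build the outbound headers; None means reject."""
    creds = extract_username_token(soap_envelope)
    if creds is None or not authenticate(*creds):
        return None
    user, password = creds
    if trusted_subsystem:
        # The user's secret never leaves the ESB; only the identity is forwarded.
        return {"Authorization": basic_auth_header(*ESB_CREDENTIAL),
                "X-Authenticated-User": user}
    # Plain protocol transition: UT becomes the user's own Basic Auth header.
    return {"Authorization": basic_auth_header(user, password)}
```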
Requirement:

Control access based on the privileges of the users.
Eg: users in the role 'Physician' can update patients' records, while users in the role 'Lab technologist' can only view records.

Pattern:

Authorization patterns

- Role based access control:
  - Assign users to roles.
  - Grant privileges to roles.
  - This is a coarse grained authorization model.
Requirement:

Control access based on the user's claims, in a fine grained manner.
Eg: heart patients' data may only be accessed by Physicians with the job title "Cardiologist".

Pattern:

Authorization patterns

- Claim based authorization:
  - Provides fine grained authorization.
  - Policy based access control with XACML provides flexibility.
Authorization based on claims carried in a SAML token.

[Diagram: claim-based authorization. (1) The client presents a SAML token to the Secured Proxy; (2) the Entitlement Mediator, acting as PEP, sends a XACML authorization request to the PAP/PDP/PIP; (3) the authorization decision is returned; (4) access to the heart patient's record (Name, Age, History) is allowed or denied.]
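Both authorization requirements above (the role-based rules for Physician and Lab technologist and the claim-based rule for Cardiologists) in one added Python example, not code from the deck or from WSO2's Entitlement Mediator: a small XACML-style evaluator using the deny-overrides combining algorithm, with the PEP only passing a message on an explicit Permit. The attribute names (roles, job_title, type, category) and the action names are assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class Request:
    """XACML-style request: subject claims (from the SAML token), action, resource attributes."""
    subject: dict
    action: str
    resource: dict


@dataclass
class Rule:
    rule_id: str
    effect: str                                    # "Permit" or "Deny"
    roles: frozenset = frozenset()                 # subject must hold any of these; empty = any
    actions: frozenset = frozenset()               # empty = any action
    resource: dict = field(default_factory=dict)   # every listed attribute must match exactly
    condition: Optional[Callable[[Request], bool]] = None  # extra claim-based predicate

    def applies(self, req):
        if self.roles and not self.roles & set(req.subject.get("roles", ())):
            return False
        if self.actions and req.action not in self.actions:
            return False
        if any(req.resource.get(k) != v for k, v in self.resource.items()):
            return False
        return self.condition is None or self.condition(req)


def evaluate(policy, req):
    """Deny-overrides: any applicable Deny wins, else Permit if any rule permits."""
    effects = [rule.effect for rule in policy if rule.applies(req)]
    if "Deny" in effects:
        return "Deny"
    if "Permit" in effects:
        return "Permit"
    return "NotApplicable"


def pep_allows(policy, req):
    """The PEP (Entitlement Mediator) forwards the message only on an explicit Permit."""
    return evaluate(policy, req) == "Permit"


# Policy encoding the two slides: coarse RBAC rules plus one claim-based rule.
CEYCARE_POLICY = [
    Rule("physician-rw", "Permit", roles=frozenset({"Physician"}),
         actions=frozenset({"view", "update"}), resource={"type": "patient_record"}),
    Rule("labtech-ro", "Permit", roles=frozenset({"Lab technologist"}),
         actions=frozenset({"view"}), resource={"type": "patient_record"}),
    # Heart patients' records: only subjects whose job_title claim is Cardiologist.
    Rule("cardiologists-only", "Deny", resource={"type": "patient_record", "category": "heart"},
         condition=lambda req: req.subject.get("job_title") != "Cardiologist"),
]
```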
Requirement:

Delegating access:
Eg: an application on a physician's mobile device needs to retrieve channelling appointments from his account in the Ceycare System.

Pattern:

Authorization patterns

- Constrained delegation using OAuth:
  1. The mobile app authenticates to the authorization server.
  2. The mobile app requests authorization from the resource owner.
  3. The resource owner authenticates to the authorization server.
  4. The resource owner grants the application permission to access the resource on his behalf.
  5. The application obtains an access token from the access grant.
  6. The resource server (ESB) validates the access token.
  7. Access to the BE resource is allowed or denied.
[Diagram: OAuth delegation. (1) Authorization request; (2) authorization grant from the resource owner; (3) the authorization grant is presented to the authorization server; (4) an access token is issued; (5) the access request with the access token reaches the OAuth Mediator on the ESB; (6) the mediator validates the access token; (7) access to the channelling appointments (Name, Time, Hospital) is allowed or denied.]
Requirements:

- Protect sensitive personal data during transmission from:
  - tampering
  - unauthorized access
- Non-repudiation: a patient's account should show who has updated his/her medical records.

Patterns:

Message protection patterns:
- Data origin authentication and integrity: digital signatures.
- Data confidentiality: encryption.

Example Configuration:
Requirement:

Avoid exposing sensitive data through exceptions.
- Legacy application code might throw exceptions containing sensitive information.
- Those exceptions need to be filtered when the system is exposed to external parties.

Pattern:

Boundary defense pattern
- Exception shielding:
  - Sanitize unsafe exception data by replacing it with a non-harmful exception message.
  - Implemented with the Enrich mediator of the ESB.

Example unsafe message:
Example Configuration:
Requirement:

Log security incidents to trace system abuse:
- Failed login attempts
- Unauthorized access attempts to services

Pattern:

Boundary defense pattern:
- Audit Interceptor
  - All messages flow through the gateway of the system (the ESB).
  - The necessary auditing is done by logging at the gateway (Log mediators of the ESB).

Example Configuration:
Requirement:

Prevent denial of service attacks caused by replaying valid messages.

Pattern:

Boundary defense pattern
- Replay mitigation:
  - Apply throttling rules at the entry point (ESB).
  - Validate message freshness with WS-Security mechanisms (Timestamp).

Applying throttling rules in ESB:

Control access at three different levels through throttling:
1. Global
2. Service
3. Operation

Throttling at global level:
Throttling at service level:
Configuring throttling in ESB:
Example Time Stamp in WS-Security Header:
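The replay mitigation above, as an added Python example (not the deck's or WSO2 ESB's configuration): a freshness check on the wsu:Timestamp of a constructed WS-Security header, a replay cache keyed on that header, and a fixed-window throttle standing in for the ESB's throttling rules. The 5-minute skew and validity limits, the sample message and its dates are assumptions.

```python
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"

# Constructed sample envelope; only the Timestamp part of the Security header is shown.
SAMPLE_ENVELOPE = f"""<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">
      <wsu:Timestamp wsu:Id="Timestamp-1">
        <wsu:Created>2012-05-04T10:15:00Z</wsu:Created>
        <wsu:Expires>2012-05-04T10:20:00Z</wsu:Expires>
      </wsu:Timestamp>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body><getPatientRecord><patientID>3521</patientID></getPatientRecord></soapenv:Body>
</soapenv:Envelope>"""


def parse_utc(value):
    """wsu:Created/Expires are xs:dateTime in UTC ('...Z'); fractional seconds are dropped."""
    return datetime.strptime(value.rstrip("Z").split(".")[0],
                             "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


class FreshnessGate:
    """Rejects stale, not-yet-valid and replayed messages based on the wsu:Timestamp."""

    def __init__(self, max_skew_s=300, max_ttl_s=300):
        self.max_skew = timedelta(seconds=max_skew_s)  # tolerated client clock drift
        self.max_ttl = timedelta(seconds=max_ttl_s)    # longest Created..Expires window accepted
        self.seen = {}  # replay cache: message key -> Expires; entries purged once expired

    def check(self, envelope, now):
        root = ET.fromstring(envelope)
        security = root.find(f".//{{{WSSE}}}Security")
        ts = security.find(f"{{{WSU}}}Timestamp") if security is not None else None
        if ts is None:
            return False, "missing Timestamp"
        created, expires = ts.findtext(f"{{{WSU}}}Created"), ts.findtext(f"{{{WSU}}}Expires")
        if not created or not expires:
            return False, "Timestamp lacks Created/Expires"
        c, e = parse_utc(created), parse_utc(expires)
        if c > now + self.max_skew:
            return False, "Created is in the future"
        if e <= now:
            return False, "message expired"
        if e - c > self.max_ttl:
            return False, "validity window too long"
        # Assumption: the Security header (timestamp plus the signature covering it) is
        # unique per message, so its hash identifies a replay within the validity window.
        key = hashlib.sha256(ET.tostring(security)).hexdigest()
        self.seen = {k: v for k, v in self.seen.items() if v > now}
        if key in self.seen:
            return False, "replayed message"
        self.seen[key] = e
        return True, "fresh"


class Throttle:
    """Fixed-window request counter per client, the simplest form of a throttling rule."""

    def __init__(self, max_requests, window_s):
        self.max_requests = max_requests
        self.window = timedelta(seconds=window_s)
        self.windows = {}  # client -> (window start, count)

    def allow(self, client_id, now):
        start, count = self.windows.get(client_id, (now, 0))
        if now - start >= self.window:
            start, count = now, 0
        if count >= self.max_requests:
            return False
        self.windows[client_id] = (start, count + 1)
        return True
```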
Requirement:

Mitigate damage to the system from messages with malicious content:
- SQL injection
- X-Doc attacks

Pattern:

Boundary defense pattern
- Message validation:
  - XML Schema validation.
  - Regular expression validation to avoid SQL injection contained in strings.
  - Validation & Filter mediators of the ESB.
Example SQL injection attack:

Query:
SELECT * FROM prescriptions WHERE patientID = ' + $patientID + ';

If
$patientID = 3521'; DROP TABLE patients;

Resulting query causing SQL injection:
SELECT * FROM prescriptions WHERE patientID = '3521';
DROP TABLE patients;

Source: Security in SOA-Based Healthcare System

Example Configuration:
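The injection above beside its mitigation, as an added Python example (not the deck's ESB configuration): a whitelist regular expression for patientID, as a Filter mediator would apply, and a parameterised query, run against a constructed in-memory SQLite database so the slide's payload can be tried without harm. The table layout and sample rows are assumptions.

```python
import re
import sqlite3

# Whitelist pattern: on this page patient IDs are plain numbers, so nothing else is accepted.
PATIENT_ID_RE = re.compile(r"[0-9]{1,10}")

# The payload from the slide.
INJECTED_ID = "3521'; DROP TABLE patients;"


def validate_patient_id(value):
    """Filter-mediator style check: the whole value must match the whitelist pattern."""
    return PATIENT_ID_RE.fullmatch(value) is not None


def build_connection():
    """Constructed in-memory database standing in for the prescriptions store."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE patients (patientID INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE prescriptions (id INTEGER PRIMARY KEY, patientID INTEGER, drug TEXT);
        INSERT INTO patients VALUES (3521, 'constructed patient');
        INSERT INTO prescriptions VALUES (1, 3521, 'constructed drug A'),
                                         (2, 3521, 'constructed drug B'),
                                         (3, 9999, 'constructed drug C');
    """)
    return conn


def prescriptions_for(conn, patient_id):
    """Hardened path: whitelist validation first, then a parameterised query."""
    if not validate_patient_id(patient_id):
        raise ValueError("patientID rejected by message validation")
    cur = conn.execute("SELECT id, patientID, drug FROM prescriptions WHERE patientID = ?",
                       (int(patient_id),))
    return cur.fetchall()


def query_parameterised_only(conn, patient_id):
    """Second layer on its own: the value is bound as data, never parsed as SQL text,
    so the slide's payload simply matches no row instead of dropping the table."""
    cur = conn.execute("SELECT id, patientID, drug FROM prescriptions WHERE patientID = ?",
                       (patient_id,))
    return cur.fetchall()


def table_exists(conn, name):
    row = conn.execute("SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?",
                       (name,)).fetchone()
    return row is not None
```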
Summary:

- Security requirements related to a healthcare SOA solution.
- Security patterns used to accomplish them.
- How WSO2 ESB fits in the security patterns.

References:

- WSO2 Security & Identity Gateway solution white paper:
  http://wso2.com/casestudies/wso2-security-and-identity-gateway-solution/
- Security in SOA based healthcare systems, by Richard Sassoon
Selected Customers



 https://ail.google.com/mail/u/0/?ui=2&ik=ad9a
 e58f41&view=att&th=1331a70983344a32&atti
 d=0.1&disp=thd&realattid=f_gtxto6mk0&zw
• QuickStart
• Development
  Support
• Development
  Services
• Production
  Support
• Turnkey Solutions
    • WSO2 Mobile Services Solution
    • WSO2 FIX Gateway Solution
    • WSO2 SAP Gateway Solution
Contact us:
 bizdev@wso2.com

More Related Content

Viewers also liked

Api security-eic-prabath
Api security-eic-prabathApi security-eic-prabath
Api security-eic-prabath
WSO2
 
RahasNym: Preventing Linkability in the Digital Identity Eco System
RahasNym: Preventing Linkability in the Digital Identity Eco SystemRahasNym: Preventing Linkability in the Digital Identity Eco System
RahasNym: Preventing Linkability in the Digital Identity Eco System
HasiniG
 
Standardizing Identity Provisioning with SCIM
Standardizing Identity Provisioning with SCIMStandardizing Identity Provisioning with SCIM
Standardizing Identity Provisioning with SCIM
HasiniG
 
WSO2 Charon
WSO2 CharonWSO2 Charon
WSO2 Charon
HasiniG
 
Privacy Preserving Biometrics-Based and User Centric Authentication Protocol
Privacy Preserving Biometrics-Based and User Centric Authentication ProtocolPrivacy Preserving Biometrics-Based and User Centric Authentication Protocol
Privacy Preserving Biometrics-Based and User Centric Authentication Protocol
HasiniG
 
WSO2Con USA 2015: End-to-end Microservice Architecture with WSO2 Identity Ser...
WSO2Con USA 2015: End-to-end Microservice Architecture with WSO2 Identity Ser...WSO2Con USA 2015: End-to-end Microservice Architecture with WSO2 Identity Ser...
WSO2Con USA 2015: End-to-end Microservice Architecture with WSO2 Identity Ser...
WSO2
 
Enterprise Security and Identity Management Use Cases with WSO2 Identity Server
Enterprise Security and Identity Management Use Cases with WSO2 Identity ServerEnterprise Security and Identity Management Use Cases with WSO2 Identity Server
Enterprise Security and Identity Management Use Cases with WSO2 Identity Server
HasiniG
 

Viewers also liked (7)

Api security-eic-prabath
Api security-eic-prabathApi security-eic-prabath
Api security-eic-prabath
 
RahasNym: Preventing Linkability in the Digital Identity Eco System
RahasNym: Preventing Linkability in the Digital Identity Eco SystemRahasNym: Preventing Linkability in the Digital Identity Eco System
RahasNym: Preventing Linkability in the Digital Identity Eco System
 
Standardizing Identity Provisioning with SCIM
Standardizing Identity Provisioning with SCIMStandardizing Identity Provisioning with SCIM
Standardizing Identity Provisioning with SCIM
 
WSO2 Charon
WSO2 CharonWSO2 Charon
WSO2 Charon
 
Privacy Preserving Biometrics-Based and User Centric Authentication Protocol
Privacy Preserving Biometrics-Based and User Centric Authentication ProtocolPrivacy Preserving Biometrics-Based and User Centric Authentication Protocol
Privacy Preserving Biometrics-Based and User Centric Authentication Protocol
 
WSO2Con USA 2015: End-to-end Microservice Architecture with WSO2 Identity Ser...
WSO2Con USA 2015: End-to-end Microservice Architecture with WSO2 Identity Ser...WSO2Con USA 2015: End-to-end Microservice Architecture with WSO2 Identity Ser...
WSO2Con USA 2015: End-to-end Microservice Architecture with WSO2 Identity Ser...
 
Enterprise Security and Identity Management Use Cases with WSO2 Identity Server
Enterprise Security and Identity Management Use Cases with WSO2 Identity ServerEnterprise Security and Identity Management Use Cases with WSO2 Identity Server
Enterprise Security and Identity Management Use Cases with WSO2 Identity Server
 

Similar to Security patterns with wso2 esb

Presentation
PresentationPresentation
Presentation
Laxman Kumar
 
Computer security module 4
Computer security module 4Computer security module 4
Computer security module 4
Deepak John
 
Blacklisting and blocking anonymous credential users
Blacklisting and blocking anonymous credential usersBlacklisting and blocking anonymous credential users
Blacklisting and blocking anonymous credential users
IAEME Publication
 
Blacklisting and blocking anonymous credential users
Blacklisting and blocking anonymous credential usersBlacklisting and blocking anonymous credential users
Blacklisting and blocking anonymous credential users
IAEME Publication
 
Unit 5
Unit 5Unit 5
Authentication and Authorization Models
Authentication and Authorization ModelsAuthentication and Authorization Models
Authentication and Authorization Models
CSCJournals
 
Better Together: JWT and Hashi Vault in Modern Apps
Better Together: JWT and Hashi Vault in Modern AppsBetter Together: JWT and Hashi Vault in Modern Apps
Better Together: JWT and Hashi Vault in Modern Apps
Shrivatsa Upadhye
 
Week3 lecture
Week3 lectureWeek3 lecture
Week3 lecture
Shaikha AlQaydi
 
UMA as Authorization mechanism for IoT: a healthcare scenario
UMA as Authorization mechanism for IoT: a healthcare scenarioUMA as Authorization mechanism for IoT: a healthcare scenario
UMA as Authorization mechanism for IoT: a healthcare scenario
Domenico Catalano
 
api-security-Jan23.pptxsdfffffffffffffffffffffffffffff
api-security-Jan23.pptxsdfffffffffffffffffffffffffffffapi-security-Jan23.pptxsdfffffffffffffffffffffffffffff
api-security-Jan23.pptxsdfffffffffffffffffffffffffffff
DucAnhLe56
 
Identity Federation on JBossAS
Identity Federation on JBossASIdentity Federation on JBossAS
Identity Federation on JBossAS
Roger CARHUATOCTO
 
SOA Security - So What?
SOA Security - So What?SOA Security - So What?
SOA Security - So What?
Oliver Pfaff
 
Privacypreservingauthenticationbiometrics 100228075830-phpapp02
Privacypreservingauthenticationbiometrics 100228075830-phpapp02Privacypreservingauthenticationbiometrics 100228075830-phpapp02
Privacypreservingauthenticationbiometrics 100228075830-phpapp02
Hai Nguyen
 
ch14.ppt
ch14.pptch14.ppt
ch14.ppt
SomuPatil8
 
PharmaLedger: A Digital Trust Ecosystem for Healthcare
PharmaLedger: A Digital Trust Ecosystem for HealthcarePharmaLedger: A Digital Trust Ecosystem for Healthcare
PharmaLedger: A Digital Trust Ecosystem for Healthcare
SSIMeetup
 
An Enhanced Security System for Web Authentication
An Enhanced Security System for Web Authentication An Enhanced Security System for Web Authentication
An Enhanced Security System for Web Authentication
IJMER
 
New Trends in Web Security
New Trends in Web SecurityNew Trends in Web Security
New Trends in Web Security
Oliver Pfaff
 
Ch14
Ch14Ch14
When and Why Would I use Oauth2?
When and Why Would I use Oauth2?When and Why Would I use Oauth2?
When and Why Would I use Oauth2?
Dave Syer
 
Federated SOA Security Example From the Dutch National Healthcare Exchange
Federated SOA Security Example From the Dutch National Healthcare Exchange Federated SOA Security Example From the Dutch National Healthcare Exchange
Federated SOA Security Example From the Dutch National Healthcare Exchange
CA API Management
 

Similar to Security patterns with wso2 esb (20)

Presentation
PresentationPresentation
Presentation
 
Computer security module 4
Computer security module 4Computer security module 4
Computer security module 4
 
Blacklisting and blocking anonymous credential users
Blacklisting and blocking anonymous credential usersBlacklisting and blocking anonymous credential users
Blacklisting and blocking anonymous credential users
 
Blacklisting and blocking anonymous credential users
Blacklisting and blocking anonymous credential usersBlacklisting and blocking anonymous credential users
Blacklisting and blocking anonymous credential users
 
Unit 5
Unit 5Unit 5
Unit 5
 
Authentication and Authorization Models
Authentication and Authorization ModelsAuthentication and Authorization Models
Authentication and Authorization Models
 
Better Together: JWT and Hashi Vault in Modern Apps
Better Together: JWT and Hashi Vault in Modern AppsBetter Together: JWT and Hashi Vault in Modern Apps
Better Together: JWT and Hashi Vault in Modern Apps
 
Week3 lecture
Week3 lectureWeek3 lecture
Week3 lecture
 
UMA as Authorization mechanism for IoT: a healthcare scenario
UMA as Authorization mechanism for IoT: a healthcare scenarioUMA as Authorization mechanism for IoT: a healthcare scenario
UMA as Authorization mechanism for IoT: a healthcare scenario
 
api-security-Jan23.pptxsdfffffffffffffffffffffffffffff
api-security-Jan23.pptxsdfffffffffffffffffffffffffffffapi-security-Jan23.pptxsdfffffffffffffffffffffffffffff
api-security-Jan23.pptxsdfffffffffffffffffffffffffffff
 
Identity Federation on JBossAS
Identity Federation on JBossASIdentity Federation on JBossAS
Identity Federation on JBossAS
 
SOA Security - So What?
SOA Security - So What?SOA Security - So What?
SOA Security - So What?
 
Privacypreservingauthenticationbiometrics 100228075830-phpapp02
Privacypreservingauthenticationbiometrics 100228075830-phpapp02Privacypreservingauthenticationbiometrics 100228075830-phpapp02
Privacypreservingauthenticationbiometrics 100228075830-phpapp02
 
ch14.ppt
ch14.pptch14.ppt
ch14.ppt
 
PharmaLedger: A Digital Trust Ecosystem for Healthcare
PharmaLedger: A Digital Trust Ecosystem for HealthcarePharmaLedger: A Digital Trust Ecosystem for Healthcare
PharmaLedger: A Digital Trust Ecosystem for Healthcare
 
An Enhanced Security System for Web Authentication
An Enhanced Security System for Web Authentication An Enhanced Security System for Web Authentication
An Enhanced Security System for Web Authentication
 
New Trends in Web Security
New Trends in Web SecurityNew Trends in Web Security
New Trends in Web Security
 
Ch14
Ch14Ch14
Ch14
 
When and Why Would I use Oauth2?
When and Why Would I use Oauth2?When and Why Would I use Oauth2?
When and Why Would I use Oauth2?
 
Federated SOA Security Example From the Dutch National Healthcare Exchange
Federated SOA Security Example From the Dutch National Healthcare Exchange Federated SOA Security Example From the Dutch National Healthcare Exchange
Federated SOA Security Example From the Dutch National Healthcare Exchange
 

Recently uploaded

LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
DanBrown980551
 
Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |
AstuteBusiness
 
Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)
Jakub Marek
 
Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...
Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...
Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...
Pitangent Analytics & Technology Solutions Pvt. Ltd
 
Demystifying Knowledge Management through Storytelling
Demystifying Knowledge Management through StorytellingDemystifying Knowledge Management through Storytelling
Demystifying Knowledge Management through Storytelling
Enterprise Knowledge
 
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
saastr
 
Mutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented ChatbotsMutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented Chatbots
Pablo Gómez Abajo
 
A Deep Dive into ScyllaDB's Architecture
A Deep Dive into ScyllaDB's ArchitectureA Deep Dive into ScyllaDB's Architecture
A Deep Dive into ScyllaDB's Architecture
ScyllaDB
 
Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Biomedical Knowledge Graphs for Data Scientists and BioinformaticiansBiomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Neo4j
 
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdfHow to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
Chart Kalyan
 
Fueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte WebinarFueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte Webinar
Zilliz
 
Essentials of Automations: Exploring Attributes & Automation Parameters
Essentials of Automations: Exploring Attributes & Automation ParametersEssentials of Automations: Exploring Attributes & Automation Parameters
Essentials of Automations: Exploring Attributes & Automation Parameters
Safe Software
 
The Microsoft 365 Migration Tutorial For Beginner.pptx
The Microsoft 365 Migration Tutorial For Beginner.pptxThe Microsoft 365 Migration Tutorial For Beginner.pptx
The Microsoft 365 Migration Tutorial For Beginner.pptx
operationspcvita
 
Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving | Nameplate Manufacturing Process - 2024Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving
 
Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS  at Code Europe 2024Introduction of Cybersecurity with OSS  at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024
Hiroshi SHIBATA
 
Dandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity serverDandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity server
Antonios Katsarakis
 
What is an RPA CoE? Session 1 – CoE Vision
What is an RPA CoE?  Session 1 – CoE VisionWhat is an RPA CoE?  Session 1 – CoE Vision
What is an RPA CoE? Session 1 – CoE Vision
DianaGray10
 
Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024
Jason Packer
 
Skybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoptionSkybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoption
Tatiana Kojar
 
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectorsConnector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
DianaGray10
 

Recently uploaded (20)

LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
 
Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |
 
Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)
 
Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...
Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...
Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...
 
Demystifying Knowledge Management through Storytelling
Demystifying Knowledge Management through StorytellingDemystifying Knowledge Management through Storytelling
Demystifying Knowledge Management through Storytelling
 
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
 
Mutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented ChatbotsMutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented Chatbots
 
A Deep Dive into ScyllaDB's Architecture
A Deep Dive into ScyllaDB's ArchitectureA Deep Dive into ScyllaDB's Architecture
A Deep Dive into ScyllaDB's Architecture
 
Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Biomedical Knowledge Graphs for Data Scientists and BioinformaticiansBiomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
 
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdfHow to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
 
Fueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte WebinarFueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte Webinar
 
Essentials of Automations: Exploring Attributes & Automation Parameters
Essentials of Automations: Exploring Attributes & Automation ParametersEssentials of Automations: Exploring Attributes & Automation Parameters
Essentials of Automations: Exploring Attributes & Automation Parameters
 
The Microsoft 365 Migration Tutorial For Beginner.pptx
The Microsoft 365 Migration Tutorial For Beginner.pptxThe Microsoft 365 Migration Tutorial For Beginner.pptx
The Microsoft 365 Migration Tutorial For Beginner.pptx
 
Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving | Nameplate Manufacturing Process - 2024Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving | Nameplate Manufacturing Process - 2024
 
Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS  at Code Europe 2024Introduction of Cybersecurity with OSS  at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024
 
Dandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity serverDandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity server
 
What is an RPA CoE? Session 1 – CoE Vision
What is an RPA CoE?  Session 1 – CoE VisionWhat is an RPA CoE?  Session 1 – CoE Vision
What is an RPA CoE? Session 1 – CoE Vision
 
Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024
 
Skybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoptionSkybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoption
 
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectorsConnector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
 

Security patterns with wso2 esb

  • 2. Security requirements of a SOA solution in healthcare domain.  Security patterns to accomplish them.  Implementing patterns with WSO2 ESB.
  • 3. Hospital Services Channelling consultation Physicians’ Patients’ data data Ceycare Systems Medical Laboratory Collaboration with medical Services research institutes Medical Test results Medical statistics
  • 4. Why SOA?  Expose legacy sytem components as services.  Loose coupling  Interoperability  Flexibility  Business process composition.
  • 5. Why security in SOA?  Business assets exposed to outside as services to be discovered.  Should facilitates interoperability, flexibility.
  • 6.  Identification and authentication  Authorization  Intergrity  Privacy  Security auditing  Survivability  Non-repudiation Source: Security in SOA-Based Healthcare System
  • 7. Requirement: Services need to identify and verify the claimed identity of internal users of the organization.
  • 8. Pattern: Authentication Patterns:  Direct Authentication - Authenticating users with credentials stored internally. - Credentials can be : - Username/password - Username token - X.509 certificates
  • 9. Patient’s Records: Name: Credential 3 Age: Histroy: 1 Secured Proxy 2 Ceycare credential store
  • 10. Requirement: Services need to identify and verify the claimed identity of external users – from partner organizations.
  • 11. Pattern: Authentication Patterns:  Brokered Authentication  Authenticating users outside the organization boundary.  Ceycare trusts a token issued by a trusted party in partner organization.  Brokered authentication based on WS-Trust with SAML.
  • 12. Scenario 1: Authentication accross organizational boundries CeyCare 4 Patient’s Records: Secure Token Name: Service of Age: CeyMed Histroy: 2 Secured Proxy 3 CeyMed 1 credential store CeyMed
  • 13. Requirement: Facilitate communication between clients and services which talk in different authentication mechanisms.
  • 14. Pattern: Resource Access Patterns:  Protocol Transition  ESB authenticates clients with the auth mechanism that they understand – e.g. UT (UsernameToken)  Transform credentials into the form that the service understands – e.g. Basic Auth
  • 15. Diagram (protocol transition): Username Token (1) → Secured Proxy → Ceycare credential store (2) → BasicAuth Header (3) → Patient’s Records (Name, Age, History).
  • 16. Requirements: - Avoid passing user credentials to the backend service. - Avoid users bypassing security processing.
  • 17. Pattern: Resource Access Patterns:  Trusted subsystem pattern  User authenticates to ESB with his/her credentials.  BE service trusts ESB.  ESB accesses BE service on behalf of the authenticated user.
  • 18. Diagram (trusted subsystem): User Credential (1) → Secured Proxy → Ceycare credential store (2) → ESB Credential (3) → Patient’s Records (Name, Age, History).
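Protocol transition (slide 14) and the trusted subsystem pattern (slide 17) differ only in whose credential reaches the backend, so one gateway-side Python illustration serves both. This is an added example, not WSO2 ESB code: the hashed credential store, the gateway's own `esb-gateway` credential and the `X-Authenticated-User` header name are assumptions made for the example.

```python
"""Gateway credential handling for two resource access patterns:
protocol transition (slide 14) and trusted subsystem (slide 17).

Added illustration; not WSO2 ESB code. The credential store contents, the
ESB's own credential and the X-Authenticated-User header name are assumptions
made for this example.
"""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

WSSE_NS = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-secext-1.0.xsd")

_SALT = b"constructed-salt"          # a real store uses a random salt per user


def _digest(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)


# Constructed stand-in for the Ceycare credential store (hashed passwords only).
CREDENTIAL_STORE = {"dr.perera": _digest("correct horse")}

# Credential the gateway itself presents to the backend (trusted subsystem).
ESB_CREDENTIAL = ("esb-gateway", "esb-secret")


def parse_username_token(soap_xml: str):
    """Pull username and (PasswordText) password out of the WS-Security header."""
    ns = {"wsse": WSSE_NS}
    token = ET.fromstring(soap_xml).find(".//wsse:UsernameToken", ns)
    if token is None:
        raise ValueError("no UsernameToken in the Security header")
    user = token.findtext("wsse:Username", default="", namespaces=ns)
    password = token.findtext("wsse:Password", default="", namespaces=ns)
    return user, password


def authenticate(user: str, password: str) -> bool:
    """Constant-time comparison against the stored digest; unknown users still
    cost one digest computation so timing does not reveal which names exist."""
    stored = CREDENTIAL_STORE.get(user)
    candidate = _digest(password)
    return stored is not None and hmac.compare_digest(stored, candidate)


def basic_auth_header(user: str, password: str) -> str:
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def protocol_transition(soap_xml: str) -> dict:
    """UsernameToken in, HTTP Basic Auth out: the user's own credential is
    re-encoded into the form the backend understands."""
    user, password = parse_username_token(soap_xml)
    if not authenticate(user, password):
        raise PermissionError("authentication failed")
    return {"Authorization": basic_auth_header(user, password)}


def trusted_subsystem_forward(soap_xml: str) -> dict:
    """The gateway authenticates the user, then calls the backend with its own
    credential; the user's secret never leaves the gateway and the
    authenticated identity travels in a separate (assumed) header."""
    user, password = parse_username_token(soap_xml)
    if not authenticate(user, password):
        raise PermissionError("authentication failed")
    return {"Authorization": basic_auth_header(*ESB_CREDENTIAL),
            "X-Authenticated-User": user}


# Constructed request carrying a UsernameToken.
SAMPLE_REQUEST = f"""<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <wsse:Security xmlns:wsse="{WSSE_NS}">
      <wsse:UsernameToken>
        <wsse:Username>dr.perera</wsse:Username>
        <wsse:Password>correct horse</wsse:Password>
      </wsse:UsernameToken>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body><getPatientRecord><patientID>3521</patientID></getPatientRecord></soapenv:Body>
</soapenv:Envelope>"""

if __name__ == "__main__":
    print(protocol_transition(SAMPLE_REQUEST))
    print(trusted_subsystem_forward(SAMPLE_REQUEST))
```

In the trusted subsystem variant the backend only ever sees the gateway's credential, which is exactly what makes "BE service trusts ESB" workable: the backend can be firewalled to accept that one identity, and the user's password cannot be replayed against it.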
  • 19. Requirement: Control access based on privileges of the users. Eg: Users in role: ‘Physician’ can update patients’ records while users in role: ‘Lab technologist’ can only view records
  • 20. Pattern: Authorization patterns  Role based access control:  Assign users to roles.  Grant privileges to roles.  This is a coarse grained authorization model.
  • 21. Requirement: Control access based on user’s claims, in a fine grained manner. Eg: Heart patients’ data could only be accessed by Physicians with job title: “Cardiologist”
  • 22. Pattern: Authorization patterns  Claim based authorization :  Provides fine grained authorization.  Policy based access control with XACML – provides flexibility.
  • 23. Authorization based on claims carried in SAML token. Diagram: SAML Token → Secured Proxy (1) → Entitlement Mediator [PEP] → (2) XACML Authorization request → PAP, PDP, PIP → (3) Authorization decision → (4) Allow/deny access → Heart Patient’s Records (Name, Age, History).
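Both authorization patterns, as an added Python illustration that is not WSO2 ESB or XACML engine code: the role-to-privilege table gives the coarse-grained check of slide 20, and a small first-applicable rule list stands in for the XACML policy that the PDP evaluates and the PEP (the entitlement mediator in slide 23) enforces. The role names, the `jobTitle` claim, and the patient records are constructed for the example.

```python
"""Role-based (coarse) and claims-based (fine-grained) authorization decisions.

Stand-alone illustration of the two authorization patterns; not WSO2 ESB or
XACML engine code. Roles, claims and records are constructed for the example.
"""
from dataclasses import dataclass, field

# --- Role-based access control: users -> roles, roles -> privileges ----------
ROLE_PRIVILEGES = {
    "Physician": {"view_record", "update_record"},
    "Lab technologist": {"view_record"},
}


def rbac_allows(roles, action):
    """Coarse-grained check: allowed if any of the user's roles carries the privilege."""
    return any(action in ROLE_PRIVILEGES.get(r, set()) for r in roles)


# --- Claims-based access control: rules over subject and resource attributes -
@dataclass
class Subject:
    name: str
    roles: set
    claims: dict = field(default_factory=dict)   # e.g. attributes from a SAML assertion


@dataclass
class Resource:
    patient_id: str
    category: str                                # e.g. "heart" or "general"


def _heart_rule(subj, res, action):
    """Heart patients' data only for physicians whose job title claim is Cardiologist."""
    if res.category != "heart":
        return None                              # rule not applicable to this resource
    is_cardiologist = ("Physician" in subj.roles
                       and subj.claims.get("jobTitle") == "Cardiologist")
    return "Permit" if is_cardiologist else "Deny"


def _rbac_rule(subj, res, action):
    """Fallback: the coarse role check decides everything else."""
    return "Permit" if rbac_allows(subj.roles, action) else "Deny"


# Constructed policy: first applicable rule wins, as XACML's first-applicable
# combining algorithm does. Order matters: the specific rule comes first.
POLICY = [_heart_rule, _rbac_rule]


def pdp_decide(subj, res, action):
    """Policy Decision Point: evaluate rules in order; NotApplicable if none matches."""
    for rule in POLICY:
        effect = rule(subj, res, action)
        if effect is not None:
            return effect
    return "NotApplicable"


def pep_enforce(subj, res, action):
    """Policy Enforcement Point: only an explicit Permit lets the request through."""
    return pdp_decide(subj, res, action) == "Permit"


if __name__ == "__main__":
    cardio = Subject("dr.perera", {"Physician"}, {"jobTitle": "Cardiologist"})
    gp = Subject("dr.silva", {"Physician"}, {"jobTitle": "General practitioner"})
    tech = Subject("n.fernando", {"Lab technologist"})
    heart, general = Resource("3521", "heart"), Resource("4410", "general")
    print(pep_enforce(cardio, heart, "view_record"))    # True
    print(pep_enforce(gp, heart, "view_record"))        # False: physician, but not a cardiologist
    print(pep_enforce(gp, general, "update_record"))    # True
    print(pep_enforce(tech, general, "update_record"))  # False: role lacks the privilege
```

Keeping the policy as data evaluated by a PDP, rather than as `if` statements inside the service, is the point of slide 22: the cardiologist rule can be changed or reordered without touching the application.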
  • 24. Requirement: Delegating access: Eg: Application in a physician’s mobile device needs to retrieve channelling appointments from his account in Ceycare System.
  • 25. Pattern: Authorization patterns  Constrained delegation using OAuth: 1. Mobile app authenticates to authorization server. 2. Mobile app requests authorization from resource owner. 3. Resource owner authenticates to authorization server. 4. Resource owner grants permissions to the application to access resource on behalf of him. 5. Application obtains access token from access grant. 6. Resource server (ESB) validates access token. 7. Allow/Deny access to BE resource.
  • 26. Diagram (OAuth delegation): (1) Authorization request, (2) Authorization grant, (3) Authorization grant, (4) Access Token, (5) Access request + Access Token → OAuth Mediator, (6) Validate Access Token, (7) Allow/deny → Channelling appointments (Name, Time, Hospital).
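The seven steps of slide 25 as one added Python simulation, not WSO2 code: an in-memory authorization server, the mobile app's calls, and a resource server that plays the ESB's OAuth mediator from slide 26. Client ids, secrets, the owner account, the scope name `appointments:read` and the appointment data are all constructed for the example.

```python
"""Constrained delegation: the seven OAuth steps on slide 25 as an in-memory
simulation of authorization server, mobile app and resource server.

Added example, not WSO2 code. Client ids, secrets, owner accounts, the scope
name "appointments:read" and the appointment data are all constructed.
"""
import secrets
import time


class AuthorizationServer:
    def __init__(self):
        self.clients = {"mobile-app": "app-secret"}       # registered applications
        self.owners = {"dr.perera": "owner-password"}     # resource owner accounts
        self.grants = {}   # authorization code -> (client_id, owner, scope)
        self.tokens = {}   # access token -> (owner, scope, expiry epoch seconds)

    @staticmethod
    def _check(table, name, secret):
        return secrets.compare_digest(table.get(name, ""), secret)

    def authorize(self, client_id, owner, owner_password, scope):
        """Steps 2-4: app requests authorization, owner authenticates and
        consents, server returns an authorization grant (a one-time code)."""
        if client_id not in self.clients:
            raise PermissionError("unknown client")
        if not self._check(self.owners, owner, owner_password):
            raise PermissionError("resource owner authentication failed")
        code = secrets.token_urlsafe(16)
        self.grants[code] = (client_id, owner, frozenset(scope))
        return code

    def token(self, client_id, client_secret, code, ttl=300):
        """Steps 1 and 5: app authenticates and exchanges the grant for a token."""
        if not self._check(self.clients, client_id, client_secret):
            raise PermissionError("client authentication failed")
        grant = self.grants.pop(code, None)   # pop: a replayed code is rejected
        if grant is None or grant[0] != client_id:
            raise PermissionError("invalid or already used grant")
        tok = secrets.token_urlsafe(24)
        self.tokens[tok] = (grant[1], grant[2], time.time() + ttl)
        return tok

    def introspect(self, tok):
        """Step 6: tell the resource server whether the token is live and for what."""
        entry = self.tokens.get(tok)
        if entry is None or entry[2] <= time.time():
            return None
        return {"owner": entry[0], "scope": entry[1]}


class ResourceServer:
    """Plays the ESB's OAuth mediator: validate the token, then allow or deny (step 7)."""
    def __init__(self, auth_server):
        self.auth = auth_server
        self.appointments = {   # constructed channelling appointments per owner
            "dr.perera": [{"name": "Channelling", "time": "09:30", "hospital": "Ceycare"}],
        }

    def get_appointments(self, owner, access_token):
        info = self.auth.introspect(access_token)
        if info is None:
            raise PermissionError("invalid or expired token")
        if info["owner"] != owner or "appointments:read" not in info["scope"]:
            raise PermissionError("token does not cover this resource")
        return self.appointments.get(owner, [])


def _raises(fn):
    try:
        fn()
    except PermissionError:
        return True
    return False


def happy_path():
    """All seven steps with a correctly scoped, live token."""
    auth, rs = AuthorizationServer(), ResourceServer(AuthorizationServer())
    rs.auth = auth
    code = auth.authorize("mobile-app", "dr.perera", "owner-password", ["appointments:read"])
    return rs.get_appointments("dr.perera", auth.token("mobile-app", "app-secret", code))


def failure_modes():
    """The checks that keep the delegation constrained."""
    auth = AuthorizationServer()
    rs = ResourceServer(auth)
    out = {}
    code = auth.authorize("mobile-app", "dr.perera", "owner-password", ["appointments:read"])
    auth.token("mobile-app", "app-secret", code)
    out["replayed_code_rejected"] = _raises(lambda: auth.token("mobile-app", "app-secret", code))
    narrow = auth.token("mobile-app", "app-secret",
                        auth.authorize("mobile-app", "dr.perera", "owner-password", ["profile:read"]))
    out["wrong_scope_rejected"] = _raises(lambda: rs.get_appointments("dr.perera", narrow))
    expired = auth.token("mobile-app", "app-secret",
                         auth.authorize("mobile-app", "dr.perera", "owner-password", ["appointments:read"]), ttl=-1)
    out["expired_token_rejected"] = _raises(lambda: rs.get_appointments("dr.perera", expired))
    out["wrong_owner_password_rejected"] = _raises(
        lambda: auth.authorize("mobile-app", "dr.perera", "guess", ["appointments:read"]))
    return out


if __name__ == "__main__":
    print(happy_path())
    print(failure_modes())
```

The application never learns the physician's password: it holds only a scoped, expiring token, and the resource server refuses that token for any other owner, scope or time window, which is what "constrained" delegation means in practice.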
  • 27. Requirements:  Protect sensitive personal data during transmission from :  tampering  unauthorized access  Non-repudiation - A patient’s account should show who has updated his/her medical records.
  • 28. Patterns: Message protection patterns:  Data origin authentication and integrity - digital signatures.  Data confidentiality - digital encryption.
  • 31. Requirement: Avoid exposing sensitive data through exceptions.  Legacy application code might throw exceptions containing sensitive information.  Need to filter those exceptions when the system is exposed to external parties.
  • 32. Pattern: Boundary defense pattern  Exception shielding: - Sanitize unsafe exception data by replacing it with a non-harmful exception message. - Enrich mediator of ESB.
  • 33. Example un-safe message:
  • 34. Example Configuration:
  • 35. Requirement: Log security incidents to trace system abuse: - Failed login attempts - Unauthorized access attempts to services
  • 36. Pattern: Boundary defense pattern:  Audit Interceptor  All messages flow through a gateway of the system (ESB).  Necessary auditing is done by logging at the gateway (Log mediators of ESB).
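Exception shielding (slide 32) and the audit interceptor (slide 36) both live at the same gateway entry point, so one added Python request handler illustrates both. This is an added example, not WSO2 ESB configuration (the deck does this with the Enrich and Log mediators); the user table, the legacy backend and its leaky error text are constructed, and the logs go to in-memory buffers so it runs offline.

```python
"""Boundary defenses at the gateway: exception shielding (slide 32) and the
audit interceptor (slide 36) in one request handler.

Added example, not WSO2 ESB configuration. The user table, the legacy backend
and its error text are constructed; logs go to in-memory buffers.
"""
import logging
import secrets
import uuid
from io import StringIO

AUDIT_STREAM = StringIO()       # security events: who, what, outcome
INTERNAL_STREAM = StringIO()    # full diagnostic detail, never returned to callers


def _logger(name, stream):
    lg = logging.getLogger(name)
    lg.setLevel(logging.INFO)
    lg.propagate = False
    lg.handlers.clear()
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    lg.addHandler(handler)
    return lg


audit = _logger("gateway.audit", AUDIT_STREAM)
internal = _logger("gateway.internal", INTERNAL_STREAM)

# Constructed users: name -> (password, roles); privileges per role.
USERS = {"dr.perera": ("pw-1", {"Physician"}), "n.fernando": ("pw-2", {"Lab technologist"})}
PRIVILEGES = {"Physician": {"view", "update"}, "Lab technologist": {"view"}}


def legacy_backend(action, record_id):
    """Constructed legacy service whose exception text exposes internals."""
    if record_id == "9999":
        raise RuntimeError("ORA-00942 on PATIENTS at jdbc:oracle:thin:@db01.internal:1521/CEYCARE")
    return {"record": record_id, "action": action}


def handle(user, password, action, record_id, client_ip="10.0.0.5"):
    """Gateway entry point: every security-relevant outcome is audited, and a
    backend exception is replaced by a generic fault that carries only a
    correlation id linking it to the internal log."""
    cid = uuid.uuid4().hex[:12]
    entry = USERS.get(user)
    if entry is None or not secrets.compare_digest(entry[0], password):
        audit.warning("cid=%s event=login_failed user=%s ip=%s", cid, user, client_ip)
        return {"status": 401, "fault": "Authentication failed", "cid": cid}
    if not any(action in PRIVILEGES[r] for r in entry[1]):
        audit.warning("cid=%s event=unauthorized user=%s action=%s record=%s",
                      cid, user, action, record_id)
        return {"status": 403, "fault": "Not authorized", "cid": cid}
    try:
        result = legacy_backend(action, record_id)
    except Exception as exc:                       # exception shielding
        internal.error("cid=%s user=%s backend raised: %s", cid, user, exc)
        audit.info("cid=%s event=backend_fault user=%s action=%s", cid, user, action)
        return {"status": 500, "fault": f"Internal error (reference {cid})", "cid": cid}
    audit.info("cid=%s event=success user=%s action=%s record=%s", cid, user, action, record_id)
    return {"status": 200, "result": result, "cid": cid}


def audit_lines():
    return AUDIT_STREAM.getvalue().splitlines()


def internal_lines():
    return INTERNAL_STREAM.getvalue().splitlines()


if __name__ == "__main__":
    print(handle("dr.perera", "wrong", "view", "3521"))
    print(handle("n.fernando", "pw-2", "update", "3521"))
    print(handle("dr.perera", "pw-1", "update", "9999"))
    print(handle("dr.perera", "pw-1", "update", "3521"))
    print("\n".join(audit_lines()))
```

The correlation id is what makes shielding usable in operations: the caller gets a reference they can quote, the internal log holds the connection string and error code, and the audit log records the failed login and unauthorized attempts that slide 35 asks for without ever containing the secret detail.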
  • 38. Requirement: Prevent denial of service attacks caused by replaying valid messages.
  • 39. Pattern: Boundary defense pattern  Replay mitigation: - Apply throttling rules at the entry point (ESB). - Validate message freshness by WS-Security mechanisms (Timestamp).
  • 40. Applying throttling rules in ESB: Control access at three different levels through throttling: 1. Global 2. Service 3. Operation
  • 41. Throttling at global level:
  • 42. Throttling at service level:
  • 43. Configuring throttling in ESB:
  • 44. Example Time Stamp in WS-Security Header:
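The two halves of the replay mitigation pattern on slide 39, as one added Python example: sliding-window throttling at the global, service and operation levels of slides 40-43, and a freshness check on the WS-Security Timestamp of slide 44. This is illustration code, not the ESB's throttle mediator or its WS-Security runtime; the limits, the sample header and the clock values are constructed.

```python
"""Replay mitigation at the entry point (slide 39): throttling at global,
service and operation level (slides 40-43) plus WS-Security Timestamp
freshness checking (slide 44).

Added example, not the ESB's throttle mediator or its WS-Security runtime.
The limits, the sample header and the clock values are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

WSU_NS = ("http://docs.oasis-open.org/wss/2004/01/"
          "oasis-200401-wss-wssecurity-utility-1.0.xsd")


class Throttle:
    """Sliding-window counters; a request must pass every configured level."""
    def __init__(self, limits):
        # limits: key -> (max_count, unit_time_seconds); keys are "global",
        # "service:<name>" and "operation:<service>/<operation>".
        self.limits = limits
        self.windows = defaultdict(deque)

    def check(self, service, operation, now):
        """Return the level that rejected the request, or None if admitted."""
        keys = ["global", f"service:{service}", f"operation:{service}/{operation}"]
        # Phase 1: test every level; nothing is recorded if any level rejects,
        # so a rejected call does not consume quota at the outer levels.
        for key in keys:
            if key in self.limits:
                max_count, unit = self.limits[key]
                q = self.windows[key]
                while q and q[0] <= now - unit:
                    q.popleft()
                if len(q) >= max_count:
                    return key
        # Phase 2: admit and record the hit at every configured level.
        for key in keys:
            if key in self.limits:
                self.windows[key].append(now)
        return None


def parse_utc(text):
    """Parse the xsd:dateTime forms WS-Security Timestamps normally carry."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unsupported timestamp: {text!r}")


def check_timestamp(soap_xml, now, max_skew=timedelta(minutes=5), max_ttl=timedelta(minutes=5)):
    """Return (ok, reason) for the wsu:Timestamp in the Security header."""
    ns = {"wsu": WSU_NS}
    ts = ET.fromstring(soap_xml).find(".//wsu:Timestamp", ns)
    if ts is None:
        return False, "missing Timestamp"
    created_txt = ts.findtext("wsu:Created", namespaces=ns)
    expires_txt = ts.findtext("wsu:Expires", namespaces=ns)
    if created_txt is None or expires_txt is None:
        return False, "Created and Expires are both required here"
    created, expires = parse_utc(created_txt), parse_utc(expires_txt)
    if created > now + max_skew:
        return False, "Created lies in the future"
    if expires <= now:
        return False, "message has expired"
    if expires - created > max_ttl:
        return False, "validity window longer than policy allows"
    return True, "fresh"


# Constructed message with a five-minute Timestamp.
SAMPLE_HEADER = f"""<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <wsu:Timestamp xmlns:wsu="{WSU_NS}" wsu:Id="Timestamp-1">
        <wsu:Created>2012-05-14T10:00:00Z</wsu:Created>
        <wsu:Expires>2012-05-14T10:05:00Z</wsu:Expires>
      </wsu:Timestamp>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body/>
</soapenv:Envelope>"""


def demo_throttle():
    """Constructed limits: 5/min globally, 3/min for the service, 1/min for update."""
    t = Throttle({"global": (5, 60), "service:PatientRecords": (3, 60),
                  "operation:PatientRecords/update": (1, 60)})
    calls = [("update", 0), ("update", 1), ("view", 2), ("view", 3), ("view", 4), ("view", 61)]
    return [t.check("PatientRecords", op, now) for op, now in calls]


if __name__ == "__main__":
    print(demo_throttle())
    print(check_timestamp(SAMPLE_HEADER, parse_utc("2012-05-14T10:01:00Z")))
```

A Timestamp on its own only bounds how long a captured message stays usable; within that window a replay still parses as fresh, which is why the slide pairs it with throttling (and why a signed Timestamp matters: an unsigned one can simply be rewritten).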
  • 45. Requirement: Mitigate damages to the system from messages with malicious content : - SQL injection - X-Doc attacks
  • 46. Pattern: Boundary defense pattern  Message validation : - XML Schema validation. - Regular expression validation to avoid SQL injections contained in strings. - Validation & Filter mediators of ESB.
  • 47. Example SQL Injection attack: Query: `SELECT * FROM prescriptions WHERE patientID = '` + $patientID + `';` If $patientID = `3521'; DROP TABLE patients;` Resulting query causing SQL injection: `SELECT * FROM prescriptions WHERE patientID = '3521'; DROP TABLE patients;` Source: Security in SOA-Based Healthcare System
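The slide's concatenated query run against an in-memory SQLite database, beside the validated and parameterized form that the message validation pattern of slide 46 calls for. This is an added Python example, not WSO2 mediator configuration; the tables and rows are constructed, and the regular expression stands in for the Filter mediator's check on the expected shape of `patientID`.

```python
"""Message validation against SQL injection (slides 46-47): the slide's
concatenated query, shown failing on an in-memory SQLite database, beside a
version that validates the input shape and binds it as a parameter.

Added example, not WSO2 mediator configuration. Table contents are constructed.
"""
import re
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE patients (patientID TEXT PRIMARY KEY, name TEXT);
        CREATE TABLE prescriptions (id INTEGER PRIMARY KEY, patientID TEXT, drug TEXT);
        INSERT INTO patients VALUES ('3521', 'A. Perera');
        INSERT INTO prescriptions (patientID, drug) VALUES ('3521', 'atenolol');
    """)
    return conn


def table_exists(conn, name):
    row = conn.execute("SELECT 1 FROM sqlite_master WHERE type='table' AND name=?",
                       (name,)).fetchone()
    return row is not None


def prescriptions_vulnerable(conn, patient_id):
    """The slide's dynamic query: input spliced into the statement text.
    executescript runs every statement it finds, so an injected DROP TABLE runs
    too; the stray quote left at the end only fails to parse after that."""
    query = "SELECT * FROM prescriptions WHERE patientID = '" + patient_id + "';"
    try:
        conn.executescript(query)
    except sqlite3.Error:
        pass   # the trailing "';" fragment is rejected, but the damage is done
    return query


PATIENT_ID = re.compile(r"[0-9]{1,10}")   # constructed shape rule for patientID


def prescriptions_safe(conn, patient_id):
    """Boundary validation (a regex on the expected shape) followed by a
    parameterized query, so the value can never alter the statement structure."""
    if not PATIENT_ID.fullmatch(patient_id):
        raise ValueError("patientID must be 1 to 10 digits")
    cur = conn.execute("SELECT id, patientID, drug FROM prescriptions WHERE patientID = ?",
                       (patient_id,))
    return cur.fetchall()


def injection_demo(payload="3521'; DROP TABLE patients;"):
    """Run both variants against fresh databases and report what happened."""
    vulnerable_db = make_db()
    prescriptions_vulnerable(vulnerable_db, payload)
    safe_db = make_db()
    try:
        prescriptions_safe(safe_db, payload)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "patients_table_survives_vulnerable": table_exists(vulnerable_db, "patients"),
        "safe_rejects_payload": rejected,
        "patients_table_survives_safe": table_exists(safe_db, "patients"),
        "safe_rows_for_3521": prescriptions_safe(safe_db, "3521"),
    }


if __name__ == "__main__":
    print(injection_demo())
```

Parameter binding is the control that actually closes the hole; the regex is defence in depth at the boundary, and it also rejects oversized or malformed identifiers before they reach a legacy backend that may do its own string building.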
  • 48. Example Configuration:
  • 49. Security requirements related to a healthcare SOA solution.  Security patterns used to accomplish them.  How WSO2 ESB fits in the security patterns.
  • 50. WSO2 Security & Identity Gateway solution white paper: http://wso2.com/casestudies/wso2-security-and-identity-gateway-solution/  Security in SOA based healthcare systems, by Richard Sassoon
  • 52. Selected Customers
  • 53. • QuickStart • Development Support • Development Services • Production Support • Turnkey Solutions • WSO2 Mobile Services Solution • WSO2 FIX Gateway Solution • WSO2 SAP Gateway Solution

Editor's Notes

  1. Manages, exchanges and exposes sensitive data related to the different services offered.
  2. The IT system of Ceycare is going to adopt a SOA solution with its business expansion. Why does it need SOA? SOA enables Ceycare to expose its legacy system components as services and to achieve loose coupling among them. With expansion, its IT system needs to collaborate with partner organizations, and SOA provides the necessary interoperability. It provides the required flexibility to cope with changing business requirements, while providing the capability to compose several services together as value-added business processes. In brief, the reasons for Ceycare to adopt SOA: expose legacy system components as reusable services; collaborate with other partner organizations as the organization expands, which needs interoperability; support changing business requirements, so the solution needs to be flexible; orchestrate business processes.
  3. Why do we need special concern about SOA security? Web service security mechanisms and WS-SecurityPolicy.
  4. European Union's Data Protection Directive 95/46/EC, together with other relevant laws and regulations. The following is a specific set of requirements related to healthcare systems, extracted from research carried out on this topic. With respect to identification and authorization, the system should.......... Those are the main security requirements of a healthcare SOA solution in brief. Let's go through each of them one by one in detail and explore how to accomplish them by applying the relevant security patterns.
  5. There can be many types of users of the system: both human and system users, internal and external. The majority are internal users. Services should identify and verify the identity of all their human users before allowing them access to their resources. Services should identify and verify the identity of corresponding services before they are allowed to communicate.
  6. There is a central place where the credentials are stored, and authentication is enforced at a central place or at the entry point to the system. Users can use credentials of the listed types.
  7. Services should identify and verify the identity of all their human users before allowing them access to their resources. Services should identify and verify the identity of corresponding services before they are allowed to communicate.
  8. Instead of a user name and password, the user brings a security token issued by a third-party authentication broker. There are several mechanisms to implement brokered authentication; here we illustrate how to accomplish it with WS-Trust based on SAML. SAML is the standard for porting identities across organizational boundaries.
  9. Services should identify and verify the identity of all their human users before allowing them access to their resources. Services should identify and verify the identity of corresponding services before they are allowed to communicate.
  10. Even if claim-based authorization is used, if it is baked into application logic it is not flexible; it should be possible to change access control policies with changing business requirements.
  11. XACML mediator
  12. This is how you can configure the sequence of an ESB proxy service to implement the audit interceptor pattern.
  13. The internal system will be free from unwanted traffic, since the messages are dropped at the boundary.
  14. The throttle mechanism is used to control access to our services at different levels: globally, at service level and at operation level.
  15. SQL injection is a threat that results from poor validation of user input when performing a dynamic query, one formed by concatenating strings, in an application's database. Such an attack can allow access to private data and modify the database in a number of ways, via select, insert, update, and delete operations [81].