Page 1

Case studies on Authentication, Authorization and Audit in SOA Environments

Dr. Srini Kankanahalli, ClearAvenue, LLC (PowerPoint presentation)

Page 2

ClearAvenue, LLC

Headquartered in Columbia, Maryland

Focused on Systems Integration, Data Management, Information Security, Storage Networking and Custom Software Development

Premier IBM Business Partner; CMMI Maturity Level 3

ClearAvenue, LLC is an 8(a)-certified, minority- and women-owned Small Disadvantaged Business

Page 3

Authentication, Authorization, and Audit: The Challenge

Identity and Access Management is a major challenge for all federal agencies

A multitude of applications, legacy as well as state-of-the-art systems, poses additional challenges

Federal laws and federal contracting regulations add further complexity

Comprehensive end-to-end audits across multiple systems pose a significant challenge

Page 4

Layers of Security

Perimeter Defense: keep out the unwanted with
• Firewalls
• Anti-Virus
• Intrusion Detection, etc.

Control Layer
• Which users can come in?
• What can users see and do?
• Are user preferences supported?
• Can user privacy be protected?

Assurance Layer
• Can I comply with regulations?
• Can I deliver audit reports?
• Am I at risk?
• Can I respond to security events?

Page 5

SOA Security Encompasses All Solution Layers

Figure: SOA layered reference model with security cutting across every layer. Layers from top to bottom: consumers (custom and packaged applications); business processes (process choreography); services, atomic and composite (service definitions); service components; operational systems (custom applications, ISV applications, OO applications, Outlook, SAP) on supporting middleware and platforms (MQ, DB2, Unix, OS/390). A service consumer and a service provider interact through the numbered layers 1 to 5.

SOA Security concerns listed beside the layers: Identity; Authentication; Authorization and Privacy; Auditing; Confidentiality, Integrity and Availability; Compliance; Administration and Policy Management.

Access channels at the consumer layer: SCA, Portlet, WSRP, B2B, Other.

Page 6

Identity Management: the basis of comprehensive security

Figure: identity management functions applied across user groups and systems.
User groups: FoH, BoH, Contractors, Customers
Identity Management Functions: Provisioning, De-provisioning, User self service, User profile management
Systems: the enterprise systems those functions provision into

Page 7

User Provisioning and De-provisioning

User provisioning across multiple enterprise systems poses significant challenges

User de-provisioning is a greater challenge

Role-based access and role management add to the complexity

Role engineering encompasses very little "engineering" and a lot of "politics"

Page 8

Implementing Role-based Access Control

Successfully implemented RBAC with role-based provisioning to legacy as well as state-of-the-art systems

A Role is a set of entitlements that has a “Business Context”

Roles are not "cast in stone," but are derived through a "trial and error" process

Role Re-factoring has to be kept in mind during the design and implementation of any RBAC system
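Role-based provisioning, de-provisioning and role re-factoring as described on pages 7 and 8, worked through in Python. This is an added example, not code from the presentation or from any product it names; the target systems (ldap, siebel, mainframe), the roles and the users are constructed for illustration, and the engine records grants and revocations in an audit list where a real one would call each system's provisioning connector. The `orphaned_accounts` check is the audit question page 7 raises: which systems still hold an account for someone who no longer has any role.

```python
"""Role-based provisioning and de-provisioning across several target systems.

Added illustration, not code from the presentation. The target systems, roles
and users are constructed for the example; a real engine would call each
system's provisioning connector where this one records the change.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

Entitlement = Tuple[str, str]  # (target system, permission on that system)

@dataclass
class Role:
    """A role is a named set of entitlements that carries a business context."""
    name: str
    business_context: str
    entitlements: Set[Entitlement] = field(default_factory=set)

class ProvisioningEngine:
    def __init__(self, systems: List[str]):
        self.systems = set(systems)
        self.roles: Dict[str, Role] = {}
        self.assignments: Dict[str, Set[str]] = {}                              # user -> role names
        self.state: Dict[str, Dict[str, Set[str]]] = {s: {} for s in systems}  # system -> user -> perms
        self.audit_log: List[Tuple[str, str, str, str]] = []                   # (action, user, system, perm)

    def define_role(self, role: Role) -> None:
        for system, _ in role.entitlements:
            if system not in self.systems:
                raise ValueError(f"role {role.name} references unknown system {system}")
        self.roles[role.name] = role

    def effective_entitlements(self, user: str) -> Set[Entitlement]:
        return set().union(*(self.roles[r].entitlements for r in self.assignments.get(user, ())))

    def _reconcile(self, user: str) -> None:
        """Make every system match the user's effective entitlements: grant what is missing, revoke the rest."""
        desired: Dict[str, Set[str]] = {s: set() for s in self.systems}
        for system, perm in self.effective_entitlements(user):
            desired[system].add(perm)
        for system in self.systems:
            current = self.state[system].get(user, set())
            for perm in sorted(desired[system] - current):
                self.audit_log.append(("grant", user, system, perm))
            for perm in sorted(current - desired[system]):
                self.audit_log.append(("revoke", user, system, perm))
            if desired[system]:
                self.state[system][user] = desired[system]
            else:
                self.state[system].pop(user, None)  # no entitlements left: the account goes too

    def assign(self, user: str, role_name: str) -> None:
        if role_name not in self.roles:
            raise KeyError(role_name)
        self.assignments.setdefault(user, set()).add(role_name)
        self._reconcile(user)

    def deprovision(self, user: str) -> None:
        """Drop every role; reconciliation then revokes the user on every system."""
        self.assignments.pop(user, None)
        self._reconcile(user)

    def orphaned_accounts(self) -> List[Tuple[str, str]]:
        """Accounts a system still holds for users with no role: the de-provisioning gaps an audit looks for."""
        return sorted((s, u) for s, accounts in self.state.items() for u in accounts
                      if not self.assignments.get(u))

    def split_role(self, old_name: str, new_roles: List[Role]) -> None:
        """Role re-factoring: replace one role by several whose union is exactly the old role.
        Holders of the old role receive all the new ones, so nobody's effective access changes."""
        old = self.roles[old_name]
        if set().union(*(r.entitlements for r in new_roles)) != old.entitlements:
            raise ValueError("new roles must cover exactly the old role's entitlements")
        before = {u: self.effective_entitlements(u) for u in self.assignments}
        for r in new_roles:
            self.define_role(r)
        del self.roles[old_name]
        for names in self.assignments.values():
            if old_name in names:
                names.remove(old_name)
                names.update(r.name for r in new_roles)
        for user in self.assignments:
            if self.effective_entitlements(user) != before[user]:
                raise RuntimeError(f"re-factoring changed access for {user}")
            self._reconcile(user)  # emits no grant/revoke entries when access is unchanged

def demo() -> ProvisioningEngine:
    """Constructed run over three target systems; returns the engine for inspection."""
    engine = ProvisioningEngine(["ldap", "siebel", "mainframe"])
    engine.define_role(Role("case_worker", "handles benefit cases",
                            {("ldap", "login"), ("siebel", "case:read"), ("siebel", "case:update")}))
    engine.define_role(Role("auditor", "reviews closed cases",
                            {("ldap", "login"), ("mainframe", "ledger:read")}))
    engine.assign("alice", "case_worker")
    engine.assign("alice", "auditor")
    engine.split_role("case_worker", [
        Role("case_reader", "reads cases", {("ldap", "login"), ("siebel", "case:read")}),
        Role("case_updater", "updates cases", {("siebel", "case:update")})])
    engine.state["mainframe"]["bob"] = {"ledger:read"}  # account created outside the engine
    engine.deprovision("alice")
    return engine
```

After `demo()` runs, alice holds nothing on any system and the audit list carries one grant and one revoke per entitlement, while `orphaned_accounts()` still reports bob's mainframe account because no role ever produced it; that is the kind of account an end-to-end audit has to surface.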

Page 9

Role-based Access to Legacy and Modernized Systems

Page 10

Legacy systems integration: Siebel

Page 11

Federated Identity Management: The Challenge

In many situations, one federal agency has to communicate with and access data from another agency

This problem also may exist between multiple subdivisions of the same agency or organization

The solution involves building and propagating trust across boundaries using industry standards

Audits across agencies or subdivisions pose additional challenges

Page 12

Federated Identity Management Across Multiple Organizations

Figure: Organization A and Organization B federated through SAML.

Page 13

Federation Entities

Page 14

SOA Federated Identity Management

Figure: components shown are a Web Service, the Internet, LDAP, WebSphere ND and TFIM (Tivoli Federated Identity Manager), with two SAML exchanges between the federation partners.
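The relying-party side of the cross-agency trust described on pages 11 to 14, worked through in Python. This is an added example, not code from the presentation and not IBM Tivoli Federated Identity Manager's; the assertion format is a simplified SAML-like XML document constructed here, the signature is an HMAC over the signed fields standing in for XML-DSig, and the issuer IDs, audience, shared secret and role mapping are all assumed. Organization A issues the assertion; Organization B checks the issuer against its trust store, verifies the signature before acting on any field, then checks audience, validity window and replay, and finally maps the remote role to a local one.

```python
"""Relying-party checks on an inbound federation assertion (added illustration).

Not the presentation's code and not IBM TFIM's. The assertion is a constructed,
simplified SAML-like XML document whose signature is an HMAC over a fixed
serialisation of the signed fields, standing in for the XML-DSig a real SAML
assertion carries; the trust store therefore holds shared secrets, not certificates.
"""
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

class AssertionRejected(Exception):
    pass

def _iso(t):  # epoch seconds -> ISO 8601 UTC, the form SAML timestamps take
    return datetime.fromtimestamp(int(t), timezone.utc).isoformat()

def _signed_bytes(issuer, subject, audience, aid, nb, noa, roles):
    # Every field the relying party acts on is under the signature.
    return "\x1f".join([issuer, subject, audience, aid, nb, noa, ",".join(roles)]).encode()

def issue_assertion(issuer, subject, audience, aid, not_before, not_on_or_after, roles, secret):
    """What the identity provider (Organization A) sends; times are epoch seconds."""
    nb, noa = _iso(not_before), _iso(not_on_or_after)
    mac = hmac.new(secret, _signed_bytes(issuer, subject, audience, aid, nb, noa, roles),
                   hashlib.sha256).hexdigest()
    attrs = "".join(f"<saml:AttributeValue>{r}</saml:AttributeValue>" for r in roles)
    return (f'<saml:Assertion xmlns:saml="{SAML_NS}" ID="{aid}">'
            f"<saml:Issuer>{issuer}</saml:Issuer>"
            f"<saml:Subject><saml:NameID>{subject}</saml:NameID></saml:Subject>"
            f'<saml:Conditions NotBefore="{nb}" NotOnOrAfter="{noa}">'
            f"<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>"
            "</saml:AudienceRestriction></saml:Conditions>"
            f'<saml:AttributeStatement><saml:Attribute Name="role">{attrs}</saml:Attribute>'
            f"</saml:AttributeStatement><Signature>{mac}</Signature></saml:Assertion>")

class RelyingParty:
    """The service-provider side (Organization B)."""

    def __init__(self, audience, trusted_issuers, role_map, skew=60):
        self.audience = audience        # our own entity ID
        self.trusted = trusted_issuers  # issuer entity ID -> verification key
        self.role_map = role_map        # (issuer, remote role) -> local role
        self.skew = skew                # tolerated clock skew between the organizations, seconds
        self.seen_ids = set()           # replay cache of accepted assertion IDs

    def validate(self, xml_text, now):
        root = ET.fromstring(xml_text)  # constructed input; untrusted XML needs defusedxml
        issuer = root.findtext("saml:Issuer", namespaces=NS)
        key = self.trusted.get(issuer)
        if key is None:
            raise AssertionRejected("untrusted issuer")
        try:
            subject = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
            cond = root.find("saml:Conditions", NS)
            audience = cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS)
            aid, nb, noa = root.get("ID"), cond.get("NotBefore"), cond.get("NotOnOrAfter")
            roles = [a.text or "" for a in root.findall(
                "saml:AttributeStatement/saml:Attribute[@Name='role']/saml:AttributeValue", NS)]
            payload = _signed_bytes(issuer, subject, audience, aid, nb, noa, roles)
        except (AttributeError, TypeError):  # a required element or attribute is missing
            raise AssertionRejected("malformed assertion")
        sig = root.findtext("Signature") or ""
        # Signature first: nothing else is trusted until the issuer's key vouches for it.
        expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig.encode(), expected.encode()):
            raise AssertionRejected("bad signature")
        if audience != self.audience:  # issued for another partner of the same IdP
            raise AssertionRejected("wrong audience")
        if (now + self.skew < datetime.fromisoformat(nb).timestamp()
                or now - self.skew >= datetime.fromisoformat(noa).timestamp()):
            raise AssertionRejected("outside validity window")
        if aid in self.seen_ids:  # each assertion ID is accepted once
            raise AssertionRejected("replayed assertion")
        self.seen_ids.add(aid)
        # Remote roles map to local ones only through the explicit table; unknown ones grant nothing.
        local = sorted({self.role_map[(issuer, r)] for r in roles if (issuer, r) in self.role_map})
        return {"subject": subject, "issuer": issuer, "local_roles": local}

def demo(now=1_700_000_000.0):
    """Constructed run: Organization A issues, Organization B validates; returns each outcome."""
    idp, sp, key = "https://idp.agency-a.example", "https://sp.agency-b.example", b"constructed-secret"
    rp = RelyingParty(sp, {idp: key}, {(idp, "CaseWorker"): "case_worker"})
    def issue(aid, issuer=idp, audience=sp, roles=("CaseWorker", "Auditor")):
        return issue_assertion(issuer, "alice@agency-a", audience, aid, now - 30, now + 300, list(roles), key)
    good = issue("_a1")
    results = {"accepted": rp.validate(good, now)}
    for name, xml, t in [("replay", good, now),
                         ("tampered", good.replace("CaseWorker", "Administrator"), now),
                         ("expired", issue("_a2"), now + 1000),
                         ("wrong_audience", issue("_a3", audience="https://sp.other.example"), now),
                         ("untrusted", issue("_a4", issuer="https://idp.unknown.example"), now)]:
        try:
            rp.validate(xml, t)
            results[name] = None
        except AssertionRejected as e:
            results[name] = str(e)
    return results
```

The order of the checks is the point: the signature is verified before audience, time or replay are read, so a tampered copy of an already-used assertion is reported as a signature failure rather than being handled as if its contents were genuine, and a remote "Auditor" role that Organization B never mapped grants nothing locally.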

Page 15

Multi-Factor Authentication

There are multiple federal and commercial mandates for strong, multi-factor authentication

Page 16

Multi-factor, certificate-based authentication architecture using IBM Tivoli Federated Identity Manager

Page 17

Conclusions

We have implemented complex security patterns in multiple federal agencies

Security is Multi-faceted and hence has to be carefully architected and implemented correctly

The availability of multiple point products adds to the integration complexity

Authentication, Authorization, Audit and Identity Management are all intertwined and have to be planned and implemented correctly to ensure that the "attack surface" of an organization is minimized