Upload
linda-small
View
220
Download
0
Embed Size (px)
Citation preview
Infrastructure Service Approach to Handling Security in
Service-Oriented Architecture Business Applications
Doina Iepuras
SOA Security
• Authentication – validating the identity of the message originator
• Authorization – controlling the use of the services
• Privacy – no unwanted intercepts while transmitting a message
• Integrity – confidence that message has not been modified
SOA Security Levels
• Transport Layer Security– Point-to-point security– Encryption for data in motion
Cons• Not granular enough• Reduced auditing capabilities
SOA Security Levels
• Message Level Security– End-to-end security– WS-Security - integrity via cryptographic
mechanisms– WS-Policy – framework describing rules and
policies
Cons• Implementation for each message
Application Managed Security
DataStore
DataStore
DataStore
.NetApps
Portal Server
ApplicationServer
BusinessProcesses
FWTrusted Network
FW
J2EEApps
SecurityDecisions
CustomApps
SecurityDecisions
Message
DataStore
WebServer
SecurityDecisions
SecurityDecisions
Application Proxy
• Common interface that can receive and respond to web service calls
• Reduce the load on the enterprise’s infrastructure
• Caches and manages authentication and authorization requests
Gateway Security Pattern
• Handles different transport layers
• Performs enhanced message transformations
• Coarse-grained authorization of the request message and its origins
• Validation of the request format
Enterprise Service Bus
Supports integration and flexible reuse of heterogeneous business components– Routing messages between services– Conversions of transport protocols – Transforming requests from one message
format to another
Security as a Service
• Access control decisions should be made each time a message reaches a transition point
• Allows early detection of unauthorized requests
• Eliminates unnecessary security processing at the application layer
• Issue: a lot of redundancy
Security as a Service
• Implement security as a set of services
• Application relies on services to acquire a security decision
• What if security is already implemented within the application?– The decisions should still be made via a
service which gets the decision from the application implementation
Security as a Service
• Security Decision Service - segregates the security decision functionality
• Security Enforcement Service – applies security decisions to a request
Security as a Service within the ESB
• ESB enables the security as a service model
• Services are implemented as mediations which provide reusable functionality– Service for Encryption/decryption– Service for Validating digital signatures– Service for Authenticating the requestor
ESB Model
DataStore
DataStore
DataStore
.NetApps
J2EEApps
SecurityDecisions
CustomApps
SecurityEnforcement
Services
RequestMessage
ESB
SecurityEnforcement
Services
SecurityDecisionsServices
ApplicationServer
Service EnforcementService
ESB Model
• Validation of request format
• Transport and end-to-end security for service implementations
• Enables layered security approach by separating enforcement and decision services
• Single point of control for identity mapping
• Can be implemented gradually
Q&A