Infrastructure Service Approach to Handling Security in

Service-Oriented Architecture Business Applications

Doina Iepuras

SOA Security

• Authentication – validating the identity of the message originator

• Authorization – controlling the use of the services

• Privacy – no unwanted intercepts while transmitting a message

• Integrity – confidence that message has not been modified

SOA Security Levels

• Transport Layer Security– Point-to-point security– Encryption for data in motion

Cons• Not granular enough• Reduced auditing capabilities

SOA Security Levels

• Message Level Security– End-to-end security– WS-Security - integrity via cryptographic

mechanisms– WS-Policy – framework describing rules and

policies

Cons• Implementation for each message

Application Managed Security

DataStore

DataStore

DataStore

.NetApps

Portal Server

ApplicationServer

BusinessProcesses

FWTrusted Network

FW

J2EEApps

SecurityDecisions

CustomApps

SecurityDecisions

Message

DataStore

WebServer

SecurityDecisions

SecurityDecisions

Application Proxy

• Common interface that can receive and respond to web service calls

• Reduce the load on the enterprise’s infrastructure

• Caches and manages authentication and authorization requests

Gateway Security Pattern

• Handles different transport layers

• Performs enhanced message transformations

• Coarse-grained authorization of the request message and its origins

• Validation of the request format

Enterprise Service Bus

Supports integration and flexible reuse of heterogeneous business components– Routing messages between services– Conversions of transport protocols – Transforming requests from one message

format to another

Security as a Service

• Access control decisions should be made each time a message reaches a transition point

• Allows early detection of unauthorized requests

• Eliminates unnecessary security processing at the application layer

• Issue: a lot of redundancy

Security as a Service

• Implement security as a set of services

• Application relies on services to acquire a security decision

• What if security is already implemented within the application?– The decisions should still be made via a

service which gets the decision from the application implementation

Security as a Service

• Security Decision Service - segregates the security decision functionality

• Security Enforcement Service – applies security decisions to a request

Security as a Service within the ESB

• ESB enables the security as a service model

• Services are implemented as mediations which provide reusable functionality– Service for Encryption/decryption– Service for Validating digital signatures– Service for Authenticating the requestor

ESB Model

DataStore

DataStore

DataStore

.NetApps

J2EEApps

SecurityDecisions

CustomApps

SecurityEnforcement

Services

RequestMessage

ESB

SecurityEnforcement

Services

SecurityDecisionsServices

ApplicationServer

Service EnforcementService

ESB Model

• Validation of request format

• Transport and end-to-end security for service implementations

• Enables layered security approach by separating enforcement and decision services

• Single point of control for identity mapping

• Can be implemented gradually

Q&A