Upload File

end to end soa security - distributed enforcement and

  • Home
  • Documents
  • End to End SOA Security - Distributed Enforcement and
17
End to End SOA Security - Distributed Enforcement and Centralized Policy Management Shashank Rajvanshi Principal Product Manager

Upload: zubin67

Post on 25-May-2015

504 views

Category:

Documents


1 download

Report

Tags:

TRANSCRIPT

Page 1: End to End SOA Security - Distributed Enforcement and

End to End SOA Security -Distributed Enforcement and Centralized Policy Management

Shashank Rajvanshi

Principal Product Manager

Page 2: End to End SOA Security - Distributed Enforcement and

End to End SOA Security - Distributed Enforcement and Centralized Policy Management Page 230 September 2008

Agenda

> SOA Security Landscape

> Typical SOA Security Mistakes

> Reference Architecture

> Recommendations/Best practices

> Case study

Page 3: End to End SOA Security - Distributed Enforcement and

End to End SOA Security - Distributed Enforcement and Centralized Policy Management Page 330 September 2008

SOA Security Landscape

Page 4: End to End SOA Security - Distributed Enforcement and

End to End SOA Security - Distributed Enforcement and Centralized Policy Management Page 430 September 2008

Web Applications: User, through a Web browser, interacts directly with the application

Web Services: Local application, often acting on behalf of the user, interacts with the Web service

Web Site & SOA/WS Security Is Similar

UserInternetInternet

ApplicationWeb Server

InternetInternet

Web Service ConsumerApplication

Web Service Platform

HTML/HTTP

XML/HTTP, FTP, JMS, MQ

SECURITY POLICYAuthentication –Username/Password, X509 cert, OTP…Authorization – Action on URL & Roles, Group or Entitlements

Securing Web Applications

Securing SOAs/Web Services

SECURITY POLICYAuthentication –WS-Security Tokens (SAML), XML-DSig, XML-EncAuthorization – Action on URI, XML Content, WS operations, Role, Group or Entitlements

Page 5: End to End SOA Security - Distributed Enforcement and

End to End SOA Security - Distributed Enforcement and Centralized Policy Management Page 530 September 2008

CA Sponsored SOA/WS Survey

Page 6: End to End SOA Security - Distributed Enforcement and

End to End SOA Security - Distributed Enforcement and Centralized Policy Management Page 630 September 2008

Agenda

> SOA Security Landscape

> Typical SOA Security Mistakes

> Reference Architecture

> Recommendations/Best practices

> Case study

Page 7: End to End SOA Security - Distributed Enforcement and

End to End SOA Security - Distributed Enforcement and Centralized Policy Management Page 730 September 2008

Typical SOA/WS Security Mistakes

> “Architecting” Silos of SecurityBuilding security into each service

– Corollary – Leaving security to the application developers

> Thinking that stopping threats/malware = effective security management

Corollary - Forgetting that “identity” matters with services– Authentication, authorization, centralized auditing,

SSO, federation, identity administration

> Not understanding that SOA applications have many layers/steps that need to be secured

Corollary – Thinking that guarding the “front door” is enoughCorollary – Thinking that point-to-point (SSL) security is enough

Page 8: End to End SOA Security - Distributed Enforcement and

End to End SOA Security - Distributed Enforcement and Centralized Policy Management Page 830 September 2008

Agenda

> SOA Security Landscape

> Typical SOA Security Mistakes

> Reference Architecture

> Recommendations/Best practices

> Case study

Page 9: End to End SOA Security - Distributed Enforcement and

End to End SOA Security - Distributed Enforcement and Centralized Policy Management Page 930 September 2008

Unsecured SOA Deployments

External Traffic

Lo

ad

Bala

nce

r

Web Service Requester

Web Services

J2EE

.NET

ESB

ESB

Internal Traffic

Partner

Customer

Page 10: End to End SOA Security - Distributed Enforcement and

End to End SOA Security - Distributed Enforcement and Centralized Policy Management Page 1030 September 2008

Secured SOA Deployments

Web Service Requester

Web Services

Web Services

Legacy Systems

Internal Traffic

PEP

PEP

PEP

PEP

PEP

Partner

External Traffic

J2EE

ESB

ESB

.NET

PDP

USER STORE

POLICY STORE

KEY STORE

PDP

USER STORE

POLICY STORE

KEY STORE

PDP

USER STORE

POLICY STORE

KEY STORE

Page 11: End to End SOA Security - Distributed Enforcement and

End to End SOA Security - Distributed Enforcement and Centralized Policy Management Page 1130 September 2008

Reference ArchitectureCA SOA Security Manager

Web Service Requester

Web Services

Web Services

Legacy Systems

Internal Traffic

SOA Security Gateway

SOA Agent

SOA Agent

SOA Agent

SOA

Agent SOA

Agent

External Traffic

J2EE

ESB

POLICY STORE

USER STORE

KEY STORE

Policy Server

Administrator

Reporting/ Auditing

Page 12: End to End SOA Security - Distributed Enforcement and

End to End SOA Security - Distributed Enforcement and Centralized Policy Management Page 1230 September 2008

Reference Architecture CA SOA Security Manager and CA SiteMinder

Web Service Requester

Web Services

Web Services

Legacy Systems

Internal Traffic

SOA Security Gateway

SOA Agent

SOA Agent

SOA Agent

SOA

Agent SOA

Agent

External Traffic

J2EE

ESB

Portal

Agent

POLICY STORE

USER STORE

KEY STORE

Policy Server

Administrator

Reporting/ Auditing

Page 13: End to End SOA Security - Distributed Enforcement and

End to End SOA Security - Distributed Enforcement and Centralized Policy Management Page 1330 September 2008

Agenda

> SOA Security Landscape

> Typical SOA Security Mistakes

> Reference Architecture

> Recommendations/Best practices

> Case study

Page 14: End to End SOA Security - Distributed Enforcement and

End to End SOA Security - Distributed Enforcement and Centralized Policy Management Page 1430 September 2008

Recommendations and Best Practices

> Do not create (more) security management silosMake sure your enterprise architects understand thisDon’t leave it up to your developers to do this

> Leverage your current security infrastructure/people/processes

If you are doing enterprise IAM/WAM link SOA/WS security to this

> Architect as if services will eventually be externalizedThey probably willBut don’t confuse security at the edge with overall security

> Leverage WS standards even if not immediately requiredWS-Security, SOAP, XML-encryption, XML-Signature…You can do POX (Plain Old XML), but recognize that it is a temporary approach

Page 15: End to End SOA Security - Distributed Enforcement and

End to End SOA Security - Distributed Enforcement and Centralized Policy Management Page 1530 September 2008

Agenda

> SOA Security Landscape

> SOA Security Challenges

> Reference Architecture

> Recommendations/Best practices

> Case study

Page 16: End to End SOA Security - Distributed Enforcement and

End to End SOA Security - Distributed Enforcement and Centralized Policy Management Page 1630 September 2008

> CA SOA Security ManagerSecurity infrastructure for internal Web services deployed on ESB

Deployed as a Web services security proxy

Extended CA SiteMinder infrastructure to provide combined WAM & Web services security solution

Leverages CA SOA Security Manager support of WS-Security standard

> Other CA IAM Products: CA SiteMinder WAM

USA Federal Government Agency

Page 17: End to End SOA Security - Distributed Enforcement and

End to End SOA Security - Distributed Enforcement and Centralized Policy Management Page 1730 September 2008

How to learn more about SOA Security

> Securing SOA/Web Services Based IT Architecturehttp://www.ca.com/files/TechnologyBriefs/mp32332_soa_sm_tb_us_en.pdf

> CA SOA Security Manager Product Briefhttp://www.ca.com/files/ProductBriefs/soa_sm_pb.pdf

> On-Demand Webcastshttp://www.ca.com/us/webcasts/ondemand/item.aspx?e=155385&eis=1

> Podcast – Why Web Services Security Should Be a Key Part of Your Web IAM Security Strategy

http://www.ca.com/files/Podcasts/greje13web.mp3

> Web based Product Demo – on request


© 2006 IBM Corporation SOA on your terms and our expertise Discovering the Value of SOA SOA In Action SOA & End-2-End Business Driven Development using

SAP NetWeaver and Enterprise SOA - f5.com · APPLICATION READY SOLUTION GUIDE SAP NetWeaver and Enterprise SOA 2 ... to providing access control regardless of end user, client type,

IBM Software Group Name Title Company End-2-End Development Tools SOA & Business Driven Development using J2EE, Portal, Web Services, Service Data Objects,

F INE + DCIL Nikhil Swamy Juan Chen Ravi Chugh End-to-end Verification of Security Enforcement

Building a SOA Solution with Oracle Fusion Middleware · PDF fileBuilding a SOA Solution with Oracle Fusion Middleware for Oracle E-Business Suite ... Application Integration End-to-end

IBM Software Group SOA Tools Landscape... across Business and IT SOA & End-2-End Business Driven Development using Java, Web Services, Modeling, BPM, Portal,

Software Group End-2-End IBM Development Tools Landscape IBM Business Driven Development, SOA and the Software Development Platform (SDP) [email protected]

An End-to-End SOA Integration Scenario using IBM WebSphere

Securities Enforcement 2015 Year-End Review/media/Files/NewsInsights/Publications/... · Securities Enforcement 2015 Year-End Review Page . 1 The Commission set another record in

Disclaimer - Integrated Cloud Applications and Platform ... · • Trading Partner Management • The SOA Suite enables: • A Unified Business Process Platform • End-to-End Instance

SOA*BPM12c*new*features** - Oracle€¦ · Deliver*Greater*Visibility* 20/20 Vision to Manage & Operate Integrations • Integrated SOA Infrastructure provides for “end to end instance

Fujitsu scanners & Hyland Software Webinar 'Delivering ... · • An SOA example may be the Kofax “SOA” scanning front-end would more easily connect to a FileNet SOA system and

PhD. Meriem Benhaddipeople.dsv.su.se/~petia/MENA/MeriemBenhaddi.pdfPROBLEMATIC SOA limitations : 1. Exclusion of the end user from the hierarchy of the SOA actors: users kept away

State of Alaska, · Becca Wilson – transferred to another department with SOA Joshua Sasse – transferred to another section of LSS SOA Curliah Young - hired into OA II with enforcement

Partner Selection in End to End Resource Planning: An SOA and Data Mining Based Approach MIN NI, PHD Post-doctor research scientist

2019 End of Year Preliminary Law Enforcement Officers Fatalities … · 2020-05-12 · 8 | 2019 End of Year Preliminary Law Enforcement Officers Fatalities Report Other Causes of

A Proposal to End Regressive Taxation through Law Enforcement · 3/14/2019  · 2 A Proposal to End Regressive Taxation through Law Enforcement Abstract Many jurisdictions in the

Enterprise SOA Development Handbook - Community · PDF fileENTERPRISE SO. A . DEVELOPMENT HANDBOOK 1.1 . END-TO-END GUIDE FOR ENTERPRISE SOA DEVELOPMENT . ... Architecture of a GP

2009/10 - 2011/12 - KENYA Revenue Authority · ODA Overseas Development ... SOA Service Oriented Architecture ... development of an enforcement strategy and deploying of

LAW ENFORCEMENT STRESS PROGRAM - The Counseling Team · 2017-10-04 · Stress and the Law Enforcement Officer's Family Effects of Stress on Law Enforcement Agencies End Notes Chapter

soa sot) — soa soa soa- 10 8 2 20 202 20 20 soa— . soa— soa-3 13 soa- Created Date 5/15/2017 3:23:12 PM

Business Process Driven SOA using BPMN and BPEL Process Driven SOA using BPMN and BPEL Modeling business processes for SOA and developing end-to-end IT support for these processes

Reactive Microservices with Spring 5 WebFlux - iproduct.orgiproduct.org/wp-content/uploads/2018/01/Microservices-with-Spring... · End-to-end non-blocking reactive SOA with Netty

Understanding End-of-Life Issues for Actuaries - SOA · 2017 SOA Annual Meeting & Exhibit IAN DUNCAN FSA FIA FCIA FCA MAAA . Session 153: Understanding End -of-Life Issues for Actuaries

SOA World Magazine-Enterprise SOA

Microsoft SOA Roadmapdownload.microsoft.com/download/7/9/5/795b70bc-a242-46cb-bb81...Microsoft SOA Roadmap ... to-end SOA and BPM solutions on the Microsoft process platform ... END-TO-END

2013 Year-End Securities Litigation and Enforcement Highlights · 2013 Year-End Securities Litigation and Enforcement Highlights. January 2014 . By: Marc D. Powers, Mark A. Kornfeld,

Secure High-Performance SOA Management with Intel SOA ...€¦ · 11 5.2 STRESS-TESTING RESULTS ... The HP® LoadRunner is used to emulate end users and generate load for testing

Securities Enforcement 2015 Year-End Review/media/Files/NewsInsights/... · 2016-03-02 · Securities Enforcement 2015 Year-End Review Page . 1 The Commission set another record in

Quick Ways to Supplement Your Law Enforcement Budget at Year's End

UNIVERSITY OF CALIFORNIA, SAN DIEGOgoto.ucsd.edu/~rjhala/dissertations/ravi_chugh.pdfType-preserving Compilation for End-to-end Veri-fication of Security Enforcement. In Proceedings

PhD. Meriem Benhaddi - s upetia/MENA/MeriemBenhaddi.pdf · PROBLEMATIC SOA limitations : 1. Exclusion of the end user from the hierarchy of the SOA actors: users kept away and out

Monitoring-Based System for E2E Security Auditing and Enforcement in Trusted and Untrusted SOA

Zeph: Cryptographic Enforcement of End-to-End Data Privacy

CONFIDENTIAL Deep Dive: A SOA Application, End-to-End Deep Dive: A SOA Application, End-to-End