Introduction to SOA, Cloud Computing, and Secure Cloud Computing Bhavani Thuraisingham The University of Texas at Dallas January 23, 2015



Objective and Scope

The objective of this course is to provide an overview of the significant developments in SOA and Web Services Security Standards, as well as directions for future developments.

Current work on SOA security focuses mainly on access control, confidentiality and integrity.

Solutions proposed for intrusion detection, denial of service and infrastructure attacks, and insider threat analysis (including data mining techniques for security applications) are beyond the scope of this course.

Outline

SOA and Web services: Overview
SOA and Web services security: Overview
WS-Security and WS-* Security

Service Oriented Architecture (SOA)
http://en.wikipedia.org/wiki/Service-oriented_architecture

Service Oriented Architecture (SOA) is an architectural style that guides all aspects of creating and using business processes, packaged as services, throughout their lifecycle, as well as defining and provisioning the IT infrastructure that allows different applications to exchange data and participate in business processes, loosely coupled from the operating systems and programming languages underlying those applications.

SOA represents a model in which functionality is decomposed into distinct units (services), which can be distributed over a network and can be combined together and reused to create business applications.

These services communicate with each other by passing data from one service to another, or by coordinating an activity between two or more services.

SOA concepts make software development flexible and extensible.

Service oriented analysis is becoming key to modeling and analyzing software.

The concepts of Service Oriented Architecture are often seen as built upon, and the evolution of, the older concepts of distributed computing and modular programming.

While object-orientation views the world as a collection of objects, service orientation views the world as a collection of services.

SOA is technology independent; however, it is commonly realized using web services.

Web service definition

“A Web Service is a software system designed to support interoperable machine-to-machine interaction over a network. It has an interface described in a machine-processable format (specifically WSDL). Other systems interact with the Web service in a manner prescribed by its description using SOAP messages, typically conveyed using HTTP with an XML serialization in conjunction with other Web-related standards.”

Source: http://www.w3.org/TR/ws-arch/

SOA

Figure: the service requestor, the service providers and the UDDI registry. Providers publish their services to UDDI; the requestor queries UDDI and receives an answer, then sends a request to the provider and receives a response.

Web Services (WS) Framework

An abstract (vendor neutral) existence defined by standards organizations and implemented by (proprietary) technology platforms
Core building blocks that include web services, service descriptions and messages
A communication agreement centered around service descriptions and WSDL
A messaging framework comprised of SOAP technology concepts
A service description registration and discovery architecture sometimes realized through UDDI
A well defined architecture that supports messaging patterns and compositions
A second generation of web services extensions (also known as WS-* specifications) continually broadening its underlying feature-set
Concepts in WS-* include: Message Exchange Patterns (MEP), Service Activity, Coordination, Atomic Transaction, Business Activities, Orchestration (WS-BPEL), Choreography (WS-CDL)

Reference: Service Oriented Architecture, Thomas Erl, Prentice Hall, 2005

Standardization bodies related to Web Services

SOA Security

Our approach is to implement SOA through web services; therefore SOA security is essentially web services security.

Three core specifications: WS-Security, XML-Signature, XML-Encryption.

WS*-Security is the second generation of technologies for SOA security.

Single sign-on (SSO) is a form of centralized security mechanism that complements the WS-Security extensions.

Related specifications for SOA security: WS-Security, WS-SecurityPolicy, WS-Trust, WS-SecureConversation, WS-Federation, XACML, eXtensible Rights Markup Language, XML Key Management, XML Signature, SAML, .NET Passport, Secure Socket Layer, WS-I Basic Security Profile.

Basic Components of SOA Security

Identification: for a service requestor to access a secure service provider, it must first provide information that expresses its origin or owner. This is referred to as making a claim.

Authentication: a message being delivered to a recipient must prove that the message is in fact from the sender that it claims.

Authorization: once authenticated, the recipient of a message may need to determine what the requestor is allowed to do.

Single sign-on: supported by SAML, .NET Passport and XACML.

Confidentiality and Integrity: confidentiality is concerned with protecting the privacy of the message content; integrity ensures that the message has not been altered.

Transport level and Message level security: transport level security is provided by SSL (securing HTTP); message level confidentiality and integrity are provided by XML-Encryption and XML-Signature.

Web Services Security: Requirements and Standards

Securing Web services mainly requires two things:
provide facilities for securing the integrity and confidentiality of the messages, and
ensure that the service acts only on requests in messages that express the claims required by policies.

Role of Standards: providing a Web Services Security Framework that is an integral part of the Web Services Architecture. The framework is a layered and composable set of standard specifications.

WS-* security Standards framework

Layered diagram, with the standards placed in each layer:

Transport level security: SSL/TLS
Network level security: IPSec
XML security: XML Encryption, XML Signature
SOAP foundation
Message security: WS-Security, WS-SecureConversation
Reliable Messaging: WS-ReliableMessaging
Security mgmt.: XKMS, WS-Trust
Policy & Access Control: WS-Policy, XACML, SAML
Identity Mgmt.: WS-Federation, Liberty, SAML

WS-* security standards implementations

Microsoft .NET Framework 2.0 / WSE 3.0: WS-Security (OASIS 2004 standard), WS-Policy, WS-SecurityPolicy, WS-Trust, WS-SecureConversation and WS-Addressing
Sun Web Services Interoperability Technology (WSIT)
IBM WebSphere
Open Software: The Apache Software Foundation Web Services Project (http://ws.apache.org/)

XML Encryption

XML Encryption Syntax and Processing, 10 December 2002
Status: W3C Recommendation
Core standard

Goals: provide confidentiality for applications that exchange structured data by
representing digitally encrypted resources in a standard way, separating encryption information from encrypted data, and supporting reference mechanisms for addressing encryption information from encrypted data sections and vice versa;
providing a mechanism for conveying encryption key information to a recipient;
providing for the encryption of a part or the totality of an XML document.

XML Signature

XML-Signature Syntax and Processing, 12 February 2002
Status: W3C Recommendation
Core standard: XML Signature is a building block for many web services security standards (e.g. XKMS and WS-Security)

Goals:
represent a digital signature as an XML element;
processing rules for creating this XML element;
the signed data items can be of different types and granularity (XML documents, XML elements, files containing any type of digital data).

Securing SOAP messages

Web Services Security: SOAP Message Security 1.1 (WS-Security 2004)
Status: Approved OASIS Standard Specification, 1 February 2006

Goals:
provide single SOAP message integrity and confidentiality, using existing digital signature, encryption, and security token mechanisms;
provide mechanisms for associating security tokens with message content (header and body blocks);
extensibility (i.e. support for multiple security token formats);
so that the recipient can trust the content of the message and its sender.

Security Token: a representation of security-related information (e.g. X.509 certificate, Kerberos tickets and authenticators, mobile device security tokens from SIM cards, username, etc.).

Signed Security Token: a security token that contains a set of related claims (assertions) cryptographically endorsed by an issuer. Examples: X.509 certificates and Kerberos tickets.

What is WS-Security?

WS-Security enhances SOAP messaging to provide quality of protection through message integrity, message confidentiality, and single message authentication.

These mechanisms can be used to accommodate a wide variety of security models and encryption technologies.

WS-Security also provides a general-purpose, extensible mechanism for associating security tokens with messages: no specific type of security token is required, and multiple security token formats are supported.

WS-Security describes how to encode binary security tokens (X.509 certificates and Kerberos tickets).

WS-Policy

Web Services Policy 1.2 - Framework (WS-Policy), W3C Member Submission, 25 April 2006
Status: public draft release for review and evaluation only

Main goal: WS-Policy and WS-PolicyAttachment aim to offer mechanisms to represent the capabilities and requirements of Web services as policies.

Policy view in WS-Policy: a policy is used to convey conditions on an interaction between two Web service endpoints. The provider of a Web service exposes a policy to convey the conditions under which it provides the service. A requester might use this policy to decide whether or not to use the service.

XACML

eXtensible Access Control Markup Language 2 (XACML), Version 2.0, OASIS Standard, 1 Feb 2005
Status: approved OASIS Standard within the OASIS Access Control TC.

XACML is a general-purpose access control policy language for managing access to resources.
It describes both a policy language and an access control decision request/response language.
Fine-grained access control.
Access control based on subject and object attributes.
Consistent with and building upon SAML.

XACML – Key Aspects

General-purpose authorization policy model and XML-based specification language
XACML is independent of the SAML specification
Triple-based policy syntax: <Object, Subject, Action>
Negative authorization is supported
Input/output to the XACML policy processor is clearly defined as the XACML context data structure
Input data is referred to by XACML-specific attribute designators as well as XPath expressions
Extension points: function, identifier, data type, rule-combining algorithm, policy-combining algorithm, etc.
A policy consists of multiple rules
A set of policies is combined by a higher level policy (PolicySet element)

XACML data flow model

Source: oasis-access_control-xacml-2.0-core-spec-os

XACML Protocol

Figure: the Policy Enforcement Point (PEP), Policy Decision Point (PDP), Policy Access Point (PAP) and Policy Information Point (PIP), with the XACML Request/Response exchanged between the PEP and the PDP.

XACML Protocol

When a client makes a resource request upon a server, the PEP is charged with access control (AC).
In order to enforce AC policies, the PEP will formalize the attributes describing the requester at the PIP and delegate the authorization decision to the PDP.
Applicable policies are located in a policy store, managed by the PAP, and evaluated at the PDP, which then returns the authorization decision.
Using this information, the PEP can deliver the appropriate response to the client.

XACML Request: Subject, Object, Action

XACML Response:
Permit
Permit with Obligations
Deny
NotApplicable (the PDP cannot locate a policy whose target matches the required resource)
Indeterminate (an error occurred or some required value was missing)

XACML Protocol

1. The Policy Administration Point (PAP) creates security policies and stores these policies in the appropriate repository.
2. The Policy Enforcement Point (PEP) performs access control by making decision requests and enforcing authorization decisions.
3. The Policy Information Point (PIP) serves as the source of attribute values, or the data required for policy evaluation.
4. The Policy Decision Point (PDP) evaluates the applicable policy and renders an authorization decision.

Note: The PEP and PDP might both be contained within the same application, or might be distributed across different servers.

XACML policy

A Policy has four main components:
a target,
a rule-combining algorithm identifier,
a set of rules,
obligations.

The Rule is the elementary unit of a policy. Main components of a rule:
a target,
an effect: permit or deny,
a condition.

Policy Language: a policy target specifies the set of resources, subjects, actions and environment to which it applies.
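The PEP/PDP exchange and the policy structure described above, as an added example in Python (not code from the slides or from any XACML implementation): targets, rules with conditions, the deny-overrides rule-combining algorithm, obligations returned with Permit, and all four decision values, including Indeterminate when a required attribute is missing. The policy, attribute names and request values are constructed for illustration, and the XACML XML context is replaced by plain dictionaries.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

PERMIT, DENY = "Permit", "Deny"
NOT_APPLICABLE, INDETERMINATE = "NotApplicable", "Indeterminate"

# Request and target contexts: attribute values grouped by category (subject, resource, action).
Context = Dict[str, Dict[str, str]]

def target_matches(target: Context, request: Context) -> bool:
    """A target applies when every attribute it names has the same value in the request."""
    return all(request.get(cat, {}).get(name) == value
               for cat, attrs in target.items() for name, value in attrs.items())

@dataclass
class Rule:
    target: Context
    effect: str                                   # PERMIT or DENY
    condition: Optional[Callable[[Context], bool]] = None

    def evaluate(self, request: Context) -> str:
        if not target_matches(self.target, request):
            return NOT_APPLICABLE
        try:
            return self.effect if (self.condition is None or self.condition(request)) else NOT_APPLICABLE
        except (KeyError, TypeError, ValueError):
            return INDETERMINATE                  # a required attribute was missing or malformed

def deny_overrides(results: List[Tuple[str, str]]) -> str:
    """XACML 2.0 deny-overrides over (decision, effect) pairs; effect = what the rule would return if it applied."""
    decisions = [d for d, _ in results]
    if DENY in decisions:
        return DENY
    if any(d == INDETERMINATE and eff == DENY for d, eff in results):
        return DENY                               # a Deny rule may have applied: fail closed
    if PERMIT in decisions:
        return PERMIT
    if INDETERMINATE in decisions:
        return INDETERMINATE
    return NOT_APPLICABLE

@dataclass
class Policy:
    target: Context
    rules: List[Rule]
    obligations: List[str] = field(default_factory=list)   # returned with Permit

    def evaluate(self, request: Context) -> Tuple[str, List[str]]:
        if not target_matches(self.target, request):
            return NOT_APPLICABLE, []
        decision = deny_overrides([(r.evaluate(request), r.effect) for r in self.rules])
        return decision, (self.obligations if decision == PERMIT else [])

def pdp_decide(policies: List[Policy], request: Context) -> Tuple[str, List[str]]:
    """The PDP step: evaluate every policy and combine the results. At policy level,
    XACML 2.0 deny-overrides maps Indeterminate to Deny; passing DENY as each policy's effect reproduces that."""
    results = [p.evaluate(request) for p in policies]
    decision = deny_overrides([(d, DENY) for d, _ in results])
    return decision, [o for d, obs in results if d == decision for o in obs]

# Constructed sample policy: doctors with clearance >= 2 may read medical records
# (the PEP must then log the access); deleting a record is always denied.
RECORD_POLICY = Policy(
    target={"resource": {"type": "medical-record"}},
    rules=[
        Rule(target={"subject": {"role": "doctor"}, "action": {"id": "read"}}, effect=PERMIT,
             condition=lambda req: int(req["subject"]["clearance"]) >= 2),
        Rule(target={"action": {"id": "delete"}}, effect=DENY),
    ],
    obligations=["log-access"],
)

def request(role, action, resource="medical-record", **subject_attrs) -> Context:
    """What the PEP hands the PDP after collecting the subject's attributes from the PIP."""
    return {"subject": {"role": role, **subject_attrs},
            "resource": {"type": resource}, "action": {"id": action}}
```

A request that omits the clearance attribute yields Indeterminate at the policy level, which the policy-level combining turns into Deny, so a missing attribute never becomes an accidental Permit.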

Security Assertion Markup Language (SAML)

Developed by the OASIS XML-Based Security Services Technical Committee (SSTC)
Status: the SAML V2.0 OASIS Standard specification set was approved on 15 March 2005
Main goal: authentication and authorization; promote interoperability between disparate authentication and authorization systems
How: by defining an XML-based framework for communicating security and identity information (e.g., authentication, entitlements, and attributes) between computing entities, using the different security infrastructures available (e.g., PKI, Kerberos, LDAP, etc.)

SAML basic concepts

Assertions: the core concept
SAML Authority: a system entity that makes SAML assertions (also called Identity Provider – IdP – and Asserting Party)
Service Provider: a system entity making use of SAML assertions
Relying Party: a system entity that uses received assertions (also named SAML requester)
SAML Bindings: bindings describe exactly how the SAML protocol maps onto the transport protocols.

SAML assertions

An assertion is constituted by one or more statements made by a SAML authority.

Different kinds of assertion statement can be created by a SAML authority:
Authentication: the specified subject was authenticated by a particular means at a particular time.
Attribute: the specified subject is associated with the supplied attributes.
Authorization decision: the specified subject is entitled to do a specified action.

Examples:
“Martino authenticated with a password at 9:00am”
“Bill is an account manager with a $1000 spending limit per one-day travel”
“John Doe is permitted to buy a specified item”
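The three statement kinds above, as an added example using only the Python standard library (not code from the slides or from any SAML toolkit): the SAML authority builds a SAML 2.0 assertion carrying an authentication, an attribute and an authorization decision statement, and the relying party checks issuer, validity window and audience before reading any claim. XML Signature verification of the assertion is left out, and the issuer, audience, subject and attribute names are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
PASSWORD_CTX = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
TS = "%Y-%m-%dT%H:%M:%SZ"
NS = {"saml": SAML}
ET.register_namespace("saml", SAML)

def _el(parent, tag, text=None, **attrs):
    """Append a saml:<tag> child element (helper for this example)."""
    e = ET.SubElement(parent, f"{{{SAML}}}{tag}", attrs)
    e.text = text
    return e

def _ts(t):
    return t.astimezone(timezone.utc).strftime(TS)

def build_assertion(issuer, subject, audience, now, attributes=None, permitted=None,
                    lifetime=timedelta(minutes=5)):
    """SAML authority side: one assertion with an authentication statement, an
    attribute statement and an authorization decision for 'permitted' = (resource, action)."""
    a = ET.Element(f"{{{SAML}}}Assertion",
                   {"Version": "2.0", "ID": "_example-id", "IssueInstant": _ts(now)})
    _el(a, "Issuer", issuer)
    _el(_el(a, "Subject"), "NameID", subject)
    cond = _el(a, "Conditions", NotBefore=_ts(now), NotOnOrAfter=_ts(now + lifetime))
    _el(_el(cond, "AudienceRestriction"), "Audience", audience)
    authn = _el(a, "AuthnStatement", AuthnInstant=_ts(now))
    _el(_el(authn, "AuthnContext"), "AuthnContextClassRef", PASSWORD_CTX)
    if attributes:
        st = _el(a, "AttributeStatement")
        for name, value in attributes.items():
            _el(_el(st, "Attribute", Name=name), "AttributeValue", value)
    if permitted:
        resource, action = permitted
        dec = _el(a, "AuthzDecisionStatement", Resource=resource, Decision="Permit")
        _el(dec, "Action", action)
    return ET.tostring(a, encoding="unicode")

def check_assertion(xml_text, trusted_issuers, my_audience, now):
    """Relying-party side: read no claim until issuer, validity window and audience
    have been checked. Returns (ok, reason, claims)."""
    a = ET.fromstring(xml_text)
    if a.tag != f"{{{SAML}}}Assertion" or a.get("Version") != "2.0":
        return False, "not a SAML 2.0 assertion", {}
    if a.findtext("saml:Issuer", namespaces=NS) not in trusted_issuers:
        return False, "untrusted issuer", {}
    cond = a.find("saml:Conditions", NS)
    if cond is None or not (cond.get("NotBefore") and cond.get("NotOnOrAfter")):
        return False, "missing validity conditions", {}
    not_before = datetime.strptime(cond.get("NotBefore"), TS).replace(tzinfo=timezone.utc)
    not_after = datetime.strptime(cond.get("NotOnOrAfter"), TS).replace(tzinfo=timezone.utc)
    if not (not_before <= now < not_after):
        return False, "outside validity window", {}
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if my_audience not in audiences:
        return False, "not addressed to this audience", {}
    claims = {
        "subject": a.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "authn_context": a.findtext(
            "saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", namespaces=NS),
        "attributes": {at.get("Name"): at.findtext("saml:AttributeValue", namespaces=NS)
                       for at in a.findall("saml:AttributeStatement/saml:Attribute", NS)},
        "permitted": [(d.get("Resource"), d.findtext("saml:Action", namespaces=NS))
                      for d in a.findall("saml:AuthzDecisionStatement", NS)
                      if d.get("Decision") == "Permit"],
    }
    return True, "ok", claims

# Constructed sample (IdP and SP names are placeholders), mirroring the slide's
# "Martino authenticated with a password at 9:00am" and spending-limit examples.
NOW = datetime(2015, 1, 23, 9, 0, tzinfo=timezone.utc)
SAMPLE = build_assertion("https://idp.example", "Martino", "https://sp.example", NOW,
                         attributes={"role": "account manager", "spending-limit": "1000"},
                         permitted=("item:42", "buy"))
```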

SAML entities

Figure: the SAML Requester (a system entity that uses received assertions), the Service Providers (system entities making use of SAML assertions) and the SAML Authority (which makes SAML assertions).

SAML and XACML

Source: Security Assertion Markup Language (SAML) V2.0 Technical Overview, Working Draft 08, 12 September 2005

SAML & Federated Identity

SAML addresses one key aspect of identity management: how identity information can be communicated from one domain to another.

SAML 2.0 will be the basis on which Liberty Alliance builds additional federated identity applications (such as web service-enabled permissions-based attribute sharing).

Cloud Computing

Cloud computing is the delivery of computing as a service rather than a product, whereby shared resources, software, and information are provided to computers and other devices as a metered service over a network.

Cloud computing provides computation, software, data access, and storage resources without requiring cloud users to know the location and other details of the computing infrastructure.

End users access cloud based applications through a web browser or a lightweight desktop or mobile app, while the business software and data are stored on servers at a remote location.

Cloud application providers strive to give the same or better service and performance as if the software programs were installed locally on end-user computers.

At the foundation of cloud computing is the broader concept of infrastructure convergence and shared services.

Service Models

Cloud computing providers offer their services according to three fundamental models: Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS), where IaaS is the most basic and each higher model abstracts from the details of the lower models.

Infrastructure as a Service (IaaS)
In this most basic cloud service model, cloud providers offer computers (as physical or, more often, virtual machines), raw (block) storage, firewalls, load balancers, and networks. IaaS providers supply these resources on demand from their large pools installed in data centers. To deploy their applications, cloud users then install operating system images on the machines as well as their application software. In this model, it is the cloud user who is responsible for patching and maintaining the operating systems and application software.

Platform as a Service (PaaS)
In the PaaS model, cloud providers deliver a computing platform and/or solution stack, typically including operating system, programming language execution environment, database, and web server. Application developers can develop and run their software solutions on a cloud platform without the cost and complexity of buying and managing the underlying hardware and software layers.

Software as a Service (SaaS)
In this model, cloud providers install and operate application software in the cloud, and cloud users access the software from cloud clients.

Deployment Models

Public cloud
A public cloud is one based on the standard cloud computing model, in which a service provider makes resources, such as applications and storage, available to the general public over the Internet. Public cloud services may be free or offered on a pay-per-usage model.

Community cloud
A community cloud shares infrastructure between several organizations from a specific community with common concerns (security, compliance, jurisdiction, etc.), whether managed internally or by a third party and hosted internally or externally. The costs are spread over fewer users than a public cloud (but more than a private cloud), so only some of the cost savings potential of cloud computing is realized.

Hybrid cloud
A hybrid cloud is a composition of two or more clouds (private, community or public) that remain unique entities but are bound together, offering the benefits of multiple deployment models. It can also be defined as multiple cloud systems that are connected in a way that allows programs and data to be moved easily from one deployment system to another.

Private cloud
A private cloud is infrastructure operated solely for a single organization, whether managed internally or by a third party and hosted internally or externally.

Issues

Privacy
Using a cloud service provider (CSP) can complicate privacy of data because of the extent to which virtualization for cloud processing (virtual machines) and cloud storage are used to implement cloud services.

Security
The effectiveness and efficiency of traditional protection mechanisms are being reconsidered, as the characteristics of this innovative deployment model can differ widely from those of traditional architectures.

Compliance
In order to obtain compliance with regulations including FISMA, HIPAA, and SOX in the United States, the Data Protection Directive in the EU and the credit card industry's PCI DSS, users may have to adopt community or hybrid deployment modes that are typically more expensive and may offer restricted benefits.

Legal
Certain legal issues arise, ranging from trademark infringement and security concerns to the sharing of proprietary data resources.

Secure Cloud Computing

Cloud computing security refers to a broad set of policies, technologies, and controls deployed to protect data, applications, and the associated infrastructure of cloud computing.

Cloud security is not to be confused with security software offerings that are "cloud-based" (a.k.a. security-as-a-service).

There are a number of security issues/concerns associated with cloud computing, but these issues fall into two broad categories:
security issues faced by cloud providers (organizations providing Software-, Platform-, or Infrastructure-as-a-Service via the cloud), and
security issues faced by their customers.
In most cases, the provider must ensure that their infrastructure is secure and that their clients’ data and applications are protected, while the customer must ensure that the provider has taken the proper security measures to protect their information.

The extensive use of virtualization in implementing cloud infrastructure brings unique security concerns for customers or tenants of a public cloud service.

Virtualization alters the relationship between the OS and the underlying hardware, be it computing, storage or even networking.

This introduces an additional layer, virtualization, that itself must be properly configured, managed and secured.

Specific concerns include the potential to compromise the virtualization software, or "hypervisor". While these concerns are largely theoretical, they do exist.

Security and Privacy

In order to ensure that data is secure (that it cannot be accessed by unauthorized users or simply lost) and that data privacy is maintained, cloud providers attend to the following areas:

Data protection
To be considered protected, data from one customer must be properly segregated from that of another; it must be stored securely when “at rest” and it must be able to move securely from one location to another. Cloud providers have systems in place to prevent data leaks or access by third parties. Proper separation of duties should ensure that auditing or monitoring cannot be defeated, even by privileged users at the cloud provider.

Physical control
Physical control of the private cloud equipment is more secure than having the equipment off site and under someone else’s control. Having the ability to visually inspect the data links and access ports is required in order to ensure data links are not compromised.

Identity management
Every enterprise will have its own identity management system to control access to information and computing resources. Cloud providers either integrate the customer’s identity management system into their own infrastructure, using federation or SSO technology, or provide an identity management solution of their own.

Security and Privacy

Physical and personnel security
Providers ensure that physical machines are adequately secure and that access to these machines, as well as to all relevant customer data, is not only restricted but also documented.

Availability
Cloud providers assure customers that they will have regular and predictable access to their data and applications.

Application security
Cloud providers ensure that applications available as a service via the cloud are secure by implementing testing and acceptance procedures for outsourced or packaged application code. It also requires that application security measures (application-level firewalls) be in place in the production environment.

Privacy
Finally, providers ensure that all critical data (credit card numbers, for example) are masked and that only authorized users have access to data in its entirety. Moreover, digital identities and credentials must be protected, as should any data that the provider collects or produces about customer activity in the cloud.

Legal issues
In addition, providers and customers must consider legal issues, such as contracts and e-discovery, and the related laws, which may vary by country.

Compliance

Numerous regulations pertain to the storage and use of data, including the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA), and the Sarbanes-Oxley Act, among others. Many of these regulations require regular reporting and audit trails. Cloud providers must enable their customers to comply appropriately with these regulations.

Business continuity and data recovery
Cloud providers have business continuity and data recovery plans in place to ensure that service can be maintained in case of a disaster or an emergency and that any data loss will be recovered. These plans are shared with and reviewed by their customers.

Logs and audit trails
In addition to producing logs and audit trails, cloud providers work with their customers to ensure that these logs and audit trails are properly secured, maintained for as long as the customer requires, and accessible for the purposes of forensic investigation.

Unique compliance requirements
In addition to the requirements to which customers are subject, the data centers maintained by cloud providers may also be subject to compliance requirements. Using a cloud service provider (CSP) can lead to additional security concerns around data jurisdiction, since customer or tenant data may not remain on the same system, in the same data center, or even within the same provider's cloud.

Compliance

Legal and contractual issues
Aside from the security and compliance issues enumerated above, cloud providers and their customers will negotiate terms around liability (stipulating how incidents involving data loss or compromise will be resolved, for example), intellectual property, and end-of-service (when data and applications are ultimately returned to the customer).

Public records
Legal issues may also include records-keeping requirements in the public sector, where many agencies are required by law to retain and make available electronic records in a specific fashion. This may be determined by legislation, or law may require agencies to conform to the rules and practices set by a records-keeping agency. Public agencies using cloud computing and storage must take these concerns into account.

Summary Points

The SOA concept, based on service orientation, is now a significant method for software development and promotes extensibility and flexibility; service oriented analysis has now become a standard way to model software.
Web Services is just one way to realize SOA.
Security for SOA is crucial as SOA is being used in numerous sectors; since web services realize SOA, web services security is critical.
SOA and SOA Security Standards are being developed by W3C and OASIS; WS-Security, the WS*-Security Framework, and XACML are some of the key standards.
SOA and Web Services are at the heart of Cloud Computing.