layer 7: fine grained authorization for web services
DESCRIPTION
Learn about the challenge with implementing fine grained authorization in service based architectures, how to leverage existing identity infrastructure for entitlements management, and how to use policy enforcement intermediaries to enforce entitlement preferences.
TRANSCRIPT
Fine grained authorization for Web Services
Jonathan Gershater, Solution Architect
http://www.layer7tech.com
March 2008
What you will learn in this session
1. The difference between fine grained and coarse grained authorization
2. The challenge with implementing fine grained authorization in service based architectures
3. How to leverage existing identity infrastructure for entitlements management
4. How to use policy enforcement intermediaries to enforce entitlement preferences
Traditional enterprise
Independent applications, each with its own access control mechanisms and authorization policies.
Traditional enterprise security
Protected by:
• A gate-keeper firewall primarily offering network level TCP/IP protection.
• URL only protection using agent based SSO solutions.
The New Enterprise: SaaS, Web 2.0, Legacy
The challenge:
• Mixed application and integration environment
• Diverse credential requirements
• Existing SSP and user directories
• No centralized policy control and audit
• Services requiring fine grained authorization
SaaS, Web 2.0, Integrated enterprise
Web Services authentication: the Many-To-Many problem
(Diagram: many requests carrying different token types must be authenticated against many different sources.)
Requests to Web Services carry tokens at two levels:
• Transport (HTTP header, X.509, etc.)
• Message (UTP, X.509, …)
Authentication sources:
• LDAP Directory
• Proprietary IAM
• Certificate Servers (OCSP, CRLs, etc.)
• etc.
Complexity grows!
• Multi-platform, multi-development environment: .NET, J2EE frameworks, other
• Support mobile users / disconnected applications
• Support conditional expressions for authorization
• Use existing authentication sources
Quick review of AAA
• Authentication – who are you?
• Authorization – what can you do?
• Auditing – who did what?
What is coarse versus fine grained authorization?
What is authorization? The difference between coarse grained authorization (static):
• By job role
• By IT defined role
• By group membership
and fine grained authorization (dynamic):
• By transaction type
• By time of day or day of week
Sample fine grained AZ request
Stock quote can be anonymous.
Stock purchase during trading hours must be:
• Authenticated
• over SSL
• working hours
• not from suspect network

(user=Name_of_Stockbroker) AND (SSL=TRUE) AND ((hour > 6am) AND (hour < 1pm)) AND (ip_address_segment != 155.154.133.0)
Solution
Policy Decision Point (PDP) that intercepts and examines XML packets at the application layer:
• Identifies service endpoint
• Authenticates requester with support for diverse credential types
• Integration with diverse SSO, Federation and user directories
• Performs fine-grained authorization of an operation within a service
• Credential chaining and translation
• SAML issuing for downstream consistency
Policy Decision Points (PDP)
Also... SAMLP query to Policy Decision Point (PDP)
Other solutions – an XACML query
Policy Enforcement Point (PEP) makes an XACML query to a Policy Decision Point (PDP).
• PEP executes XACMLAuthzDecisionQuery
• PDP returns XACMLAuthzDecisionStatement
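The PEP/PDP exchange just described, applied to the stock-broker rule from the "Sample fine grained AZ request" slide, as an added example in Python. This is illustrative code written for this transcript, not Layer 7's product code and not a real XACML implementation: the two dataclasses only borrow the names XACMLAuthzDecisionQuery/XACMLAuthzDecisionStatement and the Permit/Deny/NotApplicable vocabulary, the attributes are passed as plain fields instead of XML, and the "suspect network" is read as the /24 containing 155.154.133.0 (the slide gives only the segment address; the prefix length is an assumption). The PEP is default-deny: anything other than Permit blocks the call.

```python
"""Toy PEP/PDP exchange for the stock-trading authorization rule (added example)."""
from dataclasses import dataclass, field
from typing import List, Optional
import ipaddress

# Constructed policy data. The prefix length is an assumption; the slide
# only names the segment address 155.154.133.0.
SUSPECT_NETWORKS = [ipaddress.ip_network("155.154.133.0/24")]
# (hour > 6am) AND (hour < 1pm): hours 7 through 12 inclusive.
TRADING_HOURS = range(7, 13)


@dataclass
class AuthzDecisionQuery:
    """What the PEP sends to the PDP: subject, action and environment
    attributes, loosely modelled on an XACMLAuthzDecisionQuery."""
    subject: Optional[str]   # authenticated user name, or None if anonymous
    action: str              # "quote" or "purchase"
    ssl: bool                # request arrived over SSL/TLS
    hour: int                # local hour of day, 0-23
    source_ip: str           # requester's IP address


@dataclass
class AuthzDecisionStatement:
    """What the PDP returns, loosely modelled on an XACMLAuthzDecisionStatement."""
    decision: str                           # "Permit", "Deny" or "NotApplicable"
    reasons: List[str] = field(default_factory=list)


def evaluate(query: AuthzDecisionQuery) -> AuthzDecisionStatement:
    """PDP: apply the slide's rules and return a decision statement.

    A stock quote is anonymous (Permit). A purchase must satisfy every
    condition; every failed condition is reported so an auditor can see
    which part of the conjunction did not hold."""
    if query.action == "quote":
        return AuthzDecisionStatement("Permit", ["quotes are anonymous"])
    if query.action != "purchase":
        return AuthzDecisionStatement("NotApplicable", ["no rule for action"])

    failures = []
    if query.subject is None:
        failures.append("requester not authenticated")
    if not query.ssl:
        failures.append("request not over SSL")
    if query.hour not in TRADING_HOURS:
        failures.append("outside trading hours")
    ip = ipaddress.ip_address(query.source_ip)
    if any(ip in net for net in SUSPECT_NETWORKS):
        failures.append("request from suspect network")

    if failures:
        return AuthzDecisionStatement("Deny", failures)
    return AuthzDecisionStatement("Permit")


def enforce(query: AuthzDecisionQuery, backend) -> str:
    """PEP: forward to the service only on Permit. Deny and NotApplicable
    both block the call (default-deny), with the reasons returned to the
    caller for logging."""
    statement = evaluate(query)
    if statement.decision == "Permit":
        return backend(query)
    return "403 %s: %s" % (statement.decision, "; ".join(statement.reasons))


def stock_service(query: AuthzDecisionQuery) -> str:
    """Stand-in for the protected Web Service behind the PEP."""
    return "200 %s executed for %s" % (query.action, query.subject or "anonymous")


if __name__ == "__main__":
    # Constructed sample requests: one that passes, one that fails twice over.
    print(enforce(AuthzDecisionQuery("broker1", "purchase", True, 10, "10.1.2.3"), stock_service))
    print(enforce(AuthzDecisionQuery(None, "purchase", False, 10, "155.154.133.9"), stock_service))
```

Keeping the PDP (`evaluate`) separate from the PEP (`enforce`) mirrors the split on the slide: the policy can be changed in one place while every intermediary that calls it keeps the same default-deny enforcement.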
Policy Enforcement Point makes an XACML query
Layer 7 solution for fine grained authorization
Policy Decision Point (PDP):
• Highly available / clustered.
• Integrates with several Web Single Sign-On and Policy Decision Point sources.
• Supports any information store: databases or Secure Token Services.
• Generates the appropriate SAML assertion to make authorization decisions.
Appliance, software or virtual machine solution
(Diagram: the gateway sits between external application consumers, internal application consumers, and the services.)
Message level intermediary between services and requesters.
Layer 7 SecureSpan Gateway
(Diagram: Runtime Governance – the gateway as Policy Enforcement Point in front of the services.)
PEP validates policy compliance and applies security decorations.
Security requirements are defined by an administrator.
Policies become effective independently of the actual services.
SecureSpan Solution Advantages, Differentiators
Sophisticated policy language enables complex governance requirements
Available as hardware appliance with XML accelerator or as software
Quick deployment, ease of use
Extensible through APIs
Instant policy application (no service downtime)
Standards based
Industry leadership
Thanks and questions
Jonathan Gershater
http://www.layer7tech.com
http://layer7blog.blogspot.com/