SB20: SOA Security and the Impacts to BCP

Mark Spreitzer, CBCPCGI Enterprise Security PracticeDirector, Business Continuity/CIP

Office: 212.612.3611mark.spreitzer@cgifederal.com

www.cgi.com

Ken Huang, CISSPCGI Enterprise Security PracticeDirector, Security Engineering

Office: 703.227.4921ken.huang@cgifederal.com

www.cgi.com

Agenda• Defining Service Oriented Architecture (SOA)• How to roadmap SOA • SOA and Service Level Agreements• SOA Security Stack• SOA and the RTO & RPO• SOA and the BIA Questionnaire• Tips for applying SOA to BCP• Summary & Questions

What is SOA?• Business-centric approach to IT architecture

– supports integrating your business as linked, repeatable business tasks, or services.

• SOA enables business to define and implement loosely-coupled and coarse-grained services– services are made available to other participants in the

network in a standardized way – to increase ROI and reusability

Roadmap Example• Approach

– Workflow the value chain• information provided and consumed

– Identify opportunities to standardize the information interface

– Develop solution with those services– Increase ROI & reusability profit!

• Points to remember– Business and IT are working on the same tool– Path to execution: all services are defined

Workflow the Business Process

Program ProvidersProgram Development

Regional and International Offices

Program Operations

ConsumersReceive Catalogs/Bills

FinanceBilling and Financial

Tracking

Call CenterRegistration/Payments

PublisherCatalog Printing

and Mailing Vendors

Finance Application

Finance Application

Program Changes

Special Requests

MarketingCatalog & Brochure

Design

Customer Service

Consumer QuestionsProgram Changes/Cancellations

Program EditsFinance

Currency conversion and Fee association

Mail OperationsBrochure Distribution

MailOperations

Identify external vs. internal services

Program ProvidersProgram Development

Regional and International Offices

Program Operations

ConsumersReceive Catalogs/Bills

FinanceBilling and Financial

Tracking

Call CenterRegistration/Payments

PublisherCatalog Printing

and Mailing Vendors

Finance Application

Finance Application

Program Changes

Special Requests

MarketingCatalog & Brochure

Design

Customer Service

Consumer QuestionsProgram Changes/Cancellations

Program EditsFinance

Currency conversion and Fee association

Mail OperationsBrochure Distribution

MailOperations

Identify the Information Interface

Program ProvidersProgram Development

Regional and International Offices

Program Operations

ConsumersReceive Catalogs/Bills

FinanceBilling and Financial

Tracking

Call CenterRegistration/Payments

PublisherCatalog Printing

and Mailing Vendors

Finance Application

Finance Application

Program Changes

Special Requests

MarketingCatalog & Brochure

Design

Customer Service

Consumer QuestionsProgram Changes/Cancellations

Program EditsFinance

Currency conversion and Fee association

Mail OperationsBrochure Distribution

MailOperations

VPN

VPN

VPN

VPN

VPN

VPNIA

M

IAM

IAM

VPN

IAM = Identity & Access Management

Before SOA• Disconnect between Business

Strategies and IT Solutions– Operation support– Individual project based decision– Ad hoc and technology driven

implementation

• Proprietary middleware & presentation technologies

• Non-Scalable Point to point integration

• Lack of Agility• Limited Reusability

SOA Identity Management

Program ProvidersProgram Development

Regional and International Offices

Program Operations

ConsumersReceive Catalogs/Bills

FinanceBilling and Financial

Tracking

Call CenterRegistration/Payments

PublisherCatalog Printing

and Mailing Vendors

Finance Application

Finance Application

Program Changes

Special Requests

MarketingCatalog & Brochure

Design

Customer Service

Consumer QuestionsProgram Changes/Cancellations

Program EditsFinance

Currency conversion and Fee association

Mail OperationsBrochure Distribution

MailOperations

trust

trust

trust

trust

trust

trusttrust

trust

trust

trust

What SOA Provides• Focus on Business Processes

– Internal and external view of business services

– How data flow between services components– Analyze the trust among services partners– Provide an abstraction layer for services and

workflow associated– Involved into business strategies and

decisions– Have long-term blueprint and big pictures as

guidance• Enforcement of reusability

– Promote agility– Promote standardization

• Gartner sees the use of SOA for mission critical applications ramping from 50 percent in 2007 to 80 percent by 2010

BCP and SOA: What is in common?• Focus on core and critical business processes and values• Insider and outsider view of Business• Business Centric approach instead of IT Centric• What changes?

– SOA Architect and Governance body

SOA and Service Level Agreements (SLA)

• Before SOA (hard-wired deployments)– SLAs relatively easy to implement using conventional tools

• With SOA– Environment becomes dynamic– loosely-coupled enterprise SLA becomes difficult– Service end points may be added or changed– New services might be offered or existing SLAs redefined– SLAs may even exist between different enterprises entirely

• Solution: map and exercise plans to the value chain

SOA Security Stack• Areas influenced by SOA

Security standards– Policy Standards

• Trust• Confidentiality

– Identity Management • Business partner entitlements • Service partner entitlements

– Messaging integrity and confidentiality• Lower layer security• Key management• Encryption management

Three categories of standards• Identity Management Standards

– SAML - XACML– Liberty ID-FF - DSML– SPML - WS-Federation, etc.

• Web Services Standards – WS-Security– WS Security Policy– WS-SecureConversation– WS-Trust– WS-ReliableMessaging

• Digital Security Standards (Mostly in the lower layers of IP Stack)

– XKMS - XML-SIG– XML-ENC - TLS IPSec– PKI - SSL– S/MIME - LDAP– Kerberos etc.

SAML (Security Assertion Markup Language)

• XML standard for exchanging authentication and authorization data between security domains.

• SAML Building Blocks– Extensible Markup Language (XML) – XML Schema – XML Signature

• For authentication and message integrity. – XML Encryption

• For Identity encryption – SOAP

Liberty Alliance Project• Global alliance on Identity

Federation– Organization of over 150

members comprised of business, non-profit and government agencies

– Developing an open standard for federated network identity (Liberty ID-FF)

• Liberty ID-FF (Identity Federation Framework)– Now part of OASIS standard

• OASIS (Organization for the Advancement of Structured Information Standards)

• Is the basis for SAML 2.0

WS-Federation• Competing standard to SAML

–Developed by BEA Systems, BMC Software, CA, Inc., IBM, , Microsoft, Novell, and VeriSign

• Part of the larger WS-* Security framework• Microsoft has its own standard

–Interoperates with WS-Federation–Based on Active Directory –Bundled in Windows Server 2003 R2 –Microsoft ADFS (Active Directory Federation

Service)

XACML (eXtensible Access Control Markup Language)

• Declarative access control policy language• Implemented in XML • Processing model

– describing how to interpret the access policies

• Defines who can access what resource• Passed from PEP (Policy Enforcement Point) to PDP

(Policy Decision Point)– PDP uses the information inside XACML to determine who has

access to which resource

WSS (WS-Security)• Application layer protocol• Enables end-to-end security using security tokens• Describes how to attach security tokens to

messages– SOAP signature and HTTP encryption headers– including binary security tokens such as X.509

certificates and Kerberos tickets• Contains specifications on how integrity and

confidentiality can be enforced on Web services messaging– Includes details on the use of SAML and Kerberos, and

certificate formats such as X.509

Other WS-* Standards• Provides for Confidentiality and Integrity• Extension of WS-Security

–WS-SecureConversation• Provide the message authentication

–WS-SecurityPolicy• Define how and when the security tokens should be

used in Web Service conversation.–WS-Trust

• Provides framework for validation of security tokens.

WS-ReliableMessaging• Provides for System Availability• Protocol that allows SOAP messages to be delivered

reliably between distributed applications• Queues messages/requests in the presence of software

component, system, or network failures– Developed by BEA Systems, Microsoft, IBM, and Tibco (March 2003)– Approved as an OASIS Standard on June 14th, 2007

Application Destination

Send RemoteMessaging

Source

RemoteMessaging Destination

ApplicationSource

Transmit

Acknowledge

Deliver

SOA Security tips• Network and Transport Layer security:

–firewall, IPSec, SSL, VPN, HTTPS–Most non-invasive

• Use XML-Enc and XML-Sig• Apply WS-* Security• Identity and Access Management is must

have.

What SOA means to Data• Information is protected as it moves

– from structured to unstructured– in and out of applications– across each business process

• Information view as self describing and defending • Policies work consistently through the defensive layers and

technologies• Policies and controls account for business context

• Benefactors– Customers– Vendors– Employees– SOA Partners

SOA and the RTO & RPORecovery Time Objective (RTO)• Before SOA

– RTO tied to individual mission critical applications and business processes• With SOA

– RTO expectation is changed – RTO is tied to overall SOA infrastructure– SOA enables deep integration, and fast response time

Recovery Point Objective (RPO)• Before SOA

– Recovery of IT infrastructure Hardware, software, and network components • With SOA

– SOA security is key to define the RPO– Redefine where the data resides – More redundancy of systems and data

SOA and the BIA QuestionnaireBusiness Recovery• Before SOA

– Functional business mapping– Map systems and networks to identify interviews– Overlay technology (applications, networks, etc.)– Overlay organization chart to understand the components affected by an incident/outage

• With SOA– Overlay Line of Business SOA configuration over the Organization charts– Map SOA infrastructure to the business functions to produce questionnaire

IT Recovery• Before SOA

– Inventory of systems– Interview with applications owners, network and system administrators– Focused on systems– Results based on internal view

• With SOA– Focused on value chain– Results based on interfaces– SOA Governance body or committee in addition to the above

Tips for applying SOA to BCP• Establish senior management support• Cross train BCP/SOA

– First understand correlations then map partner links

• Review BCP plan with SOA Team– New Threat Landscape– Areas of Responsibilities– Emergency Contact information– Recovery Team composition

• Establish Review and Revision interval• Review backup of SOA applications and data• Exercise plans based on value chain

Summary• SOA impacts recovery processes

– Changes business flow changes RTO– Changes data flow changes RPO– Changes value chain changes BIA

• Enables further understanding of business• SOA may simplify the value chain

– Enables service foundations such as eTom and ITIL– Enables Virtualization (Data and Application)– Simplifies Insourcing/Outsourcing– Enables Mergers, Acquisitions and Divestment