Using OWSM Assertions and Policies

November 14th, 2012, 14:55-15:40, Room VT445-32. Harold Dost III, Senior Consultant, Raastech, Inc.

Upload: raastech

Post on 18-Jul-2015


Using OWSM Assertions and Policies

November 14th, 2012

14:55-15:40

Room VT445-32

Harold Dost III Senior Consultant

Raastech, Inc.

Slide 2 of 31 © Raastech, Inc. 2012 | All rights reserved.

1. Introduction

2. Why secure your services?

3. Where does OWSM fit?

4. Demo

5. Summary

Agenda

Slide 3 of 31

INTRODUCTION

Slide 4 of 31

Harold Dost III

5+ years of Oracle middleware experience

Experience in large implementations involving SOA Suite, BAM, AIA, OSB, OSR, ODI, OWSM, OER, OEG, and more

OCE (SOA Foundation Practitioner)

About Me

Slide 5 of 31

WHY SECURE YOUR SERVICES?

Slide 6 of 31

There is a broad list of security aspects to consider:

Authentication (AuthN for short)

Authorization (AuthZ for short)

Spoofing

Tampering

Repudiation

Information Disclosure

Denial of Service

Replay attacks

Virus attacks and Intrusion Detection

Why secure your services?

Slide 7 of 31

Protect you against mischievous and dangerous attackers

Protect your customer’s data

Save money

For example, healthcare data security breaches cost:

# of records    Cost
1               $240
100             $24,000
10,000          $2,400,000

http://www.hipaasecurenow.com/index.php/a-look-at-the-cost-of-healthcare-breaches/

Why secure your services?

Slide 8 of 31

Zappos

24 million customers

Address Information

Credit Card Information

http://www.darkreading.com/security/news/232500003/zappos-dealing-with-data-breach.html

Why secure your services?

Slide 9 of 31

UNC Charlotte

350k students and employees

Social Security Numbers

http://www.darkreading.com/insider-threat/167801100/security/news/240000307/unc-charlotte-breach-affected-more-than-350-000.html

Why secure your services?

Slide 10 of 31

WHERE DOES OWSM FIT?

Slide 11 of 31

Randomized Passwords

Scheduled Expiration

Encryption of sensitive data

Over the wire

On storage media

Authorization

Authentication

Layered Security Approach

http://marccortez.com/2012/09/27/beating-my-dead-horse-with-a-double-edged-sword/

Slide 12 of 31

“Oracle Web Services Manager offers a comprehensive and easy-to-use solution for policy management and security of service infrastructure.”

“It provides visibility and control of the policies through a centralized administration interface offered by Oracle Enterprise Manager.”

OWSM is a component of SOA Suite

Add-on

OSB

SOA Suite

What is OWSM?

Slide 13 of 31

Where does OWSM fit?

http://docs.oracle.com/cd/E17904_01/doc.1111/e15866/owsm.htm

Slide 14 of 31

Oracle SOA Security Strategy

Slide 15 of 31

Oracle SOA Security Strategy

Slide 16 of 31

HOW TO USE OWSM?

Slides 17-25 of 31

OWSM

Slide 26 of 31

IS IT RIGHT FOR YOUR COMPANY?

Slide 27 of 31

Yes

Is it for your company?

Slide 28 of 31

Yes

If you’re already using OSB or SOA Suite, it’s built-in

No extra cost

Is it for your company?

Slide 29 of 31

SUMMARY

Slide 30 of 31

OWSM provides a method to add both transport and message level protections to Web Services.

Should be used as part of a layered security approach.

Summary

Slide 31 of 31

Contact Information

Harold Dost III

Senior Consultant

[email protected]