Standards and Strategies of Security for the Service Oriented Architecture
Christopher Irish, David Orr, Sophya Kheim, Adam Lange, Daniel Palma

Agenda
Overview
Current Problems
Current Strategies
WS Standards
Future Areas of Research
References
Questions

Web Services Definition
From the World Wide Web Consortium (W3C): the programmatic interfaces made available for application-to-application communication

Types of Web Services

Overview
Key Concepts for Strategies
– Authentication
– Authorization
– Integrity
– Non-repudiation
– Confidentiality
– Privacy

Current Problems
SOAP monitoring and regulation

Current Strategies
IP Blocking
XML Firewall
SSL/TLS
Virtual Private Networks (VPN)
XML Digital Signature
WS-Security
XACML
SAML

IP Blocking
Process of identifying those IP addresses from which Web requests will be accepted
Achieved by specifying a list of acceptable IP addresses
Pros
– Simple and easy to implement
Cons
– Valid users with invalid IP addresses will be blocked
– Clients will not be able to access any part of the Web site until you have added their IP to the accepted list

Traditional Firewalls
Filters out unauthorized requests by IP address
Pros
– Easy to implement and maintain
Cons
– IP addresses can be spoofed
– Does not perform authentication, authorization, auditing and validation on web service traffic
– Cannot encrypt or decrypt
– If the web service uses port 80, difficult to implement
– Not XML aware

XML Firewalls
Filters out unauthorized requests by inspecting XML content
Pros
– Can perform authentication, authorization, auditing and validation on web service traffic
– Protect against buffer overflows and denial of service
– Message routing, encryption and forwarding are available
– Includes features of a traditional firewall
Cons
– Difficult to set up
– Limited vendors
– No standardization

SSL/TLS
Endpoint-to-endpoint encryption of web service traffic over TCP
Pros
– Easy to implement
– Standardized protocols
– Protects against network sniffing
Cons
– Does not perform authentication, authorization, auditing and validation on web service traffic
– Messages cannot have multiple transports
– No element-wise signing
– Data stored on disk before processing cannot be protected
– Not XML aware

Virtual Private Networks
Enables the creation of secure data tunnels among remote sites or hosts for web service traffic
Pros
– Uses several technologies
– Standardized protocols
  • Secure VPNs: IPSec, SSL/TLS, PPTP, L2TP
  • Trusted VPNs: MPLS, L2F
– Easy to implement
– Protects against network sniffing
– Web service can join or leave dynamically
– A web service can be invoked dynamically
– Frees the web service from managing access control, auditing and encryption
Cons
– Does not perform validation on web service traffic
– Data stored on disk before processing cannot be protected
– Not XML aware

XML Digital Signature
Provides
– Authentication
– Data integrity
– Non-repudiation support
Can sign many types of resources
– HTML, binary, XML-encoded data
Can be applied to specific portions of an XML tree rather than the complete document

Web Services Standards
OASIS Web Services Security Standard
SAML
XACML

OASIS WS Security Standard
Developed by OASIS on April 29, 2004. Revised and republished February 17, 2006 as version 1.1. Currently the most comprehensive guide to Web Service security. Its main purpose is to allow the exchange of secure SOAP messages by protecting their confidentiality and integrity.

WS-Security
Focuses on “Tokens” that are added to SOAP messages to provide different kinds of security.
Is built to be extensible and flexible by allowing different types of token formats to be used in the same message.

WS-Security: Username Token
The username token provides a way for a sender to present a claimed identity to the receiver.

WS-Security: Binary Security Tokens
Used to encode non-XML security tokens, like X.509 certificates and Kerberos tickets.
Slide example callouts: e.g. X.509; Encoding Format

WS-Security: XML Signature
The WS-Security standard incorporates the use of XML signatures into SOAP messages.
Slide example callouts: Begin signature; Reference to signature value; Algorithms used to form the signature; End signature

WS-Security: Timestamp
Allows the freshness of the security features to be determined. Time synchronization is not accounted for.
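The Username Token and Timestamp slides above describe the two header elements without showing how a receiver should check them. The following is an added example (not code from the slides or from OASIS) that builds a SOAP 1.1 envelope carrying a wsu:Timestamp and a digest-form wsse:UsernameToken, then verifies it the way a receiver would: a freshness window with a clock-skew tolerance (the slide's point that time synchronization is not handled by the standard), a nonce cache against replay, and the Username Token Profile digest Base64(SHA-1(nonce + created + password)). The namespace URIs and the PasswordDigest type are the real WS-Security 1.0 identifiers; the credential store, the user names, the GetBalance body and the 300-second lifetime are constructed for the example.

```python
import base64
import hashlib
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Real namespace URIs from SOAP 1.1, WS-Security 1.0 and the Username Token Profile 1.0.
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
for prefix, uri in (("soapenv", SOAP), ("wsse", WSSE), ("wsu", WSU)):
    ET.register_namespace(prefix, uri)


def iso_utc(ts: datetime) -> str:
    return ts.strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_utc(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Username Token Profile digest: Base64(SHA-1(nonce + created + password))."""
    raw = nonce + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()


def build_envelope(username: str, password: str, now: datetime, ttl_seconds: int = 300) -> str:
    """Sender side: envelope with a wsu:Timestamp and a digest UsernameToken (constructed body)."""
    nonce = os.urandom(16)
    created = iso_utc(now)
    env = ET.Element(f"{{{SOAP}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP}}}Header")
    sec = ET.SubElement(header, f"{{{WSSE}}}Security", {f"{{{SOAP}}}mustUnderstand": "1"})
    ts = ET.SubElement(sec, f"{{{WSU}}}Timestamp")
    ET.SubElement(ts, f"{{{WSU}}}Created").text = created
    ET.SubElement(ts, f"{{{WSU}}}Expires").text = iso_utc(now + timedelta(seconds=ttl_seconds))
    tok = ET.SubElement(sec, f"{{{WSSE}}}UsernameToken")
    ET.SubElement(tok, f"{{{WSSE}}}Username").text = username
    ET.SubElement(tok, f"{{{WSSE}}}Password", {"Type": DIGEST}).text = password_digest(nonce, created, password)
    ET.SubElement(tok, f"{{{WSSE}}}Nonce").text = base64.b64encode(nonce).decode()
    ET.SubElement(tok, f"{{{WSU}}}Created").text = created
    body = ET.SubElement(env, f"{{{SOAP}}}Body")
    ET.SubElement(body, "GetBalance").text = "acct-42"  # constructed application payload
    return ET.tostring(env, encoding="unicode")


class Receiver:
    """Receiver side: freshness window with skew tolerance, nonce replay cache, digest check."""

    def __init__(self, users: dict, skew_seconds: int = 60):
        self.users = users  # constructed credential store {username: password}
        self.skew = timedelta(seconds=skew_seconds)  # tolerance for unsynchronized clocks
        self.seen_nonces = set()  # a real deployment would expire entries with the timestamp window

    def verify(self, xml_text: str, now: datetime) -> str:
        root = ET.fromstring(xml_text)
        sec = root.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security")
        if sec is None:
            return "reject: no Security header"
        ts = sec.find(f"{{{WSU}}}Timestamp")
        created_text = ts.findtext(f"{{{WSU}}}Created") if ts is not None else None
        expires_text = ts.findtext(f"{{{WSU}}}Expires") if ts is not None else None
        if created_text is None or expires_text is None:
            return "reject: missing or incomplete Timestamp"
        if parse_utc(created_text) > now + self.skew:
            return "reject: Created is in the future"
        if parse_utc(expires_text) < now - self.skew:
            return "reject: timestamp expired"
        tok = sec.find(f"{{{WSSE}}}UsernameToken")
        if tok is None:
            return "reject: no UsernameToken"
        pwd = tok.find(f"{{{WSSE}}}Password")
        if pwd is None or pwd.get("Type") != DIGEST:
            return "reject: password must be a digest"  # refuse PasswordText over the wire
        username = tok.findtext(f"{{{WSSE}}}Username")
        if username not in self.users:
            return "reject: unknown user"
        nonce_b64 = tok.findtext(f"{{{WSSE}}}Nonce")
        if nonce_b64 in self.seen_nonces:
            return "reject: replayed nonce"
        expected = password_digest(base64.b64decode(nonce_b64),
                                   tok.findtext(f"{{{WSU}}}Created"), self.users[username])
        if expected != pwd.text:
            return "reject: password digest mismatch"
        self.seen_nonces.add(nonce_b64)
        return "accept"
```

The digest proves possession of the password without sending it, but only the nonce cache stops the same envelope being presented twice, and only the timestamp bounds how long that cache must remember each nonce; the skew allowance is the knob that trades tolerance for unsynchronized clocks against a longer replay window.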

WS-Security: The big picture

WS-Security: The big picture cont.

XACML
Covers subjects such as authorization, access control, and privacy policies that are often overlooked in other standards.
XACML (Extensible Access Control Markup Language) is an XML-based policy language that allows for the description of access control requirements.

XACML
1. Request sent to the Policy Enforcement Point (PEP).
2. The Policy Information Point (PIP) uses XACML to describe requestors in terms of attributes.
3. The Policy Decision Point (PDP) actually makes the decision.
4. The current policy is retrieved.
5. The response is returned to the PEP and ultimately to the user.
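The five steps above are easier to follow with the components split out as objects. The following is an added example (not code from the slides, and not an XACML engine) that models the flow in plain Python: the PEP builds the request (step 1), the PIP adds subject attributes from a directory (step 2), the PDP evaluates the applicable rules with XACML's deny-overrides combining algorithm (step 3) after fetching them from a policy repository (step 4), and the decision flows back to the PEP, which only lets a Permit through (step 5). The directory, the policies and the resource names are constructed; rule conditions are Python lambdas standing in for XACML's XML condition syntax, and the Indeterminate decision state of real XACML is left out.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class Rule:
    rule_id: str
    effect: str                        # "Permit" or "Deny", as in XACML
    condition: Callable[[dict], bool]  # evaluated over the attribute bag (stands in for XACML Condition)


@dataclass
class Policy:
    policy_id: str
    target_resource: str  # the policy applies only to requests for this resource-id
    rules: List[Rule]


class PolicyRepository:
    """Step 4: the store from which the PDP retrieves the currently deployed policies."""

    def __init__(self, policies: List[Policy]):
        self.policies = policies

    def applicable(self, resource_id: str) -> List[Policy]:
        return [p for p in self.policies if p.target_resource == resource_id]


class PIP:
    """Step 2: enriches the request with subject attributes looked up in a directory."""

    def __init__(self, directory: Dict[str, dict]):
        self.directory = directory  # constructed user directory

    def enrich(self, request: dict) -> dict:
        attrs = dict(request)
        attrs["role"] = self.directory.get(request["subject-id"], {}).get("role", frozenset())
        return attrs


class PDP:
    """Step 3: deny-overrides combining: any matching Deny wins, else any Permit, else NotApplicable."""

    def __init__(self, repository: PolicyRepository, pip: PIP):
        self.repository = repository
        self.pip = pip

    def decide(self, request: dict) -> str:
        attrs = self.pip.enrich(request)
        effects = [rule.effect
                   for policy in self.repository.applicable(attrs["resource-id"])
                   for rule in policy.rules if rule.condition(attrs)]
        if "Deny" in effects:
            return "Deny"
        if "Permit" in effects:
            return "Permit"
        return "NotApplicable"


class PEP:
    """Steps 1 and 5: forms the request and enforces the answer; anything but Permit is blocked."""

    def __init__(self, pdp: PDP):
        self.pdp = pdp

    def handle(self, subject_id: str, resource_id: str, action: str) -> Tuple[str, bool]:
        request = {"subject-id": subject_id, "resource-id": resource_id, "action-id": action}
        decision = self.pdp.decide(request)
        return decision, decision == "Permit"


# Constructed sample data for the example.
DIRECTORY = {"alice": {"role": frozenset({"hr"})}, "bob": {"role": frozenset({"engineering"})}}
POLICIES = [
    Policy("payroll-policy", "payroll-report", [
        Rule("hr-may-read", "Permit", lambda a: "hr" in a["role"] and a["action-id"] == "read"),
        Rule("nobody-deletes", "Deny", lambda a: a["action-id"] == "delete"),
    ]),
    Policy("public-policy", "public-page", [Rule("anyone", "Permit", lambda a: True)]),
]


def build_pep() -> PEP:
    return PEP(PDP(PolicyRepository(POLICIES), PIP(DIRECTORY)))
```

The PEP's default of blocking NotApplicable as well as Deny is what makes an unknown subject or an unlisted resource fail closed; with deny-overrides, a rule such as nobody-deletes cannot be overridden by a later Permit in the same or another applicable policy.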

SAML
Uses “Assertions” to establish validity and authenticity.

Service to Service Authentication
Verify whether a service should be allowed to communicate with another
Authorization Methods:
– Tokens
  • PK certificates
  • Kerberos tickets
  • SAML assertions
– SSL certificates
Most web services follow the OASIS WS-Security standard for any of these methods

Establishing Trust Between Services
Trust relationships need to be established between remote web services in order to be useful on a large scale
Involves a Trusted Third Party (TTP)
Uses Public Key Infrastructure to pass keys through the TTP

Distributed Authorization and Access Management
Web Service Access Controls
– Role-Based
– Policy-Based
– Risk-Adaptive

Role-Based Access Control
Associates a set of access privileges with a particular user role
Allows access based on membership in a group or by id
Simplifies security management by providing a role hierarchy

Role Based Example
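The Role Based Example slide is a diagram that did not survive extraction. As a substitute, here is an added example (not the deck's own) of the three points on the previous slide in code: privileges attached to roles, roles assigned either directly to a user id or to a group the user belongs to, and a role hierarchy in which a senior role inherits every junior role's privileges. The hierarchy walk uses a visited set so a misconfigured cycle cannot loop forever. The role names, privilege strings, users and groups are constructed.

```python
from collections import defaultdict
from typing import Iterable, Set


class RBAC:
    """Role-based access control with a role hierarchy (senior roles inherit junior roles)."""

    def __init__(self):
        self.role_privs = defaultdict(set)   # role -> privileges granted directly to it
        self.juniors = defaultdict(set)      # senior role -> roles it inherits from
        self.user_roles = defaultdict(set)   # user id -> roles assigned by id
        self.group_roles = defaultdict(set)  # group -> roles assigned to the group
        self.user_groups = defaultdict(set)  # user id -> groups the user belongs to

    def add_role(self, role: str, inherits: Iterable[str] = ()) -> None:
        self.role_privs.setdefault(role, set())
        self.juniors[role].update(inherits)

    def grant(self, role: str, privilege: str) -> None:
        self.role_privs[role].add(privilege)

    def assign_user(self, user: str, role: str) -> None:
        self.user_roles[user].add(role)

    def assign_group(self, group: str, role: str) -> None:
        self.group_roles[group].add(role)

    def add_to_group(self, user: str, group: str) -> None:
        self.user_groups[user].add(group)

    def effective_roles(self, user: str) -> Set[str]:
        # Roles held by id plus roles reached through group membership ...
        start = set(self.user_roles.get(user, ()))
        for group in self.user_groups.get(user, ()):
            start |= self.group_roles.get(group, set())
        # ... expanded downward through the hierarchy; the visited set guards against cycles.
        seen, stack = set(), list(start)
        while stack:
            role = stack.pop()
            if role in seen:
                continue
            seen.add(role)
            stack.extend(self.juniors.get(role, ()))
        return seen

    def privileges(self, user: str) -> Set[str]:
        return set().union(*(self.role_privs.get(r, set()) for r in self.effective_roles(user)))

    def check(self, user: str, privilege: str) -> bool:
        return privilege in self.privileges(user)


def build_sample() -> RBAC:
    """Constructed hierarchy: admin > editor > viewer, one user by id and one via a group."""
    rbac = RBAC()
    rbac.add_role("viewer")
    rbac.add_role("editor", inherits=["viewer"])
    rbac.add_role("admin", inherits=["editor"])
    rbac.grant("viewer", "orders:read")
    rbac.grant("editor", "orders:write")
    rbac.grant("admin", "orders:delete")
    rbac.assign_user("alice", "admin")          # access by id
    rbac.assign_group("support-team", "editor")
    rbac.add_to_group("dana", "support-team")   # access by group membership
    return rbac
```

Because privileges are resolved through the hierarchy at check time, revoking a privilege from viewer removes it from every senior role at once, which is the management simplification the slide refers to; the same property means a privilege granted to a junior role silently reaches every role above it, so junior roles deserve the closest review.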

Policy Based Access Control
Enforces strict environment-level access control policies
Uses the notion of a Policy Authority
Focuses on automatically enforcing Mandatory Access Controls

Risk Adaptive Access Control
Access control decisions are based on a relative risk profile of the subject
Predefined policy rules aren’t as strictly enforced as in role-based access control
Requires real-time information on which to base the risk assessment for each authentication request

Enforcing Least Privilege Access
Users and services should never be given more than the minimum privileges needed to perform an operation
Give privileges only when needed
Relinquish privileges immediately upon completion
Divide complex functions into simple ones, with separate minimal required privilege for each function

End to End Accountability
Auditing is essential to ensure operations/transactions occurred as expected
Dynamic services make it difficult to implement auditing
No auditing standard has been defined
Web server logging is most common

SOAP
Simple Object Access Protocol
A SOAP message is fundamentally a one-way transmission between SOAP nodes, from a SOAP sender to a SOAP receiver, but SOAP messages are expected to be combined by applications to implement more complex interaction patterns ranging from request/response to multiple, back-and-forth "conversational" exchanges.
Pros
– Powerful, can perform RPC
– Widespread industry support and acceptance
Cons
– Tunnels through other protocols, circumventing security
– Application programmer responsible for protocol functionality

REST
Representational State Transfer
REST strictly refers to a collection of architectural principles. The term is also often used in a looser sense to describe any simple interface that uses XML (or YAML, JSON, plain text) over HTTP without an additional messaging layer such as SOAP.

Blocks Extensible Exchange Protocol (BEEP)
DTD- and XML-aware generic application protocol kernel for connection-oriented asynchronous interactions (web services), using the Simple Authentication and Security Layer for authentication and authorization
Pros
– Very extensible and simple
– Built-in profiles for security
– Provides a single application user identity
– Gaining popularity
– Implements standardized technologies
– Sits at the transport layer
Cons
– Limited support
– Development costs can be expensive
– Can become complicated quickly

Future areas of research
Focus on standardization
Performance of Web Services security mechanisms
Scale of Web Services security

Future Areas of Research cont.
Possible future configuration of a web services security system in which an XML Firewall and an EASI framework are both implemented together

Summary
Overview
Current Problems
Current Strategies
New Strategies
WS Standards including OASIS, SAML, XACML
References

Questions?