Governance and Security
Solution Patterns
Gillian Dass and Dakshitha Ratnayake
About WSO2
• Providing the only complete open source componentized cloud platform
• Dedicated to removing all the stumbling blocks to enterprise agility
• Enabling you to focus on business logic and business value
• Recognized by leading analyst firms as visionaries and leaders
• Gartner cites WSO2 as visionaries in all 3 categories of application infrastructure
• Forrester places WSO2 in top 2 for API Management
• Global corporation with offices in USA, UK & Sri Lanka
• 200+ employees and growing
• Business model of selling comprehensive support & maintenance for our products
• 150+ globally positioned support customers
• Introduction to Patterns
• Why Service Oriented Architecture?
• What is Governance?
• Governance Business Problems and Patterns
• Need for Security in SOA
• Security Requirements and Solution Patterns
Agenda
• Expose legacy system components as services
• Loose Coupling
• Interoperability
• Flexibility
• Business Process Composition
Why SOA?
A generic solution for a common recurring problem
• Used it before
• Proven to work (error proof)
• Catalog to pick one
Image Source: http://www.forbes.com/fdc/welcome_mjx.shtml
A Pattern
Managing the three Ps of Governance
• People roles & responsibilities
• Process design, execution and monitoring
• Policy definition and enforcements
Image Source: http://www.governanceinnovation.org/?pageID=whatis
What is Governance?
An organization has metadata related to different data types. It
needs to capture relationships between them, such as associations and
dependencies.
Business Scenario
• Model custom data types in a data repository
• Artifact governance
Pattern
Implementation
An artifact is deployed across different environments: Dev, QA, Prod.
This artifact references some external resources, and the resource
references need to change for each environment.
Business Scenario
Implementation
- Manage service quality
- Manage business transactions
- Monitor and analyze transaction data
- Create dashboard and reports
Why Runtime Governance
An online travel reservation application allows users to
create/edit and cancel bookings.
- If a single user makes more than 5 cancellations within 24 hours,
send a notification to administrators
- Create dashboards and reports for MI purposes
Business Scenario
- Real time event monitoring and notifications
- Data analysis and presentation
Solution Pattern
Implementation
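The cancellation rule above, as an added example that is not part of the original slides: a per-user sliding window over a constructed event stream, raising an alert when a user's cancellations in the last 24 hours exceed 5 (WSO2's actual implementation uses CEP queries; this is a stand-alone illustration).

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)
THRESHOLD = 5  # more than 5 cancellations inside the window triggers a notification


class CancellationMonitor:
    """Sliding-window counter of cancellations per user.

    Events are fed in timestamp order; for each cancellation we drop that
    user's events older than 24 hours and check what remains.
    """

    def __init__(self, window=WINDOW, threshold=THRESHOLD):
        self.window = window
        self.threshold = threshold
        self.history = defaultdict(deque)  # user -> deque of cancellation times
        self.alerts = []                    # (user, time, count) to notify admins about

    def process(self, event):
        """event: dict with 'user', 'type' and ISO-8601 'time'; returns an alert or None."""
        if event["type"] != "cancel":
            return None
        now = datetime.fromisoformat(event["time"])
        window = self.history[event["user"]]
        window.append(now)
        while window and now - window[0] > self.window:
            window.popleft()  # evict cancellations that fell out of the 24 h window
        if len(window) > self.threshold:
            alert = (event["user"], event["time"], len(window))
            self.alerts.append(alert)
            return alert
        return None


# Constructed sample events (hypothetical data, not from any real system).
_BASE = datetime(2024, 3, 1, 0, 0)
SAMPLE_EVENTS = [{"user": "alice", "type": "create", "time": "2024-03-01T08:00:00"}]
# alice: 6 cancellations within 6 hours -> alert on the 6th
SAMPLE_EVENTS += [{"user": "alice", "type": "cancel",
                   "time": (_BASE + timedelta(hours=9 + i)).isoformat()} for i in range(6)]
# bob: 6 cancellations spaced 10 hours apart -> never more than 3 in any 24 h window
SAMPLE_EVENTS += [{"user": "bob", "type": "cancel",
                   "time": (_BASE + timedelta(hours=10 * i)).isoformat()} for i in range(6)]


def run(events=SAMPLE_EVENTS):
    monitor = CancellationMonitor()
    for event in events:
        monitor.process(event)
    return monitor.alerts
```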
Security Patterns
Image Source - http://www.coresecuritypatterns.com/blogs/?tag=ws-security
• Business assets exposed to the outside as services to
be discovered
• Should facilitate interoperability and flexibility
Why Security in SOA?
After identifying the need for security in SOA, determine
the security requirements.
Security Requirements can fall under many categories.
A few examples:
• Identification and Authentication
• Authorization
Security Requirements
Image Source - http://www.mikeeckman.com/2013/02/how-much-do-you-think-about-privacy-on-the-internet/
Identification and Authentication
• Services need to identify and verify the claimed identity of internal users of the organization.
• Services need to identify and verify the claimed identity of external users from external organizations.
• Facilitate communication between clients and services that use different authentication mechanisms.
• Prevent user credentials from being passed to backend services and prevent users from bypassing security processing.
Identification and Authentication Requirements
Requirement - Identify and verify the claimed identity of internal users of the organization.
Authentication Pattern:
Direct Authentication
• Authenticating users with credentials stored internally.
• Credentials can be:
§ Username/password
§ Username token
§ X.509 certificates
Identification and Authentication Requirements
Implementation: Direct Authentication Pattern
Configuring a Secured Proxy in ESB
Requirement - Identify and verify the claimed identity of external users from external organizations.
Authentication Pattern:
Brokered Authentication
• Authenticating users outside the organization boundary.
• Trusting a token issued by a trusted party in partner organization.
• Brokered authentication based on WS-Trust with SAML.
Identification and Authentication Requirements
Implementation: Brokered Authentication Pattern
Requirement - Facilitate communication between clients and services that use different authentication mechanisms.
Resource Access Pattern:
Protocol Transition
• ESB authenticates clients with the authentication mechanism that they understand – e.g. Username Token
• Transform credentials to the form that service understands e.g. Basic Auth
Identification and Authentication Requirements
Implementation: Protocol Transition Pattern
Requirement - Prevent user credentials from being passed to the backend service and prevent users from bypassing security processing.
Resource Access Pattern:
Trusted Subsystem
• User authenticates to ESB with his/her credentials.
• Backend service trusts ESB.
• ESB accesses backend service on behalf of authenticated user.
Identification and Authentication Requirements
Image Source - http://www.toolsjournal.com/integrations-articles/item/274-direct-and-brokered-authentication
User Credentials Submitted to Service + Bypassing Security Processing
Implementation: Trusted Subsystem Pattern
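The Trusted Subsystem pattern from the slides as an added, stand-alone example (not WSO2 ESB code): the ESB authenticates the user against its own store, then calls the backend with only the user's identity, signed under the ESB's credential; the backend refuses anything not vouched for by the ESB, so credentials never reach it and the ESB cannot be bypassed. The header names, key and user store are constructed for the demo.

```python
import hashlib
import hmac
import json

# Constructed demo secrets (hypothetical values, not from any deployment).
SALT = b"demo-salt"
USER_STORE = {  # username -> PBKDF2 hash of the password; held by the ESB only
    "alice": hashlib.pbkdf2_hmac("sha256", b"s3cret-alice", SALT, 10_000),
}
ESB_KEY = b"esb-to-backend-shared-key"  # the ESB's own credential, known only to the backend


class Backend:
    """Backend service: trusts the ESB's signed identity assertion and
    never sees or checks user credentials itself."""

    def __init__(self, key):
        self.key = key

    def handle(self, headers):
        assertion = headers.get("X-ESB-Assertion")
        if assertion is None:
            # A caller that skipped the ESB (e.g. sent user credentials directly) is refused.
            return 401, "direct access not permitted"
        expected = hmac.new(self.key, assertion.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(headers.get("X-ESB-Signature", ""), expected):
            return 401, "invalid ESB signature"
        return 200, "hello " + json.loads(assertion)["user"]


class ESB:
    """Authenticates the user itself, then accesses the backend on the user's behalf."""

    def __init__(self, backend):
        self.backend = backend

    def handle(self, username, password):
        stored = USER_STORE.get(username)
        supplied = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 10_000)
        if stored is None or not hmac.compare_digest(stored, supplied):
            return 401, "authentication failed"
        assertion = json.dumps({"user": username})  # identity only, no password
        signature = hmac.new(ESB_KEY, assertion.encode(), hashlib.sha256).hexdigest()
        return self.backend.handle({"X-ESB-Assertion": assertion, "X-ESB-Signature": signature})
```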
Image Source - http://onlinebusiness.volusion.com/articles/volusion-authorizenet-partnership/
Authorization
• Control access based on privileges of the users
• Control access based on user's claims, in a fine grained manner
• Delegated access
Authorization Requirements
Requirement - Control access based on privileges of the users.
e.g. Users in role ‘Teacher’ can update students’ reports while users in
role ‘Temporary Teacher’ can only view reports.
Authorization pattern:
Role Based Access Control
Assign users to roles.
Grant privileges to roles.
This is a coarse grained authorization model.
Authorization
Configuring Role Based Access Control Pattern
Requirement - Control access based on user’s claims, in a fine grained manner.
e.g. Reports of Art students could only be accessed by Teachers with job title “Art Teacher”.
Authorization pattern:
Claim Based Authorization
• Provides fine grained authorization
• Policy based access control with XACML – provides flexibility
Authorization
Implementation: Claim Based Authorization Pattern
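An added example covering both the Role Based Access Control and the Claim Based Authorization slides (illustrative code, not WSO2's XACML engine): a small policy decision point with the slides' Teacher / Temporary Teacher roles and the "Art Teacher" job-title claim, showing a request the coarse role model permits but the claim rule denies. Users, roles, claims and reports are constructed sample data.

```python
ROLE_PERMISSIONS = {
    "Teacher": {"view", "update"},
    "Temporary Teacher": {"view"},
}
# Constructed subjects: roles (for RBAC) plus claims (for claim-based rules).
USERS = {
    "ann":  {"roles": {"Teacher"},           "claims": {"jobTitle": "Art Teacher"}},
    "bob":  {"roles": {"Teacher"},           "claims": {"jobTitle": "Math Teacher"}},
    "cara": {"roles": {"Temporary Teacher"}, "claims": {"jobTitle": "Art Teacher"}},
}
# Constructed resources: student reports tagged with the student's subject.
REPORTS = {
    "r1": {"student": "s1", "subject": "Art"},
    "r2": {"student": "s2", "subject": "Math"},
}


def rbac_permit(subject, action):
    """Role Based Access Control: user -> roles -> privileges. The resource is
    never consulted, which is why this model is coarse grained."""
    return any(action in ROLE_PERMISSIONS.get(role, set()) for role in subject["roles"])


# Claim-based rules, evaluated like XACML rules: each returns "Permit",
# "Deny" or None (not applicable) for a (subject, action, resource) request.
def art_reports_rule(subject, action, resource):
    # Reports of Art students may only be accessed by teachers titled "Art Teacher".
    if resource["subject"] == "Art" and subject["claims"].get("jobTitle") != "Art Teacher":
        return "Deny"
    return None


def role_privilege_rule(subject, action, resource):
    return "Permit" if rbac_permit(subject, action) else None


POLICY = [art_reports_rule, role_privilege_rule]


def decide(user, action, report_id):
    """Deny-overrides combining: any Deny wins, otherwise a Permit, and a
    request no rule covers is denied by default."""
    subject, resource = USERS[user], REPORTS[report_id]
    results = {rule(subject, action, resource) for rule in POLICY}
    if "Deny" in results:
        return "Deny"
    return "Permit" if "Permit" in results else "Deny"
```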
Requirement - Delegated access.
e.g. An application in a teacher’s mobile device needs to retrieve
the time table for the day from his account in the school’s
information system.
Authorization pattern:
Constrained Delegation
• Using OAuth
Authorization
Implementation: Constrained Delegation Pattern
Questions?
Engage with WSO2
• Helping you get the most out of your deployments
• From project evaluation and inception to development and going into production, WSO2 is your partner in ensuring 100% project success