Governance and Security

Solution Patterns

Gillian Dass and Dakshitha Ratnayake

About WSO2

•  Providing the only complete open source componentized cloud platform •  Dedicated to removing all the stumbling blocks to enterprise agility •  Enabling you to focus on business logic and business value

•  Recognized by leading analyst firms as visionaries and leaders

•  Gartner cites WSO2 as visionaries in all 3 categories of application infrastructure •  Forrester places WSO2 in top 2 for API Management

•  Global corporation with offices in USA, UK & Sri Lanka

•  200+ employees and growing •  Business model of selling comprehensive support & maintenance for our products

150+ globally positioned support customers

•  Introduction to Patterns

•  Why Service Oriented Architecture?

•  What is Governance?

•  Governance Business Problems and Patterns

•  Need for Security in SOA

•  Security Requirements and Solution Patterns

Agenda

•  Expose legacy system components as services

•  Loose Coupling

•  Interoperability

•  Flexibility

•  Business Process Composition

Why SOA?

A generic solution for a common recurring problem

•  Used it before

•  Error proof

•  Catalog to pick one

Image Source: http://www.forbes.com/fdc/welcome_mjx.shtml

A Pattern

Managing the three Ps of Governance

•  People roles & responsibilities

•  Process design, execution and monitoring

•  Policy definition and enforcements

Image Source: http://www.governanceinnovation.org/?pageID=whatis

What is Governance?

An organization has metadata related to different data types. They

need to capture relationships such as associations and

dependencies.

Business Scenario

•  Model custom data types in a data repository

•  Artifact governance

Pattern

Implementation

Implementation

An artifact is deployed across different environments: Dev, QA, Prod.

This artifact references some external resources, where the resource

need to change for each environment.

Business Scenario

/_...

Implementation

- Manage service quality

- Manage business transactions

- Monitor and analyze transaction data

- Create dashboard and reports

Why Runtime Governance

An online travel reservation application allows users to

create/edit and cancel bookings.

- If >5 cancellations within 24 hours from a single user send

a notification to administrators

- Create dashboards and reports for MI purposes

Business Scenario

- Real time events monitoring and notifications - Data analysis and presentation

Solution Pattern

Implementation

Patterns Security Patterns

Image Source - http://www.coresecuritypatterns.com/blogs/?tag=ws-security

•  Business assets exposed to the outside as services to

be discovered

•  Should facilitate interoperability and flexibility

Why Security in SOA?

After identifying the need for security in SOA, determine

the security requirements.

Security Requirements can fall under many categories.

A few examples:

•  Identification and Authentication

•  Authorization

Security Requirements

Image Source - http://www.mikeeckman.com/2013/02/how-much-do-you-think-about-privacy-on-the-internet/

Identification and Authentication

•  Services need to identify and verify the claimed identity of internal users of the organization.

•  Services need to identify and verify the claimed identity of external users from external organizations.

•  Facilitate communication between clients and services which talk in different authentication mechanisms.

•  Avoid user credentials to be passed to backend services and avoid user bypassing security processing.

Identification and Authentication Requirements

Requirement - Identify and verify the claimed identity of internal users of the organization.

Authentication Pattern:

Direct Authentication •  Authenticating users with credentials stored internally. •  Credentials can be :

§  Username/password §  Username token §  X.509 certificates

Identification and Authentication Requirements

Implementation: Direct Authentication Pattern

Configuring a Secured Proxy in ESB

Configuring a Secured Proxy in ESB

Requirement - Identify and verify the claimed identity of

external users – from external organizations.

Authentication Pattern:

Brokered Authentication

•  Authenticating users outside the organization boundary.

•  Trusting a token issued by a trusted party in partner organization.

•  Brokered authentication based on WS-Trust with SAML.

Identification and Authentication Requirements

Implementation: Brokered Authentication Pattern

Requirement - Facilitate communication between clients and services which talk in different authentication mechanisms.

Resource Access Pattern:

Protocol Transition

•  ESB authenticates clients with the authentication mechanism that they understand – e.g. Username Token

•  Transform credentials to the form that service understands e.g. Basic Auth

Identification and Authentication Requirements

Implementation: Protocol Transition Pattern

Requirement - Avoid user credentials to be passed to backend service and avoid user bypassing security processing.

Resource Access Pattern:

Trusted Sub System

•  User authenticates to ESB with his/her credentials.

•  Backend service trusts ESB.

•  ESB accesses backend service on behalf of authenticated user.

Identification and Authentication Requirements

Image Source - http://www.toolsjournal.com/integrations-articles/item/274-direct-and-brokered-authentication

User Credentials Submitted to Service + Bypassing Security Processing

Implementation: Trusted Sub System Pattern

Image Source - http://onlinebusiness.volusion.com/articles/volusion-authorizenet-partnership/

Authorization

•  Control access based on privileges of the users

•  Control access based on user’s claims, in a fine grained

manner

•  Delegated access

Authorization Requirements

Requirement - Control access based on privileges of the users.

e.g. Users in role ‘Teacher’ can update students’ reports while users in

role ‘Temporary Teacher’ can only view reports.

Authorization pattern:

Role Based Access Control

Assign users to roles.

Grant privileges to roles.

This is a coarse grained authorization model.

Authorization

Configuring Role Based Access Control Pattern

Requirement - Control access based on user’s claims, in a fine grained manner.

e.g. Reports of Art students could only be accessed by Teachers with job title “Art Teacher”.

Authorization pattern:

Claim Based Authorization

•  Provides fine grained authorization

•  Policy based access control with XACML – provides flexibility

Authorization

Implementation: Claim Based Authorization Pattern

Requirement - Delegated access.

e.g. An application in a teacher’s mobile device needs to retrieve

the time table for the day from his account in the school’s

information system.

Authorization pattern:

Constrained Delegation

•  Using OAuth

Authorization

Implementation: Constrained Delegation Pattern

Questions?

Engage with WSO2

•  Helping you get the most out of your deployments •  From project evaluation and inception to development

and going into production, WSO2 is your partner in ensuring 100% project success