Post on 07-Jan-2016
May 2006
Security and Identity Issues in Cross-Agency SOA
Philip Walston, Senior Product Manager
pwalston@layer7tech.com
Agenda and Theme
• Security and identity in SOA
• The challenges of security and identity
• What is federation about?
• Why federation of Web services is hard
• Breaking the problem down
• Tactical, standards-based solutions
Theme: A pragmatic approach to cross-agency SOA
Security and federation for SOA is a complex problem, and the standards are still evolving. However, if we take a realistic look at what most services are actually being used for, we can build standards-compliant solutions today.
Security in Cross-Domain Computing
[Diagram: a requestor (client) on the Internet or intranet reaches a resource (server) and a directory server of identities (Alex, Sue, Francis) inside a firewalled secure zone.]
Security technologies:
• WS-Security
• WS-SC
• WS-Trust
• XKMS
• XML Encryption
• XML Signing
• X.509
• SSL/TLS
• etc…
Security mechanisms:
• Encryption
• Signing
• Transport Layer
• Certificates/PKI
• Biometrics
• Fobs
• etc…
The Security Challenge of Cross-Agency SOA
[Diagram: Program X's requestor (client) on the Internet or intranet calls a resource (server) in the firewalled secure zone, backed by a directory server of identities (Alex, Sue); a mutual security policy is applied at policy application point(s) on both sides and enforced at a policy enforcement point.]
Issues:
• Coordinating common security policy
• Granular (operation-level) security
• Applying (coding) and testing security
• Dealing with changes
Tactical Strategy
[Diagram: as before, but an XML gateway acting as the policy enforcement point sits in front of the resource (server) in the secure zone, while Program X's requestor (client) applies the mutual security policy at its policy application point(s).]
Security mechanisms:
• Security PEP intermediary (server proxy)
• Spec-compliant toolkits
• Plethora of WS-* and other specs
• WS-Policy (soon)
Identity in Cross-Domain Computing
[Diagram: a requestor (client) on the Internet or intranet reaches a resource (server) and a directory server of identities (Alex, Sue, Francis) inside the firewalled secure zone.]
Authentication and authorization technologies:
• IBM Tivoli Access Mgr.
• Netegrity SiteMinder
• RSA ClearTrust
• etc…
Identity validation mechanisms:
• Username/password
• Digest
• Certificates/PKI
• Biometrics
• Fobs
• etc…
Directory server:
• LDAP
• Active Directory
• RADIUS
• RACF
• ACLs
What’s Single Sign On (SSO) Really About?
[Diagram: Sue's requestor (client), an ID server and a resource (server) connected over the Internet or intranet.]
1. Provide credentials to the ID server, which generates a token (e.g. Token Id=12345…)
2.-n. Provide the token to the resource (server), which validates it
Why Does SSO Work for Browsers?
1. HTTP Redirects
[Diagram: a Web browser-based client, a Web server and a security token service, over time: 1. Post to the Web server; 2. Redirect to the security token service; 3. Post credentials; 4. Receive token; 5. Post + token to the Web server.]
This is a greatly simplified version of the actual request/response flow.
Why Does SSO Work for Browsers?
2. A Client-side Persistence Model
[Diagram: the browser keeps the token obtained from the security token service.]
Persist token:
• In pages
• As URL artifact
• As cookie
Why Does SSO Work for Browsers?
3. SSL Protection of Tokens
[Diagram: a malicious third party is blocked (X) from the SSL-protected token exchange.]
The Identity Challenge of Cross-Agency SOA
[Diagram: Agency Green's client for Program X (users Frank and Sue, with Green's directory server) calls Blue's server behind a firewall, backed by Blue's directory server (Alex, Scott, Francis).]
Islands of Identity
Need to share not only authentication and authorization information, but also identity attribute information
Big privacy and confidentiality issues…
What Hasn’t Worked in the Past
[Diagram: Agency Green (Frank, Sue, Green's directory server, Program X) and Agency Blue (Blue's directory server) behind a firewall, linked by remote directory access or directory synchronization.]
Issues:
• Online access through firewall mazes
• Latency in replication
• People leave, are fired, etc.
What We Really Need is Effective Separation of Concerns
[Diagram: Agency Green (Frank, Sue, Green's directory server, Program X) and Agency Blue (Blue's directory server), with authentication, authorization and trust shown as separate concerns between them.]
Core requirements:
• Build dynamic trust relationships
• Transport the security context so that authentication and authorization can be distributed
• Enforce privacy issues
• Time out sessions/global logout
The Mechanism
[Diagram: Agency Green's users (Frank, Sue) and Program X, Green's identity server, Blue's directory server, and a trust relationship between Green and Blue.]
1. Acquire token with statement of authentication (and possibly authorization, attributes) in this security domain
2. Validate token here according to trust model
3. Mutually secure the transaction between parties
Validation / Authorization Blurs the Concept of Identity
Ephemeral identity:
• Time of day
• Origin IP
• Attributes
• Remote authorization statements
• Different trust paths
• etc…
+ Conventional identity (e.g. DN=CN=Phil Walston)
Issue – Identity Mapping
• Fan in
  • E.g. to service account
• Map to local existing account
  • E.g. phil.walston -> pwalston
• Map to role
  • E.g. TrustedAdministrator
• Etc…
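As an added example (not part of the deck), the three-step mechanism and the identity-mapping options above in Python: Green's token issuer, Blue's validator applying its trust model and session timeout, and the mapping of the validated remote identity onto a local principal. The token format, the HMAC shared secret standing in for certificate/SAML tokens, and the issuer and account names are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed trust model: Blue's validator knows one trusted issuer (Green's STS)
# and the shared secret it signs with. An HMAC secret stands in for the
# certificate/SAML machinery of the deck; the token format is invented here.
TRUSTED_ISSUERS = {"agency-green-sts": b"constructed-green-shared-secret"}
LOCAL_ACCOUNTS = {"phil.walston": "pwalston"}  # constructed Blue-side account table


def _sign(key, body):
    return base64.urlsafe_b64encode(hmac.new(key, body, hashlib.sha256).digest())


def issue_token(issuer, key, subject, attributes, now, ttl=300):
    """Step 1 (Green): issue a token stating authentication plus attributes."""
    claims = {"iss": issuer, "sub": subject, "attrs": attributes,
              "iat": now, "exp": now + ttl}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
    return (body + b"." + _sign(key, body)).decode()


def validate_token(token, now):
    """Step 2 (Blue): accept the token only if the issuer is trusted, the
    signature verifies under that issuer's key, and the session has not timed out."""
    body, sig = token.encode().split(b".", 1)
    claims = json.loads(base64.urlsafe_b64decode(body))
    key = TRUSTED_ISSUERS.get(claims.get("iss"))
    if key is None:
        raise ValueError("untrusted issuer")
    if not hmac.compare_digest(sig, _sign(key, body)):
        raise ValueError("bad signature")
    if now >= claims["exp"]:
        raise ValueError("token expired")  # the deck's session-timeout requirement
    return claims


def map_identity(claims, strategy):
    """Map the validated remote identity onto a local principal using one of the
    three options from the identity-mapping slide."""
    if strategy == "fan-in":          # every Green caller becomes one service account
        return "svc_program_x"
    if strategy == "local-account":   # e.g. phil.walston -> pwalston
        return LOCAL_ACCOUNTS[claims["sub"]]
    if strategy == "role":            # e.g. TrustedAdministrator, from remote attributes
        roles = claims["attrs"].get("roles", [])
        return "TrustedAdministrator" if "admin" in roles else "Guest"
    raise ValueError("unknown mapping strategy")
```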
Why is Federation/SSO of Web Services So Hard?
[Diagram: in the Web browser domain, a browser client talks to a Web server and to the identity provider / security token service over SSL, carrying a user identity; in the Web services domain, a Web services client talks to a Web services server and to the token service using WSS, sending a SOAP message with a bound security token, and carries an application identity with a certificate and key pair.]
Web browser domain:
• Token protected from hijack, replay, etc. by SSL
• SSL
• HTTP redirects
• Simple signing
• Cookies
• URL query parameters
Web services domain:
• Token protected from hijack, replay, etc. by XML Signatures
• WSS
• Embedded, signed security tokens
• Considerable orchestration at client
• Manual token caching
Tactical Strategy
[Diagram: Agency Green (Frank, Sue, Green's directory server, Program X) and Agency Blue (Blue's directory server) joined by a trust relationship; a federation ID provider & security token service, a token orchestration & caching layer in the client, and a federation policy enforcement point applying message-level security.]
The dominant pattern is RPC-ish client/server.
Ask yourself: what do you really need?
Authentication responsibility / authorization responsibility:
1. Security token issuer for Green
2. Token validator for Blue
3. Orchestration code in client application
The Standards and Specifications Landscape
Security
• Existing / emerging W3C and OASIS: SSL/TLS, XML Crypto/Sig, WSS, WS-SecureConversation, WS-SecurityPolicy ….
Identity
• WS-Federation (focus on technology): IBM, Microsoft, BEA, RSA, VeriSign; SAML, SSL/TLS, WSS, WS-Trust, WS-Policy, WS-MetadataExchange
• Liberty Alliance (focus on business problem): consortium of over 150 companies; SAML, SSL/TLS, WSS
• Government E-Authentication
Conclusions
• Federation is simply SSO between different security domains
• The new issue for secure cross-agency (federated) SOA is resolving security and trust models for remote entities
• Security and federation for Web services have roots in the distributed computing model, but are much more complicated:
  • Variable security model
  • No automatic orchestration of client (redirects)
  • No formal client-side persistence model
• This all leads to much more independent clients and servers, different security mechanisms, and much more complex logistics
• Implementing secure federated Web services is extremely complex, and current support in application servers is very limited
• Third-party infrastructure, however, does exist to provide drop-in security and federation for Web services
For further information:
Philip Walston
Layer 7 Technologies
1501 – 700 West Georgia St.
Vancouver, BC
Canada
(800) 681-9377
pwalston@layer7tech.com
http://www.layer7tech.com