1. Colorado Software Summit: October 23 28, 2005 Copyright 2005, IBM CorporationSOA Security ProgrammingModelAnthony NadalinDistinguished EngineerIBM Corporation Presented by Mike Perks Anthony Nadalin SOA Security Programming ModelPage 1

2. Colorado Software Summit: October 23 28, 2005 Copyright 2005, IBM Corporation Agenda Securing an on demand business Business requirements on demand security infrastructure Service Oriented Architecture andSecurity Federation and trust management Business driven application security Anthony Nadalin SOA Security Programming Model Page 2 3. Security is a BusinessColorado Software Summit: October 23 28, 2005 Copyright 2005, IBM Corporation Requirement that Affects Business Strategy Impacts Business Processes andOperations Helps Secure Business Applications Needed to Secure theInfrastructureAnthony Nadalin SOA Security Programming Model Page 3 4. Colorado Software Summit: October 23 28, 2005 Copyright 2005, IBM CorporationCustomer Pain PointsProtecting privacy and security of customer andemployee information Securing exchange of business criticalinformation Manage identity within and acrossenterprise(s)Ensure integrity of the environment (delegated,federated) Manage security policies to mitigate risks Anthony Nadalin SOA Security Programming Model Page 4 5. Understanding the pain pointsColorado Software Summit: October 23 28, 2005 Copyright 2005, IBM Corporation lead to .. Anthony Nadalin SOA Security Programming ModelPage 5 6. Colorado Software Summit: October 23 28, 2005 Copyright 2005, IBM Corporation on demand security infrastructureTooling for model driven security infrastructure Business Controls, Risk and Security Compliance Management Business Controls, Risk and Security GovernanceIdentity and Data protection Secure BusinessSecure Security Access and disclosureProcess and Transactions Monitoring Management control collaboration and audit Secure Systems and Networks on demand security management disciplineson demand security fabric Anthony Nadalin SOA Security Programming ModelPage 6 7. that help secure an on demandColorado Software Summit: October 23 28, 2005 Copyright 2005, IBM Corporation environment .. Anthony Nadalin SOA Security Programming ModelPage 7 8. Colorado Software Summit: October 23 28, 2005 Copyright 2005, IBM Corporation So as to achieve Enterprise Integration and Virtualization Security Services Security components Pluggability and customizability Consistent and coherent model Based on Service Oriented Architecture Componentization Standards based interoperability and integration Loose coupling and virtualization Adapters to legacy applications Using Security policies from executives to IT staff End to end tools from modeling to infrastructure management Governance model and delegation of authority Anthony Nadalin SOA Security Programming Model Page 8 9. .. Using Security Fabric that isColorado Software Summit: October 23 28, 2005 Copyright 2005, IBM CorporationStandards Based and Pluggable On Demand Applications Business Application ServicesUtility Business Services Enterprise Service Bus Runtime Security APIsAdministrative Security APIs Vendor API extensions(login, authorization, etc)(create user, change policy,..)(J2EE, Unix, )Operating Environment Security Runtime- Credential propagation, authentication, context establishment, authorization checks,audit, privacy,AuthenticationAuthorization SPICred Mapping SPIIdentity Policy, Audit, SPIManagement IntrusionUser RegistryDetection, PrivacyAuthz provider Mapping provider Management Kerberos, RACF provider LDAP, OS registry 3rd Party 3rd Party3rd Party3 rd Party 3 rd PartyWS-TrustWS-Attribute Service WS-Authorization WS-TrustWS-Attribute ServiceWS-Policy WS-Federation Security Services InfrastructureWS-Privacy Anthony Nadalin SOA Security Programming Model Page 9 10. Colorado Software Summit: October 23 28, 2005 Copyright 2005, IBM Corporation Agenda Securing an on demand business Business requirements on demand security infrastructure Service Oriented Architecture andSecurity Federation and trust management Business driven application security Anthony Nadalin SOA Security Programming Model Page 10 11. Colorado Software Summit: October 23 28, 2005 Copyright 2005, IBM CorporationFederated Lifecycle Management Audit and compliancePartnerEnrollment BusinessDriven PartnerPartner-User Scenario TrustEnrollment Enrollment RealizationAgreementsCredentialsTechnical Provisioning/Management PoliciesDeprovisioningOperational Partner-Role- Best Attribute Role/Permission PracticesManagement Management Security & IdentityUser Life cycleAttribute changeAgreementsManagementManagement AuditIdentityAgreementsTransaction/DataRelationshipAgreementsManagementPrivacyScenario Federation/AgreementsManagement De-federationAnthony Nadalin SOA Security Programming Model Page 11 12. Colorado Software Summit: October 23 28, 2005 Copyright 2005, IBM Corporation Federations Require TrustTrustReflects business relationshipNeeds governance modelImplemented using technology Trust between Identity Provider and Service ProvidersThis can be implemented using technologyTrust can be provided by WS-Trust, WS-Security, WS-SecureConversation Trust between users and Identity ProvidersThis can be facilitated by technologyRequires business, legal and faith based solutions Trust by users of how IdP will user their informationThis can be mitigated by WS-Policy familyAlso requires business, legal and faith based solutionsAnthony Nadalin SOA Security Programming Model Page 12 13. Colorado Software Summit: October 23 28, 2005 Copyright 2005, IBM Corporation Web Services Security Model Web Services Web ServicesClient RequestorSecurityService ProviderGatewayB2BAuthenticAuthorizProvisio SSO Auditation ationningWS-Security Family (Kerberos,X.509, SAML) Users SOAP HTTPS, JMS, MQB2B 2 C End to End Security model simplifies integration between companies Each Web Services message can be individually authenticated, integrity & confidentiality protected and authorizedAnthony Nadalin SOA Security Programming Model Page 13 14. Colorado Software Summit: October 23 28, 2005 Copyright 2005, IBM CorporationWeb Services SecurityApplicationsSuppliers SOAP/HTTPServices Driven InteractionsWeb ServicesSOAP Web ServicesLegacy Non WebPartnersSecurity Services Applications Checkpoint Web Services Web Services Remote Portlets Company Remote Portal Portals How do we identify and authenticate the service requester ?How to we identify and authenticate the source of the message ?Is the client authorized to send this message?Can we ensure message integrity & confidentiality ?How can I audit the access to Web Services? Multiple layers of enforcement perimeter, gateway, app server, application Anthony Nadalin SOA Security Programming Model Page 14 15. Colorado Software Summit: October 23 28, 2005 Copyright 2005, IBM Corporation End to End Message Security (trust relationship) (trust relationship)(trust relationship) Anthony Nadalin SOA Security Programming Model Page 15 16. Colorado Software Summit: October 23 28, 2005 Copyright 2005, IBM Corporation Managing TrustAudit Anthony Nadalin SOA Security Programming ModelPage 16 17. Colorado Software Summit: October 23 28, 2005 Copyright 2005, IBM Corporation Managing Integrity Manage trustUse Infrastructure components May be shared Need to be trusted components (they are the enforcement points) Interaction (with partners, etc) and role played by infrastructure is managed Delegated authority to LOBsApplication specific policies Shared infrastructure but different policies (specific to LOB, application, etc) Gives flexibility and controlCompliance Audit and monitoring Accountability and integrityAnthony Nadalin SOA Security Programming ModelPage 17 18. Colorado Software Summit: October 23 28, 2005 Copyright 2005, IBM CorporationWeb Services Security Roadmap Federation LayerWS-SecureConversation WS-FederationWS-Authorization Spec: 18 Dec 2002 Spec: 8 July 2003 Spec: 28 May 2003WS-Policy Policy Layer WS-PolicyFramework WS-TrustWS-PrivacyWS-PolicyAttachments WS-PolicyAssertions Spec: 18 Dec 2002Spec: 5 Apr 2002 WS-Security OASIS StandardToday Spec: 8 May 2000Time SOAP Foundation TBASpecifications AnnouncedImplementations Available TodayAnthony Nadalin SOA Security Programming Model Page 18 19. Colorado Software Summit: October 23 28, 2005 Copyright 2005, IBM CorporationApplication lifecycle and security policies Corporate policies and line of business/domain specific policiesRelevance to business process and business applicationsPlatform specific modelsImpact on IT infrastructure Compliance and monitoringAnthony Nadalin SOA Security Programming Model Page 19 20. Colorado Software Summit: October 23 28, 2005 Copyright 2005, IBM Corporation Business driven application security Define businessand corporate Security policy officer security Security auditorpolicies Business analyst Model security requirementsand application security Manage security of theModelbusiness application; Business Monitor behavior andchangepolicies as necessary Security architectsApplication architects Develop IterativelyIT administratorFocus on Architecture Analyze &Security administratorManage & DesignOperator Monitor Continuously Ensure Quality Manage Change & AssetsApplication programmerSecurity developerApplication administratorImplementSecurity administrator DeployDeclare application security policies; Configure infrastructure for Build and test application security; secure applications Subscribe and customizesecurity policies Anthony Nadalin SOA Security Programming ModelPage 20 21. Colorado Software Summit: October 23 28, 2005 Copyright 2005, IBM Corporation Business application policies Analyzing relevance to business processes and applicationsTranslating intent/goals into enforceable policiesBusiness vocabulary vs. implementation Anthony Nadalin SOA Security Programming ModelPage 21 22. Application modeling andColorado Software Summit: October 23 28, 2005 Copyright 2005, IBM Corporation security policies Anthony Nadalin SOA Security Programming ModelPage 22 23. Colorado Software Summit: October 23 28, 2005 Copyright 2005, IBM Corporation Programming model: Infrastructure vs. application managed Infrastructure managed (gateways, application container) Let application concentrate on business logic Let the infrastructure enforce the intended policies Policies aligned with business goals and deployment patterns Policies may come fromapplication artifacts (e.g., deployment descriptors),system configuration (e.g., based on topology), andpublished policies (based on target interactions e.g. ws-policy)Application managed Architected and standardized call-outs Abstract out as a security provider (e.g., JAAS, JACC)Anthony Nadalin SOA Security Programming ModelPage 23 24. Colorado Software Summit: October 23 28, 2005 Copyright 2005, IBM Corporation Deployment and managementService SubscribeSolution InstallRequestor(consumer)ProviderApplication policy Corporate, IT policies, etc(e.g., in deployment descriptors)(e.g., use corporate LDAP)Consumer Subscription time changes administrator (e.g., High level security, Fabrikam as certificate authority)Application Server runtimeTransform, persist and distribute policies to security provider(e.g., Security XACML policies and coordinates withERP Runtime Publication of Policies Tivoli AccessManager )Travel app(e.g., WS -Policy) Initial policies are pushed or stored; updates are pushed or pulled:(e.g., 128 bit SSL required,X.509 certs from Verisign )XACML policy docs Security Policy Managere.g. Tivoli AccessManager Administer policiesManage/Administer & RuntimeAnthony Nadalin SOA Security Programming Model Page 24 25. Identity Management & Service Colorado Software Summit: October 23 28, 2005 Copyright 2005, IBM CorporationOriented ArchitectureNew CapabilityIdentity Existing Capability Service SOA Security Enterprise Identity mgmt (Web Services Security Management)Services ViewFederated Identity Management (Federated User LifecycleWeb Single Sign-On Management)Access ManagementServices TransformationIdentity ManagementService Oriented Architecture (SOA)Services Identity Management Market Identity Identity transformation from a product-centric view to a service-centric view move to adoption of service-oriented architectures with federation characteristics for simplifying identity management and strengthening corporate complianceAnthony Nadalin SOA Security Programming ModelPage 25 26. Colorado Software Summit: October 23 28, 2005 Copyright 2005, IBM Corporation Identity Integration Problem How to share informationPartners using with trusted providers?WS-Federation Identity SAP Platform Identity IdentityPartners using IdentityLibertyMulti Protocol Federation Gateway WebSphere PlatformIdentityPartners usingIdentitySAML in theirPortal or Web IdentityMS .NET PlatformIdentity Management as a businessPartners using WS-Securityprocess for cross-enterprisecollaboration Anthony Nadalin SOA Security Programming Model Page 26 27. Colorado Software Summit: October 23 28, 2005 Copyright 2005, IBM CorporationIdentity & Web Services - LandscapeIndustry leveraging Federation to simplify Service Delivery and providesuperior end user experience New Service Enablers are driving need for identity sharing based on WebservicesPresence, Location, Group Management etc HTTP Centric Services still a dominant delivery modeli.e. Services are Built and Delivered using normal HTTP to browser-based clientsE.g. Location-based Services, Third-Party ContentEnables Mobile Operator to assume the role of Trusted Identity Provider/Authority in mediatingvalue-add data services with third-partiesHTTP Identity Services Standards in Mobile Industry Current Deployments happening with Liberty ID FF 1.1/1.2 Role of SAML 1.0/1.1 very minimal in mobile industry (due to Liberty uptake) SAML 2.0 will converge Liberty ID FF 1.1/1.2 and SAML 1.0/1.1 but adoption of SAML 2.0 not likely until 2006 WS-Federation becomes a critical strategy for integration with Microsoft Active Directory and Microsoft .NETServicesFederation of Web Services is a dominant theme in Service OrientedArchitecturei.e. Services are discovered using Web Services (WSDL)Dominant Web Services Security Platform is WS-SecurityWS-Security now an official OASIS standard and implementations available from leading middlewareplatforms from Microsoft .NET and IBMAnthony Nadalin SOA Security Programming Model Page 27 28. Best Practice Enterprise UserColorado Software Summit: October 23 28, 2005 Copyright 2005, IBM Corporation Provisioning Password Delegated Account Sync/Workflow AdminProvisioning Administrator/CSR Reset Self- CareIdentity ManagementPartner Users Enterprise Identity LegacyLegacyHR Feed Foundation ERP ERPPortalBi-directional PortalProvisioning Directory LDAP AuthoritativeFeedsDAML/DSML Anthony Nadalin SOA Security Programming Model Page 28 29. Colorado Software Summit: October 23 28, 2005 Copyright 2005, IBM CorporationBest Practices Access Management Third-Party Partner AccessPartners usingPartners usingMicrosoft SAML Federate d AccessThird PartyThird-party User WS- Partners using Federation/SAML/Liberty Liberty WS-Security/WS- Federation/SAML/Liberty Direct Federated IDAccess Web Access /Micro Web SSOSSO/Authentication/AuthorizationUserWebWeb SSOWeb SSOSSOPortalBenefits Service Billing ServiceServiceAnthony Nadalin SOA Security Programming ModelPage 29 30. Colorado Software Summit: October 23 28, 2005 Copyright 2005, IBM CorporationDeployment Patterns & Roles Federated Web ServicesPatternsRoles C2B / E2B HTTP Identity Provider, Service Provider C2B Web Services Web Services Client, WS Provider B2B Web Services Web Services Client, WS Provider Composite Patterns C2B + B2B Identity Provider; WS Client, Service Provider; WS Provider Consumer-2-Business (C2B) Employee-2-Business (E2B) Business-to-Business (B2B, e.g. Portal to Portal) Anthony Nadalin SOA Security Programming ModelPage 30 31. Colorado Software Summit: October 23 28, 2005 Copyright 2005, IBM Corporation C2B2B - Portal to Portal Deployment SecurityToken ServiceTokenThird PartySOAP RequestThird-party WS-Security Provider/WSP User PORTAL(Identity Provider) XML/Web XML/WebServicesServices Web ServicesGateway Gateway ProviderWeb Services ClientUsers WS-Trust WS-Trustlocal IDToken Token local IDIdentity Security Identity Security ServiceService Enterprise ServiceServiceEnterpriseDirectoryDirectory Policy Service Policy Service Anthony Nadalin SOA Security Programming Model Page 31 32. Colorado Software Summit: October 23 28, 2005 Copyright 2005, IBM Corporation Identity + Web Services -Architecture ClientsFederatedFederated BrowserIdentityIdentity Rich Client Provider Provider (Liberty)(SAML) Mobile TerminalSMBFederated Partner SpokesIdentity Provider Identity Services (Liberty)Enterprise Web Enterprise IDServices PlatformsLiberty Gateway WS-Trust/WS- Security Web ServicesSAML FederatedIdentity SecurityProvidersIdentity (RemoteProviderServices Services(SAML)Portals)WS-SecurityWS-FederationSAML Federated IdentityWeb Services Provider Providers(WS-Federation)I know this subscriber from my(Remote I know how to connect thepartner company user to authorized services Portals)Anthony Nadalin SOA Security Programming Model Page 32 33. Colorado Software Summit: October 23 28, 2005 Copyright 2005, IBM CorporationCompliance Auditing the Integrity ofMortgage Approval Business Process Anthony Nadalin SOA Security Programming ModelPage 33 34. Colorado Software Summit: October 23 28, 2005 Copyright 2005, IBM Corporation SIMPLE IDENTITY & CHANGE AUDIT FOR CONTINUOUS COMPLIANCEINPUTOUTPUTAuditWorkplace for Process BCRCEI, CBE (Communicate, Business Services CARSTrack) XML PolicyChange Events/ CEI, CBE Events/State ChangesAlerts Central Audit ServiceCCMDB/Processes/ Dashboard Warehouse WBISQL Business & IT DB2CEI, CBE ReportsAlphaBlox Audit Analytics/Security Events/Alerts ComplianceCorrelation ProcessData (Security, Change, EngineIdentity, Access Archive) TPM, TCM, TIM,(Company & Partner) TAM, FIMXML Security Policy Change Network Remediation & RemediationTIM/TAMFIM,SCM ERP/ CRM Database AbnormalProcessEvents/AlertsRational Requisite ProEU/Japan Privacy CorporateSOX Basel II Visa CISPUS Patriot ActLaw Security PoliciesCompliance Drivers Anthony Nadalin SOA Security Programming ModelPage 34 35. Colorado Software Summit: October 23 28, 2005 Copyright 2005, IBM Corporation SummarySecurity is about business, no longer just abouttechnology SOA enables better Application Integration Web Services Security standards optimizes thedevelopment, deployment and management ofComposite Applications Federation is the bridge by which web servicessecurity integrates with Service Oriented ArchitecturesAnthony Nadalin SOA Security Programming Model Page 35