SOA Security Chapter 12 SOA for Dummies

Outline
– User authentication and authorization
– Authenticating software and data
– Auditing and the enterprise service bus
– SOA security in summary

Authentication Who’s That User?

Authorization: Can I Let You Do That? Once you know who is making a request (authentication), the remaining question is whether that user is allowed to do what she is requesting (authorization).
– If the user has a perfect right to do what she has requested, you would rather not get in her way; she will only get upset if you hold her up.
– Example: a business rule says that only a manager can approve an order worth more than $15,000.
– If a user who is not a manager tries to approve such an order, the order must be redirected to a manager for approval rather than simply being processed. The check is on the specific action and its value, not merely on whether the user may open the ordering application.

Security Challenges: You need to know, and keep track of, two things at all times, not just at the moment the user logs in:
– who the user is, and
– what rights he has.
Solution? Manage identity as a service of its own.

Identity Management software is the software that determines what a user is allowed to do. It provides an identity service that can span a network, or even multiple networks if necessary.
– The identity service is a part of the SOA itself.
– A SOA really needs such a service, because requests cross many components and each one must be able to establish who is asking.

Identity Management with SOA: the portal
– The portal is a window that contains a menu of all the applications available throughout the whole network that the user is entitled to run.
– The user homes in on a particular application on this menu, activates it, and runs it.
The identity management software
– provides the portal with all the identity information it needs to connect the user to the application;
– is complicated, because connecting the user can mean logging on to other computers and presenting one or more passwords, and doing all of it securely;
– knows what the user is entitled to run and what hurdles need to be jumped, so it can supply whatever validation is required at any point to get the user connected to the application.

Identity Management with SOA: business services
– In a SOA you are no longer connected to an application but to a business service, made of components that have been connected together to provide that service.
– What if you want to use only a particular component of that service? The system had better be able to present the user's credentials to every component, not just to the front door.

How it works
– The user logs in.
– The identity management service creates a security token. The token contains the user's credentials: the identity of the user and the details of the user's access rights.
– The token is protected (encrypted, and in practice also signed) so that it can be read only by software you trust and cannot be altered in transit.
– The user requests a business service through the portal.
– The portal contacts the service broker, passing it the security token.
– The service broker delivers the token to every component the user accesses.
– Each component verifies and decrypts the token on receipt, so "who is doing what" is known at every step rather than only at the portal.

Benefits
– You can keep track of who did what, and how, because every action carries the issued credentials.
– Security policy is written down and stored in the SOA registry; authorization rules no longer live inside the application. They are stored along with the business process metadata in, of course, the SOA registry.
– You do not really need to authorize staff to use an application; you need to authorize them for specific business processes.
– You may need to authorize them only up to certain limits (such as the $15,000 order value) for specific business processes.
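The flow on the previous slides, as an added example that is not part of the book or the slides: an identity service issues a token binding identity and rights, the broker hands it to a component, and the component re-verifies the token and decides the order-approval rule from a policy held in a registry rather than in code. Names, the shared key, the policy table and the use of an HMAC-signed token (rather than the encrypted token the slides describe) are all assumptions made for the example; a real deployment would use a proper token format and key management.

```python
"""Identity token issued by an identity service, checked by a component,
and an authorization decision driven by registry policy (illustrative)."""
import base64
import hashlib
import hmac
import json
import secrets
import time

# Key shared between the identity service and the components it trusts.
# Constructed for the example; a real system would fetch it from a key manager.
SIGNING_KEY = b"example-shared-key-do-not-reuse"

# Authorization policy kept beside the business-process metadata in the
# registry, not inside the application: per process, which roles may run
# the step and up to what value (None = no limit). Constructed example.
REGISTRY_POLICY = {
    "approve_order": {"clerk": 15_000, "manager": None},
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user: str, roles: list, ttl_seconds: int = 300, now=None) -> str:
    """Identity service: bind identity and rights to a short-lived token."""
    now = time.time() if now is None else now
    claims = {"sub": user, "roles": roles, "iat": now,
              "exp": now + ttl_seconds, "jti": secrets.token_hex(8)}
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    tag = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64(tag)


def verify_token(token: str, now=None) -> dict:
    """Every component re-checks the token it receives; it never trusts the
    portal's word that the user was authenticated."""
    body, sig = token.split(".", 1)
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise PermissionError("token signature invalid")
    claims = json.loads(_unb64(body))
    now = time.time() if now is None else now
    if now >= claims["exp"]:
        raise PermissionError("token expired")
    return claims


def authorize(claims: dict, process: str, amount: float) -> str:
    """Return 'allow' or 'redirect' from the registry policy, not from code."""
    rule = REGISTRY_POLICY[process]
    for role in claims["roles"]:
        if role not in rule:
            continue
        limit = rule[role]
        if limit is None or amount <= limit:
            return "allow"
    return "redirect"  # hand the order to someone who may approve it


def approve_order(token: str, amount: float, now=None) -> dict:
    """Order-approval component: authenticate, authorize, then record who did
    what so the action can be audited later."""
    claims = verify_token(token, now)
    decision = authorize(claims, "approve_order", amount)
    return {"who": claims["sub"], "what": "approve_order", "amount": amount,
            "decision": decision, "token_id": claims["jti"]}


if __name__ == "__main__":
    clerk = issue_token("alice", ["clerk"])
    manager = issue_token("bob", ["manager"])
    print(approve_order(clerk, 9_000))      # allow
    print(approve_order(clerk, 20_000))     # redirect to a manager
    print(approve_order(manager, 20_000))   # allow
```

The point to notice is where the checks sit: the component, not the portal, verifies the signature and expiry, and the $15,000 rule is data in the registry, so changing the limit or adding a role does not mean redeploying the component.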

Software fingerprints: anti-virus vendors have their programming teams produce "signatures" of undesirable software (Trojans, worms, viruses and other malware) so that the anti-virus product can recognise a piece of malware when it comes across it.
– These signatures are software fingerprints in the sense that they are unique to the malware they describe.
– Every time a new virus emerges, a new fingerprint is created and distributed to the anti-virus software running on your PC.
– Note the direction of the check: anti-virus fingerprints describe known bad software (a blocklist). The software authentication on the next slides turns the idea around and fingerprints known good software (an allowlist).

Software Authentication: the identity of software can be authenticated in much the same way as the identity of a user.
– Hold something that is unique to the software (a fingerprint such as a cryptographic hash of its code).
– Before allowing it to run, carry out an authentication test to make sure nobody has tampered with the software since it was fingerprinted.
– This stops unapproved or altered components from being run by the broker. It does not, on its own, protect against vulnerabilities in components that were approved, and the fingerprint store must itself be protected, or an attacker who can alter a component can alter its recorded fingerprint too.

How it works
– First, no business service is put into operation without going through governance procedures.
– When a new version of a business service has been adequately tested and is ready, every software component of it is fingerprinted and the recorded fingerprint for that component is updated.
– The fingerprints are stored in a signature file kept by the software authentication component.
– When a request is made to the service broker to run a business service, the broker passes the address of each component of the service to the software authentication process, which tests each one and passes or rejects it.
– Only if every component passes does the service broker execute the components and make the service available for use.
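The governance step and the pre-run check on the two slides above, as an added example rather than code from the book: components are fingerprinted with SHA-256 when a release is approved, the digests are written to a signature file, and the broker refuses to start the service if any component is missing from the file, is absent, or no longer matches. The file names, the JSON signature file layout and the temporary directory standing in for a deployment are constructed for the example.

```python
"""Fingerprint approved components at release time and re-check them before
the broker runs a business service (illustrative)."""
import hashlib
import hmac
import json
import os
import tempfile


def fingerprint(path: str) -> str:
    """SHA-256 of the component's bytes, streamed so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def publish_signatures(component_paths, signature_file) -> dict:
    """Governance step: run only after the release is tested and approved."""
    sigs = {p: fingerprint(p) for p in component_paths}
    with open(signature_file, "w") as f:
        json.dump(sigs, f)
    return sigs


def authenticate_component(path, signature_file):
    """Software authentication process: pass or reject one component."""
    with open(signature_file) as f:
        sigs = json.load(f)
    if path not in sigs:
        return False, "not in signature file (never went through governance)"
    if not os.path.exists(path):
        return False, "component missing"
    if not hmac.compare_digest(fingerprint(path), sigs[path]):
        return False, "fingerprint mismatch (tampered or unapproved change)"
    return True, "ok"


def run_business_service(component_paths, signature_file) -> dict:
    """Service broker: authenticate every component before executing any."""
    results = {p: authenticate_component(p, signature_file) for p in component_paths}
    rejected = {p: why for p, (ok, why) in results.items() if not ok}
    return {"started": not rejected, "rejected": rejected}


def demo():
    """Constructed scenario: clean run, then a tampered component, then an
    unknown component that never went through governance."""
    with tempfile.TemporaryDirectory() as d:
        comps = [os.path.join(d, n) for n in ("validate_order.py", "post_ledger.py")]
        for p in comps:
            with open(p, "w") as f:
                f.write("# approved component body\n")
        sigfile = os.path.join(d, "signatures.json")
        publish_signatures(comps, sigfile)
        clean = run_business_service(comps, sigfile)
        with open(comps[1], "a") as f:
            f.write("# unapproved change made after release\n")
        tampered = run_business_service(comps, sigfile)
        rogue = os.path.join(d, "rogue.py")
        unknown = run_business_service(comps + [rogue], sigfile)
        return clean, tampered, unknown


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Two practical caveats: the signature file must be at least as well protected as the components (sign it, or keep it in the registry under access control), and a check performed before execution leaves a window in which the file on disk can change, so the fingerprint check is best done on the exact bytes that are loaded rather than on a path that is re-read later.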

Data Security: the purpose of establishing SOA data governance and auditing services is to enable and manage the enforcement of business and security policy as it applies to data.
Data auditing ensures that an organisation can meet the requirements imposed by regulatory agencies and that access to data is kept confidential. It must be able to answer:
– Who has access to sensitive data?
– When was it accessed, and by whom?
– How can I track data that may have been deleted?

Auditing and the Enterprise Service Bus: how do you know that your own staff are using your software in an entirely legitimate way?
– For example, if they have access rights to the payments system, they might simply start writing themselves cheques.
– Authorization alone does not catch this, because each step is something the user is allowed to do; you need to monitor all the activities, which means audit trails.

Audit Challenge: the problem with audit trails within a SOA is that the operation of a business service is split across multiple components, so no single component sees the whole transaction.
Solution
– Use an enterprise service bus for all messaging: the ESB can keep an audit trail of every message that is passed, and the trail can be reassembled per business transaction.
– Additionally, if there is any concern about data privacy in passing data from one component to another, most enterprise service buses can encrypt the data as it passes back and forth, which defeats hidden listening software taking notes on the wire.
– Caveat: the trail covers only traffic that goes through the bus, and the ESB itself handles the messages in the clear, so the bus and its audit store become high-value targets that need their own access control and tamper protection.
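The ESB audit trail described above, as an added example that is not from the book or any ESB product: the bus records every message it carries in an append-only, hash-chained trail, so later alteration of a record is detectable, and a query over the trail reassembles each business transaction and flags the case on the previous slide, a payment approved by the person it pays. The message subjects, payload fields and the three sample transactions are constructed for the example.

```python
"""ESB audit trail with a hash chain, plus a detection query that reassembles
transactions and flags self-approved payments (illustrative)."""
import hashlib
import json

GENESIS = "0" * 64


def _digest(obj) -> str:
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()


class AuditedBus:
    """Every message passed between components goes through send(), which
    appends a record whose hash covers the previous record's hash."""

    def __init__(self):
        self.trail = []          # append-only audit records
        self._last_hash = GENESIS

    def send(self, txn_id, sender, receiver, subject, payload):
        record = {"seq": len(self.trail), "txn": txn_id, "from": sender,
                  "to": receiver, "subject": subject, "payload": payload,
                  "prev": self._last_hash}
        record["hash"] = _digest(record)
        self._last_hash = record["hash"]
        self.trail.append(record)
        return record

    def verify_chain(self) -> bool:
        """Recompute every hash; any edited or removed record breaks the chain."""
        prev = GENESIS
        for rec in self.trail:
            body = {k: v for k, v in rec.items() if k != "hash"}
            if rec["prev"] != prev or _digest(body) != rec["hash"]:
                return False
            prev = rec["hash"]
        return True


def self_approved_payments(trail) -> list:
    """Reassemble each transaction from the split-up messages and flag a
    payment whose approver is its payee or its requester."""
    by_txn = {}
    for rec in trail:
        by_txn.setdefault(rec["txn"], []).append(rec)
    flagged = []
    for txn, recs in by_txn.items():
        request = next((r["payload"] for r in recs if r["subject"] == "payment.requested"), None)
        approval = next((r["payload"] for r in recs if r["subject"] == "payment.approved"), None)
        if request is None or approval is None:
            continue
        approver = approval["approved_by"]
        if approver in (request["payee"], request["requested_by"]):
            flagged.append(txn)
    return flagged


def demo():
    """Constructed traffic: one normal payment, one self-approved payment,
    one where the requester pays themselves but a different person approves."""
    bus = AuditedBus()
    bus.send("T1", "portal", "payments", "payment.requested",
             {"requested_by": "alice", "payee": "Acme Ltd", "amount": 8_000})
    bus.send("T1", "payments", "ledger", "payment.approved",
             {"approved_by": "bob", "amount": 8_000})
    bus.send("T2", "portal", "payments", "payment.requested",
             {"requested_by": "carol", "payee": "carol", "amount": 4_200})
    bus.send("T2", "payments", "ledger", "payment.approved",
             {"approved_by": "carol", "amount": 4_200})
    bus.send("T3", "portal", "payments", "payment.requested",
             {"requested_by": "dave", "payee": "dave", "amount": 300})
    bus.send("T3", "payments", "ledger", "payment.approved",
             {"approved_by": "erin", "amount": 300})
    return bus, self_approved_payments(bus.trail)


if __name__ == "__main__":
    bus, flagged = demo()
    print("chain intact:", bus.verify_chain())
    print("self-approved payments:", flagged)
```

The hash chain only proves that the trail has not been edited in place; it does not stop someone with write access to the bus from simply not recording a message, so the audit store should be written by the bus alone and its head hash periodically copied somewhere the bus operators cannot reach.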

Summary: to address the risks above, three aspects of SOA business services need attention:
– identity management, so that every component knows who is asking and what they are allowed to do;
– software and data authentication, so that only approved, untampered components run and access to data is governed;
– audit trails, so that what was actually done can be reconstructed across all the components of a service.