Web Services Security Kerry Champion CTO, Westbridge Technology June 8, 2004

Successful Internet Standards Person SMTP S/MIME Instant Messaging PersonProgram HTML DHTML Applets XML Schema SOAP WSDL WS-Security Broadly Accepted Loosely Coupled Cross Organization Extensible

Service-Oriented Architecture (SOA) organizing business systems as reusable components not fixed processes SOA = standards based + loosely-coupled + robust Reusable =

Diverse Web Services XML allows all to play Most heavily used Services have most primitive standards support. Systems doing billions in transactions today began development 18+ months ago New code written with current version of J2EE and.NET Legacy applications, Packaged applications, Specialized devices

Diverse Service Consumers Outsourced Call Center Accounts Receivable On-line Marketing Programs Employees’ Contact Managers Independent Agents Common Customer Data Repository

Key Characteristics Thousands of distinct consumers Identity of human that triggered the request is commonly used in program-to-program communication Spread over hundreds of organizations With different tools and IT teams. In practice it is unknowable to service what tools will be used by consumer. At different levels of standards support XML Schema, SOAP, WSDL, WS- Security, WS-Policy Outsourced Call Center Accounts Receivable On-line Marketing Programs Employees’ Contact Managers Independent Agents Common Customer Data Repository

Key Characteristics With different network architectures and transports in use HTTP, HTTPS, MQ, TIBCO, JMS With different security mechanisms deployed Authentication, encryption, signature, content scanning, malicious attack protections, message validation With identity data in multiple non- federated systems Directories, ID management systems, certificates supported by PKIs, single sign-on systems, etc. Outsourced Call Center Accounts Receivable On-line Marketing Programs Employees’ Contact Managers Independent Agents Common Customer Data Repository

Key Question How do you secure all Web Services while enabling appropriate access, given diversity of security mechanisms and policies?

What to do –Make every endpoint behave the same way –Make single repository for all shared data –Make every endpoint capable of behaving every way –Negotiate preferences at runtime –Have federated sharing across multiple repositories –Use infrastructure to define Service Views –Services and consumers stay as is –Service View abstraction layer mediates between them Naïve Response Elegant Response Practical Response

Service Views Present Secure Interfaces Each Service View Provide instant security, interoperability, monitoring, routing, and auditing Enables contracts between consumer and provider supporting local and global policies Automatically supports latest standards Support instant interoperability Leverage existing infrastructure Hide back end complexity Requires No Change of Base Services Service View.NET J2EE Packaged App Legacy System ESB, MQ,JMS Composite Services Security for SOA Infrastructure Security Management Standards Interoperability XML Acceleration SOA Related Infrastructure Flexible Deployment Scalable Administration Auth Directory Identity Mgmt PKI Network Mgmt UDDI System Mgmt

Advantages of Service Views design Base web service does not change Consumer does not change Service View appears as native web service to consumer Allows different security mechanism assumptions at service and consumer Allows different standards assumptions at service and consumer Allows different transport assumption at service and consumer Offloads from service developer need to support full range of security standards and mechanisms Is deployable today Implements loose-coupling while satisfying practical requirements

Implementation of Secure Service Views Needed Web Services infrastructure goes by many names: Service Virtualization, Web Services Management Platform, XML Firewall, SOAP Gateway, Web Service Gateway, etc. etc. Multiple vendors provide offerings Key Review Criteria: Security Monitor, Report, Alert Interoperability Interface Management

Security Authentication, Access Control Encryption, Signature Malicious Attack, Content Inspection Schema Validation, Standards Westbridge XMS Service Consumer Existing Security Infrastructure Web Service Network Firewall Authentication, Access Control Authorities, RSA, Oblix, Netegrity, LDAP, SAML,X.509, HTTP, Authentication, Active Directory, PKI Infrastructure, CRL, OCSP, 3DES, SHA, XML Encryption, XML Signature, WS Security Existing Security Infrastructure Network Attack Application Attack HTTP JMS MQ HTTPS

Last Request Latency Messages per Second Avg. Message Size Failed Requests SLA Monitoring Troubleshooting Perf. Monitoring Real-time View Malicious Attacks Requests > $10,000 Authorization Failed Weekend Activity Audit Trails Regulatory Debugging SLA Reporting Malicious Attack Paging Exceed Message Rate sends SNMP Trap Triggers Exceptions Debugging SLA Enforcement Example Benefits Monitor, Report, Alert Variety of status notifications can be utilized Service Tracker Monitors connected services SAP Mainframe.NET PeopleSoft J2EE MS Excel Monitoring ReportingAlerting Service Tracker

Interoperability Standards Support XML, SOAP, WSDL.NET, SunOne, IBM, WS-I, Oasis, W3C, BEA, Oracle, Microsoft, etc. Transport –HTTP, HTTPS (SSL), JMS, MQ, Tibco Security –XML Signature, signatures (RSA-SHA1, DSA SHA1), XML Encryption, encryption (RSA Keys, 3DES, AES, 128/192/256 bit keys), –SAML, LDAP, WS-Security, HTTP-based authentication –Active Directory, XKMS, OCSP, PKI Infrastructure (including PKCS#7, #10, #11, #12), CRL, X.509 Certificates, XML –XML Schema, DTD –XPath, XSLT –Alerting: SNMP and SMTP Data Transformation Routing Transport Mediation Credential Mapping X.509Liberty XMS Gateway SAMLLDAPWS Sec.Etc… Web Services XMS Gateway Web Service XMS Gateway Web ServicesWeb Service Web Services Service Consumer

Interface Management Publishing Workflow Service Upgrades Provisioning Versioning XMS Manager Configure StageTest Publish Customers Partners Sales Web Service Service View

Summary Real-world considerations create barriers to the loosely- coupled vision of Web Services and SOA, while maintaining required security. The “naïve” response creates tight-coupling and does not scale up The “elegant” response requires a couple more generations of standards and tools development The “practical” response uses current tools to implement Service Views.