Presentation is loading. Please wait.

Presentation is loading. Please wait.

Web Services Security Requirements Stephen T. Whitlock Security Architect Boeing.

Published byTrystan Guy Modified over 10 years ago

Similar presentations

Presentation on theme: "Web Services Security Requirements Stephen T. Whitlock Security Architect Boeing."— Presentation transcript:

1 Web Services Security Requirements Stephen T. Whitlock Security Architect Boeing

2 Outline Disclaimer Requirements are from a user perspective to cover the use of web services in our environment Some of these requirements are met by existing technologies Requirements WS data/transaction/orchestration Infrastructure General Examples

3 WS Transaction/Orchestration Protection Requirements Data protection Integrity Confidentiality Privacy support Attack resistant to Replay attacks Person in the middle attacks Orchestration hijacking Evidence to support non-repudiation Signature Timestamp Audit trail

4 Infrastructure Protection Requirements Transport Integrity Confidentiality Authentication Multiple mechanisms – certificates, shared secrets, Kerberos/AD Application authentication User authentication Access control Multiple mechanisms – RBAC, directory based Credential propagation Credential caching Transaction level granularity – resource or application access authorized separately from individual transaction authorization

5 More Infrastructure Protection Requirements Resource protection Server and network isolation Server resource control Network bandwidth control Centralized Policy administration Provisioning Access control Auditing Monitoring

6 General Requirements User transparent (AMAP) Standards based Vendor neutral Interoperable – no proprietary value-added extensions IPR Free Compatible with existing security technology VPNs – IPSec, TLS PKI LDAP Performance Support for real time applications Reliable Redundancy Extensible Development environment that enables and promotes the creation of secure web services

7 Future Requirements Secure context passing between different web services Pass a security context through an integration broker including support for: End to end access The ability to switch between environments such as J2EE and.NET

8 Example 1: Web Single Sign On (WSSO) based end to end security WSSO accepts user credentials Account, password, X.509 certificate Front end to multiple applications Using the same approach to provide web service to web service application security

9 3 3 2 2 WSSO – Desired Service Requesting web service Request Service 1 1. Client request 2. Application request3. Service response

10 2 2 2 2 WSSO – Needed Security Requesting web service Service 1 Request Service protection Access control User authentication Enterprise protection Application authentication Confidentiality Message integrity Audit trail Signature

11 2 2 2 2 WSSO – Existing Security Requesting web service Service 1 Authentication Service Directory Request Validation Service 1. Client logon 3. Application certificate 9. Service response 2. Client request 4. Authentication Request 5. Check for revocation 6. Directory attribute check 8. Application request 7. Credential cache SSL/TLS Perimeter to protect application

12 Example 2: Engineering Drawing Application (EDA) Supports engineering drawings and parts lists Total database size = 1.5TB, About 15M documents, Average document size = 100KB Query to retrieval time < 2 seconds Supports 1500 concurrent users, average of 1000 TPM, peak of 2000 TPM Currently undergoing an expansion and conversion to web services

13 EDA Architecture Internet Intranet User HTTP Server Web Server EJB Container New Datastore Legacy Datastore Other systems and data Datastore Manager LoadBalLoadBal SOAP Messages For web pages For SOAP objects

14 EDA Needed Security Internet Intranet User HTTP Server Web Server EJB Container New Datastore Legacy Datastore Other systems and data Datastore Manager LoadBalLoadBal Enterprise protection Confidentiality User authentication Service resource protection Access control Application authentication Confidentiality Message integrity Audit trail Signature User authentication

15 EDA Existing Security Internet Intranet User HTTP Server Web Server EJB Container Directory based Authentication And access Control Service New Datastore Legacy Datastore Other systems and data Datastore Manager RevProxyRevProxy FirewallFirewall LoadBalLoadBal

16 Centralized Parts Inventory (CPI) Descriptions of parts Current parts stock level information Originally a collection of disparate web sites linked to different databases In the process of being converted to a centralized service that provides a common look and feel and navigation services

17 CPI Architecture Navigation Services Object Database Access Rules Database Parts Descriptions Descriptions Access Rules Descr. Obj 1 Descr. Obj 2 Descr. Obj n … Parts Inventory Status Inventory Access Rules Inv. Obj 1 Inv. Obj 2 Inv. Obj n … Common Look And Feel Services …

18 CPI Needed Security Navigation Services Object Database Access Rules Database Parts Descriptions Descriptions Access Rules Descr. Obj 1 Descr. Obj 2 Descr. Obj n … Parts Inventory Status Inventory Access Rules Inv. Obj 1 Inv. Obj 2 Inv. Obj n … Common Look And Feel Services … Enterprise protection User authentication User Authorization Confidentiality Message integrity Audit trail Signature Application access control

19 CPI Existing Security Navigation Services Object Database Access Rules Database Parts Descriptions Descriptions Access Rules Descr. Obj 1 Descr. Obj 2 Descr. Obj n … Parts Inventory Status Inventory Access Rules Inv. Obj 1 Inv. Obj 2 Inv. Obj n … Common Look And Feel Services … Directory and Certificate based Authentication And access Control Service Perimeter Services

20 Conclusions We need data protection for web services messages SSL/TLS is insufficient because it only provides integrity at the packet level, not at the XML message level We need interoperable, multivendor solutions Security solutions need to integrate with existing security technologies Security solutions must work between enterprises as well as within them

Download ppt "Web Services Security Requirements Stephen T. Whitlock Security Architect Boeing."

Similar presentations

HCQ P MEDICARES HEALTH CARE QUALITY IMPROVEMENT PROGRAM QualityNet Exchange Dennis Stricker Director, Information Systems Group Office of Clinical Standards.

HCQ P MEDICARES HEALTH CARE QUALITY IMPROVEMENT PROGRAM QualityNet Exchange Dennis Stricker Director, Information Systems Group Office of Clinical Standards.
Chapter 10 Encryption: A Matter of Trust. Awad –Electronic Commerce 1/e © 2002 Prentice Hall 2 OBJECTIVES What is Encryption? Basic Cryptographic Algorithm.

Chapter 10 Encryption: A Matter of Trust. Awad –Electronic Commerce 1/e © 2002 Prentice Hall 2 OBJECTIVES What is Encryption? Basic Cryptographic Algorithm.
MyProxy Jim Basney Senior Research Scientist NCSA

MyProxy Jim Basney Senior Research Scientist NCSA
17 March 2010 Workshop on Efficient and Effective eGovernment FASTeTEN : a Flexible Technology in Different European Administrative Contexts

17 March 2010 Workshop on Efficient and Effective eGovernment FASTeTEN : a Flexible Technology in Different European Administrative Contexts
Internet Protocol Security (IP Sec)

Internet Protocol Security (IP Sec)
Single Sign-On with GRID Certificates Ernest Artiaga (CERN – IT) GridPP 7 th Collaboration Meeting July 2003 July 2003.

Single Sign-On with GRID Certificates Ernest Artiaga (CERN – IT) GridPP 7 th Collaboration Meeting July 2003 July 2003.
Overview of Web Services

Overview of Web Services
Security Protocols Sathish Vadhiyar Sources / Credits: Kerberos web pages and documents contained / pointed.

Security Protocols Sathish Vadhiyar Sources / Credits: Kerberos web pages and documents contained / pointed.
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Security by Design A Prequel for COMPSCI 702. Perspective “Any fool can know. The point is to understand.” - Albert Einstein “Sometimes it's not enough.

Security by Design A Prequel for COMPSCI 702. Perspective “Any fool can know. The point is to understand.” - Albert Einstein “Sometimes it's not enough.
SAML Integration Doug Bayer Director, Windows Security Microsoft Corporation

SAML Integration Doug Bayer Director, Windows Security Microsoft Corporation
Authenticated QoS Signaling William A. (Andy) Adamson Olga Kornievskaia CITI, University of Michigan.

Authenticated QoS Signaling William A. (Andy) Adamson Olga Kornievskaia CITI, University of Michigan.
Lecture 23 Internet Authentication Applications

Lecture 23 Internet Authentication Applications
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
Lesson 12 Cryptography for E-Commerce. Approaches to Network Security Separate Security Protocol--SSL Application-Specific Security--SHTTP Security with.

Lesson 12 Cryptography for E-Commerce. Approaches to Network Security Separate Security Protocol--SSL Application-Specific Security--SHTTP Security with.
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
Sentry: A Scalable Solution Margie Cashwell Senior Sales Engineer Sept 2000 Margie Cashwell Senior Sales Engineer

Sentry: A Scalable Solution Margie Cashwell Senior Sales Engineer Sept 2000 Margie Cashwell Senior Sales Engineer
Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.

Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.
Web Services Security Multimedia Information Engineering Lab. Yoon-Sik Yoo.

Web Services Security Multimedia Information Engineering Lab. Yoon-Sik Yoo.
Security and Policy Enforcement Mark Gibson Dave Northey

Security and Policy Enforcement Mark Gibson Dave Northey

Similar presentations

Ads by Google