Presentation is loading. Please wait.

Presentation is loading. Please wait.

Computer Science and Engineering 1 Service-Oriented Architecture Security 2.

Published byLaureen Lucas Modified over 9 years ago

Similar presentations

Presentation on theme: "Computer Science and Engineering 1 Service-Oriented Architecture Security 2."— Presentation transcript:

1 Computer Science and Engineering 1 Service-Oriented Architecture Security 2.

2 Reading 1.New: Security Fundamentals for Web Services, Microsoft patterns and practices, http://msdn.microsoft.com/en-us/library/ff648318.aspxhttp://msdn.microsoft.com/en-us/library/ff648318.aspx Computer Science and Engineering 2

3 3 SOA Security Components 1.Software-level (single service) security 2.Business-level (service composition) security 3.Network-level security

4 Computer Science and Engineering 4 Network-Level Security Authentication and identification Access Control middlewareMessaging middleware –Communication security –End point security Protocol assurance Security PatternsSecurity Patterns

5 Service-level Patterns Exception Shielding Message Validation Trusted Subsystem Service Perimeter Guard Computer Science and Engineering 5

6 Exception Shielding Computer Science and Engineering 6

7 Message Validator Computer Science and Engineering 7

8 8 Trusted Subsystem GoalGoal: prevent customers from circumventing a service and directly accessing the resources of the service ProblemProblem: –Customer may perform incorrect modifications –May lead to undesirable forms of implementation coupling SolutionSolution: service is designed to use own credentials for authentication with backend resources

9 Trusted Subsystem Computer Science and Engineering 9

10 10 Perimeter Guard GoalGoal: protect internal resources from users that remotely access internal computers ProblemProblem: –External attacker may gain access to services running within a private network, and thus to the resources within the private network SolutionSolution: establish an intermediate service at the perimeter of the private network as a secure contact point

11 Service Perimeter Guard Computer Science and Engineering 11

12 Service Interaction Patterns Data Confidentiality Data Origin Authentication Direct Authentication Brokered Authentication Computer Science and Engineering 12

13 Data Confidentiality Computer Science and Engineering 13 Symmetric keyPublic key

14 Data Origin Authentication Computer Science and Engineering 14 Symmetric keyPublic key

15 Direct Authentication Computer Science and Engineering 15

16 Single Sign-On Authentication of a user within multiple systems: use Digital Certificates and private keys Reduces security administration Services can pass requester’s identity to other services

17 Brokered Authentication Computer Science and Engineering 17

18 Brokered Alternatives Computer Science and Engineering 18 Security Token ServiceX.509 Digital Certificate

19 Computer Science and Engineering 19 Service-Composition Security Ongoing activitiesOngoing activities: –Business process execution across heterogeneous domains –Identity management –Trust management Upcoming research areasUpcoming research areas: –Web Services Composition –Web Service Transactions –Service-Level Dependencies

20 Computer Science and Engineering 20 Web Services Composition Create complex applications on the fly from individual services BPEL4WS, WSBPEL How to express security and reliability needs? How to verify that these needs are satisfied? How to resolve conflict between business needs and security requirements?

21 Computer Science and Engineering 21 Web Services Transactions Traditional database transaction managements vs. SOA application needs How can we evaluate correct execution? ACID properties? Serializability? WS transaction framework: –Atomic (short-term) transactions –Business activity (long-term) transac –Business activity (long-term) transactions What are the security implications of WS transactions?

22 Computer Science and Engineering 22 Service-Level Dependencies Old threats reappearing in new context: deadlocks, denial-of-service, network flooding, etc. How to detect and prevent the occurrence of these threats? In composition, independently developed services are dependent on each other No information about internal processing of the workflow components

23 MLS SOA MLS: control information flow –Permitted flow: from low level to high level Revisit read/write operations –Subject reads object: info flow from object to subject –Subject writes object: info flow from subject to object WS communication: message transfer (write operation) Computer Science and Engineering 23

24 MLS Messages Metadata: represent proper classification Communication from High to Low services: message must be de-classified How can we achieve it? –Manual classification –Automated classification – TRUST? Computer Science and Engineering 24

25 MLS Service Interactions Over multiple domains Input/output messages Service broker: –Discover services –Enforces flow control: up-classify/down-classify data Computer Science and Engineering 25

26 Metadata management Data classification –Confidentiality –Integrity –Data access policy {s, f, d, c} s service f in/out d data classification level c conditions Computer Science and Engineering 26

27 Computer Science and Engineering 27 New Approaches to Improve Security and Reliability Develop criteria to evaluate correctness of composite application execution –E.g., WS transactions: compensation-based transactions Increase reliability using redundant services Offer security as service Develop defense models using distributed and collaborative components –E.g., detect malicious behavior based on collaborative nodes, verify execution correctness by comparing outcome of different services, deploy intelligent software decoy, etc.

28 Computer Science and Engineering 28 Conclusion and Future Work All aspects of SOA security must be addressed Standards are not enough to provide security! New security concepts applicable to SOA environment must be developed Security must be incorporated during the system development process collaboration SOA developers, business experts, and security professionalsRequires collaboration among SOA developers, business experts, and security professionals

Download ppt "Computer Science and Engineering 1 Service-Oriented Architecture Security 2."

Similar presentations

NRL Security Architecture: A Web Services-Based Solution

NRL Security Architecture: A Web Services-Based Solution
Operating System Security

Operating System Security
Security by Design A Prequel for COMPSCI 702. Perspective “Any fool can know. The point is to understand.” - Albert Einstein “Sometimes it's not enough.

Security by Design A Prequel for COMPSCI 702. Perspective “Any fool can know. The point is to understand.” - Albert Einstein “Sometimes it's not enough.
CTO Office Reliability & Security Distinctions and Interactions Hal Lockhart BEA Systems.

CTO Office Reliability & Security Distinctions and Interactions Hal Lockhart BEA Systems.
A Successful RHIO Implementation

A Successful RHIO Implementation
Securing the Broker Pattern Patrick Morrison 12/08/2005.

Securing the Broker Pattern Patrick Morrison 12/08/2005.
OASIS Reference Model for Service Oriented Architecture 1.0

OASIS Reference Model for Service Oriented Architecture 1.0
Security Controls – What Works

Security Controls – What Works
Chapter 21 Successfully Implementing The Information System

Chapter 21 Successfully Implementing The Information System
Latest techniques and Applications in Interprocess Communication and Coordination Xiaoou Zhang.

Latest techniques and Applications in Interprocess Communication and Coordination Xiaoou Zhang.
Web Services Security Multimedia Information Engineering Lab. Yoon-Sik Yoo.

Web Services Security Multimedia Information Engineering Lab. Yoon-Sik Yoo.
Trust, Privacy, and Security Moderator: Bharat Bhargava Purdue University.

Trust, Privacy, and Security Moderator: Bharat Bhargava Purdue University.
1 Review Topics 1.Basic understanding of a business process 2.The relationship of a business process with a work flow 3.The different types aspects and.

1 Review Topics 1.Basic understanding of a business process 2.The relationship of a business process with a work flow 3.The different types aspects and.
Aligning Business Processes to SOA B. Ramamurthy 6/16/2015Page 1.

Aligning Business Processes to SOA B. Ramamurthy 6/16/2015Page 1.
1 Building with Assurance CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 10, 2004.

1 Building with Assurance CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 10, 2004.
An Authentication Service Against Dishonest Users in Mobile Ad Hoc Networks Edith Ngai, Michael R. Lyu, and Roland T. Chin IEEE Aerospace Conference, Big.

An Authentication Service Against Dishonest Users in Mobile Ad Hoc Networks Edith Ngai, Michael R. Lyu, and Roland T. Chin IEEE Aerospace Conference, Big.
CSE 4482, 2009 Session 21 Personal Information Protection and Electronic Documents Act Payment Card Industry standard Web Trust Sys Trust.

CSE 4482, 2009 Session 21 Personal Information Protection and Electronic Documents Act Payment Card Industry standard Web Trust Sys Trust.
Data Security in Local Networks using Distributed Firewalls

Data Security in Local Networks using Distributed Firewalls
Web services security I

Web services security I
Chapter 20 20-1 © 2012 Pearson Education, Inc. Publishing as Prentice Hall.

Chapter © 2012 Pearson Education, Inc. Publishing as Prentice Hall.

Similar presentations

Ads by Google