Accenture Slides - Soa Workshop Starter Kit Web Services Security, v2.0 (Jul 2006)(1).ppt

serviceorientedarchitecturesoaworkshopstarterkitwebservicessecurity lastupdated july 2006 2 copyright 2006accentureallrightsreserved soaworkshopstarterkit webservicessecurity 3 copyright 2006accentureallrightsreserved contents securityandwebservicesindustrystandardsws indetailplatformsupportrecommendations 4 copyright 2006accentureallrightsreserved businessopportunities newbusinessmodelsserviceprovidersthatprovideidentityrelatedservicesserviceprovidersthatprovide traditional value addedservices e g hrorpayroll whichcanbemoreeasilyintegratedintoacustomer senterprisedriverevenuegrowthimproveandstreamlinetheprocessforidentifyingandacquiringnewcustomersstreamlineabilityforcollaborationwithbusinesspartnerscostsavingsreduceuseradministrationcoststhroughautomationreduceapplicationdevelopment integrationcoststhroughreusabilityimproveuserexperiencehaveasingleidentitythatcanbeusedgloballyimprovetheoverallsecuritythroughthereductionofdatasourcesandduplicatedata significantopportunitiesexistfororganizationstodriverevenuegrowth createnewbusinessmodels realizecostsavings andimprovetheuserexperienceleveragingsecurityconcepts 5 copyright 2006accentureallrightsreserved securityconcernslimitsuse source webservicessecurity marko neil 2003 source scmagazine january2004 source makingsenseofwebservicessecuritystandards gartneraug 03 securityconcernshavehistoricallybeenoneofthekeyreasonsthatbusinesseshavenottakenadvantageofthebenefitsthatwebservicesandserviceorientedarchitectureshavetooffer theprospectofsoftwarefromdifferentcompaniescommunicatingtogether whilepowerful isfraughtwithsecurityconcerns unlesssecurityandmanagementissuesareaddressedeffectivelytheywillholdwebservicesbackfrombecomingatrulymainstreamtechnologywithinenterpriseapplicationintegrationprojects conflictingstandardsmakewebservicessecuritydecisionscomplexanddifficult companiesshould beginwithsimplewebservicesdeploymentsthatsupportonlyyourcurrentbusinessneeds thisisnotjustatechnologyissue 6 copyright 2006accentureallrightsreserved businesschallenges mitigatingriskandensuringqualitybetweenpartiesinthecircleoftrustcanbeperformedthrough definitionofbusinessstandardsdefinitionofminimumrequirementsenforcementthroughcertificationandaudits mutualconfidence trust pooledknowledge sharingofcustomer identityinformation e g ofcustomers customernames etc betweenorwithinenterprises dataprivacyrevocationprocedures increasedrelianceonthirdpartiesforauthenticationfraudprotection broadenedpotentialforfraudifanidentityisevercompromisedsecurityincidentprocedures coordinatedeffortforanalysisandcorrelationofauditlogsamongpartiesinvolved risk whoisatfaultifacriticaltransactionfailedduetofailure towhatextent definitionofliabilitydefinitionofdisputeresolutionprocess liability privacylegislation ensureprivacytermsarenotviolatedwhenfederatinganidentitybetweenenterpriseswhoinitiatedeachtransaction audittrailbacktoinitiatinguser compliance keyfactorsforwidespreadadoptionofwebservicesincludetheidentificationofsoundbusinessmodelsandmoreexperiencewiththecontractualframeworksthatdefinetrustrelationships mostcurrentimplementationsareinternalthoughthisischanging 7 copyright 2006accentureallrightsreserved whatareyoursecurityrequirements non repudiation confidentiality integrity identification authentication administration authorization accountability thereareseveralnewbusinesschallengesthatmustbeaddressedbeforewebservicescanbesecurelydeployed caniensureprivacyofthetransactions sensitivebusiness clientdataregulatorycompliance etc caniguaranteethattransactionsarenottamperedwith caniensurethatonlyauthorizedtransactionsarebeingperformedonthesystem caniensurethattherewillbeadequatecontrols recordstoguaranteetheresultsofaprocessedtransaction caniquicklydeploynewserviceswithoutcompromisingmyinternalbusinessprocesses caniensurethattransactionsareonlybeingperformedbytrustedparties sendorreceive 8 copyright 2006accentureallrightsreserved overcomingthesecuritybarriers accenturehasproventhatnewstandardsandnewproductsarenowabletoprovidecustomizedsolutionstoovercomethesecuritychallenges 9 copyright 2006accentureallrightsreserved whatiswebservicesecurity thew3cdefinesawebserviceasthefollowing awebserviceisasoftwaresystemdesignedtosupportinteroperablemachine to machineinteractionoveranetwork ithasaninterfacedescribedinamachine processableformat specificallywsdl othersystemsinteractwiththewebserviceinamannerprescribedbyitsdescriptionusingsoap messages typicallyconveyedusinghttpwithanxmlserializationinconjunctionwithotherweb relatedstandards webservicesecurityencompassesthefollowingareas transportationlayersecurity providingconfidentialityandintegrityintransit messagelayersecurity ensuringthatmessagesareaccordingtospecification identityandaccessmanagement providingauthentication authorizationandidentification securityadministrationofwebservices enablingaudittrailsandsecurityadministration intrusiondetectionandprevention protectingagainstcommonwsthreats 10 copyright 2006accentureallrightsreserved withoutpropercontrolswebservicescanbevulnerable oneofthemostenticingaspectsofwebservicesisthatalargedegreeofcomplexityisabstractedawayfromtheviewofthedeveloper makingtheservicesveryeasy andcheap todevelop addinga webmethod parametertoamethodallowsforalmostinstantpublishing net similarpossibilitiesinjava processingofhttprequests serializationofxmlandparsingofsoapmessageistotallyinvisibletothedeveloper soaplayerwilltakecareofdataserializationandde serialization easyisdangerous makingawebserviceissoeasythatyoueasilyforgetthatsecurityisnotapartofthesoapstack noauthenticationorauthorization outoftheboxanyonewithaccesstoyourwebservercanexecuteyourwebmethods inputdatanotcleansed butneatlypackedincomplexclassstructures alotofprocessingisdonebeforereachingthedeveloper protectingtheunderlyingstackcannotbedonefromwithinthecode richfunctionalityisoncemoreprovidedforaccessfromoutsideofthefirewall 11 copyright 2006accentureallrightsreserved howtosecurewebservices tosecurewebserviceswehavetoensurethat onlyproperlyauthenticatedandauthorizedusersareallowedtoexecuteourwebmethods messagesareprotectedbothwithregardstointegrityandconfidentiality duringtransportandstorage sothatthirdpartiescannotaltermessagesorreadconfidentialcontentsofmessages applicationserversareprotectedagainstthecommonthreatstosoap xmlstacks webserviceapplicationsarewrittenwithsecurityinmindtopreventcommonsecuritythreatstonetworkawareapplications tomeettheaboverequirementswewillhavetodeployprotectionalongtwomainaxes technicalsecurityfunctionalsecurity 12 copyright 2006accentureallrightsreserved technicalsecurityoverview whatdowemeanbytechnicalsecurityforwebservices protectionagainstmaliciousmessageformatsthatmayleadtoacompromiseofsecurityinthesoapandxmllayersoftheapplicationserver protectionagainstmaliciouscontentsthatdoesnotconformtothedefinedmessagingstandardforthewebservice protectionagainstdifferentformsofdenialofserviceattacks therearethreemainavenuesofattackthatcanbeusedwhenattackingawebserviceapplicationstack application anyexposedbusinesslogicispronetoerrors eitherbydesignorbycodingerror webservicesareasvulnerableasotherapplications soap themessagingprotocolhasambiguitiesthatcanbechallengedbyanattacker xml parsingofcomplexxmlmessagescancreatesecurityvulnerabilities 13 copyright 2006accentureallrightsreserved applicationattacks theopenwebapplicationsecurityprojectliststhetoptenthreatsagainstwebapplications mostareequallyvalidagainstwebserviceapplications fourarespecifictotheapplicationlevel unvalidatedinputbufferoverflowsinjectionflawsimpropererrorhandling 14 copyright 2006accentureallrightsreserved soapattacks thesoapprotocolwhichistheunderlyingprotocolformostwebservicestodayhasnobuilt insecurity allmethodcallsareunprotected apiispubliclyavailablethroughdynamicallycreatedwsdlfiles soapisstateless 15 copyright 2006accentureallrightsreserved xmlattacks xmlisthebasisofwebservices successfulattacksonwebservicesgenerallymeanscraftingavalidxmlfilethatismisinterpretedbyeitherparserordeveloper invalidxmldroppedbyparserearlyon xmldocumentsarevalidatedagainsttheirpublishedschema tamperingwiththeschemaisacommonapproach 16 copyright 2006accentureallrightsreserved solutionstrategy validateyourinput mostattacksagainstawebservicearebasedonpoorlyvalidatedinput wellcontrolledinputwillenableyoutogainfullcontroloverthedatathatispassedontotheapplicationlayer duetotheobfuscationpossibilitiesitishighlyrecommendedtovalidateusinganxmlawarevalidator enablestrictschemavalidation andutilizeonlyschemasthataredefinedbyyouandthatarestoredlocallyonyourdevice xmlschemascandefinedetailedrequirementsperfield thisallowsyoutodefineallowedcharactersandfieldlengths challengesschemavalidationisprocessorintensiveandrequiresalargeamountofmemory leavesapplicationservervulnerabletodenialofserviceattacks validationwillbecomeapartoftheapplicationserverstack introducesmanageabilityissues 17 copyright 2006accentureallrightsreserved solutionproducts xmlsecuritygatewayseitherserverdeployedsoftwareorappliance functionsasasoapproxy firewallbetweenclientandapplicationserver mainfeaturesinclude xmlschemavalidationsslconnectionterminationstateawareroutingofxmlmessages denialofserviceprotection centralizedsecurityauditingforwebservices mostproductssupportbeingclusteredforincreaseperformance someproductsincludehardwaresecuritymodulesforimprovedsslandws securityperformance soapstackenhancementsvendorsprovidesomeofthesamefunctionalityasextensionstotheirbasicsoapstack 18 copyright 2006accentureallrightsreserved functionalsecurityoverview wehavetalkedaboutsecuritythreatsagainstanunprotectedsoapwebservice protectingagainstsoapattackswithanxmlgatewayorsimilarproductswillprotectagainstmaliciousmessagesanddenialofserviceattacks itwillnotgiveyouaccesscontrol confidentialityormessageintegrity itwillnotgiveyoueasysecurityadministrationofyourwebservices whatarethechallenges nativesoapdoesnotincludeanysecurityfeatures earlyadoptersusedtransportationlayerprotectionmechanisms eitherhttporssl thisdoesnotprotectmessageswhentransportedoverothermediums e g smtp 19 copyright 2006accentureallrightsreserved solutionavailabilitymatrix transportlayersecurityworksonlypeer to peer willhavetobere establishedifmessageisrelayed protectsentireconversation sessionawarenessavailable messagelayersecurityprotectsmessageandcontentsofmessage protectionpersistsacrossmultiplehops nosessionawareness 20 copyright 2006accentureallrightsreserved securityrecommendations webservicesstandardsarestillemerging howeverpreparationandimplementationofbasicfederatedbuildingblocksshouldbeconsiderednow accesscontrol identifywhoyouwantinyourcircleoftrustandhowmuchyoutrustthem maintainidentity whoinitiatedthetransaction audit connectedtrailofactivities importantforcomplianceefforts identityandaccessmanagement i am integratedintoyourserviceorientedarchitecturetosupporttheabove othertechnologycontrols integrityandconfidentialityasrequired preparation consumerportalsshouldlooktoareaslikelibertyandsamltoseeiftherearegainstobeachievedfromsupportingsomeoftheexistingfederatedsolutionsinareaswhereportal to portalsinglesign onhasalreadybeencustom built replacethesewithpointtopointsamlsolutionsusesamlforallnewsinglesign oninitiativesthatcrossorganizationalboundaries implementation 21 copyright 2006accentureallrightsreserved contents securityandwebservicesindustrystandardsws indetailplatformsupportrecommendations 22 copyright 2006accentureallrightsreserved ws vs libertyalliance ws moregenericframeworkdevelopedbymicrosoft ibmandselectedvendors e g verisign oblix noworacle sap rsa etc subjecttoasomewhatambiguousroyaltyfree rf process libertyalliancemorepurpose specificsolutions identityfederation insteadofagenericframeworkdevelopedbyindustry lessvendor centric sun vodaphone ibm fidelityinvestmentsamericaonline nokia ericsonmoreopenprocess competingandsomewhatoverlappingstandardsexpectdusttosettleinoasisandws i 23 copyright 2006accentureallrightsreserved standards ws security thews securityinitiativeisdrivenbytheoasisstandardsorganization andledbymicrosoft ibmandverisign thegoalofws securityistoconstructsecuresoapmessageexchanges initialspecifications follow onspecifications 24 copyright 2006accentureallrightsreserved libertyallianceproject federatednetworkidentityandidentity basedservicesid ff1 2 final november2003 cross domainsinglesign onaccountlinkingmainlybrowserbasedinteractionsid wsf1 1 final may2004 discoveryserviceinteractionserviceauthenticationserviceid sis1 1personalprofileemployeeprofilecontactbookgeolocationservicepresenceservice purpose specific deeplydefinedspecifications 25 copyright 2006accentureallrightsreserved standardslifecycle developing notastandard earlyadopters mature ssl tls saml2 0march2005 saml1 1august2003 ws securitymarch2004 xml encryptionxml signaturedec2002 ws securityextensions indicatesthedatethataspecificationbecameanofficialstandard usage acceptance 26 copyright 2006accentureallrightsreserved contents securityandwebservicesindustrystandardsws indetailplatformsupportrecommendations 27 copyright 2006accentureallrightsreserved interactionmodel 2001 2002internationalbusinessmachinescorporation microsoftcorporation 28 copyright 2006accentureallrightsreserved standards ws soap ws security ws secureconversation ws federation ws authorization ws policy ws trust ws privacy w3cfoundationstandardwidelysupported oasisstandardwidelysupported royaltyfreespecsunderdevelopmentpossiblemovetooasisinthefuture undevelopedandunpublished 29 copyright 2006accentureallrightsreserved standards ws security soap ws security ws secureconversation ws federation ws policy ws trust soapsecurityenvelopemessageintegrity confidentiality authenticationofendpointsatmessagelevelmultipletokenssupported x509certs saml kerberos etc 30 copyright 2006accentureallrightsreserved standards ws secureconversation soap ws security ws secureconversation ws federation ws policy ws trust providessecuritycontextforseriesofsoapmsgssecuritycontextestablishmentsessionkeynegotiation 31 copyright 2006accentureallrightsreserved standards ws policy soap ws security ws secureconversation ws federation ws policy ws trust providesmechanismsforcommunicatingpolicyrequirements confidentiality authentication etc 32 copyright 2006accentureallrightsreserved standards ws trust soap ws security ws secureconversation ws federation ws policy ws trust providesmethodsforissuingandexchangingsecuritytokenssupportsabilitytoissue renew validateanddelegatetokensindependentoftokenformat 33 copyright 2006accentureallrightsreserved standards ws federation soap ws security ws secureconversation ws federation ws policy ws trust leveragesws trust enablingssoincludesownsinglelog outmessageprofilesforfrontchannel browser andbackchannel ws useattributeandpseudonymservices 34 copyright 2006accentureallrightsreserved webservicessecuritystandards authorization verifythatanentityisallowedtoperformarequestedaction authentication verifythatanentityiswhotheyclaimthattheyare integrity verifythatthecontentsofamessagehavenotbeentamperedwith confidentiality hidethecontentofamessagefromeveryoneexcepttheintendedrecipient non repudiation theabilitytocorrelateamessagebacktoaspecificpersonorentitywithoutdeniability administrationandmanagement theabilitytocentrallymanagesecurityservicesforusersandapplications keysecurityconcepts 35 copyright 2006accentureallrightsreserved webservicessecurityarchitecture internaladministrationandprovisioning externallymanagedservices policystorestores webbrowserapplications wirelessapps enterpriseasp webservicesconsumers clientapps ws securitystandards httpcommunicationchannel sslprotected accesscontrol w3cxmlstandards authorizationstores identitymanagement businesspartners ws securityextensions saml algorithms signatures sha1 hmac encryption xacml xml digitalsignature xml encryption authenticationstores identitymanagement rsa enterpriseprovisioningsolution pki xkms webservicessecuritylayers accessmanagement provisioning supportingservices pki webservicecommunicationscanbesecuredatthetransportlayerusingssl ws securityleveragesxml sigandxml enctosignandencryptpartofthesoapmessages xkmsisusedtodistributekeystothinclientapplications samlandxacmlareusetodefineauthorizationrulesfortheprocessingofsoapmessages managementsystemsareusedtocontrolthedatathatisusedbythewebservicesecuritystandards thesemanagementsystemsmaybein houseorout sourced securityarchitecturelayer howmightalloftheavailablesecurityfeaturesfittogether 36 copyright 2006accentureallrightsreserved webservicessecurityarchitecture internalpolicyenforcementandaccesscontrol protectedenterprisedata enterpriseapplicationservers transportlayersecuritythroughws security extensions andssl transportlayersecuritythroughssl lightweightpkiandkeydistributiontoamobileuser managementandadministration enterprisesecurityarchitecture asamplediagramofhowsecuritywouldfitintoatypicalwebservicesapplicationarchitecture 37 copyright 200