computer science and engineering 1 service-oriented architecture security 2

Computer Science and Engineering 1

Service-Oriented ArchitectureSecurity 2.Security 2.

ReadingReading

1. New: Security Fundamentals for Web Services, Microsoft patterns and practices, http://msdn.microsoft.com/en-us/library/ff648318.aspx


http://msdn.microsoft.com/en-us/library/ff648318.aspx


SOA Security ComponentsSOA Security Components

1. Software-level (single service) security

2. Business-level (service composition) security

3. Network-level security


Network-Level SecurityNetwork-Level Security

• Authentication and identification • Access Control• Messaging middlewaremiddleware

– Communication security– End point security

• Protocol assurance• Security PatternsSecurity Patterns

Service-level PatternsService-level Patterns

• Exception Shielding• Message Validation• Trusted Subsystem• Service Perimeter Guard


Exception ShieldingException Shielding


Message ValidatorMessage Validator



Trusted SubsystemTrusted Subsystem

• GoalGoal: prevent customers from circumventing a service and directly accessing the resources of the service

• ProblemProblem: – Customer may perform incorrect modifications– May lead to undesirable forms of implementation

coupling• SolutionSolution: service is designed to use own credentials for

authentication with backend resources

Trusted SubsystemTrusted Subsystem



Perimeter GuardPerimeter Guard

• GoalGoal: protect internal resources from users that remotely access internal computers

• ProblemProblem: – External attacker may gain access to services running

within a private network, and thus to the resources within the private network

• SolutionSolution: establish an intermediate service at the perimeter of the private network as a secure contact point

Service Perimeter GuardService Perimeter Guard


Service Interaction PatternsService Interaction Patterns

• Data Confidentiality• Data Origin Authentication• Direct Authentication• Brokered Authentication


Data ConfidentialityData Confidentiality


Symmetric key Public key

Data Origin AuthenticationData Origin Authentication


Symmetric key Public key

Direct AuthenticationDirect Authentication


Single Sign-On

• Authentication of a user within multiple systems: use Digital Certificates and private keys

• Reduces security administration• Services can pass requester’s identity to other services

Brokered AuthenticationBrokered Authentication


Brokered AlternativesBrokered Alternatives


Security Token Service X.509 Digital Certificate


Service-Composition Service-Composition SecuritySecurity

• Ongoing activitiesOngoing activities:– Business process execution across heterogeneous

domains– Identity management– Trust management

• Upcoming research areasUpcoming research areas:– Web Services Composition– Web Service Transactions– Service-Level Dependencies


Web Services CompositionWeb Services Composition

• Create complex applications on the fly from individual services

• BPEL4WS, WSBPEL• How to express security and reliability needs?• How to verify that these needs are satisfied?• How to resolve conflict between business needs and

security requirements?


Web Services TransactionsWeb Services Transactions

• Traditional database transaction managements vs. SOA application needs

• How can we evaluate correct execution? ACID properties? Serializability?

• WS transaction framework:– Atomic (short-term) transactions– Business activity (long-term) transacBusiness activity (long-term) transactions

• What are the security implications of WS transactions?


Service-Level DependenciesService-Level Dependencies

• Old threats reappearing in new context: deadlocks, denial-of-service, network flooding, etc.

• How to detect and prevent the occurrence of these threats?

• In composition, independently developed services are dependent on each other

• No information about internal processing of the workflow components

MLS SOAMLS SOA

• MLS: control information flow– Permitted flow: from low level to high level

• Revisit read/write operations– Subject reads object: info flow from object to subject– Subject writes object: info flow from subject to

object• WS communication: message transfer (write operation)


MLS MessagesMLS Messages

• Metadata: represent proper classification• Communication from High to Low services: message

must be de-classified• How can we achieve it?

– Manual classification– Automated classification – TRUST?


MLS Service InteractionsMLS Service Interactions

• Over multiple domains• Input/output messages• Service broker:

– Discover services– Enforces flow control: up-classify/down-classify

data


Metadata managementMetadata management

• Data classification– Confidentiality– Integrity– Data access policy {s, f, d, c}

• s service

• f in/out

• d data classification level

• c conditions



New Approaches to Improve New Approaches to Improve Security and ReliabilitySecurity and Reliability

• Develop criteria to evaluate correctness of composite application execution– E.g., WS transactions: compensation-based transactions

• Increase reliability using redundant services• Offer security as service• Develop defense models using distributed and

collaborative components– E.g., detect malicious behavior based on collaborative nodes,

verify execution correctness by comparing outcome of different services, deploy intelligent software decoy, etc.


Conclusion and Future WorkConclusion and Future Work

• All aspects of SOA security must be addressed• Standards are not enough to provide security!• New security concepts applicable to SOA environment

must be developed• Security must be incorporated during the system

development process• Requires collaborationcollaboration among SOA developers, SOA developers,

business experts, and security professionalsbusiness experts, and security professionals

computer science and engineering 1 service-oriented architecture security 2

Documents

engineeringcomputer

intermediate service

security fundamentals

perimeter guardgoal

private networksolution

internal resources

security token servicex

digital certificates