governance and security solution patterns
TRANSCRIPT
![Page 1: Governance and Security Solution Patterns](https://reader035.vdocuments.mx/reader035/viewer/2022062710/55986a2b1a28ab1a0b8b4650/html5/thumbnails/1.jpg)
Governance and Security
Solution Patterns
Gillian Dass and Dakshitha Ratnayake
![Page 2: Governance and Security Solution Patterns](https://reader035.vdocuments.mx/reader035/viewer/2022062710/55986a2b1a28ab1a0b8b4650/html5/thumbnails/2.jpg)
About WSO2
• Providing the only complete open source componentized cloud platform • Dedicated to removing all the stumbling blocks to enterprise agility • Enabling you to focus on business logic and business value
• Recognized by leading analyst firms as visionaries and leaders
• Gartner cites WSO2 as visionaries in all 3 categories of application infrastructure • Forrester places WSO2 in top 2 for API Management
• Global corporation with offices in USA, UK & Sri Lanka
• 200+ employees and growing • Business model of selling comprehensive support & maintenance for our products
![Page 3: Governance and Security Solution Patterns](https://reader035.vdocuments.mx/reader035/viewer/2022062710/55986a2b1a28ab1a0b8b4650/html5/thumbnails/3.jpg)
150+ globally positioned support customers
![Page 4: Governance and Security Solution Patterns](https://reader035.vdocuments.mx/reader035/viewer/2022062710/55986a2b1a28ab1a0b8b4650/html5/thumbnails/4.jpg)
• Introduction to Patterns
• Why Service Oriented Architecture?
• What is Governance?
• Governance Business Problems and Patterns
• Need for Security in SOA
• Security Requirements and Solution Patterns
Agenda
![Page 5: Governance and Security Solution Patterns](https://reader035.vdocuments.mx/reader035/viewer/2022062710/55986a2b1a28ab1a0b8b4650/html5/thumbnails/5.jpg)
• Expose legacy system components as services
• Loose Coupling
• Interoperability
• Flexibility
• Business Process Composition
Why SOA?
![Page 6: Governance and Security Solution Patterns](https://reader035.vdocuments.mx/reader035/viewer/2022062710/55986a2b1a28ab1a0b8b4650/html5/thumbnails/6.jpg)
A generic solution for a common recurring problem
• Used it before
• Error proof
• Catalog to pick one
Image Source: http://www.forbes.com/fdc/welcome_mjx.shtml
A Pattern
![Page 7: Governance and Security Solution Patterns](https://reader035.vdocuments.mx/reader035/viewer/2022062710/55986a2b1a28ab1a0b8b4650/html5/thumbnails/7.jpg)
Managing the three Ps of Governance
• People roles & responsibilities
• Process design, execution and monitoring
• Policy definition and enforcements
Image Source: http://www.governanceinnovation.org/?pageID=whatis
What is Governance?
![Page 8: Governance and Security Solution Patterns](https://reader035.vdocuments.mx/reader035/viewer/2022062710/55986a2b1a28ab1a0b8b4650/html5/thumbnails/8.jpg)
An organization has metadata related to different data types. They
need to capture relationships such as associations and
dependencies.
Business Scenario
![Page 9: Governance and Security Solution Patterns](https://reader035.vdocuments.mx/reader035/viewer/2022062710/55986a2b1a28ab1a0b8b4650/html5/thumbnails/9.jpg)
• Model custom data types in a data repository
• Artifact governance
Pattern
![Page 10: Governance and Security Solution Patterns](https://reader035.vdocuments.mx/reader035/viewer/2022062710/55986a2b1a28ab1a0b8b4650/html5/thumbnails/10.jpg)
Implementation
![Page 11: Governance and Security Solution Patterns](https://reader035.vdocuments.mx/reader035/viewer/2022062710/55986a2b1a28ab1a0b8b4650/html5/thumbnails/11.jpg)
Implementation
![Page 12: Governance and Security Solution Patterns](https://reader035.vdocuments.mx/reader035/viewer/2022062710/55986a2b1a28ab1a0b8b4650/html5/thumbnails/12.jpg)
An artifact is deployed across different environments: Dev, QA, Prod.
This artifact references some external resources, where the resource
need to change for each environment.
Business Scenario
![Page 13: Governance and Security Solution Patterns](https://reader035.vdocuments.mx/reader035/viewer/2022062710/55986a2b1a28ab1a0b8b4650/html5/thumbnails/13.jpg)
/_...
Implementation
![Page 14: Governance and Security Solution Patterns](https://reader035.vdocuments.mx/reader035/viewer/2022062710/55986a2b1a28ab1a0b8b4650/html5/thumbnails/14.jpg)
- Manage service quality
- Manage business transactions
- Monitor and analyze transaction data
- Create dashboard and reports
Why Runtime Governance
![Page 15: Governance and Security Solution Patterns](https://reader035.vdocuments.mx/reader035/viewer/2022062710/55986a2b1a28ab1a0b8b4650/html5/thumbnails/15.jpg)
An online travel reservation application allows users to
create/edit and cancel bookings.
- If >5 cancellations within 24 hours from a single user send
a notification to administrators
- Create dashboards and reports for MI purposes
Business Scenario
![Page 16: Governance and Security Solution Patterns](https://reader035.vdocuments.mx/reader035/viewer/2022062710/55986a2b1a28ab1a0b8b4650/html5/thumbnails/16.jpg)
- Real time events monitoring and notifications - Data analysis and presentation
Solution Pattern
![Page 17: Governance and Security Solution Patterns](https://reader035.vdocuments.mx/reader035/viewer/2022062710/55986a2b1a28ab1a0b8b4650/html5/thumbnails/17.jpg)
Implementation
![Page 18: Governance and Security Solution Patterns](https://reader035.vdocuments.mx/reader035/viewer/2022062710/55986a2b1a28ab1a0b8b4650/html5/thumbnails/18.jpg)
Patterns Security Patterns
Image Source - http://www.coresecuritypatterns.com/blogs/?tag=ws-security
![Page 19: Governance and Security Solution Patterns](https://reader035.vdocuments.mx/reader035/viewer/2022062710/55986a2b1a28ab1a0b8b4650/html5/thumbnails/19.jpg)
• Business assets exposed to the outside as services to
be discovered
• Should facilitate interoperability and flexibility
Why Security in SOA?
![Page 20: Governance and Security Solution Patterns](https://reader035.vdocuments.mx/reader035/viewer/2022062710/55986a2b1a28ab1a0b8b4650/html5/thumbnails/20.jpg)
After identifying the need for security in SOA, determine
the security requirements.
Security Requirements can fall under many categories.
A few examples:
• Identification and Authentication
• Authorization
Security Requirements
![Page 21: Governance and Security Solution Patterns](https://reader035.vdocuments.mx/reader035/viewer/2022062710/55986a2b1a28ab1a0b8b4650/html5/thumbnails/21.jpg)
Image Source - http://www.mikeeckman.com/2013/02/how-much-do-you-think-about-privacy-on-the-internet/
Identification and Authentication
![Page 22: Governance and Security Solution Patterns](https://reader035.vdocuments.mx/reader035/viewer/2022062710/55986a2b1a28ab1a0b8b4650/html5/thumbnails/22.jpg)
• Services need to identify and verify the claimed identity of internal users of the organization.
• Services need to identify and verify the claimed identity of external users from external organizations.
• Facilitate communication between clients and services which talk in different authentication mechanisms.
• Avoid user credentials to be passed to backend services and avoid user bypassing security processing.
Identification and Authentication Requirements
![Page 23: Governance and Security Solution Patterns](https://reader035.vdocuments.mx/reader035/viewer/2022062710/55986a2b1a28ab1a0b8b4650/html5/thumbnails/23.jpg)
Requirement - Identify and verify the claimed identity of internal users of the organization.
Authentication Pattern:
Direct Authentication • Authenticating users with credentials stored internally. • Credentials can be :
§ Username/password § Username token § X.509 certificates
Identification and Authentication Requirements
![Page 24: Governance and Security Solution Patterns](https://reader035.vdocuments.mx/reader035/viewer/2022062710/55986a2b1a28ab1a0b8b4650/html5/thumbnails/24.jpg)
Implementation: Direct Authentication Pattern
![Page 25: Governance and Security Solution Patterns](https://reader035.vdocuments.mx/reader035/viewer/2022062710/55986a2b1a28ab1a0b8b4650/html5/thumbnails/25.jpg)
Configuring a Secured Proxy in ESB
![Page 26: Governance and Security Solution Patterns](https://reader035.vdocuments.mx/reader035/viewer/2022062710/55986a2b1a28ab1a0b8b4650/html5/thumbnails/26.jpg)
Configuring a Secured Proxy in ESB
![Page 27: Governance and Security Solution Patterns](https://reader035.vdocuments.mx/reader035/viewer/2022062710/55986a2b1a28ab1a0b8b4650/html5/thumbnails/27.jpg)
Requirement - Identify and verify the claimed identity of
external users – from external organizations.
Authentication Pattern:
Brokered Authentication
• Authenticating users outside the organization boundary.
• Trusting a token issued by a trusted party in partner organization.
• Brokered authentication based on WS-Trust with SAML.
Identification and Authentication Requirements
![Page 28: Governance and Security Solution Patterns](https://reader035.vdocuments.mx/reader035/viewer/2022062710/55986a2b1a28ab1a0b8b4650/html5/thumbnails/28.jpg)
Implementation: Brokered Authentication Pattern
![Page 29: Governance and Security Solution Patterns](https://reader035.vdocuments.mx/reader035/viewer/2022062710/55986a2b1a28ab1a0b8b4650/html5/thumbnails/29.jpg)
Requirement - Facilitate communication between clients and services which talk in different authentication mechanisms.
Resource Access Pattern:
Protocol Transition
• ESB authenticates clients with the authentication mechanism that they understand – e.g. Username Token
• Transform credentials to the form that service understands e.g. Basic Auth
Identification and Authentication Requirements
![Page 30: Governance and Security Solution Patterns](https://reader035.vdocuments.mx/reader035/viewer/2022062710/55986a2b1a28ab1a0b8b4650/html5/thumbnails/30.jpg)
Implementation: Protocol Transition Pattern
![Page 31: Governance and Security Solution Patterns](https://reader035.vdocuments.mx/reader035/viewer/2022062710/55986a2b1a28ab1a0b8b4650/html5/thumbnails/31.jpg)
Requirement - Avoid user credentials to be passed to backend service and avoid user bypassing security processing.
Resource Access Pattern:
Trusted Sub System
• User authenticates to ESB with his/her credentials.
• Backend service trusts ESB.
• ESB accesses backend service on behalf of authenticated user.
Identification and Authentication Requirements
![Page 32: Governance and Security Solution Patterns](https://reader035.vdocuments.mx/reader035/viewer/2022062710/55986a2b1a28ab1a0b8b4650/html5/thumbnails/32.jpg)
Image Source - http://www.toolsjournal.com/integrations-articles/item/274-direct-and-brokered-authentication
User Credentials Submitted to Service + Bypassing Security Processing
![Page 33: Governance and Security Solution Patterns](https://reader035.vdocuments.mx/reader035/viewer/2022062710/55986a2b1a28ab1a0b8b4650/html5/thumbnails/33.jpg)
Implementation: Trusted Sub System Pattern
![Page 34: Governance and Security Solution Patterns](https://reader035.vdocuments.mx/reader035/viewer/2022062710/55986a2b1a28ab1a0b8b4650/html5/thumbnails/34.jpg)
Image Source - http://onlinebusiness.volusion.com/articles/volusion-authorizenet-partnership/
Authorization
![Page 35: Governance and Security Solution Patterns](https://reader035.vdocuments.mx/reader035/viewer/2022062710/55986a2b1a28ab1a0b8b4650/html5/thumbnails/35.jpg)
• Control access based on privileges of the users
• Control access based on user’s claims, in a fine grained
manner
• Delegated access
Authorization Requirements
![Page 36: Governance and Security Solution Patterns](https://reader035.vdocuments.mx/reader035/viewer/2022062710/55986a2b1a28ab1a0b8b4650/html5/thumbnails/36.jpg)
Requirement - Control access based on privileges of the users.
e.g. Users in role ‘Teacher’ can update students’ reports while users in
role ‘Temporary Teacher’ can only view reports.
Authorization pattern:
Role Based Access Control
Assign users to roles.
Grant privileges to roles.
This is a coarse grained authorization model.
Authorization
![Page 37: Governance and Security Solution Patterns](https://reader035.vdocuments.mx/reader035/viewer/2022062710/55986a2b1a28ab1a0b8b4650/html5/thumbnails/37.jpg)
Configuring Role Based Access Control Pattern
![Page 38: Governance and Security Solution Patterns](https://reader035.vdocuments.mx/reader035/viewer/2022062710/55986a2b1a28ab1a0b8b4650/html5/thumbnails/38.jpg)
Requirement - Control access based on user’s claims, in a fine grained manner.
e.g. Reports of Art students could only be accessed by Teachers with job title “Art Teacher”.
Authorization pattern:
Claim Based Authorization
• Provides fine grained authorization
• Policy based access control with XACML – provides flexibility
Authorization
![Page 39: Governance and Security Solution Patterns](https://reader035.vdocuments.mx/reader035/viewer/2022062710/55986a2b1a28ab1a0b8b4650/html5/thumbnails/39.jpg)
Implementation: Claim Based Authorization Pattern
![Page 40: Governance and Security Solution Patterns](https://reader035.vdocuments.mx/reader035/viewer/2022062710/55986a2b1a28ab1a0b8b4650/html5/thumbnails/40.jpg)
Requirement - Delegated access.
e.g. An application in a teacher’s mobile device needs to retrieve
the time table for the day from his account in the school’s
information system.
Authorization pattern:
Constrained Delegation
• Using OAuth
Authorization
![Page 41: Governance and Security Solution Patterns](https://reader035.vdocuments.mx/reader035/viewer/2022062710/55986a2b1a28ab1a0b8b4650/html5/thumbnails/41.jpg)
Implementation: Constrained Delegation Pattern
![Page 42: Governance and Security Solution Patterns](https://reader035.vdocuments.mx/reader035/viewer/2022062710/55986a2b1a28ab1a0b8b4650/html5/thumbnails/42.jpg)
Questions?
![Page 43: Governance and Security Solution Patterns](https://reader035.vdocuments.mx/reader035/viewer/2022062710/55986a2b1a28ab1a0b8b4650/html5/thumbnails/43.jpg)
Engage with WSO2
• Helping you get the most out of your deployments • From project evaluation and inception to development
and going into production, WSO2 is your partner in ensuring 100% project success