Security Policy Management

advertisement
SOA Security
Challenges, Patterns and Solutions
Click to edit Master title style
Martin Borrett
Lead Security Architect
Technical Staff Member
NE Europe
IBM SWG
What is different now?

Trends






Increased focus on compliance and governance
Service oriented architecture
Web 2.0 and collaboration models
User centric identity
Trusted identity
Implications




Porous perimeter with trust extending beyond traditional ‘boundaries’
Composite applications and business process transformation challenge traditional
approaches to define and manage security policies
Empowering users to make selection – sharing of identity info, who they trust,..
Need to factor in reputation, trust models, and information leakage
New identity and access management
challenges

Composite application and mash-ups
adoption



Compliance driving a need for closed-loop
solution



Need consistent enforcement of policies
Requires enterprise to ensure consistent and integration identity
management, access control and data security
Need unified identity & access management with delegation &
change control
Audit accountability needs to relate activities to ‘end users’ not
just ids or systems
Deployment of heterogeneous IT
infrastructures creates costly islands of
security administration


Mature standards exist today (WS-Policy, WS-Trust, XACML)
Need common, pluggable framework (authentication,
authorization)
Architectural principles

Consistent policy enforcement (Runtime)*



Externalization of policies from applications



Security as a service - Service orientation
Federation through mediation
Flexibility to deal with change
Does not mean applications need to be re-written, necessarily
Consistent policy management (Administration)
–* note: enforcement in this context is inclusive of decision points

Interoperability and integration

Open approach – open standards and open source
Consistent runtime enforcement - Example
Proxy/
Intermediary
Firewall
Client System
(browser,
rich client)
Firewall
Enterprise
Information
System
Web Application
Server/Portal
Server
Centralized Security Services
‘Security as a Service’
Existing
Application
Challenge: How to apply policy consistently?
The corporate policy is to
protect disclosure of
social security numbers
Message encryption
policy
Integration
Architect
Security
Officer
Compliance
Officer
Service Service policy
Registry
Corporate
Intranet
Service
Manage and
enforce the
policies
IT Operations
Operations Console
Should I code
entitlements into
the application
Developer
Policies and configurations are currently specific to the various products, with
tool-specific definitions. How do you check compliance across all of them?
Solution Pattern - Components & Interaction
For Policy Administration, Decision and
Enforcement
1
Discovery
Policy
Administration Point Publish
(PAP)
3
Policy Enforcement
Point (PEP)
7
4 Policy Information
Point (PIP )
2
Policy decision
Policy Decision
Point (PDP)
Information
Message Security Policy for Authentication & Identity Propagation




What assertions are needed? What is the trust policy?
How to secure messages for integrity & confidentiality?
How to authenticate, validate and transform identity claims/tokens across boundaries
z42
Jon
Client System
(browser,
rich client)
Firewall

Applications need end user’s identity for controlling access and compliance
Identity information needs to be mediated for access
Authentication service
Firewall

Proxy/
Intermediary
Web Application
Server/Portal
Server
Enterprise
Information
System
Existing
Application
<Jdoe_token>
jdoe@us.ibm.com
jdoe@us.ibm.com
WS-Trust
Authentication
Services
Mapped to
z42
IT Security Runtime
Services
Identity Services
What identity token?
Trust policy?
Policy Enforcement
Message confidentiality &
integrity policies What to sign? Encrypt?
Authorization Policy for Access & Entitlements

Access decisions to take following into considerations



Identity context. resource context, Request context
Need an efficient way to externalize access control out of application logic
Authorization service

Centralized decision point for access and entitlements
Enterprise
Information
System
Can Jon
access apps
Obtain identity
information,
attributes to make
decisions
Proxy/
Intermediary
Firewall
Client System
(browser,
rich client)
Firewall
Jon
Web Application
Server/Portal
Server
Existing
Application
Can Jon
access finance
apps
Authorization
Services
Identity Services
Can Jon access Alice’s
investment record, given
Jon is Alice’s financial advisor?
IT Security Runtime
Services
Access Decisions;
Entitlements;
Use claims
Policy Enforcement
Security Policy Management



Multiple heterogeneous enforcement points
Potential inconsistency in managing policies and configuration across those
Unified security policy management


Federate policies to enforcement points (including decision points/services)
Canonical form of policy expressions – and local transformations as necessary
Manage authorization
policies &
entitlements
Manage trust
relationships across
domains
Service Registry
Trust policies
Identity policies
Author
Transform
Enforce
Canonical form
(e.g., WS-SecurityPolicy, XACML)
Policy lifecycle
Monitor
Local transformation
Firewall
Firewall
Proxy/
Intermediary
Policy management
Canonical form
(e.g., WS-SecurityPolicy, XACML)
Local transformation
Client System
(browser,
rich client)
Authorization policies
Web Application
Server/Portal
Server
Local transformation
Existing
Application
Enterprise
Information
System
Logical Architecture
Business Security Services
Compliance &
Reporting
Data Protection, Privacy
& Disclosure Control
Identity &
Access
Trust
Management
Author
Transform
Authentication
Services
Proxy/
Intermediary
Local transformation
Firewall
Firewall
Policy lifecycle
Monitor
Canonical form
(e.g., WS-SecurityPolicy, XACML)
Local transformation
Identity Services
Secure Systems
& Networks
Enforce
Canonical form
(e.g., WS-SecurityPolicy, XACML)
Client System
(browser,
rich client)
Non-repudiation
Services
Web Application
Server/Portal
Server
IT Security Runtime Services
Authorization &
Privacy Services
Confidentiality &
Integrity Services
Local transformation
Existing
Application
Audit
Services
Non-repudiation
Services
Enterprise
Information
System
… and Interoperability & integration with open
standards

Service interfaces



Policy expressions




WS* - WS-Trust, XACML
Java – Declarative model in J2EE; programming APIs through Java
Authentication and Authorization service (JAAS), Java Authorization
Contract for Containers (JACC)
Collaborators on open standards


Authorization policies - XACML
Message protection policies – e.g., WS-SecurityPolicy
Programming model


Token exchange and authorization - WS-Trust
Identity service – IdAS (open source effort in progress - Project Higgins
@ Eclipse)
Microsoft, Oracle, SAP, Sun, and others
Open source – Project Higgins at Eclipse.org
IBM Product Capability

Tivoli Federated Identity Manager

Identity transformation/propagation



Token
Attributes
Tivoli Security Policy Manager

Author, administer, transform and
distribute security policies
Download