SlideShare a Scribd company logo

SOA Security Architecture

N
nbann
1 of 6
Download to read offline
SECURITY ARCHITECTURES “We have no future because our present is too volatile. We have only risk management. The spinning of the given moment’s scenarios. Pattern recognition...” -William Gibson “Pattern Recognition” Context New software system paradigms demand that information security keep pace with the chang- ing software landscape. With Web Services and Service Oriented Architectures (SOA), software de- velopment is in the third phase of an evolution that began with object oriented programming and progressed to component based program- ming. In object oriented and component based programming, security designers could rely on common languages, security models, and tech- nologies in a distributed system to secure both the clients’ and servers’ transactions and end- points. For example, EJB clients and servers can Service Oriented assume and use a common J2EE security stan- dard for authentication and authorization for Security Architecture both its client and server. However, in Web Ser- vices and Service Oriented Architecture, systems are loosely coupled. Clients and servers may be written in different languages and running on Gunnar Peterson disparate operating systems. Service Oriented Architecture agree upon interface and data Arctec Group schema, but the implementations may vary from client to server, and services may be chained cre- ating a peer to peer model. As programming models and implementations change, the secu- rity assumptions and designs must be refreshed and updated to manage the emerging threats that result from new architectures. Problem Statement The primary security mechanisms deployed to- day rely on notions of perimeters and central- ized security models. However, the nature of business is moving rapidly towards decentral- ized “intertwingled-ness” (non-hierarchical con- nectivity) and perimeters are eroding. Central- ized security systems do not apply in SOA’s de- centralized peer to peer architecture. Security design assumptions based on outmoded technol- ogy create brittle and ineffective systems when deployed in a SOA paradigm. Malicious attack- ers exploit the seams left between the existing security mechanisms deployed based on out- moded assumptions and the reality of the threats to the connected systems on the ground. Solution In keeping with the design spirit of SOA, the way forward in software security architecture is viewing security as service that is decoupled and composeable. Service Oriented Security (SOS) ar- chitecture does not solely focus on perimeters, but rather provides a framework to analyze and manage risk to the system’s assets, such as data, services, and identities. SOS and its architectural Information Security Bulletin, November 2005 Volume 10, Page 325 Copyright ©2005 CHI Publishing Ltd - All rights reserved - Do not copy without written permission
SECURITY ARCHITECTURES - Deployment View: deals with the defense in depth 5 layer model: physical, network, host, ap- Message plication, and data Identity - Transaction Use Case Life Cycle View: deals with the key behavioral flows and relationships in a Transaction system and its actors from an end-to-end per- Use Case spective Life Cycle Each of the individual views is composed of do- main specific elements, constraints, threats, risks, Deployment vulnerabilities, and countermeasures. Each view Service also includes a set of key architectural patterns and principles. By partitioning concerns security designers are able to first decouple concerns to Figure 1 - Service Oriented Security Views analyze security domains and analyze tradeoffs and dependencies among the domains. The re- views provide a framework for reasoning about sultant architecture takes the concerns from each software security in a service oriented system. domain into account and provides holistic solu- This framework can be used by security archi- tions based on the risk management of digital as- tects to harmonize designs across infrastructure, sets like identities and data. The following sec- applications, and data based on business risk. tions examine each SOS viewpoint in more de- Service Oriented Security Architecture provides tail and provide an example usage. a set of views that can be used in a larger enter- prise security architecture, such as SABSA [7]. In Architecting with the SOS Views a SABSA model, the five main Service Oriented Software security architecture is an iterative pro- Security architecture views detail the Conceptual cess that includes decomposing complex prob- and Logical Security Views. lem spaces, drilling down on granular details to gain traction in a domain; and then synthesizing across domains, building up design views, iden- Service Oriented Security tifying relationship vectors that illustrate the sys- Architecture Overview tem’s security design goals. Each SOS View con- In software architecture, the word “security” can tains the following constituents: often do more harm than good. Frequently, stakeholders have differing, conflicting, and - Elements: describe the key components in the overloaded definitions of the term. In order to system and their logical organization including build a coherent system, the architects must pro- the subjects and objects that the view interacts vide specific guidance to the development and with operational teams. Service Oriented Security - Constraints: show the business, political, legal, (SOS) Architecture provides a set of software ar- and technical constraints for the view chitecture viewpoints that allow security archi- tects to construct a holistic system design based - Risk Model: illustrates the threats, assets, vul- on a set of views. No single view is sufficient to nerabilities, and countermeasures in the view. analyze and understand the system’s security as Conduct architectural risk analysis to manage a whole. The combination of the SOS views and risks [8] their relationships demonstrate the security deci- sions and design. Since security is not a zero - Relationships: conveys the nature and direction sum game, the views provide a framework in of the views’ relationships with other views which to conduct security architecture tradeoff The chief utility of separation of concerns in SOS analysis and to convey design decisions to devel- is that each of the views’ elements, constraints, opment and operational staff. As Kruchten ob- risk models, and relationships are unique and served [1], views enable the software architect to decoupled inside their view. The design deci- separate concerns in a complex system. The sions made about securing the elements will im- views in Service Oriented Security consist of the pact other views, but separating the concerns al- following: lows for decoupling the concerns and handling the domain specific risks. - Identity View: deals with the generation, com- munication, recognition, negotiation, and Identity View transformation of identity Using Kim Cameron’s definition we will exam- ine identity as “a set of claims made by one digi- - Service View: deals with the service, its meth- tal subject about itself or another digital subject." ods and component parts [2. This definition rewards careful study because it reveals that identity is not a passive entity, but - Message View: deals with the service’s message rather the result of an active set of processes that payload can be judged against a dynamic set of criteria. Volume 10, Page 326 Information Security Bulletin, November 2005 Copyright ©2005 CHI Publishing Ltd - All rights reserved - Do not copy without written permission
SECURITY ARCHITECTURES When identity is defined as a set of claims, each service can decide what claims it will accept and from what SecurityDomain SecurityDomain authorities. App Federation Key elements of the Identity View include: App/Resources - Authentication mecha- Betsy nisms, events, and princi- User Store Red Green pals including Kerberos Fed Fed tickets, X.509, Windows Server Server sessions, and web server sessions - Identity Federations in- cluding the portable, Figure 2 - Using Identity Federation strong identities like SAML, Liberty, and WS- anywhere a digital subject is mapped, con- Federation identities sumed, stored, and transformed. The Identity - Monitoring and audit systems: provide trace- View has relationships with the other SOS ability of identity-related events like authenti- Views. The Identity View provides information cation about subjects to the other SOS Views, other views both consume and query principal data - Identity domain-specific attributes provided by the processes generated by Identity View elements. Due to its criticality as a founda- Identity is a fundamental element in access con- tion element for other views, the elements in the trol decisions, hence the protocols that generate, Identity View should be hardened using the communicate and negotiate identity information strongest security controls that are reasonably require security analysis to ensure a robust possible for all the states of the system that the system. identity is in. Identity information is a very valuable asset to attackers and so systems designers must design Service View its implementation and usage to withstand a va- The Service provides the interface to the rest of riety of attacks. Phishing attacks that continue to the system and brokers the identity, messages, grow in distribution and sophistication are just and transactional data. The Service View is con- one example of attacks that exploit weak identity cerned with the risks around the service and the systems [3]. Privacy, regulatory, and legal do- service’s ability to broker information flows with mains all impose constraints on identity imple- requisite confidentiality, integrity, and availabil- mentations and what information may be shared ity. Services require access control protection and and used by parties. Identity information may may consume identity and domain attribute in- “leak” inadvertently to other systems and users formation from other domains, so the service can that are not allowed to access the information. typically make a minimum of assumptions about what it receives. From a detection and response Identity View Pattern: Federated Identity standpoint, services require logging mechanisms to vouch for the health of the system. Standard - Context: Security domains Red and Green want technology specific service hardening and secu- to integrate disparate systems with unique pol- rity guidelines apply in the services view, such icies and management. The systems have dis- as the OWASP guidelines for Web Applications. parate identity repositories, operating systems, and application languages, but want to ex- Key elements of the Service View include: change XML documents for order processing - Application Servers and Services: such as data- - Problem: User credentials must be securely bases, web servers, and web services ported across domains and security informa- tion must be recognizable to both parties - Logging Services - Solution: Use federated identity for access con- - Integrity Services trol. Red Client (Alice) logs onto local Red sys- tem, generates/sends encrypted SAML token Service risks include denial of service, forcing ex- with app request to the Green Service. Green ception conditions, attacks against validation sys- server validates assertions for access rights. tems, attacks against program and service logic. Since services are an endpoint for incoming re- Federation is one example of a service in the quests, they must broker access and data flows identity view. Many other will come into play in between the domains with disparate security a system, including access control mechanisms, models. Information Security Bulletin, November 2005 Volume 10, Page 327 Copyright ©2005 CHI Publishing Ltd - All rights reserved - Do not copy without written permission
SECURITY ARCHITECTURES Message View Pattern: WS-Security Manufacturer Supplier Web Context: data is in- SOAP App Server Data- creasingly shared Web Service Service SPI base across technological and policy bound- Filters and Analyses Data aries. The technology Figure 3 - Security Pipeline Interface Provides Data Integrity and Logging stack is unpredict- able in SOA systems, Service View Pattern: Security Pipeline Interface hence command and control security systems do not apply. - Context: host must mediate activity between remote client system and back end resources Problem: message must be protected beyond the span of control of the service and systems, since - Problem: host system cannot trust incoming re- it can traverse multiple domains. How does the quests and data principle of complete mediation [5] apply in a “fire and forget” service oriented world? - Solution: Use Security Pipeline Interface (SPI) [4] to enforce the principle of Separation of Privi- Solution: Use WS-Security standard to sign and lege [Saltzer75] and reduce risk of data integ- encrypt persistent XML documents. WS-Security rity threats. Run SPI in separate physical, pro- uses XML Encryption and XML Signature, and cess and memory space from business logic can accept tokens such as SAML, Kerberos, and aware services. Execute logging of access con- X.509 to provide assurance through authentica- trol and related security event at the SPI. tion, authorization, and validation Message View Deployment Environment View Information security is concerned with protect- The Deployment Environment view is focused ing valuable digital assets, in many cases the on the classic information security Defense in most valuable assets from a risk management Depth layers: perspective is not network access, but rather the company’s data. As distributed systems continue - Physical: such as guards and locks to evolve and become more connected to each - Network: such as firewalls, IDS other in ways not foreseen by their original de- signers, such as decades old legacy systems be- - Host: such as HIDS, Host Integrity Monitoring ing connected to the web, data and messages and server hardening emerge in ways not intended when their protec- tion mechanisms were implemented. The net re- - Application: such as Input Validation, logging sult of this evolution is to move security mecha- systems nisms closer to the asset level, in this case the - Data: such as database hardening, and data data elements. Encryption and related technol- level access controls ogy standards are used to constrain access to persistent data while it is at rest and ensure The Deployment Environment view is where the integrity and auditability over its life cycle. lions share of IT security resources are deployed currently. The patterns in place in the Deploy- Key elements in the Message View include: ment Environment are more mature than those - Message Payload: typically a XML document in the emerging SOA-centric views like Identity, and related schema information Message, and Service views. The risks that are present in the defense in depth layers currently - Interface Information: for example WSDL in Web must be baselined against the SOA applications Services that are deployed on these foundations. - Security Tokens: such as digital signature infor- Deployment Environment View Anti-Patterns: mation and cryptographic keys Trusted Versus Untrusted Considered Harmful Risks in the Message view include attacks - Do not architect using dualistic concepts like against data at rest and in transit. Since data “trusted versus untrusted”. Deperimeterization flows in service oriented systems cannot be pre- renders these definitions meaningless. Instead dicted in an end to end sense with a high degree focus on layers of verification based on avail- of confidence, encryption is a primary consider- able protection, detection, and response mech- ation for protecting messages as it traverses a anisms. host of states, and security domains. As with us- Additional Deployment Environment View Pat- ing PGP for email security, encrypting the mes- terns: sage payload provides fine grained protection even without the designer’s knowing the precise - Use Honeypots for understanding the actual details of the system that the message will threat profile on the ground of each domain to traverse. vet trust zone assumptions. Develop metrics Volume 10, Page 328 Information Security Bulletin, November 2005 Copyright ©2005 CHI Publishing Ltd - All rights reserved - Do not copy without written permission
SECURITY ARCHITECTURES and reporting to feed forward into future secu- ship outcome changes the base flow of the Use rity designs. Case. In the case of including an access control Use Case like Authenticate User, the outcome - Utilize security metrics across layers to develop of this (usually boolean pass/fail) directly a scoring system and track performance over changes the behaviors of the related use case. time for decision support The extends relationship does not alter behav- ior of the preceding use case, so if a use case Transaction Use Case Life cycle View extends to a monitor event use case and that Use Cases are used to show the end-to-end view monitor server is down, it may not make sense of the system. Use cases provide a synthetic to alter the flow of the preceding Use Case. model that correlates requirements from differ- ent domains’ concerns into a coherent model - Mapping Use Cases to Threat Models: Security and flow. Use Case models contain many prop- cannot only focus on functional requirements, erties that are critical to secure system design: but must also consider the attacker viewpoint. Threat modelling and abuse cases are tech- - Stakeholders: In Information Security, it pays to niques used in the development life cycle to find allies who have a vested interest in sys- map possible threats, vulnerabilities, and im- tem security. Stakeholders who may be con- pacts onto the system so that appropriate secu- cerned about security implications in the sys- rity countermeasures can be built into the sys- tem that is being built include not just the core tem. The Use Case model allows the Threat development staff, but also the legal staff, busi- Model to refer to functions in a context-sensi- ness owners, domain experts, operational staff, tive manner. customers, shareholders, and users. - Pre and Post Conditions: Pre and post conditions Brokering Relationships describe the set conditions that must be satis- To facilitate communication across views and se- fied for the Use Case to execute (Pre-condi- curity domains, a common mechanism is needed tions) and the set of states that the system can to generically create, validate, and exchange se- be in after it has completed (Post-conditions). curity information. WS-Trust provides a stan- Pre-conditions allow the Information Security dard framework for request/response communi- team to articulate the security conditions, such cation for a variety of security tokens including as authentication and authorization processes SAML, Kerberos, and X.509. Integration patterns that must be completed before accessing the of these relationships can be distilled from the Use Case functionality so that developers have Use Cases. The directionality of the relationship a consistent spec to build from. and the nature of the relationships (includes ver- sus extends) shows how the system must be - Exceptional and Alternate Flows: A fundamental built to satisfy security and privacy requirements principle in security design is to design for fail- across domains. ure. Development projects are mainly focused on base flows of the system since these imple- ment business valuable features. However Architecture Issues from a security standpoint, exceptional and al- The SOS views describe a way of seeing security ternate flows highlight paths that often be- architecture across a complex system to make come attack vectors. These flows are worth ex- and convey security design decisions. The soft- amination by Information Security to ensure ware security space contains issues that are still that the system is designed to deal with these being worked to achieve optimal effectiveness. exceptions and has deployed security mecha- nisms such as audit logs and IDS tools to catch security exceptions when they occur. XML Security Research has shown various flaws with XML Se- - Actors: Actors can include computer systems, curity [6] related to its reliance on XML for en- users, and other resources like schedulers. By cryption and signature as well as replicating a analyzing the actors involved in the Use Case number of problems in legacy technologies. model, the Information Security team can be- Since a large number of emerging security solu- gin to build a picture of the access control tions, particularly WS-* rely on XML security structures such as roles and groups that may mechanisms it is worth revisiting this depend- be required for design as the system is built. ency to see if XMPP or other technology can Where delegation or impersonation is used, ac- remedy these issues. tors can identify where this is accomplished and what actors are mapped onto other actors at runtime. Emerging Toolsets and Standards The software security space is evolving at a rapid - Relationships: Much of the power in the Use pace; investment paths are not clear in a long Case model comes from its simplicity. Use term sense. Deploying resources based on to- Case models feature two types of relation- day’s assumptions about standards, for example ships: includes and extends. These have direct SAML vs. WS-*, implementation, and threat security implications, in the includes relation- models inserts a higher degree of variability into Information Security Bulletin, November 2005 Volume 10, Page 329 Copyright ©2005 CHI Publishing Ltd - All rights reserved - Do not copy without written permission
SECURITY ARCHITECTURES the system’s longevity based on the outcomes of [7] http://www.sabsa-institute.org/ the technical and standards challenges. [8] Steven Lavenhar and Gunnar Peterson, Ar- Changing Threat Landscape: chitectural Risk Analysis, Cigital Copyright Attacker Co-Evolution 2005 As with any security design, the opponent is homo sapiens meaning that the opponent is ever https://buildsecurityin.us-cert.gov/portal/ adaptable and resourceful. As security designs article/bestpractices/ become more robust, then business deploy more architectural_risk_analysis/ resources and transactions to the online world, architectural_risk_assessment.xml thus attracting more attackers. References About the Author [1] Philippe Kruchten, Architectural Blueprints – Mr. Peterson is CTO of Arctec Group, a consult- The “4+1” View Model of Software Architecture, ing firm focused on building strategic technology IEEE Software, 1995 blueprints for its clients. [2] Kim Cameron, What is a digital identity?, 2005 http://www.identityblog.com/2005/03/ He has served organizations as a Software Archi- 07.html#a152 tecture consultant for distributed systems includ- ing smart card, databases, middleware, messa- [3] Anti-Phishing Working Group, Phishing Ac- ging, application layer, embedded systems, and tivity Trends Report, June, 2005 commercial packages. Mr. Peterson has provided http://antiphishing.org/APWG_Phishing consulting services on software security design, _Activity_Report_Jun_05.pdf process, and training to some of the largest fi- nancial systems, financial exchanges, manufac- [4] Security Pipeline Interface”, Hoffman and turing, and healthcare organizations and sys- Davis, Proceedings of the Sixth Annual Com- tems. puter Security Applications Conference, 1990 [5] Saltzer and Schroeder, The Protection of Infor- Mr. Peterson has presented on software security mation in Computer Systems, Proceedings of topics for numerous conferences and organiza- the IEEE, 1975) tions, including ISSA, Black Hat, OWASP, and [6] Peter Gutmann, Why XML Security is Broken, SANS. He has published papers on the Dept 2005 Homeland Security portal: Build Security In on Identity Architecture and on Architectural Risk http://www.cs.auckland.ac.nz/~pgut001/ Assessment. Mr. Peterson is an associate editor pubs/xmlsec.txt of Information Security Bulletin. There is only one way to get all issues of Information Security Bulletin: SUBSCRIBING! Please use the form in the journal, or visit http://www.isb-online.net Volume 10, Page 330 Information Security Bulletin, November 2005 Copyright ©2005 CHI Publishing Ltd - All rights reserved - Do not copy without written permission

Recommended

InfoSec Technology Management of User Space and Services Through Security Thr...
InfoSec Technology Management of User Space and Services Through Security Thr...InfoSec Technology Management of User Space and Services Through Security Thr...
InfoSec Technology Management of User Space and Services Through Security Thr...ecarrow
 
XP-Manchester 2013 Software Architecture for Agile Developers Intro
XP-Manchester 2013 Software Architecture for Agile Developers IntroXP-Manchester 2013 Software Architecture for Agile Developers Intro
XP-Manchester 2013 Software Architecture for Agile Developers IntroChris F Carroll
 
Security Authorization: An Approach for Community Cloud Computing Environments
Security Authorization: An Approach for Community Cloud Computing EnvironmentsSecurity Authorization: An Approach for Community Cloud Computing Environments
Security Authorization: An Approach for Community Cloud Computing EnvironmentsBooz Allen Hamilton
 
International approaches to critical information infrastructure protection ...
International approaches to critical information infrastructure protection ...International approaches to critical information infrastructure protection ...
International approaches to critical information infrastructure protection ...owaspindia
 
HyTrust and VMware-Providing a Secure Virtual Infrastructure
HyTrust and VMware-Providing a Secure Virtual Infrastructure HyTrust and VMware-Providing a Secure Virtual Infrastructure
HyTrust and VMware-Providing a Secure Virtual Infrastructure HyTrust
 
An explicit trust model towards better system security
An explicit trust model towards better system securityAn explicit trust model towards better system security
An explicit trust model towards better system securitycsandit
 
Cio ciso security_strategyv1.1
Cio ciso security_strategyv1.1Cio ciso security_strategyv1.1
Cio ciso security_strategyv1.1Anindya Ghosh,
 
Safe Code Software Integrity Controls0610
Safe Code Software Integrity Controls0610Safe Code Software Integrity Controls0610
Safe Code Software Integrity Controls0610Tommy Tracx Xaypanya
 

Recommended

InfoSec Technology Management of User Space and Services Through Security Thr...
InfoSec Technology Management of User Space and Services Through Security Thr...InfoSec Technology Management of User Space and Services Through Security Thr...
InfoSec Technology Management of User Space and Services Through Security Thr...ecarrow
 
XP-Manchester 2013 Software Architecture for Agile Developers Intro
XP-Manchester 2013 Software Architecture for Agile Developers IntroXP-Manchester 2013 Software Architecture for Agile Developers Intro
XP-Manchester 2013 Software Architecture for Agile Developers IntroChris F Carroll
 
Security Authorization: An Approach for Community Cloud Computing Environments
Security Authorization: An Approach for Community Cloud Computing EnvironmentsSecurity Authorization: An Approach for Community Cloud Computing Environments
Security Authorization: An Approach for Community Cloud Computing EnvironmentsBooz Allen Hamilton
 
International approaches to critical information infrastructure protection ...
International approaches to critical information infrastructure protection ...International approaches to critical information infrastructure protection ...
International approaches to critical information infrastructure protection ...owaspindia
 
HyTrust and VMware-Providing a Secure Virtual Infrastructure
HyTrust and VMware-Providing a Secure Virtual Infrastructure HyTrust and VMware-Providing a Secure Virtual Infrastructure
HyTrust and VMware-Providing a Secure Virtual Infrastructure HyTrust
 
An explicit trust model towards better system security
An explicit trust model towards better system securityAn explicit trust model towards better system security
An explicit trust model towards better system securitycsandit
 
Cio ciso security_strategyv1.1
Cio ciso security_strategyv1.1Cio ciso security_strategyv1.1
Cio ciso security_strategyv1.1Anindya Ghosh,
 
Safe Code Software Integrity Controls0610
Safe Code Software Integrity Controls0610Safe Code Software Integrity Controls0610
Safe Code Software Integrity Controls0610Tommy Tracx Xaypanya
 
Security of,for & by cloud
Security of,for & by cloudSecurity of,for & by cloud
Security of,for & by cloudLakshmi Subramanian
 
Moving target-defense
Moving target-defenseMoving target-defense
Moving target-defenseZsolt Nemeth
 
Monitoring Smart Grid Operations and Maintaining Missions Assurance
Monitoring Smart Grid Operations and Maintaining Missions AssuranceMonitoring Smart Grid Operations and Maintaining Missions Assurance
Monitoring Smart Grid Operations and Maintaining Missions Assurancenamblasec
 
SCIT Labs - intrusion tolerant systems
SCIT Labs - intrusion tolerant systemsSCIT Labs - intrusion tolerant systems
SCIT Labs - intrusion tolerant systemsZsolt Nemeth
 
433 438
433 438433 438
433 438Editor IJARCET
 
Removing the Cloud of Insecurity
Removing the Cloud of InsecurityRemoving the Cloud of Insecurity
Removing the Cloud of InsecurityRackspace
 
Security assessment for financial institutions
Security assessment for financial institutionsSecurity assessment for financial institutions
Security assessment for financial institutionsZsolt Nemeth
 
Big data Propels SIEM into the era of Security Analytics
Big data Propels SIEM into the era of Security Analytics Big data Propels SIEM into the era of Security Analytics
Big data Propels SIEM into the era of Security Analytics EMC
 
Whitepaper - Data Security while outsourcing
Whitepaper - Data Security while outsourcingWhitepaper - Data Security while outsourcing
Whitepaper - Data Security while outsourcingRaghuraman Ramamurthy
 
Building a Distributed Secure System on Multi-Agent Platform Depending on the...
Building a Distributed Secure System on Multi-Agent Platform Depending on the...Building a Distributed Secure System on Multi-Agent Platform Depending on the...
Building a Distributed Secure System on Multi-Agent Platform Depending on the...CSCJournals
 
WP82 Physical Security in Mission Critical Facilities
WP82 Physical Security in Mission Critical FacilitiesWP82 Physical Security in Mission Critical Facilities
WP82 Physical Security in Mission Critical FacilitiesSE_NAM_Training
 
Solutions for PCI DSS Compliance
Solutions for PCI DSS ComplianceSolutions for PCI DSS Compliance
Solutions for PCI DSS ComplianceTrend Micro
 
VESPA- Multi-Layered Self-Protection for Cloud Resources, OW2con'12, Paris
VESPA- Multi-Layered Self-Protection for Cloud Resources, OW2con'12, ParisVESPA- Multi-Layered Self-Protection for Cloud Resources, OW2con'12, Paris
VESPA- Multi-Layered Self-Protection for Cloud Resources, OW2con'12, ParisOW2
 
Vertualisation
VertualisationVertualisation
VertualisationChkifa Khalid
 
CRTC Cloud Security- Jeff Crume
CRTC Cloud Security- Jeff CrumeCRTC Cloud Security- Jeff Crume
CRTC Cloud Security- Jeff CrumeKrisValerio
 
kelly meaux resume 2016
kelly meaux resume 2016kelly meaux resume 2016
kelly meaux resume 2016kelly meaux
 
BriefingsDirect Transcript--How security leverages virtualization to counter ...
BriefingsDirect Transcript--How security leverages virtualization to counter ...BriefingsDirect Transcript--How security leverages virtualization to counter ...
BriefingsDirect Transcript--How security leverages virtualization to counter ...Dana Gardner
 
An Overview of Visual Cryptography based Video Watermarking Schemes: Techniqu...
An Overview of Visual Cryptography based Video Watermarking Schemes: Techniqu...An Overview of Visual Cryptography based Video Watermarking Schemes: Techniqu...
An Overview of Visual Cryptography based Video Watermarking Schemes: Techniqu...idescitation
 
Privacy preserving distributed profile matching in proximity-based mobile soc...
Privacy preserving distributed profile matching in proximity-based mobile soc...Privacy preserving distributed profile matching in proximity-based mobile soc...
Privacy preserving distributed profile matching in proximity-based mobile soc...IEEEFINALYEARPROJECTS
 
Deepsecurity & VDI beveiliging, maximale beveiliging en optimale performance
Deepsecurity & VDI beveiliging, maximale beveiliging en optimale performanceDeepsecurity & VDI beveiliging, maximale beveiliging en optimale performance
Deepsecurity & VDI beveiliging, maximale beveiliging en optimale performanceUNIT4 IT Solutions
 
Asignación no. 2 diagnostico de los sistemas y tecnologías de información e...
Asignación no. 2 diagnostico de los sistemas y tecnologías de información e...Asignación no. 2 diagnostico de los sistemas y tecnologías de información e...
Asignación no. 2 diagnostico de los sistemas y tecnologías de información e...ted_em
 
trainings history 2013 cac mercedes
trainings history 2013 cac mercedestrainings history 2013 cac mercedes
trainings history 2013 cac mercedesChristian Recker
 

More Related Content

What's hot

Moving target-defense
Moving target-defenseMoving target-defense
Moving target-defenseZsolt Nemeth
 
Monitoring Smart Grid Operations and Maintaining Missions Assurance
Monitoring Smart Grid Operations and Maintaining Missions AssuranceMonitoring Smart Grid Operations and Maintaining Missions Assurance
Monitoring Smart Grid Operations and Maintaining Missions Assurancenamblasec
 
SCIT Labs - intrusion tolerant systems
SCIT Labs - intrusion tolerant systemsSCIT Labs - intrusion tolerant systems
SCIT Labs - intrusion tolerant systemsZsolt Nemeth
 
Removing the Cloud of Insecurity
Removing the Cloud of InsecurityRemoving the Cloud of Insecurity
Removing the Cloud of InsecurityRackspace
 
Security assessment for financial institutions
Security assessment for financial institutionsSecurity assessment for financial institutions
Security assessment for financial institutionsZsolt Nemeth
 
Big data Propels SIEM into the era of Security Analytics
Big data Propels SIEM into the era of Security Analytics Big data Propels SIEM into the era of Security Analytics
Big data Propels SIEM into the era of Security Analytics EMC
 
Whitepaper - Data Security while outsourcing
Whitepaper - Data Security while outsourcingWhitepaper - Data Security while outsourcing
Whitepaper - Data Security while outsourcingRaghuraman Ramamurthy
 
Building a Distributed Secure System on Multi-Agent Platform Depending on the...
Building a Distributed Secure System on Multi-Agent Platform Depending on the...Building a Distributed Secure System on Multi-Agent Platform Depending on the...
Building a Distributed Secure System on Multi-Agent Platform Depending on the...CSCJournals
 
WP82 Physical Security in Mission Critical Facilities
WP82 Physical Security in Mission Critical FacilitiesWP82 Physical Security in Mission Critical Facilities
WP82 Physical Security in Mission Critical FacilitiesSE_NAM_Training
 
Solutions for PCI DSS Compliance
Solutions for PCI DSS ComplianceSolutions for PCI DSS Compliance
Solutions for PCI DSS ComplianceTrend Micro
 
VESPA- Multi-Layered Self-Protection for Cloud Resources, OW2con'12, Paris
VESPA- Multi-Layered Self-Protection for Cloud Resources, OW2con'12, ParisVESPA- Multi-Layered Self-Protection for Cloud Resources, OW2con'12, Paris
VESPA- Multi-Layered Self-Protection for Cloud Resources, OW2con'12, ParisOW2
 
CRTC Cloud Security- Jeff Crume
CRTC Cloud Security- Jeff CrumeCRTC Cloud Security- Jeff Crume
CRTC Cloud Security- Jeff CrumeKrisValerio
 
kelly meaux resume 2016
kelly meaux resume 2016kelly meaux resume 2016
kelly meaux resume 2016kelly meaux
 
BriefingsDirect Transcript--How security leverages virtualization to counter ...
BriefingsDirect Transcript--How security leverages virtualization to counter ...BriefingsDirect Transcript--How security leverages virtualization to counter ...
BriefingsDirect Transcript--How security leverages virtualization to counter ...Dana Gardner
 
An Overview of Visual Cryptography based Video Watermarking Schemes: Techniqu...
An Overview of Visual Cryptography based Video Watermarking Schemes: Techniqu...An Overview of Visual Cryptography based Video Watermarking Schemes: Techniqu...
An Overview of Visual Cryptography based Video Watermarking Schemes: Techniqu...idescitation
 
Privacy preserving distributed profile matching in proximity-based mobile soc...
Privacy preserving distributed profile matching in proximity-based mobile soc...Privacy preserving distributed profile matching in proximity-based mobile soc...
Privacy preserving distributed profile matching in proximity-based mobile soc...IEEEFINALYEARPROJECTS
 
Deepsecurity & VDI beveiliging, maximale beveiliging en optimale performance
Deepsecurity & VDI beveiliging, maximale beveiliging en optimale performanceDeepsecurity & VDI beveiliging, maximale beveiliging en optimale performance
Deepsecurity & VDI beveiliging, maximale beveiliging en optimale performanceUNIT4 IT Solutions
 

What's hot (20)

Security of,for & by cloud
Security of,for & by cloudSecurity of,for & by cloud
Security of,for & by cloud
 
Moving target-defense
Moving target-defenseMoving target-defense
Moving target-defense
 
Monitoring Smart Grid Operations and Maintaining Missions Assurance
Monitoring Smart Grid Operations and Maintaining Missions AssuranceMonitoring Smart Grid Operations and Maintaining Missions Assurance
Monitoring Smart Grid Operations and Maintaining Missions Assurance
 
SCIT Labs - intrusion tolerant systems
SCIT Labs - intrusion tolerant systemsSCIT Labs - intrusion tolerant systems
SCIT Labs - intrusion tolerant systems
 
433 438
433 438433 438
433 438
 
Removing the Cloud of Insecurity
Removing the Cloud of InsecurityRemoving the Cloud of Insecurity
Removing the Cloud of Insecurity
 
Security assessment for financial institutions
Security assessment for financial institutionsSecurity assessment for financial institutions
Security assessment for financial institutions
 
Big data Propels SIEM into the era of Security Analytics
Big data Propels SIEM into the era of Security Analytics Big data Propels SIEM into the era of Security Analytics
Big data Propels SIEM into the era of Security Analytics
 
Whitepaper - Data Security while outsourcing
Whitepaper - Data Security while outsourcingWhitepaper - Data Security while outsourcing
Whitepaper - Data Security while outsourcing
 
Building a Distributed Secure System on Multi-Agent Platform Depending on the...
Building a Distributed Secure System on Multi-Agent Platform Depending on the...Building a Distributed Secure System on Multi-Agent Platform Depending on the...
Building a Distributed Secure System on Multi-Agent Platform Depending on the...
 
WP82 Physical Security in Mission Critical Facilities
WP82 Physical Security in Mission Critical FacilitiesWP82 Physical Security in Mission Critical Facilities
WP82 Physical Security in Mission Critical Facilities
 
Solutions for PCI DSS Compliance
Solutions for PCI DSS ComplianceSolutions for PCI DSS Compliance
Solutions for PCI DSS Compliance
 
VESPA- Multi-Layered Self-Protection for Cloud Resources, OW2con'12, Paris
VESPA- Multi-Layered Self-Protection for Cloud Resources, OW2con'12, ParisVESPA- Multi-Layered Self-Protection for Cloud Resources, OW2con'12, Paris
VESPA- Multi-Layered Self-Protection for Cloud Resources, OW2con'12, Paris
 
Vertualisation
VertualisationVertualisation
Vertualisation
 
CRTC Cloud Security- Jeff Crume
CRTC Cloud Security- Jeff CrumeCRTC Cloud Security- Jeff Crume
CRTC Cloud Security- Jeff Crume
 
kelly meaux resume 2016
kelly meaux resume 2016kelly meaux resume 2016
kelly meaux resume 2016
 
BriefingsDirect Transcript--How security leverages virtualization to counter ...
BriefingsDirect Transcript--How security leverages virtualization to counter ...BriefingsDirect Transcript--How security leverages virtualization to counter ...
BriefingsDirect Transcript--How security leverages virtualization to counter ...
 
An Overview of Visual Cryptography based Video Watermarking Schemes: Techniqu...
An Overview of Visual Cryptography based Video Watermarking Schemes: Techniqu...An Overview of Visual Cryptography based Video Watermarking Schemes: Techniqu...
An Overview of Visual Cryptography based Video Watermarking Schemes: Techniqu...
 
Privacy preserving distributed profile matching in proximity-based mobile soc...
Privacy preserving distributed profile matching in proximity-based mobile soc...Privacy preserving distributed profile matching in proximity-based mobile soc...
Privacy preserving distributed profile matching in proximity-based mobile soc...
 
Deepsecurity & VDI beveiliging, maximale beveiliging en optimale performance
Deepsecurity & VDI beveiliging, maximale beveiliging en optimale performanceDeepsecurity & VDI beveiliging, maximale beveiliging en optimale performance
Deepsecurity & VDI beveiliging, maximale beveiliging en optimale performance
 

Viewers also liked

Asignación no. 2 diagnostico de los sistemas y tecnologías de información e...
Asignación no. 2 diagnostico de los sistemas y tecnologías de información e...Asignación no. 2 diagnostico de los sistemas y tecnologías de información e...
Asignación no. 2 diagnostico de los sistemas y tecnologías de información e...ted_em
 
trainings history 2013 cac mercedes
trainings history 2013 cac mercedestrainings history 2013 cac mercedes
trainings history 2013 cac mercedesChristian Recker
 
Ar doc 640616
Ar doc 640616Ar doc 640616
Ar doc 640616xendock
 
‘Truth in Medicine’ Ad Campaign To Help Health Care Consumers Decipher Fact f...
‘Truth in Medicine’ Ad Campaign To Help Health Care Consumers Decipher Fact f...‘Truth in Medicine’ Ad Campaign To Help Health Care Consumers Decipher Fact f...
‘Truth in Medicine’ Ad Campaign To Help Health Care Consumers Decipher Fact f...South Nassau Communities Hospital
 
traineeship heimrich & hannot certificat
traineeship heimrich & hannot certificattraineeship heimrich & hannot certificat
traineeship heimrich & hannot certificatChristian Recker
 
DENISEAGUILARRESUME.docx%20(2)
DENISEAGUILARRESUME.docx%20(2)DENISEAGUILARRESUME.docx%20(2)
DENISEAGUILARRESUME.docx%20(2)Denise Aguilar
 
Invaciones a la peninsula iverica y su influencia en la formacion del castell...
Invaciones a la peninsula iverica y su influencia en la formacion del castell...Invaciones a la peninsula iverica y su influencia en la formacion del castell...
Invaciones a la peninsula iverica y su influencia en la formacion del castell...Daniela Diaz
 
PTS Consolidation Action Plan
PTS Consolidation Action PlanPTS Consolidation Action Plan
PTS Consolidation Action PlanMia Montilla
 
重症外傷に対する免疫応答
重症外傷に対する免疫応答重症外傷に対する免疫応答
重症外傷に対する免疫応答Akinori Osuka
 
Measuring Safety Effects of Commercial Motor Vehicle Driver Training Program
Measuring Safety Effects of Commercial Motor Vehicle Driver Training ProgramMeasuring Safety Effects of Commercial Motor Vehicle Driver Training Program
Measuring Safety Effects of Commercial Motor Vehicle Driver Training ProgramTexas A&M Transportation Institute
 
CÓMO HACER DULCE DE LECHE
CÓMO HACER DULCE DE LECHECÓMO HACER DULCE DE LECHE
CÓMO HACER DULCE DE LECHEmajocastilla
 
Prarthana sweeekarikkaathirikkaanulla patthu kaaranangal
Prarthana sweeekarikkaathirikkaanulla patthu kaaranangalPrarthana sweeekarikkaathirikkaanulla patthu kaaranangal
Prarthana sweeekarikkaathirikkaanulla patthu kaaranangalshabeel pn
 
Distribuição eletrônica
Distribuição eletrônica Distribuição eletrônica
Distribuição eletrônica Karol Maia
 

Viewers also liked (19)

Asignación no. 2 diagnostico de los sistemas y tecnologías de información e...
Asignación no. 2 diagnostico de los sistemas y tecnologías de información e...Asignación no. 2 diagnostico de los sistemas y tecnologías de información e...
Asignación no. 2 diagnostico de los sistemas y tecnologías de información e...
 
trainings history 2013 cac mercedes
trainings history 2013 cac mercedestrainings history 2013 cac mercedes
trainings history 2013 cac mercedes
 
Unidade 3
Unidade 3Unidade 3
Unidade 3
 
Hoja de vida
Hoja de vidaHoja de vida
Hoja de vida
 
Storyboard
StoryboardStoryboard
Storyboard
 
Ar doc 640616
Ar doc 640616Ar doc 640616
Ar doc 640616
 
‘Truth in Medicine’ Ad Campaign To Help Health Care Consumers Decipher Fact f...
‘Truth in Medicine’ Ad Campaign To Help Health Care Consumers Decipher Fact f...‘Truth in Medicine’ Ad Campaign To Help Health Care Consumers Decipher Fact f...
‘Truth in Medicine’ Ad Campaign To Help Health Care Consumers Decipher Fact f...
 
visual resume
visual resumevisual resume
visual resume
 
Cuanto
CuantoCuanto
Cuanto
 
Efactor on Networking
Efactor on NetworkingEfactor on Networking
Efactor on Networking
 
traineeship heimrich & hannot certificat
traineeship heimrich & hannot certificattraineeship heimrich & hannot certificat
traineeship heimrich & hannot certificat
 
DENISEAGUILARRESUME.docx%20(2)
DENISEAGUILARRESUME.docx%20(2)DENISEAGUILARRESUME.docx%20(2)
DENISEAGUILARRESUME.docx%20(2)
 
Invaciones a la peninsula iverica y su influencia en la formacion del castell...
Invaciones a la peninsula iverica y su influencia en la formacion del castell...Invaciones a la peninsula iverica y su influencia en la formacion del castell...
Invaciones a la peninsula iverica y su influencia en la formacion del castell...
 
PTS Consolidation Action Plan
PTS Consolidation Action PlanPTS Consolidation Action Plan
PTS Consolidation Action Plan
 
重症外傷に対する免疫応答
重症外傷に対する免疫応答重症外傷に対する免疫応答
重症外傷に対する免疫応答
 
Measuring Safety Effects of Commercial Motor Vehicle Driver Training Program
Measuring Safety Effects of Commercial Motor Vehicle Driver Training ProgramMeasuring Safety Effects of Commercial Motor Vehicle Driver Training Program
Measuring Safety Effects of Commercial Motor Vehicle Driver Training Program
 
CÓMO HACER DULCE DE LECHE
CÓMO HACER DULCE DE LECHECÓMO HACER DULCE DE LECHE
CÓMO HACER DULCE DE LECHE
 
Prarthana sweeekarikkaathirikkaanulla patthu kaaranangal
Prarthana sweeekarikkaathirikkaanulla patthu kaaranangalPrarthana sweeekarikkaathirikkaanulla patthu kaaranangal
Prarthana sweeekarikkaathirikkaanulla patthu kaaranangal
 
Distribuição eletrônica
Distribuição eletrônica Distribuição eletrônica
Distribuição eletrônica
 

Similar to SOA Security Architecture

Information Security Governance: Government Considerations for the Cloud Comp...
Information Security Governance: Government Considerations for the Cloud Comp...Information Security Governance: Government Considerations for the Cloud Comp...
Information Security Governance: Government Considerations for the Cloud Comp...Booz Allen Hamilton
 
Cloud Security: Perception VS Reality
Cloud Security: Perception VS RealityCloud Security: Perception VS Reality
Cloud Security: Perception VS RealityKVH Co. Ltd.
 
BlockChain Enabled-Cloud Delivered For Network Secuirty
BlockChain Enabled-Cloud Delivered For Network SecuirtyBlockChain Enabled-Cloud Delivered For Network Secuirty
BlockChain Enabled-Cloud Delivered For Network SecuirtyHappiest Minds Technologies
 
Software Architecture Intro
Software Architecture IntroSoftware Architecture Intro
Software Architecture IntroSadhana Ghalsasi
 
The real time publisher subscriber inter-process communication model for dist...
The real time publisher subscriber inter-process communication model for dist...The real time publisher subscriber inter-process communication model for dist...
The real time publisher subscriber inter-process communication model for dist...yancha1973
 
Resarch paper i cloud computing
Resarch paper i cloud computingResarch paper i cloud computing
Resarch paper i cloud computingBharat Gupta
 
IRJET- Developing an Algorithm to Detect Malware in Cloud
IRJET- Developing an Algorithm to Detect Malware in CloudIRJET- Developing an Algorithm to Detect Malware in Cloud
IRJET- Developing an Algorithm to Detect Malware in CloudIRJET Journal
 
ZORA MDE Short Presentation 3.2
ZORA MDE Short Presentation 3.2ZORA MDE Short Presentation 3.2
ZORA MDE Short Presentation 3.2Momir Boskovic
 
Building Secure Services in the Cloud
Building Secure Services in the CloudBuilding Secure Services in the Cloud
Building Secure Services in the CloudSumo Logic
 
Forging a Secure Path to Private 5G Networks for Enterprises
Forging a Secure Path to Private 5G Networks for EnterprisesForging a Secure Path to Private 5G Networks for Enterprises
Forging a Secure Path to Private 5G Networks for EnterprisesPanoptica
 
Security for v mware
Security for v mwareSecurity for v mware
Security for v mwareReadWrite
 
The Datacenter Of The Future
The Datacenter Of The FutureThe Datacenter Of The Future
The Datacenter Of The FutureCTRLS
 
Requirements and Challenges for Securing Cloud Applications and Services
Requirements and Challenges for Securing Cloud Applications and ServicesRequirements and Challenges for Securing Cloud Applications and Services
Requirements and Challenges for Securing Cloud Applications and ServicesIOSR Journals
 
Evasion Streamline Intruders Using Graph Based Attacker model Analysis and Co...
Evasion Streamline Intruders Using Graph Based Attacker model Analysis and Co...Evasion Streamline Intruders Using Graph Based Attacker model Analysis and Co...
Evasion Streamline Intruders Using Graph Based Attacker model Analysis and Co...Editor IJCATR
 

Similar to SOA Security Architecture (20)

Information Security Governance
Information Security GovernanceInformation Security Governance
Information Security Governance
 
Information Security Governance: Government Considerations for the Cloud Comp...
Information Security Governance: Government Considerations for the Cloud Comp...Information Security Governance: Government Considerations for the Cloud Comp...
Information Security Governance: Government Considerations for the Cloud Comp...
 
Cloud Security: Perception VS Reality
Cloud Security: Perception VS RealityCloud Security: Perception VS Reality
Cloud Security: Perception VS Reality
 
BlockChain Enabled-Cloud Delivered For Network Secuirty
BlockChain Enabled-Cloud Delivered For Network SecuirtyBlockChain Enabled-Cloud Delivered For Network Secuirty
BlockChain Enabled-Cloud Delivered For Network Secuirty
 
Software Architecture Intro
Software Architecture IntroSoftware Architecture Intro
Software Architecture Intro
 
The real time publisher subscriber inter-process communication model for dist...
The real time publisher subscriber inter-process communication model for dist...The real time publisher subscriber inter-process communication model for dist...
The real time publisher subscriber inter-process communication model for dist...
 
Tinysec
TinysecTinysec
Tinysec
 
Tinysec
TinysecTinysec
Tinysec
 
Resarch paper i cloud computing
Resarch paper i cloud computingResarch paper i cloud computing
Resarch paper i cloud computing
 
IRJET- Developing an Algorithm to Detect Malware in Cloud
IRJET- Developing an Algorithm to Detect Malware in CloudIRJET- Developing an Algorithm to Detect Malware in Cloud
IRJET- Developing an Algorithm to Detect Malware in Cloud
 
ZORA MDE Short Presentation 3.2
ZORA MDE Short Presentation 3.2ZORA MDE Short Presentation 3.2
ZORA MDE Short Presentation 3.2
 
Building Secure Services in the Cloud
Building Secure Services in the CloudBuilding Secure Services in the Cloud
Building Secure Services in the Cloud
 
Cloud Computing
Cloud ComputingCloud Computing
Cloud Computing
 
Forging a Secure Path to Private 5G Networks for Enterprises
Forging a Secure Path to Private 5G Networks for EnterprisesForging a Secure Path to Private 5G Networks for Enterprises
Forging a Secure Path to Private 5G Networks for Enterprises
 
Security for v mware
Security for v mwareSecurity for v mware
Security for v mware
 
Private cloud day session 5 a solution for private cloud security
Private cloud day session 5 a solution for private cloud securityPrivate cloud day session 5 a solution for private cloud security
Private cloud day session 5 a solution for private cloud security
 
04812167
0481216704812167
04812167
 
The Datacenter Of The Future
The Datacenter Of The FutureThe Datacenter Of The Future
The Datacenter Of The Future
 
Requirements and Challenges for Securing Cloud Applications and Services
Requirements and Challenges for Securing Cloud Applications and ServicesRequirements and Challenges for Securing Cloud Applications and Services
Requirements and Challenges for Securing Cloud Applications and Services
 
Evasion Streamline Intruders Using Graph Based Attacker model Analysis and Co...
Evasion Streamline Intruders Using Graph Based Attacker model Analysis and Co...Evasion Streamline Intruders Using Graph Based Attacker model Analysis and Co...
Evasion Streamline Intruders Using Graph Based Attacker model Analysis and Co...
 

SOA Security Architecture

  • 1. SECURITY ARCHITECTURES “We have no future because our present is too volatile. We have only risk management. The spinning of the given moment’s scenarios. Pattern recognition...” -William Gibson “Pattern Recognition” Context New software system paradigms demand that information security keep pace with the chang- ing software landscape. With Web Services and Service Oriented Architectures (SOA), software de- velopment is in the third phase of an evolution that began with object oriented programming and progressed to component based program- ming. In object oriented and component based programming, security designers could rely on common languages, security models, and tech- nologies in a distributed system to secure both the clients’ and servers’ transactions and end- points. For example, EJB clients and servers can Service Oriented assume and use a common J2EE security stan- dard for authentication and authorization for Security Architecture both its client and server. However, in Web Ser- vices and Service Oriented Architecture, systems are loosely coupled. Clients and servers may be written in different languages and running on Gunnar Peterson disparate operating systems. Service Oriented Architecture agree upon interface and data Arctec Group schema, but the implementations may vary from client to server, and services may be chained cre- ating a peer to peer model. As programming models and implementations change, the secu- rity assumptions and designs must be refreshed and updated to manage the emerging threats that result from new architectures. Problem Statement The primary security mechanisms deployed to- day rely on notions of perimeters and central- ized security models. However, the nature of business is moving rapidly towards decentral- ized “intertwingled-ness” (non-hierarchical con- nectivity) and perimeters are eroding. Central- ized security systems do not apply in SOA’s de- centralized peer to peer architecture. Security design assumptions based on outmoded technol- ogy create brittle and ineffective systems when deployed in a SOA paradigm. Malicious attack- ers exploit the seams left between the existing security mechanisms deployed based on out- moded assumptions and the reality of the threats to the connected systems on the ground. Solution In keeping with the design spirit of SOA, the way forward in software security architecture is viewing security as service that is decoupled and composeable. Service Oriented Security (SOS) ar- chitecture does not solely focus on perimeters, but rather provides a framework to analyze and manage risk to the system’s assets, such as data, services, and identities. SOS and its architectural Information Security Bulletin, November 2005 Volume 10, Page 325 Copyright ©2005 CHI Publishing Ltd - All rights reserved - Do not copy without written permission
  • 2. SECURITY ARCHITECTURES - Deployment View: deals with the defense in depth 5 layer model: physical, network, host, ap- Message plication, and data Identity - Transaction Use Case Life Cycle View: deals with the key behavioral flows and relationships in a Transaction system and its actors from an end-to-end per- Use Case spective Life Cycle Each of the individual views is composed of do- main specific elements, constraints, threats, risks, Deployment vulnerabilities, and countermeasures. Each view Service also includes a set of key architectural patterns and principles. By partitioning concerns security designers are able to first decouple concerns to Figure 1 - Service Oriented Security Views analyze security domains and analyze tradeoffs and dependencies among the domains. The re- views provide a framework for reasoning about sultant architecture takes the concerns from each software security in a service oriented system. domain into account and provides holistic solu- This framework can be used by security archi- tions based on the risk management of digital as- tects to harmonize designs across infrastructure, sets like identities and data. The following sec- applications, and data based on business risk. tions examine each SOS viewpoint in more de- Service Oriented Security Architecture provides tail and provide an example usage. a set of views that can be used in a larger enter- prise security architecture, such as SABSA [7]. In Architecting with the SOS Views a SABSA model, the five main Service Oriented Software security architecture is an iterative pro- Security architecture views detail the Conceptual cess that includes decomposing complex prob- and Logical Security Views. lem spaces, drilling down on granular details to gain traction in a domain; and then synthesizing across domains, building up design views, iden- Service Oriented Security tifying relationship vectors that illustrate the sys- Architecture Overview tem’s security design goals. Each SOS View con- In software architecture, the word “security” can tains the following constituents: often do more harm than good. Frequently, stakeholders have differing, conflicting, and - Elements: describe the key components in the overloaded definitions of the term. In order to system and their logical organization including build a coherent system, the architects must pro- the subjects and objects that the view interacts vide specific guidance to the development and with operational teams. Service Oriented Security - Constraints: show the business, political, legal, (SOS) Architecture provides a set of software ar- and technical constraints for the view chitecture viewpoints that allow security archi- tects to construct a holistic system design based - Risk Model: illustrates the threats, assets, vul- on a set of views. No single view is sufficient to nerabilities, and countermeasures in the view. analyze and understand the system’s security as Conduct architectural risk analysis to manage a whole. The combination of the SOS views and risks [8] their relationships demonstrate the security deci- sions and design. Since security is not a zero - Relationships: conveys the nature and direction sum game, the views provide a framework in of the views’ relationships with other views which to conduct security architecture tradeoff The chief utility of separation of concerns in SOS analysis and to convey design decisions to devel- is that each of the views’ elements, constraints, opment and operational staff. As Kruchten ob- risk models, and relationships are unique and served [1], views enable the software architect to decoupled inside their view. The design deci- separate concerns in a complex system. The sions made about securing the elements will im- views in Service Oriented Security consist of the pact other views, but separating the concerns al- following: lows for decoupling the concerns and handling the domain specific risks. - Identity View: deals with the generation, com- munication, recognition, negotiation, and Identity View transformation of identity Using Kim Cameron’s definition we will exam- ine identity as “a set of claims made by one digi- - Service View: deals with the service, its meth- tal subject about itself or another digital subject." ods and component parts [2. This definition rewards careful study because it reveals that identity is not a passive entity, but - Message View: deals with the service’s message rather the result of an active set of processes that payload can be judged against a dynamic set of criteria. Volume 10, Page 326 Information Security Bulletin, November 2005 Copyright ©2005 CHI Publishing Ltd - All rights reserved - Do not copy without written permission
  • 3. SECURITY ARCHITECTURES When identity is defined as a set of claims, each service can decide what claims it will accept and from what SecurityDomain SecurityDomain authorities. App Federation Key elements of the Identity View include: App/Resources - Authentication mecha- Betsy nisms, events, and princi- User Store Red Green pals including Kerberos Fed Fed tickets, X.509, Windows Server Server sessions, and web server sessions - Identity Federations in- cluding the portable, Figure 2 - Using Identity Federation strong identities like SAML, Liberty, and WS- anywhere a digital subject is mapped, con- Federation identities sumed, stored, and transformed. The Identity - Monitoring and audit systems: provide trace- View has relationships with the other SOS ability of identity-related events like authenti- Views. The Identity View provides information cation about subjects to the other SOS Views, other views both consume and query principal data - Identity domain-specific attributes provided by the processes generated by Identity View elements. Due to its criticality as a founda- Identity is a fundamental element in access con- tion element for other views, the elements in the trol decisions, hence the protocols that generate, Identity View should be hardened using the communicate and negotiate identity information strongest security controls that are reasonably require security analysis to ensure a robust possible for all the states of the system that the system. identity is in. Identity information is a very valuable asset to attackers and so systems designers must design Service View its implementation and usage to withstand a va- The Service provides the interface to the rest of riety of attacks. Phishing attacks that continue to the system and brokers the identity, messages, grow in distribution and sophistication are just and transactional data. The Service View is con- one example of attacks that exploit weak identity cerned with the risks around the service and the systems [3]. Privacy, regulatory, and legal do- service’s ability to broker information flows with mains all impose constraints on identity imple- requisite confidentiality, integrity, and availabil- mentations and what information may be shared ity. Services require access control protection and and used by parties. Identity information may may consume identity and domain attribute in- “leak” inadvertently to other systems and users formation from other domains, so the service can that are not allowed to access the information. typically make a minimum of assumptions about what it receives. From a detection and response Identity View Pattern: Federated Identity standpoint, services require logging mechanisms to vouch for the health of the system. Standard - Context: Security domains Red and Green want technology specific service hardening and secu- to integrate disparate systems with unique pol- rity guidelines apply in the services view, such icies and management. The systems have dis- as the OWASP guidelines for Web Applications. parate identity repositories, operating systems, and application languages, but want to ex- Key elements of the Service View include: change XML documents for order processing - Application Servers and Services: such as data- - Problem: User credentials must be securely bases, web servers, and web services ported across domains and security informa- tion must be recognizable to both parties - Logging Services - Solution: Use federated identity for access con- - Integrity Services trol. Red Client (Alice) logs onto local Red sys- tem, generates/sends encrypted SAML token Service risks include denial of service, forcing ex- with app request to the Green Service. Green ception conditions, attacks against validation sys- server validates assertions for access rights. tems, attacks against program and service logic. Since services are an endpoint for incoming re- Federation is one example of a service in the quests, they must broker access and data flows identity view. Many other will come into play in between the domains with disparate security a system, including access control mechanisms, models. Information Security Bulletin, November 2005 Volume 10, Page 327 Copyright ©2005 CHI Publishing Ltd - All rights reserved - Do not copy without written permission
  • 4. SECURITY ARCHITECTURES Message View Pattern: WS-Security Manufacturer Supplier Web Context: data is in- SOAP App Server Data- creasingly shared Web Service Service SPI base across technological and policy bound- Filters and Analyses Data aries. The technology Figure 3 - Security Pipeline Interface Provides Data Integrity and Logging stack is unpredict- able in SOA systems, Service View Pattern: Security Pipeline Interface hence command and control security systems do not apply. - Context: host must mediate activity between remote client system and back end resources Problem: message must be protected beyond the span of control of the service and systems, since - Problem: host system cannot trust incoming re- it can traverse multiple domains. How does the quests and data principle of complete mediation [5] apply in a “fire and forget” service oriented world? - Solution: Use Security Pipeline Interface (SPI) [4] to enforce the principle of Separation of Privi- Solution: Use WS-Security standard to sign and lege [Saltzer75] and reduce risk of data integ- encrypt persistent XML documents. WS-Security rity threats. Run SPI in separate physical, pro- uses XML Encryption and XML Signature, and cess and memory space from business logic can accept tokens such as SAML, Kerberos, and aware services. Execute logging of access con- X.509 to provide assurance through authentica- trol and related security event at the SPI. tion, authorization, and validation Message View Deployment Environment View Information security is concerned with protect- The Deployment Environment view is focused ing valuable digital assets, in many cases the on the classic information security Defense in most valuable assets from a risk management Depth layers: perspective is not network access, but rather the company’s data. As distributed systems continue - Physical: such as guards and locks to evolve and become more connected to each - Network: such as firewalls, IDS other in ways not foreseen by their original de- signers, such as decades old legacy systems be- - Host: such as HIDS, Host Integrity Monitoring ing connected to the web, data and messages and server hardening emerge in ways not intended when their protec- tion mechanisms were implemented. The net re- - Application: such as Input Validation, logging sult of this evolution is to move security mecha- systems nisms closer to the asset level, in this case the - Data: such as database hardening, and data data elements. Encryption and related technol- level access controls ogy standards are used to constrain access to persistent data while it is at rest and ensure The Deployment Environment view is where the integrity and auditability over its life cycle. lions share of IT security resources are deployed currently. The patterns in place in the Deploy- Key elements in the Message View include: ment Environment are more mature than those - Message Payload: typically a XML document in the emerging SOA-centric views like Identity, and related schema information Message, and Service views. The risks that are present in the defense in depth layers currently - Interface Information: for example WSDL in Web must be baselined against the SOA applications Services that are deployed on these foundations. - Security Tokens: such as digital signature infor- Deployment Environment View Anti-Patterns: mation and cryptographic keys Trusted Versus Untrusted Considered Harmful Risks in the Message view include attacks - Do not architect using dualistic concepts like against data at rest and in transit. Since data “trusted versus untrusted”. Deperimeterization flows in service oriented systems cannot be pre- renders these definitions meaningless. Instead dicted in an end to end sense with a high degree focus on layers of verification based on avail- of confidence, encryption is a primary consider- able protection, detection, and response mech- ation for protecting messages as it traverses a anisms. host of states, and security domains. As with us- Additional Deployment Environment View Pat- ing PGP for email security, encrypting the mes- terns: sage payload provides fine grained protection even without the designer’s knowing the precise - Use Honeypots for understanding the actual details of the system that the message will threat profile on the ground of each domain to traverse. vet trust zone assumptions. Develop metrics Volume 10, Page 328 Information Security Bulletin, November 2005 Copyright ©2005 CHI Publishing Ltd - All rights reserved - Do not copy without written permission
  • 5. SECURITY ARCHITECTURES and reporting to feed forward into future secu- ship outcome changes the base flow of the Use rity designs. Case. In the case of including an access control Use Case like Authenticate User, the outcome - Utilize security metrics across layers to develop of this (usually boolean pass/fail) directly a scoring system and track performance over changes the behaviors of the related use case. time for decision support The extends relationship does not alter behav- ior of the preceding use case, so if a use case Transaction Use Case Life cycle View extends to a monitor event use case and that Use Cases are used to show the end-to-end view monitor server is down, it may not make sense of the system. Use cases provide a synthetic to alter the flow of the preceding Use Case. model that correlates requirements from differ- ent domains’ concerns into a coherent model - Mapping Use Cases to Threat Models: Security and flow. Use Case models contain many prop- cannot only focus on functional requirements, erties that are critical to secure system design: but must also consider the attacker viewpoint. Threat modelling and abuse cases are tech- - Stakeholders: In Information Security, it pays to niques used in the development life cycle to find allies who have a vested interest in sys- map possible threats, vulnerabilities, and im- tem security. Stakeholders who may be con- pacts onto the system so that appropriate secu- cerned about security implications in the sys- rity countermeasures can be built into the sys- tem that is being built include not just the core tem. The Use Case model allows the Threat development staff, but also the legal staff, busi- Model to refer to functions in a context-sensi- ness owners, domain experts, operational staff, tive manner. customers, shareholders, and users. - Pre and Post Conditions: Pre and post conditions Brokering Relationships describe the set conditions that must be satis- To facilitate communication across views and se- fied for the Use Case to execute (Pre-condi- curity domains, a common mechanism is needed tions) and the set of states that the system can to generically create, validate, and exchange se- be in after it has completed (Post-conditions). curity information. WS-Trust provides a stan- Pre-conditions allow the Information Security dard framework for request/response communi- team to articulate the security conditions, such cation for a variety of security tokens including as authentication and authorization processes SAML, Kerberos, and X.509. Integration patterns that must be completed before accessing the of these relationships can be distilled from the Use Case functionality so that developers have Use Cases. The directionality of the relationship a consistent spec to build from. and the nature of the relationships (includes ver- sus extends) shows how the system must be - Exceptional and Alternate Flows: A fundamental built to satisfy security and privacy requirements principle in security design is to design for fail- across domains. ure. Development projects are mainly focused on base flows of the system since these imple- ment business valuable features. However Architecture Issues from a security standpoint, exceptional and al- The SOS views describe a way of seeing security ternate flows highlight paths that often be- architecture across a complex system to make come attack vectors. These flows are worth ex- and convey security design decisions. The soft- amination by Information Security to ensure ware security space contains issues that are still that the system is designed to deal with these being worked to achieve optimal effectiveness. exceptions and has deployed security mecha- nisms such as audit logs and IDS tools to catch security exceptions when they occur. XML Security Research has shown various flaws with XML Se- - Actors: Actors can include computer systems, curity [6] related to its reliance on XML for en- users, and other resources like schedulers. By cryption and signature as well as replicating a analyzing the actors involved in the Use Case number of problems in legacy technologies. model, the Information Security team can be- Since a large number of emerging security solu- gin to build a picture of the access control tions, particularly WS-* rely on XML security structures such as roles and groups that may mechanisms it is worth revisiting this depend- be required for design as the system is built. ency to see if XMPP or other technology can Where delegation or impersonation is used, ac- remedy these issues. tors can identify where this is accomplished and what actors are mapped onto other actors at runtime. Emerging Toolsets and Standards The software security space is evolving at a rapid - Relationships: Much of the power in the Use pace; investment paths are not clear in a long Case model comes from its simplicity. Use term sense. Deploying resources based on to- Case models feature two types of relation- day’s assumptions about standards, for example ships: includes and extends. These have direct SAML vs. WS-*, implementation, and threat security implications, in the includes relation- models inserts a higher degree of variability into Information Security Bulletin, November 2005 Volume 10, Page 329 Copyright ©2005 CHI Publishing Ltd - All rights reserved - Do not copy without written permission
  • 6. SECURITY ARCHITECTURES the system’s longevity based on the outcomes of [7] http://www.sabsa-institute.org/ the technical and standards challenges. [8] Steven Lavenhar and Gunnar Peterson, Ar- Changing Threat Landscape: chitectural Risk Analysis, Cigital Copyright Attacker Co-Evolution 2005 As with any security design, the opponent is homo sapiens meaning that the opponent is ever https://buildsecurityin.us-cert.gov/portal/ adaptable and resourceful. As security designs article/bestpractices/ become more robust, then business deploy more architectural_risk_analysis/ resources and transactions to the online world, architectural_risk_assessment.xml thus attracting more attackers. References About the Author [1] Philippe Kruchten, Architectural Blueprints – Mr. Peterson is CTO of Arctec Group, a consult- The “4+1” View Model of Software Architecture, ing firm focused on building strategic technology IEEE Software, 1995 blueprints for its clients. [2] Kim Cameron, What is a digital identity?, 2005 http://www.identityblog.com/2005/03/ He has served organizations as a Software Archi- 07.html#a152 tecture consultant for distributed systems includ- ing smart card, databases, middleware, messa- [3] Anti-Phishing Working Group, Phishing Ac- ging, application layer, embedded systems, and tivity Trends Report, June, 2005 commercial packages. Mr. Peterson has provided http://antiphishing.org/APWG_Phishing consulting services on software security design, _Activity_Report_Jun_05.pdf process, and training to some of the largest fi- nancial systems, financial exchanges, manufac- [4] Security Pipeline Interface”, Hoffman and turing, and healthcare organizations and sys- Davis, Proceedings of the Sixth Annual Com- tems. puter Security Applications Conference, 1990 [5] Saltzer and Schroeder, The Protection of Infor- Mr. Peterson has presented on software security mation in Computer Systems, Proceedings of topics for numerous conferences and organiza- the IEEE, 1975) tions, including ISSA, Black Hat, OWASP, and [6] Peter Gutmann, Why XML Security is Broken, SANS. He has published papers on the Dept 2005 Homeland Security portal: Build Security In on Identity Architecture and on Architectural Risk http://www.cs.auckland.ac.nz/~pgut001/ Assessment. Mr. Peterson is an associate editor pubs/xmlsec.txt of Information Security Bulletin. There is only one way to get all issues of Information Security Bulletin: SUBSCRIBING! Please use the form in the journal, or visit http://www.isb-online.net Volume 10, Page 330 Information Security Bulletin, November 2005 Copyright ©2005 CHI Publishing Ltd - All rights reserved - Do not copy without written permission