
SOA-Web Services Security
How to Extend Traditional Security for SOA-Web Services

Security remains an Achilles’ heel for organizations struggling to employ widely reusable and sharable Web Services in enterprise-scale Services Oriented Architectures (SOA).  Until they can properly secure services and applications, companies cannot safely use SOA to implement B2B relationships with their customers, partners and vendors.  And companies increasingly find (sometimes the hard way) that traditional security protocols, such as SSL, often do not provide adequate security for multi-hop, high-value and flexible SOA/Web Services.

SOA/Web Services Security explains how to use the message-based security protocols and models that the W3C, OASIS and the IEEE have developed specifically to support SOA/Web Services.  In this two-day seminar, participants will learn about these standards-based security approaches and how the major vendors, including IBM, Microsoft, Sun, BEA and Oracle, have implemented them in their SOA frameworks.

SOA/Web Services Security illustrates the vital SOA distributed security protocols and standards, describing each one’s role, clarifying when to use each one, evaluating the strengths and limitations of each, and discussing the need for more advanced security specifications & protocols:

  • The IBM-Microsoft Security Roadmap

    • Base Specification: WS-Security

      • Tokens (X.509, SAML, etc.)

      • XML Encryption

      • XML Signature

    • Higher-level Extensions

      • WS-Policy

      • WS-Trust

      • WS-Privacy

      • WS-SecureConversation

      • WS-Federation

      • WS-Authorization

  • Authorization Specifications

    • RBAC

    • XACML

SOA/Web Services Security focuses on:

  • Current security technologies…How to use them to design complex multi-service security strategies

  • Future security technologies…Where are we headed?

  • Risk Management…What it means and how to apply it in a SOA environment

SOA/Web Services Security shows how to extend traditional peer-to-peer security principles to create intelligent and effective distributed computing risk-management strategies.  You will receive in-depth, practical and timely information on the techniques and directions of distributed security.  And, you will receive insights into the future directions of security to prepare your company for tomorrow’s threats and protection tactics.

SOA/Web Services Security was developed and is taught by IT security expert Don Flinn.  Formerly the Chief Security Architect for Hitachi Computer Products (America), Don currently serves on the OASIS technical committees developing specifications for WS-SOA, WS-Security, SAML and XACML.  He acts as the Web Services Security Expert for SearchWebServices.com, an on-line IT Resource, and chaired the Object Management Group’s (OMG) Security SIG and the CSI v2 specification.

What You Will Learn

Key SOA/Web Services security concepts…

  • The real meanings, and challenges, of distributed security in a SOA/Web Services environment

  • The capabilities and limits of the various security models

Key SOA/Web Services security strategies…

  • How to secure a Services Oriented Architecture application using industry-standard techniques and protocols

  • How to architect and design an enterprise-wide distributed security system that can evolve as the enterprise and its application evolve

  • How to select and make cost-effective use of SOA security tools

  • How to reduce corporate risk factors via a secure SOA that can safely handle high-value transactions

  • How to take a risk-management approach that balances costs, vulnerability and impacts

  • How to avoid disastrous distributed security choices

Who Should Attend?

  • Chief Information Officers…who have responsibility for securing services and applications

  • Chief Security Officers…who have responsibility for end-to-end security

  • Architects…who oversee the design of secure business solutions

  • Analysts…who specify security requirements for applications

  • Project leaders…who lead the design, construction and deployment of secure application solutions

Course Duration: 2 Days

Course Prerequisites:

  • Understanding of traditional Client/Server distributed security principles and practices

  • Understanding of XML Principles (Understanding & Applying XML course, or equivalent)

  • Understanding of SOA/Web Services Principles (Understanding & Applying SOA course, or equivalent)

Seminar Outline

Part 1: The New Security Challenge

  • Problem description

    • The past – client/server

    • Multi-hop

    • Multi-entity

  • Just what is security’s role?

    • Protecting your business

    • Extending this to a highly distributed system

  • Securing the Medical Example (Case Study)

    • Privacy

    • Internal and external authorities

    • Cross enterprise security

    • Authentication/authorization

  • Basic security scenario

    • Limitations of basic scenario

    • Moving from basic security to highly distributed systems

  • SOA security challenges

    • Inversion of purpose

      • Let the good guys in

      • Example: non-employee access

    • Limitations of traditional security

    • Securing XML and SOAP

    • Differences from traditional security

    • Security critical to SOA adoption

  • End-to-end security

    • Why is this critical to an SOA?

    • Relate to Medical Example Case Study

  • Risk Management

    • Steps

      • Identify assets

      • Determine Vulnerabilities

      • Estimate Exploitation

      • Compute Expected Loss

      • Select Controls

      • Balance risk versus costs

    • Difficulties in security risk analysis

    • Managing the risk

      • Strategies

      • Organizational differences

  • Key Security Challenges

    • What makes distributed security different

  • Role of Traditional Security

    • Public key versus symmetric key

    • SSL

    • PKI

    • HTTP Security

    • Middleware security models

    • Only unbreakable system

  • Interoperability

    • Service ownership

    • Non-homogeneous platforms

  • Trusted Computing Base

    • Principles of a TCB

    • How to apply it to an SOA

  • Delegation

    • A speaks for B

    • True delegation

  • Privacy

    • Authentication without identification

  • Distributed accountability

    • Tracing subjects

    • When audit trumps access control
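The six risk-management steps listed under Part 1 (identify assets, determine vulnerabilities, estimate exploitation, compute expected loss, select controls, balance risk versus costs) can be walked through numerically. The following is an added example, not material from the seminar or from its author; it assumes a simple annualized loss model (expected annual loss = asset value × loss fraction × annual exploitation likelihood) and uses constructed asset, vulnerability and control figures loosely themed on the medical case study. All names and numbers in it are illustrative assumptions.

```python
"""Added example: a small quantitative risk analysis following the six
outline steps. Loss model and all figures are constructed assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Asset:
    name: str
    value: float  # impact value in currency units (constructed)


@dataclass
class Vulnerability:
    asset: str               # name of the asset it exposes
    description: str
    loss_fraction: float     # share of asset value lost per successful exploit
    annual_likelihood: float  # estimated successful exploitations per year


@dataclass
class Control:
    name: str
    annual_cost: float
    mitigates: str            # vulnerability description it addresses
    likelihood_reduction: float  # fraction by which it cuts annual_likelihood


# Step 1: identify assets (constructed sample data).
ASSETS: List[Asset] = [
    Asset("patient_records", 2_000_000.0),
    Asset("appointment_service", 100_000.0),
]

# Steps 2-3: determine vulnerabilities and estimate exploitation.
VULNS: List[Vulnerability] = [
    Vulnerability("patient_records", "message altered in transit", 0.25, 0.2),
    Vulnerability("patient_records", "record exposed at intermediary", 0.5, 0.1),
    Vulnerability("appointment_service", "unauthenticated flood", 0.1, 2.0),
]

# Candidate controls with assumed costs and effectiveness.
CONTROLS: List[Control] = [
    Control("sign message body", 30_000.0, "message altered in transit", 0.9),
    Control("encrypt record element", 40_000.0, "record exposed at intermediary", 0.95),
    Control("rate limiter appliance", 50_000.0, "unauthenticated flood", 0.8),
]


def expected_loss(asset: Asset, vuln: Vulnerability) -> float:
    """Step 4: expected annual loss for one asset/vulnerability pair."""
    return asset.value * vuln.loss_fraction * vuln.annual_likelihood


def total_expected_loss(assets: List[Asset], vulns: List[Vulnerability]) -> float:
    """Step 4 summed over every vulnerability."""
    by_name = {a.name: a for a in assets}
    return sum(expected_loss(by_name[v.asset], v) for v in vulns)


def select_controls(assets: List[Asset], vulns: List[Vulnerability],
                    controls: List[Control]) -> List[Tuple[str, float, float]]:
    """Steps 5-6: keep a control only when the annual loss it avoids
    exceeds its annual cost. Returns (name, loss avoided, cost)."""
    by_name = {a.name: a for a in assets}
    chosen = []
    for c in controls:
        avoided = sum(expected_loss(by_name[v.asset], v) * c.likelihood_reduction
                      for v in vulns if v.description == c.mitigates)
        if avoided > c.annual_cost:
            chosen.append((c.name, avoided, c.annual_cost))
    return chosen


def run_analysis() -> Dict[str, object]:
    """Run all six steps over the sample data and report the residual risk."""
    baseline = total_expected_loss(ASSETS, VULNS)
    chosen = select_controls(ASSETS, VULNS, CONTROLS)
    avoided = sum(a for _, a, _ in chosen)
    spend = sum(c for _, _, c in chosen)
    return {
        "baseline_loss": baseline,
        "selected": [name for name, _, _ in chosen],
        "control_spend": spend,
        "residual_loss": baseline - avoided,
    }


if __name__ == "__main__":
    for key, val in run_analysis().items():
        print(f"{key}: {val}")
```

With these figures the flood control is rejected because the loss it would avoid (16,000) is below its cost (50,000), which is the "balance risk versus costs" step in action; the two message-level controls are kept and bring the expected annual loss from 220,000 down to 35,000. The outline's "difficulties in security risk analysis" apply directly here: the likelihood and loss-fraction estimates drive the whole result, so they deserve the most scrutiny.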

Part 2: Securing SOA / Web Services

  • What makes SOA security different?

  • Message based security

    • How it works with SOA

  • Web Services security

  • Digital signature

  • XML encryption

  • Medical Example Case Study… Security requirements in depth

  • Specifications

    • What they are

    • Why they are important

  • WS-Security

    • Basic SOA security model

    • Tokens

    • Using Digital Signature & Encryption

  • WSS procedure

    • Relate to medical example

    • Using WS-Security

    • Integrity and confidentiality

  • SAML

    • Used with and independent of WS-Security

    • Single Sign-on

    • Trusted third-party authorities

    • Liberty Alliance

  • XML Authorization

    • Neglected process

    • RBAC not sufficient

    • Permission and Obligation

    • Dynamic change of subject

    • Extended actions

  • Applying Trusted Computing Base

    • Use in analyzing system

    • Dangers

  • Nature of Intermediaries

    • Problems and solutions

  • Implementations

    • Where are they today

  • Building an integrated security system

    • Security Architecture

    • Security Framework

    • Deployment

    • The ‘illities’

      • Manageability

      • Extensibility

      • Reliability

      • Availability

      • Scalability

    • Securing the infrastructure

Part 3: Advanced SOA Security

  • Federated security

    • Distributed responsibilities

    • Implementations

  • Policy and security

    • Applying security

    • Service’s requirements

    • Integrity & Confidentiality

    • Who can see what

    • Negotiation

  • Trust

    • Degrees of

    • Change over time

    • Earned not granted

  • Privacy

    • Authenticate without knowing

    • Shibboleth

  • Non-repudiation

    • Authentication not sufficient

    • Court defensible

  • Secure Conversation

    • Security context

  • Protecting Coordination Scenarios

    • Multiple owners

    • Parent/Child

    • Peer to peer

Part 4: Looking to the Future

  • Where are we today

    • Intranet, Extranet, Internet security

  • Changing nature of the attackers

    • Types of distributed attacks

    • Script kiddies to criminal groups

    • Terrorist attacks

  • The future of SOA security

    • We’ve come a long way – But

    • Services as intermediaries

    • Patient record security

  • Security & the law

    • Federal laws

    • Court defensible security

  • On-line voting example

    • An unsolved problem

    • Social aspects

  • Summary

    • You are ultimately responsible