Security and SOA
- Mark Skilton
- Nov 8, 2005
- 3 min read
INTRODUCTION
Security in organisations
Security is defined within and outside the organisation.
Outside the organisation
Security Technology
Specifically, the technologies you need to look at, which I have used or put into proposals in the past, are:
- Oblix suite from Oracle - in particular the Oracle COREid solution supports:
Federated IDs using Liberty / SAML 1.0 and 1.1
Delegated administration rights
Resource-based URL and method-based access control
Password controls
SSO possible via NetLogin (Active Directory and LDAP)
Supports X.509 certificates
Supports delegation of access rights
Supports Sarbanes-Oxley Act section 404
Supports external access directories RADIUS and LDAP, plus additional authentication plugins as needed
- The BEA Aqualogic Security product is not available in Europe but the BEA Security framework is and supports:
Weblogic server supports SAML
Uses BEA Aqualogic data Services (ALDSP) for data level security
Uses SPNEGO for SSO
Supports X.509
Weblogic security is built on top of the standard JAAS architecture, with authentication checks for all J2EE and WS components
Uses the Weblogic Portal built-in LDAP
The Weblogic security infrastructure includes auditing, which is only an input to SOX 404.
- SunOne LDAP
- DataPower - they have recently been taken over by IBM, but see their XS40 XML Security router solution - it's excellent.
- Intalio can build links to LDAP in the process, but this is possibly a high-overhead performance issue.
I would not recommend you do this with BPMS; it is a common trap to focus on enterprise packages and processes rather than services.
SAP may have a Web services management capability, or you need to investigate further a 3rd party registry and control system with SAP XI consultants.
Performance will be a big issue - see the DataPower and Oblix / COREid info at their web sites etc.
Example Vendor Security view and SOA

SECURITY SOLUTION IN SOA
I think you need to have the BP Security solution defined in at least 6 levels:
1. Field Level XML security
- use XML Encryption and digital signatures at message or element level - use WS-Security
2. Web services access control
- use SAML / Liberty, XACML, WS-Security for new systems - see if they support it
- use LDAP / RADIUS or SSO for old systems to control access
3. Data Validation
- validate messages against the XML schema to guard against denial of service (DoS) attacks
- this is firewall filtering of messages by schema
4. Application access
- SAP Portal level - SSO with compliance through the apps - to be defined.
5. Distributed Security services
- UDDI security
- Federated security certificates for 3rd parties, e.g. X.509 certificates held by a third party.
6. A security policy that states all application interactions and screens go via the Portal SSO and all integration messages use the WS-Security framework. I know from my time at BP I was not allowed to access the databases directly in ISP, for example, as this violated BP IT from BP Germany. It was seen as a block at the time but it is actually very important and should be addressed upfront, early on.
From the end-to-end process viewpoint you mentioned, I think the security would be via the Portal access and the services integration as above. That is, the security layer is mainly in the middleware messaging control and access controls.
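Level 3 above (schema filtering at the message firewall) starts with structural checks that run before any XSD validation. The following is an added example, not code from the original post or from any of the vendors named; it shows the pre-checks a gateway such as an XML security router applies to an inbound SOAP message: byte size, nesting depth, element count, DTD presence and the expected envelope root. The limit values and sample messages are constructed.

```python
import xml.parsers.expat

# Structural limits a message-level gateway applies before an XSD validator
# or the service itself sees the payload. Values are constructed for this example.
MAX_BYTES = 64 * 1024
MAX_DEPTH = 32
MAX_ELEMENTS = 2000
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"  # SOAP 1.1 envelope namespace

class _Reject(Exception):
    pass  # raised inside an expat callback to abort parsing with a reason code

def check_message(data: bytes) -> str:
    """Return "ok" or a short rejection code for one inbound XML message."""
    if len(data) > MAX_BYTES:
        return "too-large"  # refuse before parsing anything
    state = {"depth": 0, "elements": 0}
    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Any DTD is refused: internal subsets enable entity-expansion DoS and
        # external ones trigger entity fetches; service messages need neither.
        raise _Reject("dtd")

    def on_start(name, attrs):
        if state["elements"] == 0 and name != SOAP_NS + " Envelope":
            raise _Reject("bad-root")  # only the expected SOAP envelope is accepted
        state["elements"] += 1
        state["depth"] += 1
        if state["depth"] > MAX_DEPTH:
            raise _Reject("too-deep")
        if state["elements"] > MAX_ELEMENTS:
            raise _Reject("too-many-elements")

    def on_end(name):
        state["depth"] -= 1

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    try:
        parser.Parse(data, True)
    except _Reject as reason:
        return str(reason)
    except xml.parsers.expat.ExpatError:
        return "malformed"
    return "ok"

# Constructed sample messages: a clean request, the same with a DTD attached,
# a 40-deep nesting bomb inside the envelope, and a non-SOAP document.
ENV = b'<s:Envelope xmlns:s="' + SOAP_NS.encode() + b'"><s:Body>'
GOOD = ENV + b'<getBalance account="123"/></s:Body></s:Envelope>'
WITH_DTD = b'<!DOCTYPE s [<!ENTITY x "x">]>' + GOOD
DEEP = ENV + b'<n>' * 40 + b'</n>' * 40 + b'</s:Body></s:Envelope>'
NOT_SOAP = b'<order><item/></order>'
```

A message that passes these checks still goes on to full schema validation and WS-Security processing; the point of the pre-check is that nothing expensive runs on input that has already failed a cheap test.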
Overall my experience tells me that security must be on every technology stack level. I include a couple of slides, one from my recent presentation and one from AmberPoint, a vendor in partnership with BEA.
Security and SOA

I feel some of your wording is a little confused around processes and services below. The key message is that a security platform needs layers of security management from fine-grained to coarse-grained, e.g. HTTP security, message security (WS-Security), role-based security, SSO and IAM layers in the Portal and apps etc.
The other key point is that security is built into a process - Sarbanes-Oxley etc. are key issues. You should be designing security into the process. It's not a question of processes or services.
I strongly recommend you get hold of the BP Security policy for business and IT. This must exist somewhere. BP should also have a data protection officer and a security department in the business or IT. You must get hold of the BP policy documents on security to ensure compliance.