SOA Security: Were Halfway

1

• SOA Security Were Halfway

K. Scott Morrison Director, Layer 7 Technologies
2
Bio K. Scott Morrison

• Director, Architecture at Layer 7 Technologies
• http//www.layer7tech.com
• Layer 7 is based in Vancouver BC, Canada
• Co-author of Sams Java Web Services Unleashed
  and Wroxs Professional JMS
• Over 40 other publications in academic journals
  and trade magazines
• Co-editor WS-I Basic Security Profile
• Frequent speaker on Web services, XML,
  mobile/wireless computing systems, distributed
  systems architecture, and Java design issues

3
SOA Fundamentals
SOA Producer (Server)
Message
SOA is still ultimately about basic application
communication
SOA Consumer (Client)
4
The SOA Security Gateway
SOA Producer (Server)
Gateway acting as Policy Enforcement Point (PEP)
Last mile
Identity Mgmt
Access Mgmt
LDAP
Policy Decision Points (PDPs)
SOA Consumer (Client)
5
WSDL
The Problem with Gateways
SOA Producer (Server)
WSDL Security Changes
Which API do you program to?
First mile
Shift of burden to client
Administrative changes to policy change API
Security implemented in code is difficult to
change
SOA Consumer (Client)
Very programmer intensive
6
We Need Policy Application Points
SOA Producer (Server)
Gateway acting as Policy Enforcement Point (PEP)
Policy Application Point
WS-Policy from enforcement point
WS-MetadataExch.
WS-Policy from trusted repository
Local WS-Policy
Policy Repository
7
Case Study BC Government
Internal Firewall
SecureSpan Gateway
Oracle Servers
External Firewall
SecureSpan Bridge
Secured XML/SOAP Message
HTTP/HTML
SecureSpan Management Console
Portal Servers
Browser Client