A Conceptual Technique for Modelling Security as a Service in Service Oriented Distributed Systems


Volume 1, Number 2, December 2014. JOURNAL OF COMPUTER SCIENCE AND SOFTWARE APPLICATION

Satish Kumar*, Avadhesh Kumar Gupta
Institute of Management Studies, Ghaziabad, Uttar Pradesh, India.
*Corresponding author: satishkumar.serg@gmail.com

Abstract: Service-Oriented Architecture (SOA) is an architectural paradigm for developing distributed systems. One of the major challenges in designing an SOA is developing its security requirements. SOA security is an overarching concern because it affects the discovery and interaction of services and applications in an SOA environment. In recent years many solutions have been implemented, such as the Web Service Security (WS-Security), WS-Trust and Web Service Security Policy (WS-SecurityPolicy) standards. These standards are not sufficient for the promising enterprise system security. In this paper we propose a security model for SOA that constitutes the foundation of our Security As A Service (SAAS) approach, based on a model of service interaction that describes the exchange of secured messages in a distributed environment.

Keywords: Service-Oriented Architecture; Security As A Service; WS-Trust; Web Services

1. INTRODUCTION

Service-Oriented Architecture (SOA) has become a popular architecture pattern in enterprise application development. Web services built on SOA are a solution for enterprise application development because they are platform- and language-independent. An SOA-based application is a combination of services; these services can be implemented in different technologies and deployed over heterogeneous networks [1]. In a distributed environment security is a critical issue for enterprise systems, and it is necessary to ensure security in SOA-based applications.

As Web services technologies are used increasingly, the next issue to be addressed is security for the information or messages transferred across the network. There are several approaches to implementing security in SOA-based applications. Traditional security approaches have an impact on performance and a high application maintenance cost [2]. Another approach that addresses these problems is called Security As A Service (SAAS). In traditional security approaches an application is built from a few services, and each service implements its own security, which is invoked as part of the service consumer and provider, as depicted in Figure 1. When an enterprise needs to secure a large number of services, the traditional approach is not the right way to implement security, because the security enforcement machinery is replicated across all services and service consumers [2]. Worse still, if security requirements differ for each application, the security machinery of each service checks similar security properties, leading to a high maintenance cost.

Figure 1. Security implementation as part of each service.

Security as a service, depicted in Figure 2, is a solution over the traditional approach for building a large number of secure services. This approach explores a way of shifting some of the security enforcement burden from the service consumer and the service to a shared security service. A shared service helps to enforce security policies consistently across all services. This approach is not completely suitable from the performance point of view: for example, if several service consumers want to access the service at the same time, all of their security credentials are checked at the server side, and validation takes more time.

2. RELATED WORK

The well-known security requirements of web services are integrity, confidentiality and availability. There are various techniques to tackle these three security aspects, such as using XML Signature (a digital signature in XML format) to ensure data integrity and using XML Encryption to provide confidentiality while a message is in transit over the network [3]. The WS-ReliableMessaging protocol guarantees that a message transmitted over the network has been received by the receiver [4]. Although there are various standards for Web services security, perhaps the most important is WS-Trust, because it is used to establish trust relationships through the concept of a Security Token Service (STS), together with WS-Policy. WS-SecureConversation is designed to deal with tokens for message exchanges over a short period of time, whereas WS-Federation is designed for managing trust relationships across different types of systems. The last one, WS-Authorization, is designed to support authorization mechanisms for data transferred between applications.

SOAP message security is one of the most vital concerns for Web services security, because various types of attacks, such as replay attacks, man-in-the-middle attacks and token substitution attacks, can break message confidentiality and integrity [5]. WS-Security is the security standard that deals with those problems, using XML Encryption and XML Signature to protect confidentiality and integrity respectively.

Figure 2. Security implementation as a separate service.

Furthermore, WS-Security supports security tokens, which are commonly used to provide authentication and authorization. According to Zhang [6], there are several techniques for token-based authentication, namely username, X.509 PKI certificates, Kerberos tickets, Security Assertion Markup Language (SAML) and Web Services Security Rights Expression Language (REL), also known as XML Rights Management Language (XrML) [3]. They can be categorized into three types: unsigned security tokens (the username token profile), signed security tokens (X.509 certificates and Kerberos tickets) and XML security tokens (SAML and XrML) [7, 8]. The difference between Kerberos tickets and X.509 certificates is the encryption algorithm: the former uses a symmetric encryption algorithm whereas the latter uses public key encryption [9]. According to Nordbotten [3], the username token can prevent replay attacks by including a nonce and a timestamp in the message (this method can be used with every security token mechanism). Fournet and Gordon [10] show that the username token alone is not strong enough authentication to protect against attackers; however, they suggest that it may be made stronger if an XML digital signature is added in conjunction with the username token. Research papers comparing the performance of the Kerberos and X.509 token profiles show that the transfer rate of the Kerberos token profile outweighs that of the X.509 token profile by 28% due to the different type of cryptographic algorithm [9]. However, there is a threat associated with the Kerberos token profile: Kerberos is prone to key re-use. REL/XrML differs from SAML because it is based on a license as the security token, used to provide the key to authorization in the message.

On the other hand, because its format is XML it is similar to SAML, and Nordbotten [3] suggested using SAML rather than REL/XrML, since SAML is more broadly accepted by Web services applications. The potential threats to SAML and REL/XrML are the same as for other security token formats and can be protected against using signature and encryption techniques.
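The replay protection that Nordbotten [3] attributes to the username token (a nonce and a Created timestamp bound into the password digest) is shown below as an added Python example that is not part of the paper; the credential store, the five-minute freshness window and the in-memory nonce cache are assumptions made for the example. It shows a shared security service, validating tokens on behalf of every endpoint, rejecting a replayed token, a wrong digest and a stale timestamp.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

# Constructed credential store: the service recomputes the digest from the password.
PASSWORDS = {"alice": "correct horse battery staple"}
FRESHNESS = timedelta(minutes=5)   # assumed maximum token age / clock skew
FMT = "%Y-%m-%dT%H:%M:%SZ"


def build_username_token(user, password, now=None):
    """Consumer side. PasswordDigest follows the WS-Security UsernameToken
    Profile: Base64(SHA-1(nonce + created + password))."""
    now = now or datetime.now(timezone.utc)
    nonce = os.urandom(16)
    created = now.strftime(FMT)
    digest = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return {"Username": user, "Nonce": base64.b64encode(nonce).decode(),
            "Created": created, "PasswordDigest": base64.b64encode(digest).decode()}


class SharedSecurityService:
    """Validates username tokens for every endpoint in the domain and keeps
    a nonce cache so that a captured token cannot be replayed."""

    def __init__(self):
        self.seen = {}   # Nonce (base64) -> Created time, purged once stale

    def validate(self, token, now=None):
        now = now or datetime.now(timezone.utc)
        self.seen = {n: t for n, t in self.seen.items() if now - t <= FRESHNESS}
        password = PASSWORDS.get(token["Username"])
        if password is None:
            return "unknown-user"
        created = datetime.strptime(token["Created"], FMT).replace(tzinfo=timezone.utc)
        if abs(now - created) > FRESHNESS:
            return "stale"          # outside the window: old capture or skewed clock
        nonce = base64.b64decode(token["Nonce"])
        expected = hashlib.sha1(nonce + token["Created"].encode() + password.encode()).digest()
        if not hmac.compare_digest(expected, base64.b64decode(token["PasswordDigest"])):
            return "bad-digest"     # wrong password or tampered Nonce/Created
        if token["Nonce"] in self.seen:
            return "replay"         # same nonce presented again inside the window
        self.seen[token["Nonce"]] = created
        return "ok"


def demo():
    """Runs the four cases at a fixed clock and returns the outcomes in order."""
    svc = SharedSecurityService()
    now = datetime(2014, 12, 1, 12, 0, 0, tzinfo=timezone.utc)
    fresh = build_username_token("alice", PASSWORDS["alice"], now)
    outcomes = [svc.validate(fresh, now), svc.validate(fresh, now)]
    outcomes.append(svc.validate(build_username_token("alice", "wrong", now), now))
    old = build_username_token("alice", PASSWORDS["alice"], now - timedelta(hours=1))
    outcomes.append(svc.validate(old, now))
    return outcomes   # ['ok', 'replay', 'bad-digest', 'stale']
```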

3. STANDARDS FOR IMPLEMENTING SECURITY AS A SERVICE

A number of standards and technologies are available for implementing security as a service. Some of them are:

WS-Trust: WS-Trust defines a standard interface for obtaining/issuing, renewing, cancelling and validating security tokens such as SAML assertions. Specifically, a Security Token Service (STS) is defined that provides these mechanisms as web services [11, 12]. So, after discovering which security token is required, the service consumer may use WS-Trust to obtain the required token from an STS.

Security Assertion Markup Language (SAML): SAML is used to exchange security information among different security domains [13]. SAML provides two services, authentication and authorization. Based on the SAML protocol, the authentication service creates the request and response that are used by the Security Token Service (STS) to validate the user.

WS-Addressing: This standardized SOAP specification explicitly supports the use of one or more intermediaries (such as security services) in the message path by laying down specific rules for preserving destination endpoint information when routing a message via the security service [7].

4. NEW APPROACH FOR MODELLING SECURITY AS A SERVICE (SAAS)

The Security As A Service (SAAS) approach is a better choice for solving SOA security, based on the concept of shared services. Security services are implemented effectively and correctly, and are also scaled locally outside the system or as a domain-wide service [2, 14]. We propose a new way of implementing security using the SAAS approach, shown in Figure 3: the SAAS approach is implemented on the Enterprise Service Bus (ESB). An ESB has the ability to implement shared security and improve the performance of the application. On the ESB, security credentials are validated during the transmission of data or requests from the service consumer to the service. The time taken to process a request is reduced, because security validation has already been done on the ESB, and the overall performance of the system is increased.

Figure 3. Security implementation as a separate service on the ESB.

Figure 4. Shared security service architecture in a domain.

4.1 Proposed model for SAAS implementation

The proposed architecture of the SAAS approach is based on the concept of a shared security service, implemented in a University System as depicted in Figure 4. The upper part of this architecture shows the University System, which contains various service endpoints. The lower part shows the SAAS components and security interfaces. The global request and response handlers are integrated with the service endpoints. These handlers intercept the incoming and outgoing messages to or from a service endpoint and provide primitive security. The proposed SAAS-based architecture breaks the security tasks into the SAAS components and the service endpoint security architecture. Endpoint-integrated security performs security tasks such as encryption/decryption, validation and key exchange by using the Security Proxy Handler (SPH) [14, 15]. The SAAS components are the core; they are deployed per security domain and provide shared security to all service endpoints in that domain. The Policy Repository contains policies for the different security requirements, such as authentication and authorization.

Authentication Service: The Authentication Service provides user authentication inside or outside the domain. It validates the user identity and sends a signed authentication decision to the endpoint. At the endpoint, the SPH validates the signature before forwarding the authentication decision to the intended service.

Authorization Service: The Authorization Service verifies the permissions assigned to the user from the policy repository and sends an authorization assertion to the endpoint. At the endpoint, the SPH validates the signature and then grants access to the valid user.

Monitoring Service: The Monitoring Service is responsible for handling the events generated by the endpoints or by the security services of the SAAS components.

Logging Service: The Logging Service records the service request and response messages used to access information or resources from the system.
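The interaction between the SAAS components and the endpoint's Security Proxy Handler described above, as an added Python example that is not the paper's code: the Authentication and Authorization Services return signed decisions, the SPH refuses any decision whose signature, type, expiry or outcome does not check out, and the Monitoring/Logging sink receives the events. The domain-wide HMAC key, the 300-second decision lifetime, the user store and the Policy Repository contents are assumptions made for the example (the paper does not fix a signature scheme or key distribution).

```python
import hashlib
import hmac
import json

# Constructed domain-wide signing key shared by the SAAS components and the
# Security Proxy Handler (SPH) at each endpoint (assumption for the example).
DOMAIN_KEY = b"constructed-domain-key"
TTL = 300  # assumed lifetime (seconds) of a signed decision

# Constructed user store and Policy Repository (user -> permitted operations).
USERS = {"alice": "pw-alice"}
POLICY_REPOSITORY = {"alice": {"Registration.enrol", "Library.search"}}
EVENTS = []  # sink standing in for the Monitoring/Logging services


def _sign(claims):
    """Serialise the decision canonically and attach an HMAC-SHA256 signature."""
    body = json.dumps(claims, sort_keys=True)
    mac = hmac.new(DOMAIN_KEY, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "mac": mac}


def authentication_service(user, password, now):
    """SAAS component: validate the identity and return a signed decision."""
    ok = USERS.get(user) == password
    EVENTS.append(("authn", user, ok))
    return _sign({"type": "authn", "user": user, "ok": ok, "exp": now + TTL})


def authorization_service(user, operation, now):
    """SAAS component: consult the Policy Repository and return a signed assertion."""
    ok = operation in POLICY_REPOSITORY.get(user, set())
    EVENTS.append(("authz", user, operation, ok))
    return _sign({"type": "authz", "user": user, "op": operation, "ok": ok, "exp": now + TTL})


def sph_verify(assertion, expected_type, now):
    """Security Proxy Handler at the endpoint: accept a decision only if its
    signature verifies and it is of the expected type, unexpired and positive."""
    mac = hmac.new(DOMAIN_KEY, assertion["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, assertion["mac"]):
        return False  # forged or tampered decision
    claims = json.loads(assertion["body"])
    return claims["type"] == expected_type and claims["exp"] > now and bool(claims["ok"])


def endpoint_invoke(user, password, operation, now):
    """Request handler of a service endpoint delegating to the shared services."""
    if not sph_verify(authentication_service(user, password, now), "authn", now):
        return "denied: authentication"
    if not sph_verify(authorization_service(user, operation, now), "authz", now):
        return "denied: authorization"
    EVENTS.append(("invoke", user, operation))
    return f"invoked {operation} for {user}"
```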

5. CONCLUSION

In this paper we presented an approach for implementing security in SOA-based distributed systems. Our approach is based on the Security As A Service (SAAS) concept, which implements security as a separate service and so reduces the burden on service consumers and providers. This approach needs more research to increase message reliability and the privacy of information in distributed systems.

References

[1] M. H. Valipour, B. AmirZafari, K. N. Maleki, and N. Daneshpour, "A brief survey of software architecture concepts and service oriented architecture," in Computer Science and Information Technology, 2009. ICCSIT 2009. 2nd IEEE International Conference on, pp. 34-38, IEEE, 2009.
[2] R. Kanneganti and P. Chodavarapu, SOA Security. 2008.
[3] N. A. Nordbotten, "XML and Web services security standards," Communications Surveys & Tutorials, IEEE, vol. 11, no. 3, pp. 4-21, 2009.
[4] C. Geuer-Pollmann and J. Claessens, "Web services and web service security standards," Information Security Technical Report, vol. 10, no. 1, pp. 15-24, 2005.
[5] E. Bertino, L. Martino, F. Paci, and A. Squicciarini, Security for Web Services and Service-Oriented Architectures. Springer, 2010.
[6] W. Zhang, "Integrated security framework for secure web services," in 2010 Third International Symposium on Intelligent Information Technology and Security Informatics, pp. 178-183, 2010.
[7] A. Nadalin, C. Kaler, R. Monzillo, and P. Hallam-Baker, "Web services security: SOAP message security 1.1 (WS-Security 2004)," http://docs.oasis-open.org/wss/v1.1/wss-v1.1-spec-errata-os-SOAPMessageSecurity.pdf.
[8] Z. Wu and A. C. Weaver, "Using web services to exchange security tokens for federated trust management," in Web Services, 2007. ICWS 2007. IEEE International Conference on, pp. 1176-1178, IEEE, 2007.
[9] A. Moralis, V. Pouli, M. Grammatikou, S. Papavassiliou, and V. Maglaris, "Performance comparison of Web services security: Kerberos token profile against X.509 token profile," in Networking and Services, 2007. ICNS. Third International Conference on, pp. 28-28, IEEE, 2007.
[10] K. Bhargavan, C. Fournet, and A. D. Gordon, "A semantics for web services authentication," Theoretical Computer Science, vol. 340, no. 1, pp. 102-153, 2005.
[11] OASIS, WS-SecurityPolicy tutorial. http://docs.oasis-open.org/.
[12] A. Nadalin, M. Goodner, M. Gudgin, A. Barbir, and H. Granqvist, "Web services security policy language 1.2," Public Draft Specification, 2007.
[13] OASIS, Security Assertion Markup Language (SAML). http://www.oasis-open.org.
[14] M. Memon, M. Hafner, and R. Breu, "SECTISSIMO: Security As A Service - A Reference Architecture for SOA Security," in ICT-FET-231101, FWF project, 2008.
[15] A. Dikanski, C. Emig, and S. Abeck, "Integration of a security product in service-oriented architecture," in Emerging Security Information, Systems and Technologies, 2009. SECURWARE 09. Third International Conference on, pp. 1-7, IEEE, 2009.