Friday, July 17, 2009

SOA Security

Authentication
Authorization and Access Control
- Logically separating duties into Policy Decision Points (PDPs) and Policy Enforcement Points (PEPs)

Two types of Access Control
- Discretionary Access Control (DAC) (based on permissions, roles, attributes, and groups)
- Mandatory Access Control (MAC) (restricts access based on the security clearances and formal accesses of subjects and the security labels on the resources)

WS-Security SOAP Messaging
- Security Assertion Markup Language (SAML) Token
- WS-Security X.509 Certificate Token
- WS-Security Kerberos Token
- WS-Security Username Token

WS-Trust
- Security Token Service (STS)
WS-Federation
WS-SecureConversation
WS-Policy
WS-SecurityPolicy
SAML
XACML (expressive) (data flow diagram)


XML Signature (XML-SIG or XML-DSIG)
XML Encryption

Separation of Security into Components and Services


Authentication and Identity Blueprints
- Identity Propagation for SSO Solutions (direct trust, transitive trust (service provider trusts the identity of the user based on an assertion of another party))
- Identity Propagation within an Application Server or ESB
- Assigning Attesting Trust to a Limited Number of Entities
- Using a Trusted Token Service
- Identity Propagation with REST Using Browser SSO


Decision Diagram for Propagation and Trust - How Do You Decide?


Access Control Blueprints
- Controlling Access to Data, Not Just Services

Access Control Policy Enforcement Approaches
- The Purely Centralized PDP Model with Global Policy
- The Purely Decentralized PDP/PEP Model with Attribute Propagation
- Decentralized PDP/PEP with Identity Propagation
- Combining Local and Global Enterprise Policy
- Predetermined Authorization Decision-Based Models (PADBAC) (digitally signed)

Decision Flow Chart for Access Control - How Do You Decide?
