
Last Mile Policies that Enforce and Manage SOA Security

Along with their many benefits, service oriented architectures bring new security challenges. Distributed, loosely coupled systems comprising Web services and XML documents create unprecedented requirements for authentication, authorization, confidentiality, integrity and non-repudiation. Here are a few reasons why:

  • Evolving standards: As industry standards mature, interoperability issues between vendor implementations need to be continually addressed.
  • Heterogeneous and beyond direct control: SOA environments require a flexible approach to defining policies, as the underlying set of services are not uniform, under direct control or pre-determined.
  • Multiple hops: Business transactions often touch multiple intermediaries and end-points, requiring security appropriate for a multi-hop environment.
  • Extend network and perimeter security: Security must extend beyond the perimeter and account for more than just network IP packets. Each end-point within the firewall might require a unique set of policies. Further, these policies need to be “aware” of SOAP header and body content, as that data can have relevance to the security of the service.
  • Leverage the existing infrastructure: It’s important that a SOA security solution leverages the existing infrastructure such as LDAP/Active Directory, identity management systems and XML appliances and firewalls.

Easily manage and monitor a comprehensive set of security policies

AMBERPOINT SECURITY

AmberPoint lets you easily define and enforce policies for endpoints and clients to secure distributed, heterogeneous service-oriented architectures. AmberPoint’s security capabilities provide:
  • Policy-based runtime security to easily define, enforce and monitor security policies. Dynamic application of policies across the SOA using attributes of services and endpoints.
  • Broad coverage for SOA security — Full range of policies for authentication (against identity management systems, containers or LDAP), authorization, crypto (XML Signatures & Encryption), censorship and credential mapping. Policies are extensible to include XML content and context, instrument data, user profiles, etc.
  • Distributed security enforcement — Manage security events and exceptions within a distributed environment, across both message requests and responses.
  • Last-mile security — Enforce policies within the service to prevent any exposure of the message "on-the-wire."
  • First-mile security — Enforce policies on the client side.
  • Leverage the security infrastructure — Easily interoperate with identity management systems, containers, XML firewalls, etc. using AmberPoint’s policy-based infrastructure.
  • Standards-based security — Support for current versions of WS-Security, XML Signatures, XML Encryption, SAML, etc.

Common Architecture for Security and Management
AmberPoint leverages the same enterprise-class architecture to perform both security and management tasks. To give an example of why this is important, a management solution might need to decrypt messages in order to inspect their content, or sign a log to maintain its integrity. Similarly, a security solution needs to log information, display dashboards and aggregate throughput (say, to detect denial-of-service attacks). AmberPoint achieves industry-leading efficiencies by using a common security and management infrastructure for SOAs.
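The paragraph above gives throughput aggregation as an example of a security task that reuses management data. The following added example (my illustration, not AmberPoint's code) shows what that looks like in practice: it builds a small constructed agent log, aggregates request and error counts per operation the way a dashboard would, and flags any client that exceeds a per-client request threshold inside a sliding time window. The log format, client addresses, operations and thresholds are all assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone


def _build_sample_log():
    """Constructed agent log: one normal client and one client flooding PlaceOrder."""
    base = datetime(2024, 1, 1, tzinfo=timezone.utc)
    events = []
    for i in range(10):  # 10.0.0.5: one request per second for 10 s
        events.append((base + timedelta(seconds=i), "10.0.0.5", "GetQuote", 200))
    for i in range(50):  # 10.0.0.9: ten requests per second for 5 s
        events.append((base + timedelta(milliseconds=100 * i), "10.0.0.9", "PlaceOrder", 500))
    events.sort()
    return [f"{ts.isoformat().replace('+00:00', 'Z')} client={c} op={op} status={s}"
            for ts, c, op, s in events]


SAMPLE_LOG = _build_sample_log()  # constructed sample input, not real traffic


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into (datetime, dict)."""
    ts_txt, *rest = line.split()
    fields = dict(part.split("=", 1) for part in rest)
    return datetime.fromisoformat(ts_txt.replace("Z", "+00:00")), fields


def throughput_by_operation(lines):
    """Dashboard-style aggregate: total requests and server-error count per operation."""
    totals = defaultdict(lambda: {"requests": 0, "errors": 0})
    for line in lines:
        _, f = parse_line(line)
        totals[f["op"]]["requests"] += 1
        if int(f["status"]) >= 500:
            totals[f["op"]]["errors"] += 1
    return dict(totals)


def detect_floods(lines, window_s=10, max_requests=20):
    """Flag a client the first time it exceeds max_requests within a sliding
    window of window_s seconds. Lines are assumed to arrive in time order."""
    recent = defaultdict(deque)  # client -> timestamps still inside the window
    alerts = {}
    for line in lines:
        ts, f = parse_line(line)
        q = recent[f["client"]]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) > max_requests and f["client"] not in alerts:
            alerts[f["client"]] = {"first_seen": ts, "requests_in_window": len(q)}
    return alerts


if __name__ == "__main__":
    print(throughput_by_operation(SAMPLE_LOG))
    print(detect_floods(SAMPLE_LOG))
```

The same parsed events feed both the throughput table and the flood detector, which is the point the paragraph makes: once an agent is already parsing and counting messages for management, the security use of that data costs little extra.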

Leveraging the Security Infrastructure
To effectively provide XML and SOA security for distributed and heterogeneous environments, AmberPoint is designed to work with the existing security infrastructure. AmberPoint integrates with:

  • Platforms: AmberPoint leverages platform-provided security features from Microsoft, IBM, BEA and Sun for XML-based security features, container-based authentication, digest-based authentication and authentication against LDAP or Active Directory.
  • Identity management: AmberPoint provides out-of-the-box support for CA eTrust SiteMinder, Oblix, and Tivoli Access Manager. AmberPoint leverages security capabilities such as certificate-based authentication, single sign-on (SSO) and existing access control policies.
  • XML appliances: AmberPoint can be deployed with appliance and software solutions that function as XML firewalls or gateways. These security brokers could be deployed in the DMZ to send trusted assertions to an AmberPoint management agent. AmberPoint can also consolidate security information from its agents and the XML firewall to provide a consolidated security dashboard. AmberPoint agents can send instructions to the firewall to take security actions on its behalf.

AMBERPOINT SECURITY FEATURES

Policy Manager and Services Console

  • Easy-to-use graphical configuration of security policies for authentication (leveraging third-party products), authorization, encryption/decryption, signature/validation, credential mapping and censorship.
  • Policy creation, mediation across endpoints, administration and storage
  • Applicable for input, output or fault processing and for AmberPoint management tasks
  • Interactive where clause that previews how the policy will be applied across the SOA
  • Role-based policies

Extensible Policies
Create fine-grained custom policies that utilize powerful tools (indexed instruments, contextual documents, drag-and-drop XPATH editor, custom actions, etc.) that leverage existing security infrastructure as needed.

Policy Monitoring
View representations of your policies across your entire SOA and the impact they are having over the last hour and the last 24 hours.

Distributed Agents for policy enforcement and decisions

  • Command-and-control runtime components for application-specific policies
  • High-performance and fault-tolerant architecture
  • Lightweight, easily proliferated across the enterprise as needed
  • Efficiently combines security and management actions
  • Runtime policy enforcement and decision points distributed as-needed across the enterprise — on endpoints or clients. Agents process XML documents and take appropriate actions.

Content and context awareness

  • Enables fine-grained security policies defined on content of SOAP header and/or body
  • Extend access control policies beyond username, password and protected resource
  • Utilize contextual information (inherent, retrieved or calculated) about XML requests and responses
  • Easy-to-use editor for drag-and-drop creation of XPATH expressions
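The Policy Manager bullets above (authentication, authorization and censorship applied to input processing) and this list (policies defined on SOAP header and body content, using inherent, retrieved and calculated context) describe one enforcement pipeline. The following added example is my own illustration of that pipeline, not AmberPoint's code: it evaluates a constructed PlaceOrder request against a WS-Security UsernameToken check, a content-aware authorization rule on the order amount, and a censorship rule that masks the card number before the message is logged. The `ord` namespace, the `DIRECTORY` lookup standing in for LDAP or an identity management system, and the `APPROVAL_LIMIT` rule are assumptions made for the example; the path expressions use the subset of XPath that Python's `xml.etree.ElementTree` supports.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

# Namespaces used in the path expressions; "ord" is a constructed application namespace.
NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "ord": "urn:example:orders",
}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)

# Constructed stand-in for the directory the agent would consult: user -> roles.
DIRECTORY = {"alice": {"buyer"}, "bob": {"buyer", "manager"}}
APPROVAL_LIMIT = 10_000  # constructed business rule: larger orders need the manager role


@dataclass
class Decision:
    allowed: bool
    reason: str
    user: Optional[str]
    sanitized: str  # envelope with censored fields masked, safe to log or forward


def make_order(user: Optional[str], amount, card: str = "4111111111111111") -> str:
    """Build a constructed PlaceOrder request; user=None omits the WS-Security header."""
    header = ""
    if user is not None:
        header = (f"<wsse:Security><wsse:UsernameToken><wsse:Username>{user}"
                  "</wsse:Username></wsse:UsernameToken></wsse:Security>")
    return f"""<soap:Envelope xmlns:soap="{NS['soap']}" xmlns:wsse="{NS['wsse']}" xmlns:ord="{NS['ord']}">
  <soap:Header>{header}</soap:Header>
  <soap:Body>
    <ord:PlaceOrder>
      <ord:Amount currency="USD">{amount}</ord:Amount>
      <ord:CardNumber>{card}</ord:CardNumber>
    </ord:PlaceOrder>
  </soap:Body>
</soap:Envelope>"""


def _text(root: ET.Element, path: str) -> Optional[str]:
    node = root.find(path, NS)
    return node.text.strip() if node is not None and node.text else None


def build_context(root: ET.Element) -> dict:
    """Gather inherent (header), retrieved (directory) and calculated (amount) context."""
    user = _text(root, "./soap:Header/wsse:Security/wsse:UsernameToken/wsse:Username")
    roles = DIRECTORY.get(user, set()) if user else set()
    amount_txt = _text(root, "./soap:Body/ord:PlaceOrder/ord:Amount")
    try:
        amount = float(amount_txt) if amount_txt is not None else None
    except ValueError:
        amount = None
    return {"user": user, "roles": roles, "amount": amount}


def censor(root: ET.Element, path: str, keep_last: int = 4) -> None:
    """Censorship policy: mask the text of every element matching path."""
    for node in root.findall(path, NS):
        if node.text:
            node.text = "****" + node.text[-keep_last:]


def enforce(envelope_xml: str) -> Decision:
    """Apply authentication, content-aware authorization and censorship to one request."""
    root = ET.fromstring(envelope_xml)
    ctx = build_context(root)
    # Censor before anything is logged so a denied request never leaks the card number.
    censor(root, ".//ord:CardNumber")
    sanitized = ET.tostring(root, encoding="unicode")
    user = ctx["user"]
    if user is None or user not in DIRECTORY:
        return Decision(False, "authentication failed: missing or unknown UsernameToken", user, sanitized)
    if root.find("./soap:Body/ord:PlaceOrder", NS) is None:
        return Decision(False, "no policy matches this operation: default deny", user, sanitized)
    if ctx["amount"] is None:
        return Decision(False, "malformed or missing Amount", user, sanitized)
    if ctx["amount"] > APPROVAL_LIMIT and "manager" not in ctx["roles"]:
        return Decision(False, f"amount exceeds {APPROVAL_LIMIT} and caller lacks manager role", user, sanitized)
    return Decision(True, "permitted", user, sanitized)


if __name__ == "__main__":
    for req in (make_order("alice", 500), make_order("alice", 15000),
                make_order("bob", 15000), make_order(None, 500)):
        d = enforce(req)
        print(d.allowed, d.user, d.reason)
```

Two design points carry over to any content-aware policy engine: an operation with no matching rule is denied rather than passed through, and censorship runs before the first log line is written, so the masked copy is the only form of the message that leaves the enforcement point.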

XML encryption/decryption and XML signatures/validation

  • WS-Security compliant, apply to parts of message, across multiple hops
  • Transport, language & vendor independent
  • Java and .NET demo key stores provided for development and pilots

Role-based security

  • AmberPoint enables role-based security of the managed Web services
  • Businesses can define selected views based on user roles within the organization
  • AmberPoint can leverage existing authentication mechanisms to verify identity

AmberPoint components within a secure environment

  • AmberPoint can also secure its own runtime components, which are Web services themselves
  • AmberPoint provides easy establishment and transmission of identity information
  • Users logging in to the AmberPoint portal are authenticated and provided with an appropriate level of access

BENEFITS

  • Centralized infrastructure for management and security
  • Utilizes existing investments and enables IT to use a common set of tools and architectures for management and security
  • Reduces exposure of service-based assets that weren’t originally designed to be exposed to other internal or external groups
  • Incrementally deploy increasingly sophisticated security policies as the SOA evolves
  • Easy monitoring of security events using AmberPoint’s unique dashboard-creation capabilities

Tim Freeman