FIMS Media SOA Framework - AMWA

More documents

Recommendations

Info

FIMS Media SOA Framework Phase1 (Preliminary)9.5 Security and Identity (Informative)Due to the high value of the intellectual property passing through the system, it is critical that security bemaintained and access provided only to those with proper authorization. There are several types of security thatcan be implemented across the SOA: agent‐based security, message based security, watermarking, and DigitalRights Management. Typical media enterprises will require most if not all of the security provisions. Agent‐basedsecurity involves keeping track of the various participants in the SOA, and doing this correctly will no doubtrequire some sort of identity management infrastructure.Identity management technology is well developed in IT, and can be put to very good use in SOA middleware.Instead of using disparate repositories and application‐specific methods to authenticate users and securesystems, identity management tools allow the integrator to unify all of an enterprise under a single repositoryand management system of user data. This allows easy changes to user information and quick provisioning ofnew users. In an integrated SOA, identity management solutions also allow for role‐based views into data.In the FIMS Framework, we propose to select the technologies as appropriate from the existing securitystandards, and to provide guidelines on how to use them specifically for the FIMS Framework.9.5.1 Security ConcernsFunctional aspects of security: These aspects of security are standard in the sense that they exist even withtraditional applications as well. These are:• Authentication— Verifying identity of users.• Authorization— Deciding whether or not to permit action on a resource.• Data confidentiality— Protecting secrecy of sensitive data.• Data integrity— Detecting data tampering and making sure neither the sender nor the receiver candeny the message they sent or received.• Protection against attacks— Making sure attackers do not gain control over applications.• Privacy— Making sure the application does not violate the privacy of the users.Nonfunctional aspects of security: These aspects are nonfunctional in the sense that they do not directly relateto security. Instead, they are required to make sure that a security solution works well in an enterprise setting.These are:• Interoperability— This concern is specific to SOA, where different security solutions must not breakcompatibility of services that are otherwise compatible.• Manageability— This concern is bigger for SOA, as a security solution needs to protect many differentservices.Ease of development— This concern is common for any security solution. Be it SOA or traditional applicationdevelopment, complexity reduces adoption of any security solution.9.5.2 SOA Application Security ModelsBy lowering long-standing barriers between applications, SOA forces us to rethink how we approach security. Atthe same time, SOA fortunately allows a few new approaches, thanks to the standards it supports, that fit thechanged requirements of application security. These include:• Message-level security• Security as a service• Policy-driven securityPrivate committee documentWorking Draft for review by FIMS Rev v1, Nov-16-2010 Page 86 of 89
FIMS Media SOA Framework Phase1 (Preliminary)9.5.3 Message-level SecurityMessage-level security entails encrypting or otherwise securing the messages that pass between services. WebServices, the most widely used technology for implementing SOA within an enterprise, is an XML‐basedcommunication protocol for exchanging messages between loosely coupled systems. Web Services provides anexcellent toolset to accomplish message‐based security, with technologies like XML encryption and signature. Inaddition, the most well‐accepted technique for achieving message‐based security in a Web services based SOAis to use a standard known as WS‐Security. WS‐Security goes hand‐in‐hand with standardized technologies likeSOAP to secure messages and endpoints. It provides end‐to‐end security, which means that a message issecure even if it passes through a number of routing steps in between its source and destination.9.5.3.1 Security as a ServiceFigure xxx - NIST SOA Message Based Security PatternA security service can offer applications the ability to authenticate, authorize, encrypt/decrypt messages, signmessages/verify signatures, and log messages. It may also scrub messages to protect applications againstknown and unknown vulnerabilities. Applications might still need to know a little bit about security—forexample, they may need to know how to invoke a security service and use the information provided by thesecurity service in return—but the meat of the security logic can be executed by a central security service.The idea of a security service is in some ways similar to the idea of an application service, and in some waysdifferent. Like an application service, a security service should be usable by any application; technologydifferences should not be a barrier. Unlike an application service, a security service is infrastructural and maycome into play even if it is not explicitly invoked. For example the security service may be implemented as partof the ESB or by application-aware network devices.9.5.3.2 Policy-driven SecurityThe idea behind policy-driven security is simple. Security requirements and mechanisms must not be hard-wiredinto applications. Instead, security requirements of an enterprise should be declared separately as a "securitypolicy."Private committee documentWorking Draft for review by FIMS Rev v1, Nov-16-2010 Page 87 of 89
Page 1 and 2:
FIMS Media SOA FrameworkAMWA Specif
Page 3 and 4:
FIMS Media SOA Framework Phase1 (Pr
Page 5 and 6:
Page 7 and 8:
Page 9 and 10:
Page 11 and 12:
Page 13 and 14:
Page 15 and 16:
Page 17 and 18:
Page 19 and 20:
Page 21 and 22:
Page 23 and 24:
Page 25 and 26:
Page 27 and 28:
Page 29 and 30:
Page 31 and 32:
Page 33 and 34:
Page 35 and 36: FIMS Media SOA Framework Phase1 (Pr
Page 85: FIMS Media SOA Framework Phase1 (Pr
Page 89: FIMS Media SOA Framework Phase1 (Pr
show all

FIMS Media SOA Framework - AMWA

Create successful ePaper yourself

Delete template?

Save as template?