FIMS Media SOA Framework - AMWA

FIMS Media SOA Framework Phase1 (Preliminary)A security policy declaration becomes handy in many ways: It separates security logic from business logic,leaving the former to security specialists. It becomes easier to ensure consistency of security enforcementacross multiple applications. Most importantly, interoperability is enhanced as policies of involved parties can becompared to figure out how to make their security implementations compatible.9.5.3.3 Service securityThe framework should support WS-I Basic Security Profile 1.1 standards and X.509 v3 security tokens anddigital certificates for public keys and message encryption and signing. Support level used will depend onfeatures of third party systems used and configuration desired by customer.9.5.3.3.1 Access management9.5.3.4 Media security9.5.3.4.1 Digital Rights Management (DRM)9.5.3.5 Client & Message SecurityMost services require a user to establish his identity before his requests are served. This is because:• Security restrictions require that services be provided only to authorized users. While it is not alwaysnecessary to determine user identity to figure out if a user is authorized, most often it is.• Service logic requires the knowledge of who the user is. For example, if you are checking email, theemail service needs to know whose messages it needs to return.9.5.3.5.1 AuthenticationAuthentication of a client or user can be provided by the organization’s existing Identity Managementinfrastructure (LDAP, Active Directory, etc.) or by a local (within the Media SOA system) identity database. Thefunction of authentication is to validate the user’s identity – username and password – so that his/her rights,permissions, and privileges can be established.Most secure media systems require that each user have a unique identity and password. Shared logincredentials are not permitted.9.5.3.5.2 AuthorizationAfter the user’s identity has been confirmed by a trusted system, his/her rights, permissions, and privilegesmust be established. This may be a local function (within the Media SOA system) or a service provided by theorganization’s existing Identity Management infrastructure.Traditional IT based systems often use membership in security groups to define permissions and privileges forusers. Controls can be very granular and are based on projects, file systems, directories, or individual files.9.5.3.5.3 IdentityOnce identity and permissions are established, these may be encoded into a security token which can be usedby the client process to request access to media and services.9.5.3.5.4 LoggingMedia systems typically have a requirement that all actions and operations that “touch” media files be logged ina secure database. This allows forensic analysis of any improper or unauthorized access or modification ofsensitive media content.This requirement can be difficult to support in many facilities that allow direct access to SAN and NAS filesystems by user workstations and applications.9.5.3.6 Database Security9.5.3.7 Network SecurityPrivate committee documentWorking Draft for review by FIMS Rev v1, Nov-16-2010 Page 88 of 89