
Business Security Services

In document Understanding SOA Security (Page 59-65)

Chapter 2. Architecture and technology foundation

2.4 IBM SOA Security Reference Model

2.4.3 Business Security Services

In addition to securing business services, it is necessary to provide a secure deployment environment where business solutions can be deployed and hosted. Business Security Services are depicted in Figure 2-12.

Figure 2-12 Business Security Services (components shown: Identity and Access; Data Protection and Disclosure Control; Business Process and Policy Management; Governance, Risk and Compliance; Secure Systems and Networks; Trust Management)

Governance, risk, and compliance

Governance of SOA Security is a subset of the overall SOA Governance function. Governance is very important for the security services, because managing the security policy and its implementation is vital to the integrity of the environment.

An effective governance structure with clear decision-making authority is needed in order to run the business. Tools and technologies can help facilitate governance initiatives and compliance evaluations. An effective security governance framework establishes chains of responsibility, authority, and communication that empower people to control the system effectively. Because SOA extends interactions beyond the enterprise boundary, the governance of SOA Security must interact with similar groups in other organizations to agree on a common set of standards for communication across the enterprise boundary.

Risk management deals with the process of evaluating and assessing risk in the SOA environment, and developing strategies to manage those risks. Risk management is a cost-benefit exercise; it is not feasible to eliminate all risks in an SOA environment. The risk management process determines how to manage risk based on factors such as probability and impact. While software tools can help implement a risk management process, people and processes are the main components.

Compliance management measures the performance of the IT system against the requirements established by the business policies. This might include verifying the working system against a set of internally created policies, and also against external federal or state regulatory acts.

Audit records form the raw data required for compliance assessments. The compliance function described in this section may be a manual process, or an automated tool may reconcile the business compliance requirements with the raw data extracted from the audit service. Managing the audit data involves assessing the implementation of the security elements of the SOA solution against the solution design. It also covers identifying inconsistencies between the configurations of multiple instances of a solution component that should share an identical security configuration. A third aspect is verification of the configuration of the security services themselves. Periodic auditing of the components and of the overall SOA solution is recommended.
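The two automated checks named above, comparing each instance against the solution design and comparing instances that should be identical with each other, are shown here as an added example. This is not code from the Redbook or from any IBM product; the baseline keys and the three instance snapshots are constructed sample data.

```python
# Added example, not from the Redbook: check several instances of one solution
# component against the security configuration the design calls for, and
# against each other. Baseline keys and instance snapshots are constructed.
from __future__ import annotations
from typing import Any

# Constructed baseline: the security settings specified in the solution design.
BASELINE: dict[str, Any] = {
    "tls.min_version": "TLSv1.2",
    "ws.security.signature_required": True,
    "audit.enabled": True,
    "session.timeout_minutes": 15,
}

# Constructed snapshots, as exported from three nodes that should be identical.
INSTANCES: dict[str, dict[str, Any]] = {
    "esb-node-1": {"tls.min_version": "TLSv1.2", "ws.security.signature_required": True,
                   "audit.enabled": True, "session.timeout_minutes": 15},
    "esb-node-2": {"tls.min_version": "TLSv1.0", "ws.security.signature_required": True,
                   "audit.enabled": True, "session.timeout_minutes": 15},
    "esb-node-3": {"tls.min_version": "TLSv1.2", "ws.security.signature_required": True,
                   "audit.enabled": False, "session.timeout_minutes": 60},
}


def baseline_findings(baseline: dict[str, Any],
                      instances: dict[str, dict[str, Any]]) -> list[tuple[str, str, Any, Any]]:
    """(instance, key, expected, actual) for every deviation from the baseline.
    A key missing from an instance is a finding with actual=None, so an
    unset control is never mistaken for a compliant one."""
    findings = []
    for name, cfg in sorted(instances.items()):
        for key, expected in baseline.items():
            actual = cfg.get(key)
            if actual != expected:
                findings.append((name, key, expected, actual))
    return findings


def inconsistent_keys(instances: dict[str, dict[str, Any]]) -> dict[str, dict[str, Any]]:
    """Keys whose value differs between instances that should share an identical
    configuration, mapped to {instance: value}. This catches drift even for
    settings the baseline does not mention."""
    keys = set().union(*(cfg.keys() for cfg in instances.values()))
    drift = {}
    for key in sorted(keys):
        values = {name: cfg.get(key) for name, cfg in instances.items()}
        if len({repr(v) for v in values.values()}) > 1:
            drift[key] = values
    return drift


def compliance_report(baseline=BASELINE, instances=INSTANCES) -> dict[str, Any]:
    findings = baseline_findings(baseline, instances)
    return {
        "compliant": not findings,
        "findings": findings,
        "inconsistent_keys": sorted(inconsistent_keys(instances)),
    }


if __name__ == "__main__":
    for line in compliance_report()["findings"]:
        print("DEVIATION %s: %s expected %r, found %r" % line)
```

The second check is deliberately independent of the baseline: a setting nobody wrote into the design (a debugging flag left on one node, for instance) still shows up as drift between instances that are supposed to be identical.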

Trust Management

Trust Management addresses trusted relationships between entities such as organizations, enterprises, identities, security domains, and systems. These relationships can be system-to-system, business-to-business, and so on.

Trust Management deals with two aspects, namely business and technology. The business aspect deals with two entities agreeing upon a set of rules to conduct business. These rules include relationship management, liability management, and other legal aspects.

The technology aspect deals with managing the infrastructure that supports establishing trust by cryptographic methods. This includes key management (key strength, key validation, and so on), protocols, attributes, and other technical considerations for establishing trust.

There are multiple ways of establishing trust relationships. In Figure 2-13, the trust is explicit and simple: consumer and provider are within a single trust domain, and thus share the same trust source.

Figure 2-13 Tightly coupled trust relationship (elements shown: Trust Service; Service Consumer; Service Provider; Request Flow; Consumer Policy; Provider Policy; Consumer Token; Provider Token; Same trust source. Works for intra-organization use.)

In Figure 2-14, we illustrate another approach, where the consumer and the target service have separate trust sources and rely either on a directly configured trust relationship between them or on a trusted third-party trust service.

Figure 2-14 Loosely coupled trust relationship
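The three arrangements in Figures 2-13 and 2-14 (same trust source; separate trust sources with an offline-configured relationship; separate trust sources with a third-party trust provider) are shown below as an added example, not as code from the Redbook or from any IBM product. Tokens are HMAC-SHA256-signed JSON claims standing in for signed SAML or WS-Trust tokens; the domain names, keys and subjects are constructed.

```python
# Added example, not from the Redbook: the consumer/provider token exchange
# behind Figures 2-13 and 2-14. Tokens are HMAC-SHA256-signed JSON claims,
# standing in for signed SAML/WS-Trust security tokens; domain names, keys
# and subjects are constructed.
from __future__ import annotations
import base64
import hashlib
import hmac
import json
import time


class TrustService:
    """Trust service for one domain: issues tokens under its own key and
    validates tokens from any issuer in its trust store."""

    def __init__(self, name: str, key: bytes):
        self.name, self.key = name, key
        self.trust_store: dict[str, bytes] = {name: key}   # every domain trusts itself

    def issue(self, subject: str, audience: str, ttl: int = 300, now: int | None = None) -> str:
        claims = {"iss": self.name, "sub": subject, "aud": audience,
                  "exp": int(time.time() if now is None else now) + ttl}
        body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
        mac = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{mac}"

    def validate(self, token: str, now: int | None = None) -> dict | None:
        """Claims if the issuer is a trusted source, the MAC verifies, the token
        is addressed to this domain and it has not expired; otherwise None."""
        body, _, mac = token.partition(".")
        try:
            claims = json.loads(base64.urlsafe_b64decode(body))
        except ValueError:
            return None
        if not isinstance(claims, dict):
            return None
        key = self.trust_store.get(claims.get("iss"))
        if key is None:
            return None                                    # unknown trust source
        expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, mac):
            return None                                    # forged or tampered
        current = int(time.time() if now is None else now)
        if claims.get("aud") != self.name or claims.get("exp", 0) <= current:
            return None
        return claims

    def exchange(self, token: str, audience: str) -> str | None:
        """Third-party trust provider: accept a partner's token addressed to this
        broker and re-issue the subject under the broker's own key for the target."""
        claims = self.validate(token)
        return None if claims is None else self.issue(claims["sub"], audience)


def tightly_coupled() -> bool:
    """Figure 2-13: consumer and provider share one trust service."""
    acme = TrustService("acme", b"acme-key")
    consumer_token = acme.issue("orders-client", audience="acme")
    return acme.validate(consumer_token) is not None


def loosely_coupled_direct() -> tuple[bool, bool]:
    """Figure 2-14, direct case: separate trust sources. The provider rejects the
    partner's token until the partner key is configured (offline) in its store."""
    acme = TrustService("acme", b"acme-key")
    partner = TrustService("partner", b"partner-key")
    token = partner.issue("partner-app", audience="acme")
    before = acme.validate(token) is not None
    acme.trust_store["partner"] = partner.key       # offline, indirectly configured trust
    after = acme.validate(token) is not None
    return before, after


def loosely_coupled_brokered() -> bool:
    """Figure 2-14, optional 3rd-party trust provider: the provider trusts only the
    broker, which validates the partner's token and issues one the provider accepts."""
    acme = TrustService("acme", b"acme-key")
    partner = TrustService("partner", b"partner-key")
    broker = TrustService("broker", b"broker-key")
    broker.trust_store["partner"] = partner.key     # broker trusts the partner domain
    acme.trust_store["broker"] = broker.key         # provider trusts the broker
    token = partner.issue("partner-app", audience="broker")
    brokered = broker.exchange(token, audience="acme")
    claims = acme.validate(brokered) if brokered else None
    return claims is not None and claims["sub"] == "partner-app"
```

The difference between the two loosely coupled cases is where the trust store has to grow: in the direct case every provider must be configured with every partner's key, whereas with a broker each side configures only the broker, and the broker's re-issued token carries the subject (and can be extended to carry the original issuer) so the provider can still apply its own policy to it.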

Figure 2-14 (elements shown: Trust Service; Service Consumer; Service Provider; Request Flow; Consumer Policy; Provider Policy; Consumer Token; Provider Token; Separate trust source; Offline, indirectly configured, or optional 3rd-party trust provider. Works for inter-organization use.)

Identity and access

This deals with the technologies that are needed to manage identities both within an enterprise as well as across enterprises. It also includes management of access policies to resources based on identity information and resource information.

Identity life cycle management is the main task. Identities need to be created, modified over time, and eventually deleted. Some important aspects are:

• HR identity feed: Often the authoritative source of identity information for internal users is the HR (human resources) system. An identity feed from the HR system can indicate, to the identity management system, that changes to the user population have occurred, and provisioning workflows need to be initiated.

• Approvals: Before accounts on end systems are created or modified, approvals from the appropriate management may be required. This can be automated.

• Re-validation: Access to systems may need to be approved at regular intervals. The system should collect the appropriate re-validation approvals.

• User self-care: Users of the system should be able to perform certain tasks without input from an administrator. For example, they may want to self-enrol to the system, reset or change their password(s), and so on.

• Delegated administration: For approving requests for accounts, and other administrative functions, delegating the action to another user or users is an important function.
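How an HR identity feed turns into provisioning work, with approval gating and re-validation, is shown here as an added example. It is not code from the Redbook or from any IBM identity product; the feed rows, the account store and the 90-day review period are constructed.

```python
# Added example, not from the Redbook: reconcile an HR identity feed against
# the identity management system's account store to derive the joiner, mover
# and leaver work the provisioning workflows must carry out, hold account
# creation until an approval is recorded, and list accounts due for
# re-validation. Feed rows, accounts and the review period are constructed.
from __future__ import annotations
from datetime import date, timedelta

# Constructed HR feed (authoritative for internal users).
HR_FEED = [
    {"id": "e100", "name": "Ann", "dept": "finance", "status": "active"},
    {"id": "e101", "name": "Bob", "dept": "sales", "status": "active"},
    {"id": "e102", "name": "Cy", "dept": "finance", "status": "terminated"},
]
# Constructed account store: what the identity management system currently holds.
ACCOUNTS = {
    "e101": {"dept": "engineering", "last_validated": date(2024, 1, 10)},
    "e102": {"dept": "finance", "last_validated": date(2024, 6, 1)},
    "e103": {"dept": "ops", "last_validated": date(2024, 6, 1)},
}
REVALIDATION_PERIOD = timedelta(days=90)   # assumed access-review interval


def reconcile(hr_feed: list[dict], accounts: dict[str, dict], today: date) -> dict[str, list]:
    """Diff the feed against the account store:
    joiners    - active in HR, no account yet        -> create (after approval)
    movers     - account attributes differ from HR   -> modify access
    leavers    - terminated in HR, or no HR record   -> deprovision
    revalidate - access review older than the period -> collect re-approval"""
    hr = {row["id"]: row for row in hr_feed}
    work: dict[str, list] = {"joiners": [], "movers": [], "leavers": [], "revalidate": []}
    for uid, row in hr.items():
        if row["status"] != "active":
            if uid in accounts:
                work["leavers"].append(uid)
        elif uid not in accounts:
            work["joiners"].append(uid)
        elif accounts[uid]["dept"] != row["dept"]:
            work["movers"].append((uid, accounts[uid]["dept"], row["dept"]))
    for uid, acct in accounts.items():
        if uid not in hr:
            work["leavers"].append(uid)          # orphan: no authoritative record
        elif hr[uid]["status"] == "active" and today - acct["last_validated"] > REVALIDATION_PERIOD:
            work["revalidate"].append(uid)
    return work


def provisioning_actions(work: dict[str, list], approvals: set[str]) -> list[str]:
    """Turn the reconciliation result into workflow actions. Creation waits for
    a recorded approval (which may come from a delegated approver); removal of
    access never does."""
    actions = []
    for uid in work["joiners"]:
        actions.append(f"create {uid}" if uid in approvals else f"await-approval {uid}")
    for uid, old, new in work["movers"]:
        actions.append(f"move {uid} {old}->{new}")
    for uid in work["leavers"]:
        actions.append(f"disable {uid}")
    for uid in work["revalidate"]:
        actions.append(f"request-revalidation {uid}")
    return actions


if __name__ == "__main__":
    work = reconcile(HR_FEED, ACCOUNTS, today=date(2024, 7, 1))
    for action in provisioning_actions(work, approvals={"e100"}):
        print(action)
```

Two points are deliberate: an account with no HR record at all (`e103`) is treated as a leaver, because an orphan account is exactly what an HR-driven process exists to catch, and disabling access is never held up waiting for an approval, only granting it is.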

Data protection and disclosure control

Data protection management deals with protecting business information and provides the capabilities for content and data protection in transit and at rest. It includes the ability to specify and implement policies for which data is to be protected and to what extent. Externalizing data handling rules from applications and IT systems can help to simplify the management of data protection.

In the context of privacy of personal and business information, the disclosure control capability helps reduce privacy compliance costs by automating manual procedures. The system builds trust by:

• Publishing a privacy policy for users to view

• Managing user consent to privacy policies

• Capturing user preferences (such as opt-in to release of PII for certain purposes)

• Providing detailed reports on access to sensitive information
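The four capabilities in that list fit together as a purpose-based disclosure check, shown here as an added example that is not code from the Redbook or from any IBM product. The privacy policy, the users and the requests are constructed; the policy format (attribute, purpose, "always" or "opt-in") is an assumption made for the example.

```python
# Added example, not from the Redbook: purpose-based disclosure control. The
# published privacy policy says which purposes each PII attribute may be
# released for and whether release needs an explicit opt-in; the user's recorded
# consent and preferences decide each request, and every decision is logged so
# access to sensitive information can be reported. Policy, users and requests
# are constructed.
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed privacy policy, version 2: attribute -> {purpose: "always" | "opt-in"}.
PRIVACY_POLICY = {
    "email":   {"order-fulfilment": "always", "marketing": "opt-in"},
    "address": {"order-fulfilment": "always"},
    "ssn":     {},                        # no purpose permits release to services
}
POLICY_VERSION = 2


@dataclass
class UserRecord:
    consented_version: int | None          # policy version the user accepted, if any
    opt_ins: set[str] = field(default_factory=set)   # purposes explicitly opted into


@dataclass
class DisclosureControl:
    policy: dict[str, dict[str, str]]
    policy_version: int
    users: dict[str, UserRecord]
    access_log: list[dict] = field(default_factory=list)

    def decide(self, user_id: str, attribute: str, purpose: str, requester: str) -> bool:
        """Allow or deny one disclosure request and record the decision."""
        user = self.users.get(user_id)
        rule = self.policy.get(attribute, {}).get(purpose)
        if user is None:
            allowed, reason = False, "unknown-user"
        elif rule is None:
            allowed, reason = False, "no-policy-rule"
        elif user.consented_version != self.policy_version:
            allowed, reason = False, "consent-outdated"   # must re-consent to current policy
        elif rule == "opt-in" and purpose not in user.opt_ins:
            allowed, reason = False, "no-opt-in"
        else:
            allowed, reason = True, rule
        self.access_log.append({"user": user_id, "attribute": attribute, "purpose": purpose,
                                "requester": requester, "allowed": allowed, "reason": reason})
        return allowed

    def report(self) -> dict[str, dict[str, int]]:
        """Per-attribute allowed/denied counts for the access report."""
        out: dict[str, dict[str, int]] = {}
        for entry in self.access_log:
            counts = out.setdefault(entry["attribute"], {"allowed": 0, "denied": 0})
            counts["allowed" if entry["allowed"] else "denied"] += 1
        return out


def run_scenario() -> DisclosureControl:
    """Constructed requests from two services against three users."""
    dc = DisclosureControl(PRIVACY_POLICY, POLICY_VERSION, users={
        "u1": UserRecord(consented_version=2, opt_ins={"marketing"}),
        "u2": UserRecord(consented_version=2),
        "u3": UserRecord(consented_version=1),          # consented to an older policy
    })
    dc.decide("u1", "email", "marketing", "campaign-svc")            # opted in
    dc.decide("u2", "email", "marketing", "campaign-svc")            # no opt-in
    dc.decide("u2", "address", "order-fulfilment", "shipping-svc")   # always permitted
    dc.decide("u3", "address", "order-fulfilment", "shipping-svc")   # consent outdated
    dc.decide("u2", "ssn", "order-fulfilment", "shipping-svc")       # no rule: never
    return dc
```

Denials are logged with the same detail as grants; an access report that only shows successful disclosures hides exactly the requests a privacy reviewer most wants to see.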

Secure systems and networks

This is a category of technologies and embedded systems that help protect infrastructure servers, systems, and networking resources from security threats. The goal is to protect the systems from external and internal threats, such as hackers and viruses.

Firewalls are used whenever there is a need to control the traffic between two networks. For example, a firewall is used at the connection of an organization and the Internet, and may provide simple protocol and port filtering, or more complex protocol inspection. Newer types of firewalls inspect XML and SOAP traffic and provide protection against higher-level protocol specific attacks.
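What "protection against higher-level protocol specific attacks" looks like for an XML/SOAP-aware firewall is shown below as an added example; it is not code from the Redbook or from any IBM product. The checks (size limit, no DOCTYPE, bounded nesting depth, a SOAP 1.1 envelope, and exactly one body operation from an allow-list) are the author's choice for the example; the `urn:orders` operation namespace and the sample messages are constructed.

```python
# Added example, not from the Redbook: the checks an XML/SOAP-aware firewall
# applies before a request reaches the service: size limit, no DOCTYPE (entity
# expansion and external entities), bounded nesting depth, a proper SOAP
# envelope, and exactly one body operation from an allow-list. The operation
# namespace and sample messages are constructed.
from __future__ import annotations
import re
import xml.etree.ElementTree as ET
from io import BytesIO

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
ENVELOPE, BODY = f"{{{SOAP_ENV}}}Envelope", f"{{{SOAP_ENV}}}Body"
MAX_BYTES = 64 * 1024
MAX_DEPTH = 32
ALLOWED_OPERATIONS = {"{urn:orders}GetOrder", "{urn:orders}ListOrders"}  # constructed
_DOCTYPE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)


def inspect_soap(raw: bytes) -> tuple[bool, str]:
    """Return (accept, reason). Cheap byte-level checks run first; structural
    checks run during a streaming parse so a rejected message is never fully
    built in memory."""
    if len(raw) > MAX_BYTES:
        return False, "oversize"
    if _DOCTYPE.search(raw):
        return False, "doctype-not-allowed"      # blocks entity expansion and XXE
    depth, body_depth, in_body = 0, 0, False
    operations: list[str] = []
    try:
        for event, elem in ET.iterparse(BytesIO(raw), events=("start", "end")):
            if event == "start":
                depth += 1
                if depth == 1 and elem.tag != ENVELOPE:
                    return False, "not-a-soap-envelope"
                if depth > MAX_DEPTH:
                    return False, "nesting-too-deep"
                if elem.tag == BODY:
                    in_body, body_depth = True, depth
                elif in_body and depth == body_depth + 1:
                    operations.append(elem.tag)    # direct children of Body
            else:
                if elem.tag == BODY:
                    in_body = False
                depth -= 1
    except ET.ParseError as exc:
        return False, f"malformed: {exc}"
    if len(operations) != 1:
        return False, "body-must-carry-exactly-one-operation"
    if operations[0] not in ALLOWED_OPERATIONS:
        return False, f"operation-not-allowed: {operations[0]}"
    return True, "ok"


def soap(body_xml: str) -> bytes:
    """Wrap constructed body XML in a SOAP 1.1 envelope."""
    return (f'<soapenv:Envelope xmlns:soapenv="{SOAP_ENV}"><soapenv:Header/>'
            f'<soapenv:Body>{body_xml}</soapenv:Body></soapenv:Envelope>').encode()


# Constructed sample traffic.
GOOD = soap('<o:GetOrder xmlns:o="urn:orders"><o:id>42</o:id></o:GetOrder>')
UNKNOWN_OP = soap('<o:DeleteAllOrders xmlns:o="urn:orders"/>')
TWO_OPS = soap('<o:GetOrder xmlns:o="urn:orders"/><o:ListOrders xmlns:o="urn:orders"/>')
XXE = (b'<?xml version="1.0"?><!DOCTYPE x [<!ENTITY e SYSTEM "file:///etc/passwd">]>'
       + soap('<o:GetOrder xmlns:o="urn:orders"><o:id>&e;</o:id></o:GetOrder>'))
DEEP = soap("<a>" * (MAX_DEPTH + 5) + "</a>" * (MAX_DEPTH + 5))

if __name__ == "__main__":
    for label, msg in [("good", GOOD), ("unknown-op", UNKNOWN_OP), ("two-ops", TWO_OPS),
                       ("xxe", XXE), ("deep", DEEP)]:
        print(label, inspect_soap(msg))
```

The ordering matters: the DOCTYPE and size checks run on raw bytes before any parser touches the message, because entity expansion and deeply nested input are attacks on the parser itself, and a firewall that parses first in order to decide has already paid the cost. The allow-list is keyed on the namespaced operation element, which is what a port-and-protocol firewall cannot see.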

Operating system security involves hardening of commercial operating systems so that they provide greater security controls. For example, one issue with UNIX operating systems is that the administrative user (root) has full control, including the ability to delete all security audit logs. In this case, operating system security software can control and securely log the access of root to applications and data, providing separation of duties.

Intrusion detection (host and network) is concerned with detecting anomalies in the use of the operating systems or the network. This might be used, for example, to detect external or internal intrusions to these systems. Virus detection is used to detect and delete any viruses. This might be implemented at the border of the organization and the Internet, and also on individual host operating systems.

Patch management involves applying service patches to operating systems, application middleware, databases, and applications within the environment. These patches might contain security fixes that remove vulnerabilities in software.

Business Process and Policy Management

Business Process and Policy Management applies to all the Business Security Services and deals with coordinating and integrating business processes so that they can be optimized and adapted for maximum efficiency.

Some examples of these processes and policies are:

• Governance, risk, and compliance

Business processes and policies are needed to define organizational roles and responsibilities, processes, and authority. Risk management processes and policies are needed to evaluate strategies for managing risk against cost. Compliance may include assessment processes and reporting policies, for example, what type of assessment is used, how often it is executed, and who should be informed.

• Trust management

Business processes and policies are required for establishing trusted relationships. These processes may include whom to include in a circle of trust, what legal process to follow, and what process is used for evaluating liability. This may also include the policies that define what type of access to resources is granted.

• Identity and access

Processes for identity can include on-boarding and off-boarding identities, and self-care / self-registration for optimal user interaction. They can also include processes and policies for approval of access to IT resources and business resources. In addition, policies for password management and identity management also apply.

• Data protection and disclosure control

Business policies are needed to define how content and data may be used in transit and at rest. Processes are needed in the event of misuse and for handling inappropriate use of data. Business policies are also needed to define the sensitivity of data and to apply the appropriate message protection and privacy policies.

• Secure systems and networks

Policies are required for intrusion detection and event management to ensure secure systems and networks. Processes must be in place for handling alerts, for engaging the Computer Emergency Response Team, and for normal housekeeping of scheduled maintenance, patch management, and servicing.

