SB20: SOA Security And The Impact To BCP

Transcription

SB20: SOA Security and the Impacts to BCP
Ken Huang, CISSP, CGI Enterprise Security Practice, Director, Security Engineering
Office: 703.227.4921
ken.huang@cgifederal.com
www.cgi.com
Mark Spreitzer, CBCP, CGI Enterprise Security Practice, Director, Business Continuity/CIP

Agenda
Defining Service Oriented Architecture (SOA)
How to roadmap SOA
SOA and Service Level Agreements
SOA Security Stack
SOA and the RTO & RPO
SOA and the BIA Questionnaire
Tips for applying SOA to BCP
Summary & Questions

What is SOA?
Business-centric approach to IT architecture
– supports integrating your business as linked, repeatable business tasks, or services
SOA enables business to define and implement loosely-coupled and coarse-grained services
– services are made available to other participants in the network in a standardized way
– to increase ROI and reusability

Roadmap Example
Approach
– Workflow the value chain information provided and consumed
– Identify opportunities to standardize the information interface
– Develop solution with those services
– Increase ROI & reusability → profit!
Points to remember
– Business and IT are working on the same tool
– Path to execution: all services are defined

Workflow the Business Process (value-chain diagram; nodes: Finance / Billing and Financial Tracking; Program Providers / Program Development; Regional and International Offices / Finance Application; Mail Operations / Program Changes; Program Operations / Customer Service, Special Requests, Program Edits, Finance Application; Marketing / Catalog & Brochure Design; Finance / Currency conversion and Fee association; Publisher / Catalog Printing and Mailing Vendors; Mail Operations / Brochure Distribution; Consumer Questions, Program Changes/Cancellations; Call Center / Registration/Payments; Consumers / Receive Catalogs/Bills)

Identify external vs. internal services (same value-chain diagram, with each node classified as an external or an internal service)

Identify the Information Interface (same value-chain diagram, with each interface between nodes labelled VPN or IAM; IAM = Identity & Access Management)

Before SOA
Disconnect between Business Strategies and IT Solutions
– Operation support
– Individual project based decision
– Ad hoc and technology driven implementation
Proprietary middleware & presentation technologies
Non-Scalable Point to point integration
Lack of Agility
Limited Reusability

SOA Identity Management (same value-chain diagram, with each interface between service partners labelled "trust")

What SOA Provides
Focus on Business Processes
– Internal and external view of business services
– How data flows between service components
– Analyze the trust among service partners
– Provide an abstraction layer for services and the workflow associated with them
– Involved in business strategies and decisions
– Have a long-term blueprint and big picture as guidance
Enforcement of reusability
– Promote agility
– Promote standardization
Gartner sees the use of SOA for mission critical applications ramping from 50 percent in 2007 to 80 percent by 2010

BCP and SOA: What is in common?
Focus on core and critical business processes and values
Insider and outsider view of Business
Business Centric approach instead of IT Centric
What changes?
– SOA Architect and Governance body

SOA and Service Level Agreements (SLA)
Before SOA (hard-wired deployments)
– SLAs relatively easy to implement using conventional tools
With SOA
– Environment becomes dynamic
– Loosely-coupled enterprise: SLA becomes difficult
– Service end points may be added or changed
– New services might be offered or existing SLAs redefined
– SLAs may even exist between different enterprises entirely
Solution: map and exercise plans to the value chain

SOA Security Stack
Areas influenced by SOA security standards
– Policy Standards: Trust, Confidentiality
– Identity Management: Business partner entitlements, Service partner entitlements
– Messaging integrity and confidentiality
– Lower layer security: Key management, Encryption management
Three categories of standards
Identity Management Standards
– SAML
– Liberty ID-FF
– SPML
– XACML
– DSML
– WS-Federation, etc.
Web Services Standards
– WS-Security
– WS-ReliableMessaging
Digital Security Standards (mostly in the lower layers of the IP stack)
– XKMS
– XML-SIG
– XML-ENC
– TLS
– IPSec
– PKI
– SSL
– S/MIME
– LDAP
– Kerberos, etc.

SAML (Security Assertion Markup Language)
XML standard for exchanging authentication and authorization data between security domains.
SAML Building Blocks
– Extensible Markup Language (XML)
– XML Schema
– XML Signature: for authentication and message integrity
– XML Encryption: for identity encryption
– SOAP

Liberty Alliance Project
Global alliance on Identity Federation
– Organization of over 150 members comprised of business, non-profit and government agencies
– Developing an open standard for federated network identity (Liberty ID-FF)
Liberty ID-FF (Identity Federation Framework)
– Now part of OASIS standard
– OASIS (Organization for the Advancement of Structured Information Standards)
– Is the basis for SAML 2.0

WS-Federation
Competing standard to SAML
– Developed by BEA Systems, BMC Software, CA, Inc., IBM, Microsoft, Novell, and VeriSign
Part of the larger WS-* Security framework
Microsoft has its own standard
– Interoperates with WS-Federation
– Based on Active Directory
– Bundled in Windows Server 2003 R2
– Microsoft ADFS (Active Directory Federation Service)

XACML (eXtensible Access Control Markup Language)
Declarative access control policy language
Implemented in XML
Processing model
– describing how to interpret the access policies
Defines who can access what resource
Passed from PEP (Policy Enforcement Point) to PDP (Policy Decision Point)
– PDP uses the information inside XACML to determine who has access to which resource

WSS (WS-Security)
Application layer protocol
Enables end-to-end security using security tokens
Describes how to attach security tokens to messages
– SOAP signature and HTTP encryption headers
– including binary security tokens such as X.509 certificates and Kerberos tickets
Contains specifications on how integrity and confidentiality can be enforced on Web services messaging
– Includes details on the use of SAML and Kerberos, and certificate formats such as X.509

Other WS-* Standards
Provides for Confidentiality and Integrity
Extension of WS-Security
– WS-SecureConversation: provides the message authentication
– WS-SecurityPolicy: defines how and when the security tokens should be used in a Web Service conversation
– WS-Trust: provides a framework for validation of security tokens

WS-ReliableMessaging
Provides for System Availability
Protocol that allows SOAP messages to be delivered reliably between distributed applications
Queues messages/requests in the presence of software component, system, or network failures
– Developed by BEA Systems, Microsoft, IBM, and Tibco (March 2003)
– Approved as an OASIS Standard on June 14th

SOA Security tips
Network and Transport Layer security:
– firewall, IPSec, SSL, VPN, HTTPS
– Most non-invasive
Use XML-Enc and XML-Sig
Apply WS-* Security
Identity and Access Management is a must have.

What SOA means to Data
Information is protected as it moves
– from structured to unstructured
– in and out of applications
– across each business process
Information is viewed as self-describing and self-defending
Policies work consistently through the defensive layers and technologies
Policies and controls account for business context

SOA and the RTO & RPO
Recovery Time Objective (RTO)
Before SOA
– RTO tied to individual mission critical applications and business processes
With SOA
– RTO expectation is changed
– RTO is tied to overall SOA infrastructure
– SOA enables deep integration, and fast response time
Recovery Point Objective (RPO)
Before SOA
– Recovery of IT infrastructure: hardware, software, and network components
With SOA
– SOA security is key to define the RPO
– Redefine where the data resides
– More redundancy of systems and data

SOA and the BIA Questionnaire
Business Recovery
Before SOA
– Functional business mapping
– Map systems and networks to identify interviews
– Overlay technology (applications, networks, etc.)
– Overlay organization chart to understand the components affected by an incident/outage
With SOA
– Overlay Line of Business SOA configuration over the Organization charts
– Map SOA infrastructure to the business functions to produce questionnaire
IT Recovery
Before SOA
– Inventory of systems
– Interview with applications owners, network and system administrators
– Focused on systems
– Results based on internal view
With SOA
– Focused on value chain
– Results based on interfaces
– SOA Governance body or committee in addition to the above

Tips for applying SOA to BCP
Establish senior management support
Cross train BCP/SOA
– First understand correlations then map partner links
Review BCP plan with SOA Team
– New Threat Landscape
– Areas of Responsibilities
– Emergency Contact information
– Recovery Team composition
Establish Review and Revision interval
Review backup of SOA applications and data
Exercise plans based on value chain

Summary
SOA impacts recovery processes
– Changes business flow → changes RTO
– Changes data flow → changes RPO
– Changes value chain → changes BIA
Enables further understanding of business
SOA may simplify the value chain
– Enables service foundations such as eTOM and ITIL
– Enables Virtualization (Data and Application)
– Simplifies Insourcing/Outsourcing
– Enables Mergers, Acquisitions and Divestment
