End-to-End Security Policy Auditing and Enforcement in ... · • Action: READ/WRITE •...
Transcript of End-to-End Security Policy Auditing and Enforcement in ... · • Action: READ/WRITE •...
![Page 1: End-to-End Security Policy Auditing and Enforcement in ... · • Action: READ/WRITE • Environment • Conditions on which access is allowed or denied • Based on WSO2 Balana XACML](https://reader033.fdocuments.net/reader033/viewer/2022043003/5f83d8468ce2ec6684266247/html5/thumbnails/1.jpg)
End-to-End Security Policy Auditing and
Enforcement in Service Oriented Architecture
!
Progress Report: January 2014 and
Related Research
![Page 2: End-to-End Security Policy Auditing and Enforcement in ... · • Action: READ/WRITE • Environment • Conditions on which access is allowed or denied • Based on WSO2 Balana XACML](https://reader033.fdocuments.net/reader033/viewer/2022043003/5f83d8468ce2ec6684266247/html5/thumbnails/2.jpg)
Agenda
• Motivation
• REST/SOA Monitoring Framework
• Demo
• Future Work
![Page 3: End-to-End Security Policy Auditing and Enforcement in ... · • Action: READ/WRITE • Environment • Conditions on which access is allowed or denied • Based on WSO2 Balana XACML](https://reader033.fdocuments.net/reader033/viewer/2022043003/5f83d8468ce2ec6684266247/html5/thumbnails/3.jpg)
MotivationService 1
Service 2
Service 3
Service 4
Service 5
Trust Domain Service Level Agreements /
Domain Policies
PII
PII
PII
![Page 4: End-to-End Security Policy Auditing and Enforcement in ... · • Action: READ/WRITE • Environment • Conditions on which access is allowed or denied • Based on WSO2 Balana XACML](https://reader033.fdocuments.net/reader033/viewer/2022043003/5f83d8468ce2ec6684266247/html5/thumbnails/4.jpg)
REST/SOA Monitoring• Remote Monitoring
• Passive and Active Monitoring
• Service Composition Topologies
• Trust Management
• Service Interaction Authorization
![Page 5: End-to-End Security Policy Auditing and Enforcement in ... · • Action: READ/WRITE • Environment • Conditions on which access is allowed or denied • Based on WSO2 Balana XACML](https://reader033.fdocuments.net/reader033/viewer/2022043003/5f83d8468ce2ec6684266247/html5/thumbnails/5.jpg)
Solution Architecture
![Page 6: End-to-End Security Policy Auditing and Enforcement in ... · • Action: READ/WRITE • Environment • Conditions on which access is allowed or denied • Based on WSO2 Balana XACML](https://reader033.fdocuments.net/reader033/viewer/2022043003/5f83d8468ce2ec6684266247/html5/thumbnails/6.jpg)
Passive MonitoringService Monitor
Service
Service 1
Service 2
Service 3
Interaction: Service -> Service 1
Interaction: Service -> Service 2
Interaction: Service -> Service 3
Int 1Int 2Int 3
![Page 7: End-to-End Security Policy Auditing and Enforcement in ... · • Action: READ/WRITE • Environment • Conditions on which access is allowed or denied • Based on WSO2 Balana XACML](https://reader033.fdocuments.net/reader033/viewer/2022043003/5f83d8468ce2ec6684266247/html5/thumbnails/7.jpg)
Passive Monitoring
!!!!!!!!!!!!
Service
Operation 1
Operation 2
External Service Call
…
Operation n
Interaction Details !To Monitor
Invoke !Service 1
![Page 8: End-to-End Security Policy Auditing and Enforcement in ... · • Action: READ/WRITE • Environment • Conditions on which access is allowed or denied • Based on WSO2 Balana XACML](https://reader033.fdocuments.net/reader033/viewer/2022043003/5f83d8468ce2ec6684266247/html5/thumbnails/8.jpg)
Passive Monitoring• Service monitor invocation is transparent to
regular service operation
• Service monitor does not return any information to the monitored service
• Service monitor maintains context information of each service
• Useful for a system administrator to monitor the system in production mode
![Page 9: End-to-End Security Policy Auditing and Enforcement in ... · • Action: READ/WRITE • Environment • Conditions on which access is allowed or denied • Based on WSO2 Balana XACML](https://reader033.fdocuments.net/reader033/viewer/2022043003/5f83d8468ce2ec6684266247/html5/thumbnails/9.jpg)
Active MonitoringService Monitor
Service
Service 1
Service 2
Service 3
Interaction: Service -> Service 1
Interaction: Service -> Service 2
Interaction: Service -> Service 3
Int 1Int 2Int 3
OKOKOK
![Page 10: End-to-End Security Policy Auditing and Enforcement in ... · • Action: READ/WRITE • Environment • Conditions on which access is allowed or denied • Based on WSO2 Balana XACML](https://reader033.fdocuments.net/reader033/viewer/2022043003/5f83d8468ce2ec6684266247/html5/thumbnails/10.jpg)
NO
Active MonitoringService Monitor
Service
Service 1
Service 2
Service 3
Interaction: Service -> Service 3
Int 1Int 2Int 3
![Page 11: End-to-End Security Policy Auditing and Enforcement in ... · • Action: READ/WRITE • Environment • Conditions on which access is allowed or denied • Based on WSO2 Balana XACML](https://reader033.fdocuments.net/reader033/viewer/2022043003/5f83d8468ce2ec6684266247/html5/thumbnails/11.jpg)
Active Monitoring
!!!!!!!!!!!!
Service
Operation 1
Operation 2
External Service Call
…
Operation n
Interaction !Authorization !
Request
Invoke !Service 1
OK
![Page 12: End-to-End Security Policy Auditing and Enforcement in ... · • Action: READ/WRITE • Environment • Conditions on which access is allowed or denied • Based on WSO2 Balana XACML](https://reader033.fdocuments.net/reader033/viewer/2022043003/5f83d8468ce2ec6684266247/html5/thumbnails/12.jpg)
Active Monitoring• Service monitor invocation blocks regular service
operation
• Service monitor returns interaction authorization results
• Decision based on various contextual information such as trust levels, service load, clearance level of invoker etc
• Effective in policy enforcement and to guarantee service level agreements
![Page 13: End-to-End Security Policy Auditing and Enforcement in ... · • Action: READ/WRITE • Environment • Conditions on which access is allowed or denied • Based on WSO2 Balana XACML](https://reader033.fdocuments.net/reader033/viewer/2022043003/5f83d8468ce2ec6684266247/html5/thumbnails/13.jpg)
Service Composition Topologies
• Service Proxy
!
• Service Chain
!
• Service Facade
![Page 14: End-to-End Security Policy Auditing and Enforcement in ... · • Action: READ/WRITE • Environment • Conditions on which access is allowed or denied • Based on WSO2 Balana XACML](https://reader033.fdocuments.net/reader033/viewer/2022043003/5f83d8468ce2ec6684266247/html5/thumbnails/14.jpg)
Trust Management• Trust level is a measure of service behavior over time
• Service level agreements are based on service trust levels
• Service Monitor evaluates service behavior and maintains dynamic trust levels for monitored services
• Uses service interactions, service level agreements, whitelisting/blacklisting
• Tracks invocation graphs
• Propagates changes in trust
![Page 15: End-to-End Security Policy Auditing and Enforcement in ... · • Action: READ/WRITE • Environment • Conditions on which access is allowed or denied • Based on WSO2 Balana XACML](https://reader033.fdocuments.net/reader033/viewer/2022043003/5f83d8468ce2ec6684266247/html5/thumbnails/15.jpg)
Service Interaction Authorization
• Active monitoring requires the service monitor to authorize each service interaction
• Authorization is based on service level agreements and system policies
• Service Monitor makes authorization decisions
• Service instrumentation enforces authorization decisions
• Controls external service invocations
• Block, Allow, Redirect etc
![Page 16: End-to-End Security Policy Auditing and Enforcement in ... · • Action: READ/WRITE • Environment • Conditions on which access is allowed or denied • Based on WSO2 Balana XACML](https://reader033.fdocuments.net/reader033/viewer/2022043003/5f83d8468ce2ec6684266247/html5/thumbnails/16.jpg)
Implementationhttps://code.google.com/p/end-to-end-soa
![Page 17: End-to-End Security Policy Auditing and Enforcement in ... · • Action: READ/WRITE • Environment • Conditions on which access is allowed or denied • Based on WSO2 Balana XACML](https://reader033.fdocuments.net/reader033/viewer/2022043003/5f83d8468ce2ec6684266247/html5/thumbnails/17.jpg)
!
Features• Instrumented service interaction modules
• REST services
• Pluggable service topologies
• Pluggable Trust Management Algorithms
• Pluggable Authorization Algorithms
• Service Monitor Management Console
![Page 18: End-to-End Security Policy Auditing and Enforcement in ... · • Action: READ/WRITE • Environment • Conditions on which access is allowed or denied • Based on WSO2 Balana XACML](https://reader033.fdocuments.net/reader033/viewer/2022043003/5f83d8468ce2ec6684266247/html5/thumbnails/18.jpg)
Instrumented “request”• instr_request: Non-blocking instrumentation
• Sends all invocation metadata to service monitor before and after invocation [asynchronous]
• instr_request_block: Blocking implementation
• Waits for authorization form service monitor before allowing interaction
• When interaction allowed carries out interaction and sends interaction metadata after the interaction [asynchronous]
![Page 19: End-to-End Security Policy Auditing and Enforcement in ... · • Action: READ/WRITE • Environment • Conditions on which access is allowed or denied • Based on WSO2 Balana XACML](https://reader033.fdocuments.net/reader033/viewer/2022043003/5f83d8468ce2ec6684266247/html5/thumbnails/19.jpg)
REST Services• Services implemented as node.js/express
applications
• Registered with the Service Monitor
• Exposes a REST API to be consumed by other services
• Message format: JSON
• Allowed operations: GET, PUT, POST, DELETE
![Page 20: End-to-End Security Policy Auditing and Enforcement in ... · • Action: READ/WRITE • Environment • Conditions on which access is allowed or denied • Based on WSO2 Balana XACML](https://reader033.fdocuments.net/reader033/viewer/2022043003/5f83d8468ce2ec6684266247/html5/thumbnails/20.jpg)
Topology Implementation• instr_request or instr_request_block used with the
typical request syntax when interacting with external services
• Scenario definition added into passive or active directory in monitor/scenarios/
• Graphical representation of the scenario
• Management Console:
• Ability to update trust levels
• Scenario invocation
![Page 21: End-to-End Security Policy Auditing and Enforcement in ... · • Action: READ/WRITE • Environment • Conditions on which access is allowed or denied • Based on WSO2 Balana XACML](https://reader033.fdocuments.net/reader033/viewer/2022043003/5f83d8468ce2ec6684266247/html5/thumbnails/21.jpg)
Pluggable Trust Algorithms• Each algorithm is a self-contained module
module.exports = {name:’My First Algo', alg:my_algo};
• Loaded by service monitor on bootstrap
• Ability to enable/disable a trust management algorithm
• Simple Average
• Moving Average
• Lower Trusted Service Access Denied
![Page 22: End-to-End Security Policy Auditing and Enforcement in ... · • Action: READ/WRITE • Environment • Conditions on which access is allowed or denied • Based on WSO2 Balana XACML](https://reader033.fdocuments.net/reader033/viewer/2022043003/5f83d8468ce2ec6684266247/html5/thumbnails/22.jpg)
Pluggable Authorization Algorithms
• Each algorithm is a self-contained module
module.exports = {name:’Authz Algo', authorize : simple_auth};
• Authorization decision is carried out by the authorize(from, to) function of the module
• Ability to enable multiple authorization algorithms
![Page 23: End-to-End Security Policy Auditing and Enforcement in ... · • Action: READ/WRITE • Environment • Conditions on which access is allowed or denied • Based on WSO2 Balana XACML](https://reader033.fdocuments.net/reader033/viewer/2022043003/5f83d8468ce2ec6684266247/html5/thumbnails/23.jpg)
Active Interaction Authorization Algorithms
• Simple trust level based authorization
• XACML based interaction authorization
• Resource: Target service
• User: Service invoking the target service
• Action: READ/WRITE
• Environment
• Conditions on which access is allowed or denied
• Based on WSO2 Balana XACML Implementation
![Page 24: End-to-End Security Policy Auditing and Enforcement in ... · • Action: READ/WRITE • Environment • Conditions on which access is allowed or denied • Based on WSO2 Balana XACML](https://reader033.fdocuments.net/reader033/viewer/2022043003/5f83d8468ce2ec6684266247/html5/thumbnails/24.jpg)
XACML Environment• Trust levels of the service and target
• Eg: Prevent access of services with trust level < 5
• Certain times of day the access is not allowed
• Eg: Prevent access of a service from 1100 to 1200
• Certain load levels at which access is not allowed
• Eg: Load threshold = 50%
![Page 25: End-to-End Security Policy Auditing and Enforcement in ... · • Action: READ/WRITE • Environment • Conditions on which access is allowed or denied • Based on WSO2 Balana XACML](https://reader033.fdocuments.net/reader033/viewer/2022043003/5f83d8468ce2ec6684266247/html5/thumbnails/25.jpg)
DEMO
![Page 26: End-to-End Security Policy Auditing and Enforcement in ... · • Action: READ/WRITE • Environment • Conditions on which access is allowed or denied • Based on WSO2 Balana XACML](https://reader033.fdocuments.net/reader033/viewer/2022043003/5f83d8468ce2ec6684266247/html5/thumbnails/26.jpg)
![Page 27: End-to-End Security Policy Auditing and Enforcement in ... · • Action: READ/WRITE • Environment • Conditions on which access is allowed or denied • Based on WSO2 Balana XACML](https://reader033.fdocuments.net/reader033/viewer/2022043003/5f83d8468ce2ec6684266247/html5/thumbnails/27.jpg)
Future Work
![Page 28: End-to-End Security Policy Auditing and Enforcement in ... · • Action: READ/WRITE • Environment • Conditions on which access is allowed or denied • Based on WSO2 Balana XACML](https://reader033.fdocuments.net/reader033/viewer/2022043003/5f83d8468ce2ec6684266247/html5/thumbnails/28.jpg)
SOAP Service Monitoring• Services will be implemented in Apache Axis2 Server
• A module to intercept the SOAP messages using an Axis2 handler
• The interceptor will send a request to Service Monitor to validate it based on system policies.
• Active and Passive Monitoring Modes
• Aspect Oriented Programming (AOP) based instrumentation
• Set of common service composition scenarios
![Page 29: End-to-End Security Policy Auditing and Enforcement in ... · • Action: READ/WRITE • Environment • Conditions on which access is allowed or denied • Based on WSO2 Balana XACML](https://reader033.fdocuments.net/reader033/viewer/2022043003/5f83d8468ce2ec6684266247/html5/thumbnails/29.jpg)
!!!
Service Container
SOAP Service Monitoring
Permit/DenyRequest
Invoking
Service Monitor
SOAP Service 1Interceptor
!!!
Service Container
SOAP Service 2
![Page 30: End-to-End Security Policy Auditing and Enforcement in ... · • Action: READ/WRITE • Environment • Conditions on which access is allowed or denied • Based on WSO2 Balana XACML](https://reader033.fdocuments.net/reader033/viewer/2022043003/5f83d8468ce2ec6684266247/html5/thumbnails/30.jpg)
Active Bundles in SOA• Active Bundle (AB) is a data protection mechanism
• AB exposes an API to services
• getSLA()
• authenticateChallenge()
• authenticateResponse(token, signedToken, serviceCert)
• getValue(sessionKey, dataKey)
• AB API implemented using Apache Thrift
• AB is included in the SOAP header
![Page 31: End-to-End Security Policy Auditing and Enforcement in ... · • Action: READ/WRITE • Environment • Conditions on which access is allowed or denied • Based on WSO2 Balana XACML](https://reader033.fdocuments.net/reader033/viewer/2022043003/5f83d8468ce2ec6684266247/html5/thumbnails/31.jpg)
AB-Service InteractionTrust Domain
Service B AB Interceptor
AB
![Page 32: End-to-End Security Policy Auditing and Enforcement in ... · • Action: READ/WRITE • Environment • Conditions on which access is allowed or denied • Based on WSO2 Balana XACML](https://reader033.fdocuments.net/reader033/viewer/2022043003/5f83d8468ce2ec6684266247/html5/thumbnails/32.jpg)
AB-Service InteractionTrust Domain
Service B AB Interceptor
AB Process
AB
Msg + ab_session_id
![Page 33: End-to-End Security Policy Auditing and Enforcement in ... · • Action: READ/WRITE • Environment • Conditions on which access is allowed or denied • Based on WSO2 Balana XACML](https://reader033.fdocuments.net/reader033/viewer/2022043003/5f83d8468ce2ec6684266247/html5/thumbnails/33.jpg)
AB-Service InteractionTrust Domain
Service B AB Interceptor
AB Process
AB
Msg + ab_session_id
auth_challenge()!auth_response()!
![Page 34: End-to-End Security Policy Auditing and Enforcement in ... · • Action: READ/WRITE • Environment • Conditions on which access is allowed or denied • Based on WSO2 Balana XACML](https://reader033.fdocuments.net/reader033/viewer/2022043003/5f83d8468ce2ec6684266247/html5/thumbnails/34.jpg)
AB-SOA Implementation• Services are deployed on Apache Axis2
• AB Interceptor
• Implemented as an Apache Axis2 module
• Extracts AB from the message
• Authenticates and verifies integrity of the AB
• Executes AB as an independent process
• Adds AB process information into the message context