7/31/2019 Security Technology the Latest1888
1/12
Security technology, the latest & greatest(?)
March 23, 2004
Alan Harbitter, Ph.D., CTO, PEC Solutions, [email protected]

Security issues in a service-oriented architecture
GJXDM 3.0 security metadata
Underlying need for PKI
Service Oriented Architecture: Whut tha?
[Diagram: a Sheriff's database and a Court database, each describing its services in WSDL and publishing them to a UDDI Registry of Services, exchanging SOAP/XML over HTTP across the Internet or an intranet. Speech bubbles: "I have info you might be interested in!" and "So do I!"]
Security Demands for the SOA
Confidentiality: protect specific fields and documents in XML
Integrity: information is valid and undisturbed
Availability: critical services remain up and running
Authentication: know who you're talking to on an enterprise-wide basis
What's Available and Why It's Lacking
SSL: indiscriminately covers an entire session, and only on a user-to-server basis
Digital signature: good, but relies on interoperable PKIs
Dumb firewalls: only look at the network level and miss the threat
UserID/password: still the most common way to get access; no enterprise-wide standardization; no accommodation for role-based access control; lightweight security
What We Need
Fine-grained encryption in web services
Enterprise standards for digital credentials: a law enforcement standard for digital credentials
Application-aware firewalls
Cooperation among PKI owner-operators
Mature standards and tools for developers
Peace on Earth
Standards-based approaches: SAML
OASIS standard based on XML
Includes assertions for:
  Authentication (e.g., I authenticated through RISS or ARJIS)
  Attributes (e.g., I'm a member of ATIX)
  Authorization
Extensible
Incorporates XML digital signature standards
It's pretty new (version 1.1 is under consideration)
Source: Assertions and Protocol for the OASIS Security Assertion Markup Language (SAML), OASIS Standard, 5 November 2002
Security in GJXDM 3.0

Element (type): description

SecurityMetadata (SecurityMetadataType, extends SuperType): Describes security information and classification on information.
SecurityClassificationInitial (ClassificationType, extends SuperType): Details about the original classification of information.
SecurityClassificationCurrent (ClassificationType, extends SuperType): Details about the current classification of information.
SecurityDeclassification (ClassificationType, extends SuperType): Details about the declassification of information.
SecurityClassificationDowngrade (ClassificationType, extends SuperType): Details about downgrading the level of classification of information.
SecurityClassificationUpgrade (ClassificationType, extends SuperType): Details about upgrading the level of classification of information.
SecurityControlText (TextType): A SCI control system or systems that may be applicable to a document, e.g., SI, TK, NONE.
SecurityFGIText (TextType): Foreign government distribution information or country codes included in a United States controlled document, e.g., "FGI, AUS, DEU", "FGI, DEU, GBR, NATO", "FGI".
SecurityFGICode (j-iso_3166:CountryAlpha3Code): A code that identifies foreign government distribution information included in a United States controlled document.
SecurityDisseminationText (TextType): Dissemination control markings as designated by the CAPCO Classification Markings Register, e.g., NOFORN, ORCON, FOUO, SETTEE.
SecurityForeignReleasabilityText (TextType): The foreign releasability of information.
SecurityLevelText (TextType): A level of security of information, e.g., personal, supplier proprietary.
SecurityLevelCode (j-dod:SecurityLevelCodeType): A code identifying a level of security of information, e.g., personal, supplier proprietary.
SecurityNonICMarkingsText (TextType): Non-Intelligence Community markings authorized for use by entities outside of the Intelligence Community as designated by the CAPCO Classification Markings Register, e.g., SPECAT, SIOP-ESI, SENSITIVE INFORMATION, LIMDIS.
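A worked example added here (not from the slides or from GJXDM itself): a small parser for the dissemination and FGI elements listed above, plus an illustrative release check a sharing gateway could apply before handing a document to a partner. The namespace URI, the sample instance and the decision rules are constructed assumptions, not the GJXDM schema or CAPCO policy.

```python
# Added example (not from the slides or GJXDM): parse GJXDM 3.0 SecurityMetadata
# markings and make an illustrative release decision. Element names follow the
# table above; namespace URI, sample instance and rules are constructed assumptions.
import re
import xml.etree.ElementTree as ET

NS_URI = "urn:example:gjxdm-3.0-sample"  # assumed placeholder, not the real GJXDM namespace
NS = {"j": NS_URI}

# Constructed sample instance: NOFORN + ORCON controls, FGI provided by GBR.
SAMPLE = f"""<j:SecurityMetadata xmlns:j="{NS_URI}">
  <j:SecurityDisseminationText>NOFORN, ORCON</j:SecurityDisseminationText>
  <j:SecurityFGIText>FGI, GBR</j:SecurityFGIText>
  <j:SecurityFGICode>GBR</j:SecurityFGICode>
</j:SecurityMetadata>"""


def parse_security_metadata(xml_text):
    """Return {'markings': dissemination markings, 'fgi': sorted country codes}."""
    root = ET.fromstring(xml_text)

    def text_of(name):
        el = root.find(f"j:{name}", NS)
        return (el.text or "").strip() if el is not None else ""

    markings = {m.strip().upper() for m in text_of("SecurityDisseminationText").split(",") if m.strip()}
    # SecurityFGIText mixes the literal "FGI" tag with country codes; keep only the codes.
    fgi = {t.upper() for t in re.split(r"[,\s]+", text_of("SecurityFGIText")) if t and t.upper() != "FGI"}
    if text_of("SecurityFGICode"):
        fgi.add(text_of("SecurityFGICode").upper())
    return {"markings": markings, "fgi": sorted(fgi)}


def release_decision(meta, recipient_country, originator_approved=False):
    """Return (allowed, reasons). Illustrative rules; fails closed on malformed codes."""
    for code in meta["fgi"]:
        if not re.fullmatch(r"[A-Z]{3}", code):  # ISO 3166 alpha-3 expected
            return False, [f"malformed country code {code!r}"]
    reasons = []
    if "NOFORN" in meta["markings"] and recipient_country != "USA":
        reasons.append("NOFORN: no release to non-US recipients")
    if "ORCON" in meta["markings"] and not originator_approved:
        reasons.append("ORCON: originator approval required")
    if meta["fgi"] and recipient_country not in ("USA", *meta["fgi"]):
        reasons.append("FGI: only the US and the providing government(s) may receive it")
    return not reasons, reasons
```

The check refuses rather than guesses when a country code is malformed, which is the behaviour you want at a trust boundary where the metadata came from another agency.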
PKI: a complex mixture of people, process, and computers
[Diagram: Certification Authority, Registration Authority, End User, Certification Authority Facility, and Directory.]
You're all going to need PKI
[Diagram: a WS-Security XML message carrying SAML assertions, shown as numbered lines [s01] through [s17]; the visible values j6lwx3rvEPO0vKtMup4NbeVu8nk= and MC0CFFrVLtRlk=... are the DigestValue and the (truncated) SignatureValue of the XML Signature. Annotation: "Trustable signatures needed here and here", pointing at two places in the message.]
Summary and Closing Remarks
If there's one thing that's secure, it's my job
Increased emphasis on sharing complicates security
Assurance level is still not measurable
Security tools and standards are emerging, but struggling to keep up
Fear not, there are ways to implement good security solutions
PKI: Now, more than ever

References:
http://www.ijis.org/library/reports/infosec4ijis3-19-02.pdf