SOA Security Identity Authentication Authorization

Case studies on Authentication, Authorization and Audit in SOA Environments
Dr. Srini Kankanahalli
ClearAvenue, LLC
Headquartered in Columbia, Maryland
Focused on Systems Integration, Data Management, Information Security, Storage Networking, Custom Software Development
Premier IBM Business Partner
CMMI Maturity Level 3
clearAvenue, LLC is an 8(a)-certified, minority women-owned Small Disadvantaged Business
Authentication, Authorization, and Audit: The Challenge
Identity and Access Management is a major challenge for all federal agencies
The multitude of applications, legacy as well as state-of-the-art systems, poses additional challenges
The complexity of federal laws and of federal contracting regulations adds further to the problem
Comprehensive end-to-end audits across multiple systems pose a significant challenge
Layers of Security
Perimeter Defense
Control Layer
Assurance Layer
Perimeter Defense
Keep out unwanted with
• Firewalls
• Anti-Virus
• Intrusion Detection, etc.
Control Layer
• Which users can come in?
• What can users see and do?
• Are user preferences supported?
• Can user privacy be protected?
Assurance Layer
• Can I comply with regulations?
• Can I deliver audit reports?
• Am I at risk?
• Can I respond to security events?
SOA Security Encompasses All Solution Layers
Figure: SOA solution layers, with SOA security spanning every layer
Layer 5: Consumers (SCA, Portlet, WSRP, B2B, Other)
Layer 4: Business processes (process choreography)
Layer 3: Services (atomic and composite)
Layer 2: Service components
Layer 1: Operational systems (packaged applications such as SAP and Outlook; application platforms such as Unix and OS/390; custom, OO and ISV applications; supporting middleware such as MQ and DB2)
SOA Security concerns that cut across all layers:
• Authentication
• Authorization & Privacy
• Auditing
• Identity
• Confidentiality, Integrity and Availability
• Compliance
• Administration and Policy Management
Identity Management: the basis of comprehensive security
Figure: identity management functions applied to the enterprise user groups
User groups: Contractors, Customers, Systems
Functions: Provisioning, De-provisioning, User self service, User profile management
Identity Management Functions
User Provisioning and De-provisioning
• User provisioning across multiple enterprise systems poses significant challenges
• User de-provisioning is a greater challenge
• Role-based access and role management add to the complexity
• Role engineering encompasses very little “engineering” and a lot of “politics”
Implementing Role-based Access Control
Successfully implemented RBAC with role-based provisioning to legacy as well as state-of-the-art systems
A Role is a set of entitlements that has a “Business Context”
Roles are not “cast in stone,” but are derived through a “trial and error” process
Role re-factoring has to be kept in mind during the design and implementation of any RBAC system
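The provisioning, de-provisioning and role re-factoring points above, as an added example that is not part of the original presentation: a role is modelled as a set of entitlements spread over several target systems, provisioning is a reconciliation of desired against observed entitlements (so orphaned grants surface as revokes), de-provisioning revokes across every system, and a role split is only accepted when no user's effective access changes. System and permission names are constructed for the sample.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Entitlement:
    system: str       # target enterprise system (hypothetical names used below)
    permission: str   # permission granted within that system

@dataclass
class RbacModel:
    roles: dict = field(default_factory=dict)        # role name -> set[Entitlement]
    assignments: dict = field(default_factory=dict)  # user id -> set[role name]

    def effective(self, user):
        """Entitlements a user should hold: the union over all assigned roles."""
        return set().union(*(self.roles[r] for r in self.assignments.get(user, set())))

    def reconcile(self, user, observed):
        """Diff desired against what the target systems hold -> (grants, revokes)."""
        desired = self.effective(user)
        return desired - observed, observed - desired

    def deprovision(self, user, observed):
        """Drop every role; whatever any system still holds for the user must go."""
        self.assignments.pop(user, None)
        return self.reconcile(user, observed)[1]

    def split_role(self, old, parts):
        """Re-factor one role into several without changing any user's access."""
        if set().union(*parts.values()) != self.roles[old]:
            raise ValueError("re-factoring would change entitlements of " + old)
        before = {u: self.effective(u) for u in self.assignments}
        for assigned in self.assignments.values():
            if old in assigned:
                assigned.discard(old)
                assigned.update(parts)
        del self.roles[old]
        self.roles.update(parts)
        assert all(self.effective(u) == before[u] for u in before)

def demo():
    """Constructed sample: one business role spanning a CRM and a directory;
    the systems hold one grant too few and one stale mainframe grant."""
    m = RbacModel()
    m.roles["claims_processor"] = {Entitlement("crm", "case.read"),
        Entitlement("crm", "case.update"), Entitlement("ldap", "group:claims")}
    m.assignments["alice"] = {"claims_processor"}
    observed = {Entitlement("crm", "case.read"), Entitlement("mainframe", "dataset.read")}
    grants, revokes = m.reconcile("alice", observed)
    revoked_on_exit = m.deprovision("alice", observed)
    return grants, revokes, revoked_on_exit
```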
Role-based Access to Legacy and Modernized Systems
Legacy systems integration: Siebel
Federated Identity Management: The Challenge
In many situations, one federal agency has to communicate with and access data from another agency
This problem may also exist between multiple subdivisions of the same agency or organization
The solution involves building and propagating trust across boundaries using industry standards
Audits across agencies or subdivisions pose additional challenges
Federated Identity Management Across Multiple Organizations
Figure: Organization A and Organization B exchanging SAML assertions through federation entities
SOA Federated Identity Management
Figure: SAML-based federation; components shown: SAML, TFIM, LDAP, Internet, Web Service, WebSphere ND
Multi-Factor Authentication
There are multiple federal and commercial mandates for strong, multi-factor authentication
Multi-factor, certificate-based authentication architecture using IBM Tivoli Federated Identity Manager
Conclusions
We have implemented complex security patterns in multiple federal agencies
Security is multi-faceted and hence has to be carefully architected and implemented correctly
The availability of multiple point products adds to the integration complexity
Authentication, Authorization, Audit and Identity Management are all intertwined and have to be planned and implemented correctly to ensure that the “Attack Surface” of an organization is minimized