A Security Meta-Model for Service-oriented Architectures
Authors: Michael Menzel, Christoph Meinel
Hasso-Plattner-Institute, Germany
Presented by (Group 5): Fatima Yusuf, Fatemeh Fallah Adl, Joshua Weenig, Chinmay Trivedi
Outline
• Overview of Service-oriented Architecture
• Security in Service-oriented Architecture
• Motivation
• Challenges
• Vulnerabilities Introduced by Web Services
• Modeling Security in Business Processes
• Proposed Model-driven Approach for Security
• Modeling Security Requirements
• Mapping the Constraints to Security Policies
• Case Study
• Related Work
• Why a Better Solution
• Conclusion and Future Work
Overview of Service-oriented Architecture
Service-oriented architecture (SOA) is an architectural approach in which various independent services make up a system and interact with each other by exchanging messages according to a predetermined agreement mechanism.
Each service in a service-oriented architecture
- is distributed and loosely coupled
- publishes its description, that is, defines its interface and states its constraints and policies for interacting with other services
• The Web Services technology is an implementation platform for SOA
Overview (Cont.)
- SOA facilitates the successful integration of IT and business domains
- Designing business applications using SOA makes them more responsive to a changing business environment
- In an increasingly competitive business world, where business requirements and partnerships change frequently, the success of an organization mostly depends on the rapid evolution of its business applications. As SOA has become a commonly accepted and widespread concept, a method to devise and construct secure SOA-based applications is needed.

Business Process
• Presents an abstract view on organizations, workflows, and information
• Helps improve business process requirements for rapid adoption of business demands and market changes
• Business processes are represented by different visual modeling languages (e.g. BPMN)
• The business process model
  - provides a layer to explain security requirements
  - allows risks to be evaluated
Security in Service-oriented Architecture
• The growing demand for service consumption across organizational boundaries has increased the necessity of enforcing security in service-oriented architectures.
• To enforce security in SOA, various access control models and security concepts have been implemented over time.
• A standard way to secure SOA and enforce confidentiality, integrity, identification, and authentication is to
  - employ the Web Service Security approach
  - map to Web Service Security Policy
Motivation
• The advent of SOA is the emerging phase in the evolution of distributed enterprise applications on modern network-centric enterprise and policy-based systems
• SOA exposes a company's assets and resources as business services, and it helps business services adapt faster to business demands and market changes
• Security is a must!
• SOA offers a suitable base for executing business processes as a system of multiple independent services. The security risks rise exponentially with the increased collaboration of services
Challenges
• With the changes in application architecture over time, and with the distributed and loosely coupled architecture of SOA, security has become more complex
• Currently available business process modeling notations do not capture security intentions or authorization concepts, and are not adequate to lower security vulnerabilities
• Security goals need to be defined on a collaborative and common abstract level by security experts as well as business domain experts
• New vulnerabilities are introduced by data exchange via XML within a SOAP envelope
Vulnerabilities Introduced by Web Services
• Injection Flaws: occur if input is not validated
• XML Denial of Service Issues: exploit XML parser vulnerabilities
• Insecure Communications: a malicious user can steal or modify unprotected data
• Insecure Configuration: configuration errors may be harmful, as web services run on exposed, public servers
• Insufficient Authentication: Web Services that process sensitive information must require authentication
• Insufficient Logging: logs are needed to detect when a malicious user attempts to intrude
• Inadequate Testing: sensitive information can be revealed by unidentified coding flaws in Web Services
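The following is an added example, not code from the paper or the presenters: a pre-parse gate that a SOAP endpoint can run on every incoming envelope to address the XML denial-of-service and insecure-configuration items above. It rejects a message that is oversized, that carries a DTD (the vehicle for entity declarations), that nests elements too deeply, or whose root is not a SOAP Envelope, all before the message reaches the SOAP stack. The limits, the sample envelope and the function name `check_envelope` are assumptions made for this illustration.

```python
"""Pre-parse hardening checks for incoming SOAP envelopes (added example)."""
import xml.parsers.expat

SOAP_ENVELOPE_NS = {
    "http://schemas.xmlsoap.org/soap/envelope/",  # SOAP 1.1
    "http://www.w3.org/2003/05/soap-envelope",    # SOAP 1.2
}

MAX_BYTES = 64 * 1024  # example limit; derive a real one from the service's schema
MAX_DEPTH = 32         # example limit on element nesting


class _Reject(Exception):
    """Raised from an expat callback to abort parsing with a finding."""


def check_envelope(raw: bytes, max_bytes: int = MAX_BYTES, max_depth: int = MAX_DEPTH) -> list:
    """Return a list of findings for `raw`; an empty list means all checks passed.

    The function stops at the first fatal finding so that no expensive parsing
    is done on input that has already failed a cheap check.
    """
    findings = []
    if len(raw) > max_bytes:
        findings.append(f"size {len(raw)} exceeds limit {max_bytes}")
        return findings

    state = {"depth": 0, "root": None}
    # With a namespace separator expat reports element names as "uri}local".
    parser = xml.parsers.expat.ParserCreate(namespace_separator="}")

    def start_doctype(name, sysid, pubid, has_internal_subset):
        # A DTD is what makes entity expansion and external entities possible;
        # SOAP messages never need one, so reject it before the subset is read.
        raise _Reject("DOCTYPE declaration present")

    def start_element(name, attrs):
        state["depth"] += 1
        if state["root"] is None:
            state["root"] = name
        if state["depth"] > max_depth:
            raise _Reject(f"nesting depth exceeds {max_depth}")

    def end_element(name):
        state["depth"] -= 1

    parser.StartDoctypeDeclHandler = start_doctype
    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    try:
        parser.Parse(raw, True)
    except _Reject as rej:
        findings.append(str(rej))
        return findings
    except xml.parsers.expat.ExpatError as exc:
        findings.append(f"malformed XML: {exc}")
        return findings

    # Finally, the root must be a SOAP Envelope in one of the known namespaces.
    root = state["root"] or ""
    ns, _, local = root.rpartition("}")
    if ns not in SOAP_ENVELOPE_NS or local != "Envelope":
        findings.append(f"root element is not a SOAP Envelope: {root!r}")
    return findings


# Constructed sample message (not taken from the paper).
SAMPLE_OK = b"""<?xml version="1.0"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header/>
  <soapenv:Body><order><isbn>978-0-00-000000-0</isbn></order></soapenv:Body>
</soapenv:Envelope>"""

if __name__ == "__main__":
    print(check_envelope(SAMPLE_OK))                    # []
    print(check_envelope(b"<!DOCTYPE Envelope><x/>"))   # DOCTYPE finding
    print(check_envelope(b"<a>" * 40 + b"</a>" * 40))   # depth finding
```

The size and DOCTYPE checks are deliberately ordered before the depth walk, so an attacker-controlled message never causes more parsing work than its size alone justifies; the namespace check at the end is what turns this from a generic XML filter into a SOAP-specific one.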
Modeling Security in Business Processes
• Security model:
  - Add security annotations to the domain-specific model
  - Next, the information gathered in the domain-specific model is translated into a domain-independent security model
  - Verify security configurations with a formal process model related to this security model
• To secure a service, expert knowledge is needed, since a security goal can have multiple solutions
• Each security pattern formalizes a specific security goal
• Security patterns help the security model decide on appropriate security protocols and mechanisms
• Each security pattern is mapped to a specific security policy
• The goal is an enforceable security configuration
Fig: Model-driven generation of security policies [Ref. Michael Menzel, Christoph Meinel. A Security Meta-Model for Service-oriented Architectures. 2009 IEEE International Conference on Services Computing]
Proposed Model-driven Approach
- Central element: a meta-model for security in Service-oriented Architectures
- To produce precise security configurations, information from the modeling layer is assembled and mapped to the proposed model.
The proposed model explains
- the basic entities, relations and associated roles of a SOA
- specific security constraints for security goals, and provides an abstract policy model
- how the mapping to WS-Policy and WS-SecurityPolicy is performed
The model is structured as follows:
• Model for Service Interactions
  - Security Base Model
  - Modeling Digital Identities
• Modeling Security Requirements
  - Security Policy Structure
  - Specifying Security Goals
• Mapping the Constraints to Security Policies
  - Mapping to WS-Policy
  - Mapping to WS-SecurityPolicy
Security Base Model
The model consists of
• Objects: an object is a set of attributes that participates in interactions. Example: web service / web service client. Objects are bound to a medium and interact with it to exchange information.
• Medium: interactions are performed on a medium that is related to the objects. Example: TCP/IP network
• Interactions: involve the exchange of information, which can be done through SOAP messages.
Modeling Message Exchange
The data transfer object is added to the security base model as follows:
• Data Type
  - specifies the data transfer object,
  - defines its structure by using a schema, like XML Schema,
  - is connected to information.
• Interaction Type
  - describes and specifies the interaction,
  - contains the set of data types and the message exchange pattern.
Modeling Message Exchange (Cont.)
Data Transfer Object
• A data transfer object ‘
  - is responsible for serializing itself into some format that will go over the wire,
  - contains issuer and target, and it can be sent over several objects that act as intermediaries,
  - applies to enable a detailed description of transferred information,
  - describes more than fields and the getters and setters for them,
  - allows us to move several pieces of information and messages over a network in a single call.’
• A data transfer object represents serialized information, is information itself, and can also contain information.
Mapping the Model to SOAP
• A SOAP envelope is a data transfer object that contains different message parts, which are data transfer objects themselves.
• A SOAP header is a data transfer object.
• The recursive structure of the message exchange model and the use of data transfer objects facilitate the description of a SOAP message and its message parts.
• For instance, in the case of Web Service technology, WS-Addressing would be used to represent the issuer and target in SOAP messaging.
Modeling Digital Identities
• Objects operate on behalf of an organization or person in a technical system, which we refer to as a Subject.
• In the digital world, a subject is described by a set of subject attributes that are stored in an account managed by an identity provider.
• Subjects have multiple digital identities registered with different identity providers, for instance email providers or shopping sites on the internet.
• In order to use services, authenticating and authorizing a subject is required.
• This information is represented by a credential that contains a set of claims about the subject and authentication information.
• A credential is created and asserted by an issuer, whose identity can be verified by the authentication information in the credential.
Modeling Digital Identities (Cont.)
Roles in SOA
• Objects act in the digital world on behalf of subjects.
• Subjects and objects can act in different roles.
• Services are objects that offer capabilities on behalf of service providers.
• Service consumers can interact with these services, impersonating a user.
• An identity provider is a subject that manages the digital identities of other subjects and is impersonated by a security token service, which is a specialization of a service.
Modeling Security Requirements
• Relates the general structure of a security policy to the other entities of the model
• Security policies in loosely coupled systems
• Security policy models
• Security constraints
• Mapping the constraints to security policy models
Security Constraints
• The security policy defines a general structure to group and describe the following security constraints:
  - Identification
  - Authentication
  - Confidentiality
  - Integrity
Fig: Identification and Authentication Constraints and their Claim Types
Mapping the Constraints to Security Policies
• This section discusses how security configurations are generated in the authors' model-driven approach, using
  - Mapping to WS-Policy
  - Mapping to WS-SecurityPolicy
Mapping to WS-Policy
• Policy assertions
• WS-Policy
• WS-Policy expressions
• The paper provides an algorithm to convert WS-Policy expressions into their disjunctive normal form, which enables a direct mapping to the authors' model
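To make the disjunctive normal form concrete, here is an added example (not the paper's algorithm, and not code from the authors) that applies the WS-Policy 1.5 normalization rules: `wsp:Policy` and `wsp:All` form the cross product of their operands' alternatives, `wsp:ExactlyOne` forms their union, and `wsp:Optional="true"` on an assertion is shorthand for a choice between the assertion and nothing. The result is the list of policy alternatives, each a list of assertion names, which is the form that is then mapped to the model. The sample policy is constructed for the illustration, and nested policies inside an assertion (such as a binding's own `wsp:Policy`) are treated as opaque.

```python
"""Normalize a WS-Policy expression into disjunctive normal form (added example)."""
import itertools
import xml.etree.ElementTree as ET

WSP_NS = "http://www.w3.org/ns/ws-policy"  # WS-Policy 1.5 namespace
SP_NS = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"  # WS-SecurityPolicy 1.2
WSP_POLICY = f"{{{WSP_NS}}}Policy"
WSP_ALL = f"{{{WSP_NS}}}All"
WSP_EXACTLY_ONE = f"{{{WSP_NS}}}ExactlyOne"
WSP_OPTIONAL = f"{{{WSP_NS}}}Optional"


def _alternatives(elem):
    """Return the alternatives of `elem`: a list of alternatives, each a list of assertion tags.

    Read as ExactlyOne(All(alt_1), All(alt_2), ...), which is the normal form.
    """
    if elem.tag in (WSP_POLICY, WSP_ALL):
        # All: every operand must hold, so combine one alternative from each
        # operand (cross product). An empty All is one alternative with no assertions.
        result = [[]]
        for child in elem:
            result = [a + b for a, b in itertools.product(result, _alternatives(child))]
        return result
    if elem.tag == WSP_EXACTLY_ONE:
        # ExactlyOne: any operand may hold, so take the union of the operands'
        # alternatives. An empty ExactlyOne has no alternative at all.
        result = []
        for child in elem:
            result.extend(_alternatives(child))
        return result
    # Anything else is an assertion leaf; its nested policy (if any) is left opaque.
    alts = [[elem.tag]]
    if elem.get(WSP_OPTIONAL, "false").strip().lower() == "true":
        # wsp:Optional="true" == ExactlyOne(All(assertion), All())
        alts.append([])
    return alts


def normalize(policy_xml: str):
    """Parse `policy_xml` and return its alternatives in a deterministic order."""
    root = ET.fromstring(policy_xml)
    return sorted(sorted(alt) for alt in _alternatives(root))


# Constructed sample: either transport security (with an optional SignedParts
# assertion) or an asymmetric binding.
SAMPLE_POLICY = f"""<wsp:Policy xmlns:wsp="{WSP_NS}" xmlns:sp="{SP_NS}">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:TransportBinding/>
      <sp:SignedParts wsp:Optional="true"/>
    </wsp:All>
    <sp:AsymmetricBinding/>
  </wsp:ExactlyOne>
</wsp:Policy>"""

if __name__ == "__main__":
    for alt in normalize(SAMPLE_POLICY):
        print([tag.rpartition("}")[2] for tag in alt])
```

Run on the sample, the three alternatives are `[AsymmetricBinding]`, `[SignedParts, TransportBinding]` and `[TransportBinding]`; a requester satisfies the policy by choosing any one of them in full, which is exactly why the mapping in the paper works on normalized alternatives rather than on the nested expression.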
Mapping to WS-SecurityPolicy
• WS-SecurityPolicy defines a set of assertions for use in WS-Policy to express the security requirements of
  - WS-Security
  - WS-Trust
  - WS-SecureConversation
WS-SecurityPolicy: Security Bindings based on Security Patterns
• Transport Binding
  - requires a secure channel at the transport layer
• Symmetric Binding
  - encryption and signature with the same token for incoming and outgoing messages
• Asymmetric Binding
  - encryption and signature with different tokens for incoming and outgoing messages
Case Study
• Online bookstore: the example demonstrates a simple service composition for online ordering of a book.
Case Study (Cont.)
• The Online Book Store uses a payment service provided by another service provider.
• Payment Service Provider requirement: credit card data asserted by the user's bank.
• Assumptions:
  - The user is registered with a bank
  - The bank acts as identity provider and confirms the user's bank information when required.
• Security requirements:
  - Authentication of the user by the Payment Service; authentication of the third party is done by the payment service.
  - Confidentiality of the information exchanged.
Mapping the Scenario to the Model
The entities of this example can be mapped directly to the proposed base model:
• Four objects participate in three interactions with other objects.
• Interaction is done through DTOs (SOAP messages), as Web Service technology is used.
• The four objects correspond to four subjects, as described in the roles of SOA:
  - Service consumer: Customer/Client
  - Service providers: Online Book Store, Payment Service
  - Identity provider: Bank/Issuer, which handles the service consumer's digital identity
• The customer authenticates at the identity provider and gets a credential to access the service.
Expressing SOA Security Constraints
Security goals are specified by security constraints
• As mentioned before, the following security constraints should be met in the scenario:
  - Authentication (required by the Payment Service)
  - Identification (required by the Payment Service)
  - Confidentiality (required by the Data Transfer Object)
Expressing SOA Security Constraints (Cont.)
Authentication Constraint. For this example:
• The Money Transfer Service requires authentication, provided by a SAML token.
• The SAML token is provided by the identity provider (Bank) to the service user.
• The DTO will contain the request and will also contain the SAML token.
Expressing SOA Security Constraints (Cont.)
Confidentiality Constraint. For this example:
• The Online Book Store requires confidentiality, provided by WS-Security and asymmetric key cryptography.
• Asymmetric key cryptography requires the public key of the Online Book Store.
• The public key of the Online Book Store is the credential required by the confidentiality constraint.
• Data Type: SOAP Body
• DTO: will contain the Order Message
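As an added example covering the authentication and confidentiality constraints of the last two slides (not code from the paper or the presenters), the two constraints are written as small data classes and evaluated against a DTO, here a WS-Security SOAP message. The authentication check looks for a SAML assertion in the `wsse:Security` header whose issuer is the identity provider named in the constraint (Bank); the confidentiality check requires that the named message part (the SOAP Body) contains nothing but `xenc:EncryptedData` and that its `ds:KeyName` names the key owner the constraint requires (the Online Book Store). Both checks are structural: the signature and decryption themselves are verified by the WS-Security stack, and the constraints here decide whether the message even carries what the policy demands. In the case study the two constraints belong to different interactions; for brevity the sample message, the class and function names, and the key owner and issuer strings are constructed for this illustration and apply both to one message.

```python
"""Evaluate case-study security constraints against a WS-Security message (added example)."""
from dataclasses import dataclass
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


@dataclass(frozen=True)
class AuthenticationConstraint:
    """The requester must present a SAML assertion issued by `issuer` (the identity provider)."""
    issuer: str


@dataclass(frozen=True)
class ConfidentialityConstraint:
    """The message part `part` must be encrypted for `key_owner` (the credential holder)."""
    part: str       # "Body" in the case study
    key_owner: str  # service whose public key the confidentiality constraint requires


def check_authentication(root, c: AuthenticationConstraint) -> bool:
    # Accept if any SAML assertion in the security header was issued by the required issuer.
    for assertion in root.findall("soap:Header/wsse:Security/saml:Assertion", NS):
        issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS)
        if issuer.strip() == c.issuer:
            return True
    return False


def check_confidentiality(root, c: ConfidentialityConstraint) -> bool:
    part = root.find(f"soap:{c.part}", NS)
    if part is None:
        return False
    children = list(part)
    # The part must consist solely of encrypted content: no clear-text siblings.
    if len(children) != 1 or children[0].tag != f"{{{NS['xenc']}}}EncryptedData":
        return False
    key_name = children[0].findtext("ds:KeyInfo/ds:KeyName", default="", namespaces=NS)
    return key_name.strip() == c.key_owner


def evaluate(message_xml: str, constraints) -> dict:
    """Return {constraint label: satisfied?} for every constraint."""
    root = ET.fromstring(message_xml)
    results = {}
    for c in constraints:
        if isinstance(c, AuthenticationConstraint):
            results[f"authentication:{c.issuer}"] = check_authentication(root, c)
        elif isinstance(c, ConfidentialityConstraint):
            results[f"confidentiality:{c.part}"] = check_confidentiality(root, c)
    return results


CASE_STUDY_CONSTRAINTS = [
    AuthenticationConstraint(issuer="Bank"),
    ConfidentialityConstraint(part="Body", key_owner="OnlineBookStore"),
]

# Constructed compliant message: SAML token from the Bank, Body encrypted for the store.
COMPLIANT_MSG = f"""<soap:Envelope xmlns:soap="{NS['soap']}" xmlns:wsse="{NS['wsse']}"
  xmlns:saml="{NS['saml']}" xmlns:xenc="{NS['xenc']}" xmlns:ds="{NS['ds']}">
  <soap:Header>
    <wsse:Security>
      <saml:Assertion ID="_constructed-1">
        <saml:Issuer>Bank</saml:Issuer>
        <saml:Subject><saml:NameID>customer-42</saml:NameID></saml:Subject>
      </saml:Assertion>
    </wsse:Security>
  </soap:Header>
  <soap:Body>
    <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Content">
      <ds:KeyInfo><ds:KeyName>OnlineBookStore</ds:KeyName></ds:KeyInfo>
      <xenc:CipherData><xenc:CipherValue>Y29uc3RydWN0ZWQ=</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </soap:Body>
</soap:Envelope>"""

# Constructed non-compliant message: no token, order sent in clear text.
PLAINTEXT_MSG = f"""<soap:Envelope xmlns:soap="{NS['soap']}">
  <soap:Header/>
  <soap:Body><order><isbn>978-0-00-000000-0</isbn></order></soap:Body>
</soap:Envelope>"""

if __name__ == "__main__":
    print(evaluate(COMPLIANT_MSG, CASE_STUDY_CONSTRAINTS))
    print(evaluate(PLAINTEXT_MSG, CASE_STUDY_CONSTRAINTS))
```

The point of keeping the constraints as data rather than as hard-coded checks is the one the model makes: the same constraint objects can be produced from the security model and mapped to WS-SecurityPolicy assertions, while the evaluation stays independent of the particular service.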
Related Work
• OASIS Consortium: "Reference Architecture for SOA"
  - Provides a set of models and views to describe entities and roles in an SOA.
  - Focused on high-level concepts: social structures and real-world effects resulting from service invocations.
  - No consideration of dependencies on security-related aspects at the technical layer.
• A methodology for security engineering in service-oriented architectures (Ruth Breu and Michael Hafner)
  - Security requirements modelled in a domain-specific language are converted to a domain-independent language to generate security policies.
  - Generic framework to express security goals in a domain-specific language.
  - Transformation to authorisation constraints.
  - No mapping to WS-SecurityPolicy.
  - No consideration of Web Service characteristics like claim-based identities.
Related Work (Cont.)
• SecureUML and UMLsec
  - SecureUML: access control and confidentiality for server-based applications.
  - UMLsec: communication-based security goals like confidentiality.
  - No link to business processes and related security requirements in SOA.
• Work by Nagaratnam: business processes
  - Gives an approach to express, monitor and manage security requirements on different enterprise and architectural levels.
  - No detailed analysis of security goals, their models and their relationship with business-process-related entities.
• The above issue is addressed by Rodríguez
  - Links security requirements with business processes.
  - Provides graphical elements to richly depict a process model with related security requirements.
  - Does not provide a security model to support model-driven generation of security policies.
Why a Better Solution
• The proposed model exposes dependencies on security-related features at the technical layer.
• The model comprises specific Web Service characteristics such as claim-based identities and specifies a mapping to WS-SecurityPolicy.
• In a Service-oriented Architecture, the model specifies the links to business processes and related security requirements.
• It provides a complete security model for supporting model-driven generation of security policies.
Conclusion and Future Work
To enforce security configurations, security requirements and parameters are translated into a security model, which is mapped to various policy specifications.
• The proposed model specifies the following for a SOA:
  - the entities, relations and associated roles
  - a platform to model interactions and information exchange
  - identity information: participants and claim-based digital identities
• A policy model is introduced to group and add security requirements; its effects on objects, DTOs and interactions are outlined
• Specific security constraints for security goals state specific security requirements
• The applicability of the model is tested by mapping it to WS-Policy and WS-SecurityPolicy
• In future, to enable automated reasoning, the proposed model may be used to identify the requirements of the security patterns.
References
• M. Menzel and C. Meinel. A Security Meta-Model for Service-oriented Architectures. In 2009 IEEE International Conference on Services Computing, 2009.
• M. Menzel, I. Thomas, and C. Meinel. Security Requirements Specification in Service-oriented Business Process Management. In ARES, 2009.
• C. Ouyang, W. M. van der Aalst, M. Dumas, and A. H. M. ter Hofstede. Translating BPMN to BPEL. BPM Center Report BPM-06-02, 2006.
• J. A. Estefan, K. Laskey, F. G. McCabe, and D. Thornton. Reference Architecture for Service Oriented Architecture Version 1.0. OASIS Public Review Draft, April 2008.
• D. Basin, J. Doser, and T. Lodderstedt. Model Driven Security for Process-Oriented Systems. In SACMAT '03: Proceedings of the 8th ACM Symposium on Access Control Models and Technologies, 2003.
• J. Jürjens. UMLsec: Extending UML for Secure Systems Development. In UML '02: Proceedings of the 5th International Conference on The Unified Modeling Language, pages 412–425, 2002.
Thank You
Any Questions?