SOA Security

Post date: Mar 31, 2013 2:30:45 PM

Security challenges & requirements in SOA environment

The loose coupling of services and applications, and their operation across organizational boundaries, makes security more critical and challenging in an SOA environment. Applications in SOA are composed of many services available at various locations under the control of different owners, which makes the whole system more vulnerable. We can broadly categorize the challenges into two parts:

Challenges due to distributed systems

These challenges are similar to the security challenges of any web application environment, and they apply to web services too. Web services are deployed on commonly available open ports, and some firewalls are unable to detect security threats because they examine only the packet header. Some firewalls examine content, such as XML message bodies, and can use application-specific knowledge to avoid some attacks.

Challenges due to transmissions of messages

Services often exchange messages (data and documents). These messages are exchanged among various participants in a multi-hop transaction and are often inspected by intermediate parties that operate in different security zones. The data and documents may be very sensitive and are subject to security threats that cannot be controlled by a single organization.

SOA security requirements

    • Real-time, seamless integration with other organizations is a requirement, and it forces multiparty transactions. These transactions should be secured.

    • Identity should be decoupled from the services. Identities such as users and services should be identified so that appropriate security controls can be applied.

    • For composite applications, proper security controls should be put in place for each service.

    • Business data must be protected in transit and at rest.

    • Compliance with standards (these are corporate, industry, and regulatory standards, which are growing with time).

    • In SOA, services are implemented with a mix of new and old technology. Managing identity and security across these diverse systems and services is one of the most important requirements.

Examples of threats in a SOA distributed environment

Disclosure

Service level- WSDL may be published in a shared registry without security. WSDL contains information about operations, data types, values, etc., which is available to a service requester. An attacker may use this information to attack the service or the system as a whole.

Message level- If SOAP messages are passed in the clear, they can be intercepted and there is a threat of information leakage. The interception may be inadvertent, as with audit logs. An enterprise service bus may disclose the content of XML documents because the message may be cached in the clear, and the ESB administrator may have access to cached documents. This disclosure may lead to replay attacks and identity spoofing. Another target for disclosure threats is the XML schema.

Deception

Service level- An attacker may spoof the requester or the provider of a service. The attacker may take a SOAP XML request message and post it to the service provider. In this case the service provider will assume that the response to the request is being sent to a valid service requester, and sensitive information will end up in the hands of the attacker. Similarly, an attacker may spoof the identity of the service provider. In this case a service requester will post messages to the spoofed service provider and expose sensitive information.

Message level- By default, messages may be passed without an integrity check, so they can be tampered with. An attacker may use this opportunity to execute code and gain privileges and information on service requesters and providers. As a result, injection attacks using XML messages may happen.

Disruption

Service level- An attacker may execute denial of service at network level against a web service. Since there are so many protocols supported by an SOA eco-system, there may be a variety of denial-of-service vulnerabilities.

Message level- Because an SOA eco-system combines a variety of technologies (e.g., SOAP, HTTP, and XML), it is vulnerable to combinations of attacks. An attacker may create attacks based on loopholes in different technologies. The attacker may send an XML message that forces the XML parser into infinite recursion and consumes all available computing resources, causing an XML denial-of-service attack.
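One way to bound parser work before a message reaches the service, as an added example that is not part of the original post. It streams the message through expat and rejects oversized input, any DOCTYPE (where entity declarations live) and excessive nesting; the limits, the function names and the sample messages are assumptions made for the illustration.

```python
import xml.parsers.expat

MAX_BYTES = 64 * 1024  # assumed size limit for this example
MAX_DEPTH = 32         # assumed nesting limit for this example

class RejectedMessage(Exception):
    """The message violates the pre-parse policy."""

def max_depth(data: bytes) -> int:
    """Check structure only; return the deepest element nesting seen."""
    if len(data) > MAX_BYTES:
        raise RejectedMessage("message too large")
    state = {"depth": 0, "max": 0}

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # SOAP forbids a DTD in messages, so entity declarations stop here.
        raise RejectedMessage("DOCTYPE not allowed")

    def on_start(name, attrs):
        state["depth"] += 1
        state["max"] = max(state["max"], state["depth"])
        if state["depth"] > MAX_DEPTH:
            raise RejectedMessage("nesting too deep")

    def on_end(name):
        state["depth"] -= 1

    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    try:
        parser.Parse(data, True)  # handler exceptions propagate from here
    except xml.parsers.expat.ExpatError as exc:
        raise RejectedMessage(f"not well-formed: {exc}") from exc
    return state["max"]

def accepts(data: bytes) -> bool:
    try:
        max_depth(data)
        return True
    except RejectedMessage:
        return False

# Constructed sample inputs
OK_MSG = (b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
          b"<soap:Body><getQuote><symbol>ABC</symbol></getQuote></soap:Body></soap:Envelope>")
DTD_MSG = b'<!DOCTYPE m [<!ENTITY e "x">]><m>&e;</m>'
DEEP_MSG = b"<a>" * 100 + b"</a>" * 100
```

Because the handlers raise as soon as a limit is crossed, the cost of a hostile message is capped by the limits rather than by what the message asks the parser to do.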

Elevation of Privileges

Service level- An attacker may use the service registry to redirect service requests, change policy, and perform other privileged operations. A lot of information is available in the registry, such as service policy, addressing and location, quality of service, and interface information.

Message level- Viruses can be propagated through SOAP XML messages. They may contain malicious code to steal data. These viruses can usurp command through shells or otherwise. SQL Injection, LDAP Injection, XPath Injection, and XQuery Injection may be used to usurp privileges, edit user privileges, and alter schema information.

Approach to SOA security

Security access policy

Policy for protecting access for services at any SOA layer.

Policy for entitlement management and authorization.

Message level security

Message encryption, digital signature, authentication, identity propagation.

WS* standards for webservices security.

Security as a service

Security logic should not be implemented in applications. There should be centralized security policy management. Security should be available as a reusable service.

Security tools and technology

Security architecture should provide for integration with SSO, existing infrastructure and legacy applications, identity & access management tools.

There are tools developed by various vendors for SOA security which provide solutions for Entitlement and Management (centralized policy management, policy enforcement in a distributed environment).

SOA Governance

SOA governance plays a key role in creating the security road-map, policy definition and standardization.

Functions of a security system

* Identity management

* Authentication and authorization

* Message protection cryptography (encryption and signatures) and data privacy

* Security policies enforcement and decision

* Compliance with security policies

* Auditing