SOA Security Management
Security is still hardwired into organizational silos: network security, perimeter security, desktop security, server security and application security. Point solutions each solve part of the problem, but they do not work in unison, so they cannot appreciably lower system risk, improve platform integrity, or mitigate the risk that comes with broadening access. The lack of integrated security management is therefore a significant inhibitor to SOA adoption.
The transformation to Service Oriented Architecture (SOA) is driven by the need for companies to become On Demand businesses. Through reusability, componentization and simplified process integration, SOA delivers agility and adaptability. By definition SOA integrates applications, processes and technologies across companies and across security and trust domains. Web Services have become the de facto integration technology for realizing SOA.
One of the critical challenges facing organizations deploying SOA is security. SOA adoption introduces new challenges in security integration, identity and security management:
- Multiple Application Platforms (WebSphere, Microsoft or SAP)
- Multiple Security Domains (internal, external, business unit silos, extranet)
- Multiple Security Credentials (Kerberos, SAML, WS-Security, RACF)
- Multiple Protocols (SOAP, HTTP/S, JMS, MQ)
- Lack of "thread of identity" across the services context
Composite Applications must deal with the challenges of independent security and identity silos. The security solution needs to secure end-user interactions as well as service interactions (application to application). Security management needs to provide a unified view of the customer for the composite application, and the "thread" of user identity needs to be preserved end to end for auditing and compliance purposes.
The challenges of security integration across application platforms, business services and infrastructure require new forms of security and identity services that enable SOA applications to consume "security as services". This "Security Services layer" needs to be an integral part of Service Management. The IBM Tivoli security products that together deliver the security services view for SOA applications are:
- IBM Tivoli Access Manager for e-business (TAM eb)
- IBM Tivoli Access Manager for Business Integration (TAM BI)
- IBM Tivoli Federated Identity Manager (TFIM)
Authentication services
Authentication Services deliver identity and authentication services for passive clients (browser-based) as well as active or rich clients such as desktops, portals and business integration components. IBM Tivoli Access Manager for e-business and IBM Tivoli Federated Identity Manager combine to offer core authentication services for HTTP, SOAP, MQ and message-based clients. Supporting open standards such as WS-Security, XML Digital Signature, XML Encryption and SAML, the authentication services cover both transport-level security (SSL/TLS) and message-level security (WS-Security).
Secure access to web services resources has largely been based on transport-level security (for confidentiality) such as Secure Sockets Layer/Transport Layer Security (SSL/TLS). IBM Tivoli Access Manager for e-business (TAM-eB) extends what transport-level security offers by authenticating and authorizing requests on the basis of the transport credentials through its reverse proxy/web plug-in components (for example, using mutually authenticated SSL both to build a confidential transport and to authenticate the requester). Transport security protects a single hop only; once a request crosses an intermediary such as a gateway or a queue, message-level security is needed to carry the credential and protect the payload end to end.
IBM Tivoli Access Manager for Business Integration is a product specifically designed to deliver end-to-end, policy-driven security management for WebSphere MQ (MQSeries) transactions. TAM for Business Integration supports authentication, access control and non-repudiation for MQ-enabled SOA environments, securing queue messages both at rest and in transit between SOA elements.
IBM Tivoli Federated Identity Manager (TFIM) builds on TAM-eB to deliver integrated security management for SOAP Web Services. TFIM acts as both a "Policy Enforcement Point" and a "Policy Decision Point" for SOA. As a Policy Decision Point, TFIM integrates authentication services across diverse application platforms and protocols using WS-Trust, so a single, implementation-independent web services security policy can be applied across the enterprise regardless of the underlying transport protocol.
IBM Tivoli Federated Identity Manager supports message-based security for SOA using WS-Security profiles.
Identity federation services
Federated identity is a technology for brokering identities between companies or business units. The concept is nothing new as we have real world models for federated identities of individuals - a passport is a global identity credential that vouches for one's identity in a country; a bank card is a credential that vouches for one's bank account; a driver's license vouches for one's ability to operate a motor vehicle and is also frequently used as a proof of identity in many business transactions.
Federated identity management is the set of business agreements, technical agreements and policy agreements that enable companies to partner to lower their overall identity management costs and improve user experience. It leverages the concept of a portable identity - the idea that your identity is not bound to a specific credential - to simplify the administration of users in a federated business relationship. Federation simplifies integration because there is a common way to share identities between companies and manage user sessions.
Identity Federation services within an SOA ensure that users have simplified access and single sign-on to the composite application environment. IBM Tivoli Federated Identity Manager implements identity federation services using standards from the Liberty Alliance and WS-Federation. Identity Federation services provide simplified user account management: they enable end users to link their individual sign-on accounts across businesses and applications, preserve the privacy of user identity in third-party transactions, and deliver a mechanism to acquire explicit user consent (an opt-in model) for federated business models. Identity Federation services simplify SOA security management by enabling organizations to securely link their identity infrastructure with their partners' without replicating user accounts. IBM Tivoli Federated Identity Manager implements the Liberty, SAML and WS-Federation standards, which simplifies the administration and lifecycle management of user identities and provides a simple, loosely coupled model for managing identity and access to resources that span companies or security domains.
Session management services
Because SOA transactions originate across various channels and protocols, it is important to have a common session management service that gives the various SOA components a "common view" of the current user session. That data can be used for single sign-on, single sign-off, auditing and reporting, and it lets the services apply policies such as inactivity timeouts and "three strikes and out" lockouts consistently across all access channels. IBM Tivoli Access Manager for e-business implements a centralized session management service.
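As an added illustration (example code, not IBM Tivoli's), the following Python sketches a session service of the kind described above: one store that every channel consults, with an inactivity timeout, a three-strikes lockout whose failure count is shared across channels, and single sign-off. The channel names, the policy values and the explicit `now` parameter are assumptions made for the example.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    """One user session; every channel that presents its id sees the same record."""
    user: str
    created: float
    last_seen: float
    channels: set = field(default_factory=set)


class SessionService:
    """Single session store consulted by every policy enforcement point.

    Time is passed in explicitly (seconds) so behaviour is deterministic and testable;
    a deployment would pass time.time(). The policy values are assumed defaults.
    """

    def __init__(self, inactivity_timeout=900, max_failures=3, lockout_seconds=600):
        self.inactivity_timeout = inactivity_timeout
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self._sessions = {}       # session id -> Session
        self._failures = {}       # user -> consecutive failed logins, across all channels
        self._locked_until = {}   # user -> time at which the lockout expires

    def is_locked(self, user, now):
        until = self._locked_until.get(user, 0)
        if now < until:
            return True
        if until:                                  # lockout has expired: clear the state
            del self._locked_until[user]
            self._failures.pop(user, None)
        return False

    def login(self, user, channel, now, credentials_ok):
        """Return a new session id, or None. The caller has already checked the
        credential; the service only applies the cross-channel lockout policy."""
        if self.is_locked(user, now):
            return None
        if not credentials_ok:
            self._failures[user] = self._failures.get(user, 0) + 1
            if self._failures[user] >= self.max_failures:
                self._locked_until[user] = now + self.lockout_seconds
            return None
        self._failures.pop(user, None)
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user, now, now, {channel})
        return sid

    def validate(self, sid, channel, now):
        """Return the user bound to sid, or None if the session is unknown or has been
        idle too long. A valid id from any channel is single sign-on on the others."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if now - s.last_seen > self.inactivity_timeout:
            del self._sessions[sid]                # expired: treat as logged off everywhere
            return None
        s.last_seen = now
        s.channels.add(channel)
        return s.user

    def logoff(self, sid):
        """Single sign-off: removing the record ends the session on every channel."""
        return self._sessions.pop(sid, None) is not None

    def channels(self, sid):
        s = self._sessions.get(sid)
        return sorted(s.channels) if s else []
```

Every enforcement point calls `login` or `validate` with its own channel name. Because the failure counter and the session record live in one place, a lockout triggered by bad passwords over SOAP also blocks HTTP logins, and a logoff from the portal ends the MQ-side session at its next `validate`.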
Authorization services
Authorization Services ensure that SOA components can apply consistent authorization policies to Web/HTTP/Java resources, Web Services and SOAP (WSDL) resources, MQ resources (queues and queue managers) and even core infrastructure platforms such as UNIX and Linux servers. Authorization Services in an SOA ensure that a common authorization abstraction model lets application platforms such as WebSphere, Microsoft .NET, BEA and SAP apply fine-grained authorization to these resource types. IBM Tivoli Access Manager for e-business implements a centralized policy service for SOA elements, enabling business owners to delegate authorization decisions to a policy server deployed in the SOA environment. Authorization Services also help application developers use standard development tools such as Eclipse or Rational by providing standards-based APIs.
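The following added example (illustrative Python, not the Tivoli policy server or its APIs) shows what a common authorization abstraction looks like in practice: one protected-object tree with ACLs inherited down the hierarchy, and thin policy enforcement points for HTTP, SOAP and MQ that map their own resource names onto it. The `/WebSEAL`, `/WebServices` and `/MQ` path prefixes, the permission letters and the sample users and ACLs are invented for the example.

```python
import posixpath


class PolicyServer:
    """Central policy decision point: one protected-object tree for every resource kind.

    An ACL attached to a node governs the whole subtree until a deeper node attaches its
    own, so one rule written for the order-processing branch covers its URLs, SOAP
    operations and queues alike. Access is denied unless some entry grants it.
    """

    def __init__(self):
        self._acls = {}     # object path -> {principal: permission string such as "rw"}
        self._groups = {}   # user -> set of group names

    def add_user(self, user, *groups):
        self._groups[user] = set(groups)

    def attach_acl(self, path, entries):
        self._acls[posixpath.normpath(path)] = dict(entries)

    def _effective_acl(self, path):
        """Walk from the object up towards the root and return the nearest attached ACL."""
        node = posixpath.normpath(path)
        while node not in self._acls and node != "/":
            node = posixpath.dirname(node)
        return self._acls.get(node, {})

    def decide(self, user, path, perm):
        """True if the user or one of its groups holds perm on the nearest ACL."""
        acl = self._effective_acl(path)
        granted = "".join(acl.get(p, "") for p in {user, *self._groups.get(user, set())})
        return perm in granted


# Policy enforcement points: each channel maps its own resource and action onto the shared
# object space and permission alphabet (r = read/get, w = write/put, x = invoke). Paths are
# normalised before lookup so "/orders/../admin" cannot slip past an ACL attached to /admin.
HTTP_PERM = {"GET": "r", "HEAD": "r"}


def http_pep(pdp, user, host, method, url):
    return pdp.decide(user, f"/WebSEAL/{host}{url}", HTTP_PERM.get(method, "w"))


def soap_pep(pdp, user, service, operation):
    return pdp.decide(user, f"/WebServices/{service}/{operation}", "x")


def mq_pep(pdp, user, qmgr, queue, action):
    return pdp.decide(user, f"/MQ/{qmgr}/{queue}", "r" if action == "get" else "w")


def build_demo():
    """Constructed sample policy: clerks run the order flow, auditors may only read."""
    pdp = PolicyServer()
    pdp.add_user("alice", "clerks")
    pdp.add_user("bob", "auditors")
    pdp.attach_acl("/", {"auditors": "r"})
    pdp.attach_acl("/WebSEAL/shop.example/orders", {"clerks": "rw", "auditors": "r"})
    pdp.attach_acl("/WebSEAL/shop.example/admin", {"admins": "rw"})
    pdp.attach_acl("/WebServices/OrderService", {"clerks": "x"})
    pdp.attach_acl("/MQ/QM1/ORDERS.IN", {"clerks": "w", "auditors": "r"})
    return pdp
```

The point of the single tree is that the business owner reasons about one object space while each platform keeps its native notion of a resource; the enforcement points carry no policy of their own, only the mapping. Note that an ACL attached deeper in the tree replaces rather than merges with the inherited one, so the auditors' root-level read right does not reach the SOAP operations under `/WebServices/OrderService`.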
Auditing services
Common auditing services ensure that security and change-management activity across the infrastructure and the SOA platform can be instrumented, collected, archived and reported for compliance with policies and the various regulatory frameworks. Tivoli Access Manager for e-business (next version shipping in 4Q 2005) includes common auditing and reporting services based on CEI (the Common Event Infrastructure).
Security token services
SOA applications span application platforms that may use different types of security tokens to express security claims. These tokens may be binary tokens or XML tokens, and they vary between platforms. A Security Token Service translates claims between the various SOA components, such as XML firewalls, Enterprise Service, Web Services platforms (WebSphere, Microsoft .NET, SAP NetWeaver) and WebSphere Business Integrator, so that each receives a token in the format it understands.
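As an added example serving both the authentication services section above and this one (illustrative Python, not TFIM's code or its token formats), the block below implements the exchange a token service performs: a requester sends a WS-Trust 1.2 RequestSecurityToken authenticated by a WS-Security UsernameToken using the Username Token Profile 1.0 password digest; the STS checks the digest, the Created timestamp and the nonce, and answers with a RequestSecurityTokenResponse carrying a BinarySecurityToken in the target platform's format. The binary token layout, its `urn:example:` type URI, the signing key, the in-memory user registry and the fixed clock are assumptions made for the example; the namespace URIs are the WS-Security 1.0 and WS-Trust 1.2 ones.

```python
import base64, hashlib, hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Namespaces: SOAP 1.1, WS-Security 1.0 (wsse/wsu) and WS-Trust 1.2.
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
WST = "http://schemas.xmlsoap.org/ws/2005/02/trust"
PASSWORD_DIGEST = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
BASE64 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
ISSUE = WST + "/Issue"
BINARY_TOKEN_TYPE = "urn:example:hmac-binary-token"  # hypothetical: the target platform's token type
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def utc(s):
    return datetime.strptime(s, TIME_FMT).replace(tzinfo=timezone.utc)


def password_digest(nonce, created, password):
    """Username Token Profile 1.0: Base64(SHA-1(nonce + created + password))."""
    return base64.b64encode(hashlib.sha1(nonce + created.encode() + password.encode()).digest()).decode()


def build_rst(username, password, created, nonce):
    """Requester side: a WS-Trust Issue request authenticated with a WS-Security UsernameToken."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    sec = ET.SubElement(ET.SubElement(env, f"{{{SOAP}}}Header"), f"{{{WSSE}}}Security")
    ut = ET.SubElement(sec, f"{{{WSSE}}}UsernameToken")
    ET.SubElement(ut, f"{{{WSSE}}}Username").text = username
    ET.SubElement(ut, f"{{{WSSE}}}Password", Type=PASSWORD_DIGEST).text = password_digest(nonce, created, password)
    ET.SubElement(ut, f"{{{WSSE}}}Nonce", EncodingType=BASE64).text = base64.b64encode(nonce).decode()
    ET.SubElement(ut, f"{{{WSU}}}Created").text = created
    rst = ET.SubElement(ET.SubElement(env, f"{{{SOAP}}}Body"), f"{{{WST}}}RequestSecurityToken")
    ET.SubElement(rst, f"{{{WST}}}RequestType").text = ISSUE
    ET.SubElement(rst, f"{{{WST}}}TokenType").text = BINARY_TOKEN_TYPE
    return ET.tostring(env)


class SecurityTokenService:
    """Validates the XML token coming in and issues the target platform's binary token."""

    def __init__(self, registry, signing_key, max_skew=timedelta(minutes=5)):
        self.registry = registry      # username -> password; stands in for the user registry
        self.key = signing_key
        self.max_skew = max_skew
        self.seen_nonces = set()      # replay cache; a real STS ages entries out after max_skew

    def _authenticate(self, ut, now):
        username = ut.findtext(f"{{{WSSE}}}Username")
        pw = ut.find(f"{{{WSSE}}}Password")
        if pw is None or pw.get("Type") != PASSWORD_DIGEST:
            raise ValueError("only PasswordDigest tokens are accepted")  # never clear-text PasswordText
        nonce = base64.b64decode(ut.findtext(f"{{{WSSE}}}Nonce", ""))
        created = ut.findtext(f"{{{WSU}}}Created", "")
        if abs(now - utc(created)) > self.max_skew:
            raise ValueError("Created timestamp outside the allowed window")
        if nonce in self.seen_nonces:
            raise ValueError("nonce replayed")
        self.seen_nonces.add(nonce)
        password = self.registry.get(username)
        if password is None or not hmac.compare_digest(pw.text or "", password_digest(nonce, created, password)):
            raise ValueError("bad credentials")
        return username

    def _mint(self, username, now):
        """Hypothetical binary token: base64(user|issued|expires) + '.' + hex(HMAC-SHA256 over it)."""
        payload = f"{username}|{int(now.timestamp())}|{int((now + timedelta(minutes=15)).timestamp())}".encode()
        return base64.b64encode(payload).decode() + "." + hmac.new(self.key, payload, hashlib.sha256).hexdigest()

    def issue(self, rst_xml, now):
        """Claims translation: UsernameToken in, RequestSecurityTokenResponse with a BinarySecurityToken out."""
        env = ET.fromstring(rst_xml)
        rst = env.find(f"{{{SOAP}}}Body/{{{WST}}}RequestSecurityToken")
        if rst is None or rst.findtext(f"{{{WST}}}RequestType") != ISSUE or rst.findtext(f"{{{WST}}}TokenType") != BINARY_TOKEN_TYPE:
            raise ValueError("unsupported request")
        ut = env.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security/{{{WSSE}}}UsernameToken")
        if ut is None:
            raise ValueError("no UsernameToken in the Security header")
        username = self._authenticate(ut, now)
        rstr = ET.Element(f"{{{WST}}}RequestSecurityTokenResponse")
        ET.SubElement(rstr, f"{{{WST}}}TokenType").text = BINARY_TOKEN_TYPE
        requested = ET.SubElement(rstr, f"{{{WST}}}RequestedSecurityToken")
        bst = ET.SubElement(requested, f"{{{WSSE}}}BinarySecurityToken", ValueType=BINARY_TOKEN_TYPE, EncodingType=BASE64)
        bst.text = self._mint(username, now)
        return ET.tostring(rstr)

    def verify_binary_token(self, token, now):
        """Relying-party side: the username from a valid, unexpired token, else None."""
        try:
            payload_b64, mac = token.split(".")
            payload = base64.b64decode(payload_b64, validate=True)
        except ValueError:
            return None
        if not hmac.compare_digest(mac, hmac.new(self.key, payload, hashlib.sha256).hexdigest()):
            return None
        username, _issued, expires = payload.decode().split("|")
        return username if int(expires) > now.timestamp() else None


def token_from_rstr(rstr_xml):
    return ET.fromstring(rstr_xml).findtext(f".//{{{WSSE}}}BinarySecurityToken")
```

A round trip is `build_rst` on the requester, `SecurityTokenService.issue` at the STS, `token_from_rstr` to extract the issued token, and `verify_binary_token` on the platform that finally consumes it. The checks in `_authenticate` are the ones that matter in production: refusing clear-text `PasswordText`, bounding clock skew on `Created`, and caching nonces so a captured Security header cannot simply be replayed, since the digest by itself proves nothing about freshness.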
Policy services
IBM TAM-eB provides a centralized security policy service for defining and managing security policies across HTTP, SOAP (WSDL), MQ and custom resources, and for enforcing web services security policies in a regular and consistent manner. This facilitates the secure deployment of web services, allowing you to deploy web services-based applications more quickly and securely. For companies deploying Service Oriented Architecture (SOA), TFIM provides policy-based integrated security management for federated web services.
The security services approach implemented in the Tivoli security products enables SOA organizations to securely integrate their disparate security, identity and credential infrastructure using policies. While the initial adoption of Web Services was slowed by the lack of a comprehensive security infrastructure, it is now possible to deploy Web Services securely using Tivoli security software that implements the open standards named above (WS-Security, WS-Trust, SAML, Liberty and WS-Federation) for authentication, access control and federated identity.
