Accenture Slides - Soa Workshop Starter Kit Web Se

ServiceOrientedArchitectureSOAWorkshopStarterKitWebServicesSecurityLastUpdated:July,2006SOAWorkshop–V2.02Copyright©2006AccentureAllRightsReserved.SOAWorkshopStarterKit–WebServicesSecuritySOAWorkshopStarterKitSponsor:DavidL.NicholsLastUpdated:July,2006Version:2.0IntentofSection:ThisdocumentlaysdescribeskeyconceptsandconsiderationsforimplementationofawebservicessecurityarchitectureIntendedAudience:Forinternalandexternaluse(Unlessotherwisedocumented)MasterDocument:7-SOA_Workshop_WS-Securityv0.2.ppt10/05/05=71808&listid=ContributionsSOAforSeniorITExecutivesWorkshop–SecuringServiceOrientedArchitectures–AnthonyRobinson,London,February,2006(nolinkprovided)ToFindAdditionalSOAcontent:–V2.03Copyright©2006AccentureAllRightsReserved.Contents•SecurityandWebServices•IndustryStandards•WS*InDetail•PlatformSupport•RecommendationsSOAWorkshop–V2.04Copyright©2006AccentureAllRightsReserved.BusinessOpportunities•Newbusinessmodels•ServiceprovidersthatprovideIdentityrelatedservices•Serviceprovidersthatprovide“traditional”value-addedservices(e.g.,HRorpayroll)whichcanbemoreeasilyintegratedintoacustomer’senterprise•Driverevenuegrowth•Improveandstreamlinetheprocessforidentifyingandacquiringnewcustomers•Streamlineabilityforcollaborationwithbusinesspartners•Costsavings•Reduceuseradministrationcoststhroughautomation•Reduceapplicationdevelopment/integrationcoststhroughreusability•Improveuserexperience•Haveasingleidentitythatcanbeusedglobally•ImprovetheoverallsecuritythroughthereductionofdatasourcesandduplicatedataSignificantopportunitiesexistfororganizationstodriverevenuegrowth,createnewbusinessmodels,realizecostsavings,andimprovetheuserexperienceleveragingSecurityconceptsSOAWorkshop–V2.05Copyright©2006AccentureAllRightsReserved.SecurityConcernsLimitsUse(Source:“WebServicesSecurity”,MarkO’Neil,2003)(Source:SCMagazine,January2004)(Source:“MakingSenseofWebServicesSecurityStandards”,GartnerAug‘03)SecurityconcernshavehistoricallybeenoneofthekeyreasonsthatbusinesseshavenottakenadvantageofthebenefitsthatWebServicesandServiceOrientedArchitectureshavetooffer:“…theprospectofsoftwarefromdifferentcompaniescommunicatingtogether,whilepowerful,isfraughtwithsecurityconcerns.”“...unlesssecurityandmanagementissuesareaddressedeffectivelytheywillholdWebServicesbackfrombecomingatrulymainstreamtechnologywithinenterpriseapplicationintegrationprojects.”“ConflictingstandardsmakeWebServicessecuritydecisionscomplexanddifficult.(Companiesshould)beginwithsimpleWebServicesdeploymentsthatsupportonlyyourcurrentbusinessneeds.”Thisisnotjustatechnologyissue.SOAWorkshop–V2.06Copyright©2006AccentureAllRightsReserved.BusinessChallenges•Mitigatingriskandensuringqualitybetweenpartiesinthecircleoftrustcanbeperformedthrough:•Definitionofbusinessstandards•Definitionofminimumrequirements•EnforcementthroughcertificationandauditsMutualConfidence(Trust)•Pooledknowledge:sharingofcustomer/identityinformation(e.g.#ofcustomers,customernames,etc...)betweenorwithinenterprises–dataprivacy•Revocationprocedures:increasedrelianceonthirdpartiesforauthentication•Fraudprotection:broadenedpotentialforfraudifanidentityisevercompromised•Securityincidentprocedures:coordinatedeffortforanalysisandcorrelationofauditlogsamongpartiesinvolvedRisk•Whoisatfaultifacriticaltransactionfailedduetofailure?Towhatextent?•Definitionofliability•DefinitionofdisputeresolutionprocessLiability•Privacylegislation:ensureprivacytermsarenotviolatedwhenfederatinganidentitybetweenenterprises•Whoinitiatedeachtransaction–audittrailbacktoinitiatinguser.ComplianceKeyfactorsforwidespreadadoptionofwebservicesincludetheidentificationofsoundbusinessmodelsandmoreexperiencewiththecontractualframeworksthatdefinetrustrelationships.MostcurrentimplementationsareinternalthoughthisischangingSOAWorkshop–V2.07Copyright©2006AccentureAllRightsReserved.WhatareYOURSecurityRequirements?Non-RepudiationConfidentialityIntegrityIdentificationAuthenticationAdministrationAuthorizationAccountabilityThereareseveralnewbusinesschallengesthatmustbeaddressedbeforeWebServicescanbesecurelydeployedCanIensureprivacyofthetransactions(sensitivebusiness/clientdataregulatorycompliance,etc..)?CanIguaranteethattransactionsarenottamperedwith?CanIensurethatonlyauthorizedtransactionsarebeingperformedonthesystem?CanIensurethattherewillbeadequatecontrols/recordstoguaranteetheresultsofaprocessedtransaction?CanIquicklydeploynewserviceswithoutcompromisingmyinternalbusinessprocesses?CanIensurethattransactionsareonlybeingperformedbytrustedparties(sendorreceive)?SOAWorkshop–V2.08Copyright©2006AccentureAllRightsReserved.OvercomingtheSecurityBarriersAccenturehasproventhatnewstandardsandnewproductsarenowabletoprovidecustomizedsolutionstoovercomethesecuritychallengesWebServicesAccessControlEncryptionWebServicesDevelopmentPlatformsElectronicSignatureAuditingXMLFirewallsFederatedIdentityNon-RepudiationConfidentialityIntegrityIdentificationAuthenticationAdministrationAut