advertisement

Layer 7: Enterprise Security Patterns for RESTful Web Services

50 %
50 %
advertisement
Information about Layer 7: Enterprise Security Patterns for RESTful Web Services
Science-Technology

Published on November 18, 2010

Author: Layer7

Source: authorstream.com

advertisement

Enterprise Security Patterns for RESTful Web Services : Enterprise Security Patterns for RESTful Web Services Francois Lascelles Technical Director, Europe Agenda : Agenda What are RESTful web services? Why REST matters to the Enterprise? Enterprise security requirements for RESTful web services REST security patterns Moving beyond point-to-point Web services in the Enterprise : Web services in the Enterprise 3 WS-* RESTful Enterprise integration (EI) background SOAP, WSDL, UDDI Sophisticated infrastructure available today Web background Web API, SAAS,Cloud Lightweight service orientation enablers (both styles matter) Today’s Enterprise SOA landscape : Today’s Enterprise SOA landscape 4 enterprise boundary SAAS Cloud deployed services SAAS enterprise SOA Sensitive data, apps Mission critical ID authority Legacy partner REST fits the new extended Enterprise SOA : REST fits the new extended Enterprise SOA 5 Today’s enterprise SOA extends beyond the enterprise boundary Services on-premise/off-premise External service providers, partners, public APIs Multiple identity domains and authorities This distributed SOA is increasingly aligning with the web RESTful Web services as an architectural style fits this trend The enterprise consumes external RESTful web services The enterprise needs to expose its own RESTful web services Enterprise requirement: Threat protection : Enterprise requirement: Threat protection Some RESTful web services are ‘public’ and require no authentication/authorization mechanisms Regardless, all RESTful services are subject to threats Service orientation => multiplication of threats 6 Web Threats WS Threats RESTful web service threats parser attacks SQL/CODE/LDAP injections DOS, MITM, malware, buffer overflow, replay, … Enterprise requirement: Access Control : Enterprise requirement: Access Control Authentication Authorization Integration with enterprise identity infrastructure IAM, STS, LDAP Trust management Brokered authentication, federated identity Brokered authorization 7 RESTful Security : RESTful Security Security applied to RESTful web services must align with REST principles Statelessness (no server sessions, no cookies) URI uniquely identifies resources Cachable Use existing HTTP concepts like Authorization header, appropriate HTTP status codes, etc Security aware of REST concepts Access control which considers HTTP verbs, URI patterns, cache duration 8 Ex. A basic REST authorization pattern : Ex. A basic REST authorization pattern 9 Simple authorization rule based on URI pattern (resource) and HTTP Verb (action) Ex. Identity based response pattern : Ex. Identity based response pattern 10 GET /account Authorization: [joe’spasswd] <account name="joe” …> GET /account Authorization: [bob’s passwd] <account name=”bob” …> Message level integrity (?) : Message level integrity (?) WS-* transport transport headers message soap headers soap body (payload) transport transport headers resource (payload) REST Self contained message independent from transport layer Action and resource identifier in transport ? 2-party authentication/authorization : 2-party authentication/authorization 12 Requester provides its own credentials The RESTful web service controls access to resources Resource GET/PUT/POST/DELETE with credentials Requester RESTful web service SSL : SSL The ‘obvious’ fit SSL is de-facto security for the web RESTful Addresses many security requirements Confidentiality, integrity Endpoint authentication Client authentication (with ssl mutual or http basic/digest) Limitations Point-to-point PKI Burden (?) Does not provide non-repudiation 13 Proprietary schemes : Proprietary schemes Grassroots enterprise REST initiatives often rely on proprietary/point-to-point authentication schemes Browser-friendly account id in query parameters Web-style login forms and sessions Many PAAS and Web API management solutions also define their own authentication schemes Often related to their subscription model (account ids, account keys) 14 Ex. Azure storage REST API : Ex. Azure storage REST API PUT /somewhere/someresource … Authorization: SharedKey accntname:fr0t5AzM6qT3S40pBPmfrTLJwMuZurA8= … 15 HMAC signatures in Authorization header using a key associated with account Signature covers URI, certain headers and payload’s md5 Potential end-to-end integrity (although proprietary) EX. Amazon S3 REST API : EX. Amazon S3 REST API 16 PUT /somewhere/someresource … Authorization: AWS keyid:fr0t5AzM6qT3S40pBPmfrTLJwMuZurA8= … Almost the same thing (yet incompatible) Different scheme name Different string to sign order and contents 3-party access control : 3-party access control An application accesses a resource with the authorization of its owner 17 Resource provider Application Resource owner Do something with my resource Yes, I authorize it Retrieve resource with owner authorization (REST exchange) OAuth : OAuth A standard solution to a common scenario Standard protocol and authorization token User grant access to its resource, not its credentials Already implemented by numerous platforms and services: google, twitter, salesforce, … OAuth 1.0 (rfc5849) ->OAuth WRAP ->OAuth 2.0 18 GET /somewhere/someresource … Authorization: OAUTH fr0t5AzM6qT3S40pBPmfrTLJwMuZurA8= … OAuth Enterprise pattern : OAuth Enterprise pattern SaaS/PaaS composition pattern Enterprise subscribes to multiple SaaS and needs them to integrate Addresses critical challenge related to enterprise cloud adoption 19 SaaS B SaaS A Enterprise user subscribing to SaaS A and B Do something with my resource at SaaS B Yes, I authorize it SaaS A and B integrate on behalf of enterprise user through OAuth + REST OAuth Enterprise pattern : OAuth Enterprise pattern Authorize access to enterprise resource OAuth-enabled SaaS/PaaS can also retrieve resources hosted by enterprise 20 Enterprise boundary SaaS PaaS Yes, I authorize it Call back enterprise retrieves resource, through OAuth + REST Protected resource Do something with my resource at http://myenterprise Enterprise OAuth authorization server Federated authentication : Federated authentication 21 RESTful service Requester Identity Authority Authenticate, get token back Consume service with token from trusted issuer Trust relationship Requester does not have credentials recognized by service but accessed by authenticating with an identity authority trusted by the service provider Essential pattern for B2B interactions Federated authentication : Federated authentication Also a crucial pattern to avoid identity silos related to enterprise cloud usage Visibility and control for enterprise access of external services 22 Enterprise boundary SaaS Authenticate locally SaaS instance configured to trust enterprise issuing authority (STS) Enterprise IAM Enterprise STS Access SaaS with token issued by enterprise Federated authentication and REST : Federated authentication and REST OpenID Web focused Browser driven (interactive steps, redirects) SAML Enterprise focused Has browser profile binding very similar to OpenID flow Has other bindings (such as ws-security) and is extensible RESTful/API friendly federated authentication No redirects No interactive steps Don’t expect a browser 23 Example SAML binding for RESTful web service : Example SAML binding for RESTful web service 24 GET /token/joe Authorization: … 200 OK <saml:Assertion … /> GET /someresource Authorization: SAML PmfrTLJwMuZurA8= 200 OK … (not standardized) trust Decoupling security from service : Decoupling security from service Service orientation is about agility More security decoupling = more agility 25 Perimeter security implementation : Perimeter security implementation 26 RESTful service zone Requesters Delegate security responsibilities to specialized perimeter infrastructure Perimeter security benefits : Perimeter security benefits Avoid duplication of responsibilities across all service endpoints Threat protection Additional abstraction layer camouflages service implementation Safe detection of parser attacks, injections Safe input sanitization (XML Schemas, JSON Schemas) Uniform centralized trust management acting on behalf of services Uniform identity authority acting on behalf of services Efficient use of resources (performance) Reconcile caching and security 27 Apply Enterprise REST security patterns : Apply Enterprise REST security patterns Enable REST developers by providing REST-capable security infrastructure and process Demand and favor standard and interoperable security mechanisms from your providers Avoid identity silos REST-enable your perimeter identity infrastructure Decouple security from application logic Centralize access control, validation and threat protection 28

Add a comment

Related presentations

Related pages

ENTERPRISE SECURITY PATTERNS FOR RESTFUL WEB SERVICES

ENTERPRISE SECURITY PATTERNS FOR RESTFUL WEB SERVICES PDF: ENTERPRISE SECURITY PATTERNS FOR RESTFUL WEB SERVICES Francois Lascelles Layer 7 Technologies ...
Read more

API Security and Threat Protection - CA Technologies ...

Enterprise Service Bus (ESB) ... While conventional Web security proved unable to address ... Identification of suspect activity to monitor patterns and ...
Read more

Chapter 9: Service Layer Guidelines

Consider the following guidelines when designing the service layer: Design services to ... "Enterprise Solution Patterns Using ... "Web Service Security ...
Read more

Web Service Security Patterns - Community Technical Preview

Web Service Security Scenarios, Patterns, ... Implementing Message Layer Security with a Security Token Service ... Integration Patterns. Enterprise ...
Read more

Layer 7 Director of Solutions Engineering François ...

Session Focuses on Enterprise Access Control Patterns for ... applicable to Web APIs and RESTful Web services. ... Layer 7 gives enterprises the ...
Read more

Enabling RESTful Web Services in the Enterprise ...

Enabling RESTful Web Services in ... such deployment patterns and address security ... for Layer 7 Technologies, an Enterprise SOA and Cloud ...
Read more

Representational state transfer - Wikipedia, the free ...

They may also enforce security ... Web service APIs that adhere to the REST ... for RESTful web APIs. This is because REST is an ...
Read more

Two Layer 7 Technologies Executives to be Featured ...

... Identity Federation for Web APIs and RESTful Web Services ... Layer 7 will host an API security for mobile ... Enterprises. When: Monday ...
Read more