How Intel IT provides information security to SOA

Service-Oriented Architecture (SOA), cloud computing, and virtualization are commonly described in the IT industry as a paradigm shift away from legacy mainframe and client/server architectures. From an information security perspective, there shouldn’t be much difference in the process for protecting information in these environments.

The basic premise should always be to have a defined security development process for any solution. A business process like this allows for the creation of comprehensive and reasonable security requirements based on the type of information being handled by the system. These security requirements commonly result in functional requirements that define the need for, and strength of, authentication, authorization, and encryption, and that keep the necessary focus on the CIA triad (confidentiality, integrity, and availability).

With regard to SOA, a service-oriented approach to architecture brings great benefits, including loosely coupled, event-driven business services across platforms and a greater capability to evolve the application while supporting previous versions. But especially for applications that have been converted to a service-oriented architecture using web service protocols, the risk profile should be updated to account for a new environment that may not have been considered in the initial threat model.

Any modification to an application’s architecture should provoke a new risk assessment to revise the initial security requirements. Because web services introduce new protocols and communication channels, the attack surface may increase; a fresh assessment could reduce the risk by addressing threats that may exist in those protocols and channels.

SOA Expressway is an Intel-provided software appliance designed and used by Intel specifically to proxy web service calls, acting as an XML gateway before they are passed on to the web service. Intel SOA Expressway provides a workflow-like structure, referred to as Business Process Execution Language (BPEL), that can control the instantiation of many actions and even other web services in one transaction. The benefits include the ability to separate security from the web service code, which simplifies development and allows a centralized policy for security and auditing. Intel SOA Expressway can help establish standards by supporting many disparate authentication, authorization, and encryption protocols for web services. More information about this technology can be found at http://www.dynamicperimeter.com/

Authentication can be a big challenge for any SOA because the platforms used to expose web services may use different authentication protocols and may not interoperate well. This is one reason why XML-based security standards such as WS-Security have been established (democratically) and published by the Organization for the Advancement of Structured Information Standards (OASIS).

Furthermore, an identity in one web service may not be the same identity in another. There are different approaches to combining identity stores, commonly referred to as federated identity. An identity is usually presented to a web service by a consumer (the calling application), and once a principal (user) is verified, authorization can be granted. SOA Expressway can communicate using different authentication protocols based on what the web service expects, allowing for greater standardization in authentication and authorization.

With regard to attack surface, Intel SOA Expressway can also be configured to protect against some common denial-of-service threats found in web service calls. A Content Attack Prevention (CAP) policy can be created within a workflow so that any violation of the CAP policy provokes an action defined by the system based on policy characteristics. The CAP policy can inspect any XML message entering the workflow in the following ways:

• XML schema validation: If schema validation fails, then the CAP policy drops the message before it reaches an endpoint.

• SQL injections, XPath injections, and DTDs: If found, then the CAP policy drops the message before it reaches an endpoint.

• Enforces XML limits: CAP policy scans the XML document’s size. If any XML limits are violated, then the CAP policy drops the message before it reaches an endpoint.

• Forbidden words and text patterns: If found, then the CAP policy drops the message before it reaches an endpoint.

• Required text patterns: If not found, then the CAP policy drops the message before it reaches an endpoint.
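
The checks in the list above, arranged as a drop-on-first-violation filter in an added Python sketch; this is not Intel's code or SOA Expressway configuration. The limits, the patterns, the depth and element-count limits (which go beyond the size check the list names), and the `REQUIRED_CHILDREN` map standing in for real schema validation are all assumptions.

```python
import re
import xml.etree.ElementTree as ET

# All limits and patterns below are assumed sample values, not product defaults.
MAX_BYTES, MAX_DEPTH, MAX_ELEMENTS = 4096, 8, 200
FORBIDDEN = [re.compile(p, re.I) for p in (
    r"\bunion\s+select\b",                 # SQL injection marker
    r"'\s*or\s+'?1'?\s*=\s*'?1",           # SQL/XPath tautology
    r";\s*drop\s+table\b",
)]
REQUIRED = [re.compile(r"<(\w+:)?Envelope\b")]   # message must be a SOAP envelope
REQUIRED_CHILDREN = {"Envelope": {"Body"}}       # tiny stand-in for XSD validation

def local(tag):
    return tag.rsplit("}", 1)[-1]   # strip ElementTree's '{namespace}' prefix

def inspect(raw: bytes):
    """Return (allowed, reason); any failed check drops the message."""
    if len(raw) > MAX_BYTES:                       # XML limits: document size
        return False, "xml-limit:size"
    text = raw.decode("utf-8", errors="replace")
    if re.search(r"<!DOCTYPE|<!ENTITY", text, re.I):
        return False, "dtd"                        # rejected before any parsing
    if any(p.search(text) for p in FORBIDDEN):
        return False, "forbidden-pattern"
    if not all(p.search(text) for p in REQUIRED):
        return False, "required-pattern-missing"
    try:
        root = ET.fromstring(raw)
    except ET.ParseError:
        return False, "malformed"
    count, stack = 0, [(root, 1)]
    while stack:                                   # iterative walk, no recursion
        el, depth = stack.pop()
        count += 1
        if depth > MAX_DEPTH or count > MAX_ELEMENTS:
            return False, "xml-limit:structure"
        need = REQUIRED_CHILDREN.get(local(el.tag))
        if need and not need <= {local(c.tag) for c in el}:
            return False, "schema"
        stack.extend((c, depth + 1) for c in el)
    return True, "ok"

# Constructed sample messages.
GOOD = (b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
        b"<soap:Body><getOrder><id>42</id></getOrder></soap:Body></soap:Envelope>")
INJECT = GOOD.replace(b"42", b"42' OR '1'='1")
WITH_DTD = b'<!DOCTYPE x [<!ENTITY a "b">]>' + GOOD
print([inspect(m)[1] for m in (GOOD, INJECT, WITH_DTD)])
```

The pattern checks here run on the raw message text, so a filter used in practice would also scan the decoded text nodes and attribute values after parsing.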

In addition to the ability to accelerate and secure XML messages throughout the network, Intel’s SOA Expressway is a software product providing the benefit of upgradeability that is not found in a proprietary hardware appliance. Intel SOA Expressway as a solution can be right-sized for the proper fit of performance according to the usage models which could significantly lower costs and reduce risk.