TAS 3 Architecture. Sampo Kellomäki Symlabs , ServiceWave, Stockholm

Transcription

1 TAS 3 Architecture Sampo Kellomäki (sampo@symlabs.com), Symlabs , ServiceWave, Stockholm The research leading to these results has received funding from the European Community s Seventh Framework Programme (FP7/ ) under grant agreement number (TAS3 - Trusted Architecture for Securely Shared Services

2 TAS3 Project (48 months, ) Goals - Trusted Architecture for Securely Shareable Services - Web Services made secure, privacy friendly, and shareable - Dashboard for user s privacy settings and self audit - Full audiability, leverage digital signatures - Advanced Trust and Privacy Negotiation and Trust Scoring - Business and legal model Practical - Standards based (SAML, ID-WSF, XACML) interoperable wirespecs - API (Java, C#, PHP, Perl, C/C++) - eference implementation (zxid.org) - Pilots - Exploitation: buy TAS3 enabled components from vendors such as Symlabs, isaris, Custodix, and Synergetics Sampo Kellomäki: TAS3 Arch 10 2

3 Sampo Kellomäki: TAS3 Arch 10 3

4 TAS3 Trust Network Domains Audit Organization A Domains... Organization B Domains Audit & Monitor Model Modelling & configuration Management Modelling & configuration Management untime & Enforcement Sampo Kellomäki: TAS3 Arch 10 4

5 Front channel and back channel interaction 1 TAS3 TN Model 2, 4 Front Channel, Web GUI Interaction Authentication 3 Modelling untime FE A1 Back Channel Web Services Layer Modelling DashB e B IdP B 6 5 WS B1 IDMap 7, 9 WS A2 10 WS B2 8 Org A Audit & Monitor Audit & Monitor TAS3 TN Compliance, Audit, and Monitor Org B (Context A) (Context B) Sampo Kellomäki: TAS3 Arch 10 5

6 Audit Channel TAS3 TN Model 1 2, 4 Front Channel, Web GUI Interaction Authentication 3 Modelling untime e4 Audit Event Bus FE A1 e5 Back Channel Web Services Layer Modelling DashB 6 e6 e B IdP B e3 5 e10 10 e7, e9 WS B1 e8 8 IDMap 7, 9 WS A2 WS B2 Org A Audit & Monitor Audit & Monitor LogMon TAS3 TN Compliance, Audit, and Monitor Org B (Context A) (Context B) Sampo Kellomäki: TAS3 Arch 10 6

7 Model driven configuration 1 TAS3 TN Model 2, 4 Front Channel, Web GUI Interaction Authentication 3 Modelling Model untime FE A1 Back Channel Web Services Layer Modelling Model DashB e B IdP B 6 5 WS B1 IDMap 7, 9 WS A2 10 WS B2 8 Org A Audit & Monitor Audit & Monitor TAS3 TN Compliance, Audit, and Monitor Org B (Context A) (Context B) Sampo Kellomäki: TAS3 Arch 10 7

8 Model driven audit TAS3 CoT Model Modelling and Configuration Management Domain untime and Enforcement Domain = = IdP Modelling Tool Discover usage & configuration Frontend Services Dashboard * * = = = Disco Models and configurations Automatically push consistent security configuration Middletier Web Services = Backend WS * * = = Use model to drive visualization of workflow and system Auditing & Compliance Tools Operation Monitoring Audit and Monitoring Domain Connectors = outing & aggregation = PEP * = Sampo Kellomäki: TAS3 Arch 10 8

9 Web Browser Client Application Organization Domain Modelling & Configuration Management Infrastructure Payload untime & Enforcement Identity Provider Front End Services Web Services Authorization Dashboard Business process Engine Delegation Trust eputation Discovery Dashboard IDMapper egistry Server Trust Network Process Manager Linking Trust & Privacy Negociator Audit Event Bus Management Audit & Monitor Audit Compliance Validation Operation Monitoring Sampo Kellomäki: TAS3 Arch 10 9

10 XACML SAML profile with TAS3 Trust extensions SAML IdP Discovery Trust PDP 1 7 SP1: Frontend JSESSION ZXSES Payload Servlet ID-WSF 2.0 Discovery with TAS3 Trust extensions ID-WSF 2.0 w/tas3 ext SP2: Web Service CTX Interceptor Interceptor DB 2 S S O A t t r P E P s e s P E P e t c P E P D I C W S C H T T P H WSPout PEP-rs-out T T P WSPin PEP-rs-in e t c P E P User XACML SAML profile Master PDP1 Master PDP Sampo Kellomäki: TAS3 Arch 10 10

11 Prior Art and eference Architectures TAS 3 Architecture draws from and is compatible with - Nessi s NexofA - Master s concept of audit bus and Awareness Cockpit - Access-eGov Platform Architecture - Liberty Alliance s ID Web Services Framework (ID-WSF) - Hafner & Breu s Security Engineering for Service-Oriented Architectures TAS 3 Architecture is not as abstract as a reference architecture - Goal is to drive real interoperable implementations Sampo Kellomäki: TAS3 Arch 10 11

12 Novelty of the Architecture Itself (1/2) TAS 3 Architecture is novel as a blueprint that brings together - Identity management - Attribute based access control - Business process modelling - Dynamic trust - Distributed auditing - Legal & Policy - Support for multiple policies in different languages - Annex A in combination with D2.2, acts as an interoperability profile for standards based protocols covering these areas User transparency features - Dashboard - User accessible audit trail - Automated compliance validation Sampo Kellomäki: TAS3 Arch 10 12

13 Novelty of the Architecture Itself (2/2) Privacy protection using sticky policies Marriage of Trust and Privacy Negotiation with discovery and trust scoring Secure dynamic business processes Built-in first class support for delegation Architecture needs to be instantiated in context of a business model and legal / contractual framework - Leave many decisions to be decided in that context - Many business models are possible (the one currently in annex will become a document of its own) Sampo Kellomäki: TAS3 Arch 10 13

14 Wire interoperability, many software implementations possible Any implementation that speaks wire protocols and flows correctly is valid, irrespective of the software architecture Software architecture of the entities specified by the TAS 3 Architecture is up to implementers of those entities (some of the implementer s are TAS 3 work packages) The architecture includes a legacy integration strategy to illustrate some feasible ways to TAS 3 enable existing applications (but which way is chosen, or if a totally different software architecture is used, is an implementer s choice) Sampo Kellomäki: TAS3 Arch 10 14

15 Trustworthy and Secure (1/2) Operational, legal, and business model to ensure trustworthiness - esponsible entity, Trust Guarantor, ensures "buck stops here" - Legal framework developed hand-in-hand with architecture - Certification of software and deployments - Automated Compliance Validation keeps SPs in line - Manual audits complement automated approaches - Modeling network and its members provide consistent security configuration Legal concerns are built-in from the ground up Threat analysis to understand what we are defending against Sampo Kellomäki: TAS3 Arch 10 15

16 Trustworthy and Secure (2/2) Technical - Fully encrypted, fully digitally signed - Fully pseudonymous design ensures maximum privacy - Fully cross organizational federation model - Explicit tokens based audit trail at all layers - Explicit authorization at all layers - Advanced trust and reputation management - Model and ontology driven to ensure accurate implementation Sampo Kellomäki: TAS3 Arch 10 16

17 Deploying TAS 3 Architecture Set up Trust Network - Draft legal - un some services, like audit bus and compliance validation - Outsource or run other services like discovery and IdP Join a Trust Network - Much of the infrastructure shared or already provided - Application integration - Buy and deploy TAS 3 proxy or connector product, or - Adapt your application using TAS 3 Standard API. - Outsource or buy/run some infrastructure services like IdP or PDP Sampo Kellomäki: TAS3 Arch 10 17

18 Thank You, Questions? Sampo Kellomäki Official dissemination website - eference implementation of TAS 3 Core Security Architecture - ZXID specific TAS 3 news - TAS 3 Architecture Document - evised TAS 3 API and protocol profiles Sampo Kellomäki: TAS3 Arch 10 18

19 Architecture Drilldown TAS3 Trust Network Domains Audit Organization A Domains... Organization B Domains Audit & Monitor Model Modelling & configuration Management Modelling & configuration Management untime & Enforcement Sampo Kellomäki: TAS3 Arch 10 19

20 Web Browser Client Application Organization Domain Modelling & Configuration Management Infrastructure Payload untime & Enforcement Identity Provider Front End Services Web Services Authorization Dashboard Business process Engine Delegation Trust eputation Discovery Dashboard IDMapper egistry Server Trust Network Process Manager Linking Trust & Privacy Negociator Audit Event Bus Management Audit & Monitor Audit Compliance Validation Operation Monitoring Sampo Kellomäki: TAS3 Arch 10 20

21 Web Service Authorization Legend Infrastructure Authorization Front End Service Web Application Web Service Service Application PEP Out PEP In PEP Out PEP In Web GUI (optional) Stack Service equester Stack Service esponder Service equester Sampo Kellomäki: TAS3 Arch 10 21

22 Multi-tier Web Service Call Front End Service Web Service Web Service Web Application Service Application Data Service Web GUI Service equester Service esponder Service equester Service esponder Data storage Sampo Kellomäki: TAS3 Arch 10 22

23 Details of Authorization Dashboard Payload Discovery Infrastructure Authorization Policy Enforcement Point Credential validation service Master Policy Decision Point Policy Information Point Infrastructure Trust Network PDP Organization PDP Policy Decision Point Stack User PDP Trust PDP Policy Store Policy Store Policy Store Trust Store Sampo Kellomäki: TAS3 Arch 10 23

24 Legacy Integration Web Service (e.g. Attribute Authority) Data Service User F E TAS3 SOAP Service esponder Stack AIPEP AIPEP-In (accept req) AIPEP-Out (filter) Application Dependent PEP WP8 SOA Gateway WP8 database WP8 SOA GW Legacy Data Source A B WP8 database Data C XACML (in SOAP envelope) Master PDP Figure 1: Application Integration using ADPEP and (A) WP8 SOA Gateway, (B) WP8 as frontend to WP8 SOA GW, (C) WP8 database Sampo Kellomäki: TAS3 Arch 10 24

25 Web Service (e.g. Attribute Authority) Data Service Service esponder User F E TAS3 SOAP Stack AIPEP AIPEP-In (accept req) AIPEP-Out (filter) ADPEP Application XACML (in SOAP envelope) Master PDP Figure 2: Application Integration: ADPEP implemented in application itself Sampo Kellomäki: TAS3 Arch 10 25

26 Web Service (e.g. Attribute Authority) Data Service Service esponder User F E TAS3 SOAP Stack Application with PEP built in PEP-In (accept req) PEP-Out (filter) XACML (in SOAP envelope) Master PDP Figure 3: Application Integration: PEP implemented directly in application Sampo Kellomäki: TAS3 Arch 10 26

27 Steps of a Web Service Call Sampo Kellomäki: TAS3 Arch 10 27

28 Core Security Architecture Flows A Authentication 123A SSO IDP_1 PDP Web GUI PEP Web Application PID E(123)A Service equestor Front End service A Sampo Kellomäki: TAS3 Arch 10 28

29 1 2 3 A Authentication 123A SSO IM E(789)IM use only: A 8 times IDP_1 PDP Web GUI PEP PID E(123)A PID E(789)IM 7 Web Application Service equestor Front End service A IM E(789)IM use only: A 8 times 4 PDP PEP Service esponder B 6 E(456)B IM E(789)IM use only: B 8 times B E(456)B 5 IM E(789)IM use only: B 8 times PEP Service esponder Identity Mapper IM 789 -> E(456)B Service Provider B PII Sampo Kellomäki: TAS3 Arch 10 29

30 1 2 3 A Authentication 123A SSO IM E(789)IM use only: A 8 times IDP_1 PDP PEP PDP Web GUI PEP PID E(123)A PID E(789)IM PII Service esponder 6 11 Web Application Service equestor IM E(789)IM use only: A 8 times 4 PEP C E(fgh)C IM E(789)IM use only: C 2 times 10 9 Service equestor PII Service B PEP B E(456)B IM E(789)IM use only: B 8 times Front End service A IM E(789)IM use only: B 8 times B E(456)B IM E(789)IM use only: B 8 times Service esponder Identity Mapper IM C E(fgh)C IM E(789)IM use only: C 2 times 789 -> E(456)B 789 -> E(fgh)C fgh -> TAS3 Service esponder ole Authority C Sampo Kellomäki: TAS3 Arch 10 30

31 Acronym Expansion TG Trust Guarantor, the organization that operates TN ("Summit") TN Trust Network IdP Identity Provider (SAML role, aka authentication authority) SP Service Provider: a member organization of TN that operates Frontend and/or Web Services Disco Service discovery, sometimes specifically identity enabled service discovery such as Liberty ID-WSF Discovery Service. DB Dashboard, a web GUI for viewing audit records, work flow status, and/or viewing and editing privacy settings and permissions. FE Frontend, here means web site, i.e. SP WS Web Service, SOAP based machine to machine communication. Sometimes specifically Identity enabled web service, e.g. Liberty ID-WSF based WS Sampo Kellomäki: TAS3 Arch 10 31

32 Summit TAS3 CoT Model SSO sub CoT B SSO sub CoT A Modelling Modelling Core IdP FE FE DB IdP WS layer Disco Model WS... Model WS Disco Audit & Monitor Audit & Monitor Org A TAS3 CoT Audit Org B (Context A) (Context B) Sampo Kellomäki: TAS3 Arch 10 32

33 Trust Network level model untime and Enforcement Domain = = IdP Modelling and Configuration Management Domain Frontend Services Dashboard * * = = WS1 WS2 Disco Modelling Tool Master PDP * PDP Trust Models and configurations Policy Store = Call PIP = Trust Store = Audit and Monitoring Domain Backend WS Connectors * = outing & aggregation = = PEP Sampo Kellomäki: TAS3 Arch 10 33

34 Trust Network level model untime and Enforcement Domain = = IdP Modelling and Configuration Management Domain Discover actual usage Frontend Services Dashboard * * = = WS2 WS1 Disco Modelling Tool PDP Master PDP * Trust Feedback for behavioral trust Models and configurations Policy Store = Call PIP = Trust Store = Audit and Monitoring Domain Backend WS Connectors * = outing & aggregation = = PEP Sampo Kellomäki: TAS3 Arch 10 34

35 Client App Built-in rules of the application Built-in rules of the service Service ules of the operator ules of the operator Alice Org C PDP Org D PDP Bob PEP q Out PEP q In Master PDP Alice PDP TN PDP ules of the TN Trust PDP Bob PDP Master PDP 3 PEP s Out PEP s In Personal rules Personal rules Corp C Firewall or Packet Filter Corp D Firewall or Packet Filter Sampo Kellomäki: TAS3 Arch 10 35