|By Rickland Hollar||
|June 4, 2004 12:00 AM EDT||
W.C. Fields once said, "The practice of keyhole-listening is usually confined to hotels and boarding houses. It is absolutely indefensible to stoop so low. If the transom is not ajar, remember there are plenty of other rooms in the building." Hackers on the Web can take a similarly cavalier attitude - surfing from site to site until they find one whose "transoms are ajar." The question for you is whether yours are among them.
Information is an increasingly valuable asset in most organizations. Information security is about protecting that asset. Computer security deals with protecting data on corporate systems, network security with protecting data in transit across corporate networks. William Stallings introduced the term internetwork security, combining elements of both computer and network security, to cover tools and techniques for protecting data in today's internetworked world.
Internetwork security is most relevant to Web services because it brings together the mechanisms for protecting clients and servers operating across interconnected networks such as the Internet. Internetwork security involves recognizing and countering attacks that may occur as part of transmitting information between parties across such open networks. The Web services recommendations and standards I cover in this article address three specific types of internetwork attacks:
- Fabrication: Unauthorized parties masquerading their identities or inserting unauthorized messages.
- Interception: Unauthorized parties "listening in" on conversations.
- Modification: Unauthorized parties changing message content.
The National Institute of Standards and Technology (NIST) defines a trust domain as "a group that operates under the supervision of a Domain Policy Management Authority, uses consistent policies, and has similar Certification Practice Statements." Domain members enter into mutual trust relationships, either directly or through third parties, as part of any sensitive information exchange. Security policies governing these relationships may be broad, saying that parties can openly "talk" to anyone, or extremely narrow, saying parties must verify each and every aspect of every conversation. The sensitivity of the information, the number of unknown and untrusted parties in the network, and the price of compromise must all enter into the decision about how much security is enough.
When you make services available on the Internet, your security focus must shift from protecting systems and private networks to protecting individual machines, users, and applications (or services). The lack of a single policy management authority and agreed-upon certification practice statements makes creating trust domains in this environment extremely challenging. The Internet is a collection of cooperating internetworks, each potentially with its own security policies and certification authority, therefore Web services crossing domain boundaries must create "virtual trust domains" that are inclusive (contain all the parties to the transaction: the Web services client and server, potentially the UDDI service, and any third-party brokers) and bridge any policy differences. Web services integrate four basic security services to create such virtual trust domains:
- Authentication: Verifying parties are in fact who they say they are.
- Authorization: Ensuring parties only have permissions, accesses, and authorities they warrant.
- Confidentiality: Ensuring intermediaries cannot see data exchanged between parties.
- Integrity: Verifying intermediaries did not modify data in transit between parties.
Security begins with a set of security policies. Security policies are rules marrying security tokens, which are representations of sets of security information or claims, to messages (the lingua franca for Web services exchanges). In an exchange, the client is responsible for including the right tokens in the message; the Web services server is responsible for using those tokens to enforce the security policy in place. Enforcement involves verifying the client's claims against the policy in determining whether to honor or deny the request. Verification may be in-band, part of the message flow, or out-of-band, based on a pre-set decision.
WS-Policy and WS-SecurityPolicy make policies discoverable by providing grammars for describing policies as sets of conditions on actions (policy assertions) and for identifying specific elements of a security policy such as:
- The security tokens a Web service will accept (user-id/password, Kerberos tickets, X.509 certificates, Security Assertion Markup Language [SAML] assertions, etc.)
- The message digest algorithms a Web service supports
- The encryption algorithms a Web service supports
- The message elements or tags that must remain unencrypted
The policy tells clients "which" security tokens to use; WS-Security tells them "how" to encode those tokens as XML. The standard includes elements for representing user IDs, passwords, Kerberos tickets, and X.509 certificates as part of the SOAP message header, and builds on the XML Encryption and XML Signature standards for providing message confidentiality and integrity. WS-Security also supports SAML because SAML assertions are simply wrappable XML.
Some security tokens require third-party brokers. WS-Trust provides the request/response model, and syntax for requesting, obtaining, and verifying security tokens from such brokers. WS-SecureConversation extends WS-Trust for establishing security contexts for exchanging multiple messages by defining three types of contexts: those created by a token service, those created by one of the communicating parties, and those created through negotiation. Once parties establish a security context they can exchange multiple messages without having to reestablish claims.
The authentication service validates identities as part of creating trust relationships. In direct trust relationships, the client presents unendorsed claims, such as a user ID and password. The server trusts these claims solely on the basis of the client's knowledge or possession of the necessary token. In brokered trust relationships, the server accepts claims that a trusted third party either endorses or presents on the client's behalf. The third-party is a security token service, such as a Certificate Authority (CA), Kerberos Key Distribution Center (KDC), or SAML service. Most consider third-party tokens more secure than simple user ID/password schemes because of the increased sophistication of the attack necessary to compromise them.
WS-Security does not specify a particular authentication method, so you have several options available for implementing authentication services. One option is to build authentication directly around traditional security tokens such as user ids and passwords, Kerberos tickets, or X.509 certificates. WS-Trust describes how to build trust relationships using these tokens following the model shown in Figure 3. IBM and Microsoft first presented this as a general model in their Security Roadmap subsuming more specific models such as identity-based security, access control lists, and capabilities-based security. In this model, if a component does not have the tokens necessary to substantiate claims, it contacts a Token Service it trusts to obtain those tokens.
SAML offers an option combining one or more external authorities and assertions. It defines three types of assertions: authentication for proving user identity, attribute for specifying details about the user, and authorization for describing what the user can do. Figure 4 illustrates the SAML model. In this model, the subject (client) sends its credentials to up to three different authorities to obtain assertion references it can include in the message it sends to the Policy Enforcement Point (PEP) (Web services server) that controls the resources. The PEP uses the references to request the actual assertions (authentication decision) from the issuing authority or Policy Decision Point (PDP).
Regardless of which authentication method you use, or how parties establish context, the parties must agree for it to succeed. From the authentication service's standpoint, it's all about who you trust. A brokered token from an untrusted broker is no better than a direct token from an untrusted client.
The authorization, or access control, service maps the user's identity against their permissions for the resources being used or requested. It assumes authentication. Permissions are actions the user can perform. Primitive permissions include atomic activities such as create, read, update, and delete; advanced permissions include more abstract activities such as debit, credit, buy, and sell. In Web services applications, permissions often map to Web services transactions.
The two most prevalent approaches to access control on the Web are:
- User-based access control (UBAC): User's identity determines their accesses.
- Role-based access control (RBAC): Roles bring together collections of users and permissions.
SAML and XACML are complementary standards sharing basic concepts and definitions, hence I foresee them becoming the predominant mechanisms once implementing products are widely available.
The confidentiality service generally uses an encryption function to ensure privacy. Encryption changes the data being protected from plain text into a cipher text that only the sender and receiver can understand. Encryption programs apply an algorithm in combination with an encryption key in order to make that transformation. The key may be a shared secret (a symmetric key that both parties share) or different halves of a public, private key pair (asymmetric algorithms use one of the keys to encrypt the data, the other to decrypt it). The strength of the encryption, how difficult it is to break, is a function of the algorithm and the key length. Encryption ensures confidentiality because while someone may still be able to steal the traffic, they are stealing meaningless bits unless they also know the algorithm and a key.
WS-Security leverages XML Encryption for confidentiality. XML Encryption provides for encrypting individual elements (including the tags), only their content, and complete documents. This flexibility enables end-to-end encryption in a Web services environment while supporting some processing by intermediaries - an advantage over point-to-point solutions such as SSL.
XML Encryption defines elements for carrying cipher text and information about underlying encryption algorithms and encryption keys. XML Encryption supports: Data Encryption Standard (DES) and Advanced Encryption Standard (AES) for block encryption and key wrapping, Rivest-Shamir-Adelman (RSA) for key transport, Diffie-Hellman for key agreement, and Secure Hash Algorithm (SHA) and RIPEMD for message digest. While XML Encryption does not include stream encryption algorithms, it is extensible given that parties agree on the algorithm and its usage. XML Encryption also supports super encryption, i.e., encrypting data multiple times to strengthen the encryption.
The integrity service generally uses a digital signature capability to ensure nonrepudiation. WS-Security leverages XML Signature in this area. XML Signature provides for signing both individual elements and entire documents. The standard defines elements for describing: what is signed, the signature itself, the canonicalization method used to deal with different data streams within elements, any transformations applied prior to generating the message digest, and the digest method used to generate the signature.
Digital signature algorithms create signatures in a four-step process. The first step converts the document (or element) into a standard form through the application of a canonicalization, or standard serialization, algorithm. The Exclusive XML Canonicalization recommendation specifies Canonical XML (XML-C14N) as the standard serialization technique for Web services. The second step is to apply one or more transformations to the canonicalized content. The document (or element) in standard form becomes the input to the first transformation. The output of each transformation becomes the input to the subsequent transformation procedure. The output from the final transformation procedure becomes the input to the digest function. Transformation operations include canonicalization, encoding/decoding, compression/inflation, XSLT, XPath, XML Schema validation, and XInclude. The third step is to process the content through a secure hash function to create a message digest (message digest algorithms, such as Message Digest 5 [MD5] and SHA, use a hash function to create a unique code that becomes a digital fingerprint for the document). The final step encrypts the message digest, using the client's private encryption key, to create a digital signature. The digital signature is then appended to the document. The recipient recalculates the message digest and compares it to the sender's to ensure the document was not changed. The recipient uses the sender's public encryption key to verify the digital signature.
Communicating the order of the encryption and signing operations is an important consideration. WS-Security modifies XML Signature to add a decryption transformation. This allows the sender to include decryption order as part of the transformation information for the message. The recipient simply reverses the order to decrypt the correct message parts before recomputing the message digest.
Virtual Trust Domains
Figures 6 and 7 illustrate how these concepts come together in J2EE and .NET environments. In both cases, a client requests services from a Web services server hosted within a trust domain formed by one or more systems in physical trust relationships. The Web services server establishes a dynamic trust relationship with the client thereby creating a virtual trust domain. The client and Web services server then exchange whatever number of messages is relevant to the transaction including the necessary security tokens and signing and encrypting message parts, as appropriate. The security policies in place, in combination with the strength of the security tokens, encryption, and digest algorithms in use, establish the strength of the trust relationship.
The Web services and XML standards I've discussed provide the framework necessary to create security strategies in these environments. In creating your security strategy, you must also consider computer and network security of your systems and the vulnerabilities others' clients may introduce. You may want to leverage additional mechanisms, such as SSL and IPSec, where appropriate to bolster the techniques I've discussed. One size does not fit all. The important thing is that you take a comprehensive approach to ensure you are doing everything necessary in your Web services to protect sensitive information and resources they control. Remember, your services are only as secure as their weakest link. Are you master of your domain, or are your transoms ajar? Don't wait until after an attack to find out.
In his session at 17th Cloud Expo, Ernest Mueller, Product Manager at Idera, will explain the best practices and lessons learned for tracking and optimizing costs while delivering a cloud-hosted service. He will describe a DevOps approach where the applications and systems work together to track usage, model costs in a granular fashion, and make smart decisions at runtime to minimize costs. The trickier parts covered include triggering off the right metrics; balancing resilience and redundancy ...
Sep. 1, 2015 03:30 PM EDT Reads: 243
SYS-CON Events announced today that G2G3 will exhibit at SYS-CON's @DevOpsSummit Silicon Valley, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. Based on a collective appreciation for user experience, design, and technology, G2G3 is uniquely qualified and motivated to redefine how organizations and people engage in an increasingly digital world.
Sep. 1, 2015 03:00 PM EDT Reads: 508
SYS-CON Events announced today that HPM Networks will exhibit at the 17th International Cloud Expo®, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. For 20 years, HPM Networks has been integrating technology solutions that solve complex business challenges. HPM Networks has designed solutions for both SMB and enterprise customers throughout the San Francisco Bay Area.
Sep. 1, 2015 12:30 PM EDT Reads: 909
Whether you like it or not, DevOps is on track for a remarkable alliance with security. The SEC didn’t approve the merger. And your boss hasn’t heard anything about it. Yet, this unruly triumvirate will soon dominate and deliver DevSecOps faster, cheaper, better, and on an unprecedented scale. In his session at DevOps Summit, Frank Bunger, VP of Customer Success at ScriptRock, will discuss how this cathartic moment will propel the DevOps movement from such stuff as dreams are made on to a prac...
Sep. 1, 2015 12:00 PM EDT Reads: 237
SYS-CON Events announced today that Pythian, a global IT services company specializing in helping companies leverage disruptive technologies to optimize revenue-generating systems, has been named “Bronze Sponsor” of SYS-CON's 17th Cloud Expo, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. Founded in 1997, Pythian is a global IT services company that helps companies compete by adopting disruptive technologies such as cloud, Big Data, advance...
Sep. 1, 2015 11:45 AM EDT Reads: 321
The pricing of tools or licenses for log aggregation can have a significant effect on organizational culture and the collaboration between Dev and Ops teams. Modern tools for log aggregation (of which Logentries is one example) can be hugely enabling for DevOps approaches to building and operating business-critical software systems. However, the pricing of an aggregated logging solution can affect the adoption of modern logging techniques, as well as organizational capabilities and cross-team ...
Sep. 1, 2015 11:30 AM EDT Reads: 408
Culture is the most important ingredient of DevOps. The challenge for most organizations is defining and communicating a vision of beneficial DevOps culture for their organizations, and then facilitating the changes needed to achieve that. Often this comes down to an ability to provide true leadership. As a CIO, are your direct reports IT managers or are they IT leaders? The hard truth is that many IT managers have risen through the ranks based on their technical skills, not their leadership ab...
Sep. 1, 2015 11:15 AM EDT Reads: 370
In today's digital world, change is the one constant. Disruptive innovations like cloud, mobility, social media, and the Internet of Things have reshaped the market and set new standards in customer expectations. To remain competitive, businesses must tap the potential of emerging technologies and markets through the rapid release of new products and services. However, the rigid and siloed structures of traditional IT platforms and processes are slowing them down – resulting in lengthy delivery ...
Sep. 1, 2015 10:45 AM EDT Reads: 605
Several years ago, I was a developer in a travel reservation aggregator. Our mission was to pull flight and hotel data from a bunch of cryptic reservation platforms, and provide it to other companies via an API library - for a fee. That was before companies like Expedia standardized such things. We started with simple methods like getFlightLeg() or addPassengerName(), each performing a small, well-understood function. But our customers wanted bigger, more encompassing services that would "do ...
Sep. 1, 2015 10:30 AM EDT Reads: 276
Docker containerization is increasingly being used in production environments. How can these environments best be monitored? Monitoring Docker containers as if they are lightweight virtual machines (i.e., monitoring the host from within the container), with all the common metrics that can be captured from an operating system, is an insufficient approach. Docker containers can’t be treated as lightweight virtual machines; they must be treated as what they are: isolated processes running on hosts....
Sep. 1, 2015 08:30 AM EDT Reads: 162
Introducing Containers & Microservices Bootcamp at @CloudExpo Silicon Valley | #Containers #Microservices
SYS-CON Events announced today the Containers & Microservices Bootcamp, being held November 3-4, 2015, in conjunction with 17th Cloud Expo, @ThingsExpo, and @DevOpsSummit at the Santa Clara Convention Center in Santa Clara, CA. This is your chance to get started with the latest technology in the industry. Combined with real-world scenarios and use cases, the Containers and Microservices Bootcamp, led by Janakiram MSV, a Microsoft Regional Director, will include presentations as well as hands-on...
Sep. 1, 2015 08:15 AM EDT Reads: 359
DevOps has traditionally played important roles in development and IT operations, but the practice is quickly becoming core to other business functions such as customer success, business intelligence, and marketing analytics. Modern marketers today are driven by data and rely on many different analytics tools. They need DevOps engineers in general and server log data specifically to do their jobs well. Here’s why: Server log files contain the only data that is completely full and accurate in th...
Sep. 1, 2015 07:45 AM EDT Reads: 406
Skeuomorphism usually means retaining existing design cues in something new that doesn’t actually need them. However, the concept of skeuomorphism can be thought of as relating more broadly to applying existing patterns to new technologies that, in fact, cry out for new approaches. In his session at DevOps Summit, Gordon Haff, Senior Cloud Strategy Marketing and Evangelism Manager at Red Hat, discussed why containers should be paired with new architectural practices such as microservices rathe...
Sep. 1, 2015 01:00 AM EDT Reads: 411
Any Ops team trying to support a company in today’s cloud-connected world knows that a new way of thinking is required – one just as dramatic than the shift from Ops to DevOps. The diversity of modern operations requires teams to focus their impact on breadth vs. depth. In his session at DevOps Summit, Adam Serediuk, Director of Operations at xMatters, Inc., will discuss the strategic requirements of evolving from Ops to DevOps, and why modern Operations has begun leveraging the “NoOps” approa...
Aug. 31, 2015 10:30 PM EDT Reads: 406
Puppet Labs has announced the next major update to its flagship product: Puppet Enterprise 2015.2. This release includes new features providing DevOps teams with clarity, simplicity and additional management capabilities, including an all-new user interface, an interactive graph for visualizing infrastructure code, a new unified agent and broader infrastructure support.
Aug. 31, 2015 06:30 PM EDT Reads: 524
Early in my DevOps Journey, I was introduced to a book of great significance circulating within the Web Operations industry titled The Phoenix Project. (You can read our review of Gene’s book, if interested.) Written as a novel and loosely based on many of the same principles explored in The Goal, this book has been read and referenced by many who have adopted DevOps into their continuous improvement and software delivery processes around the world. As I began planning my travel schedule last...
Aug. 31, 2015 06:00 PM EDT Reads: 544
SYS-CON Events announced today that DataClear Inc. will exhibit at the 17th International Cloud Expo®, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. The DataClear ‘BlackBox’ is the only solution that moves your PC, browsing and data out of the United States and away from prying (and spying) eyes. Its solution automatically builds you a clean, on-demand, virus free, new virtual cloud based PC outside of the United States, and wipes it clean...
Aug. 31, 2015 01:45 PM EDT Reads: 428
It’s been proven time and time again that in tech, diversity drives greater innovation, better team productivity and greater profits and market share. So what can we do in our DevOps teams to embrace diversity and help transform the culture of development and operations into a true “DevOps” team? In her session at DevOps Summit, Stefana Muller, Director, Product Management – Continuous Delivery at CA Technologies, answered that question citing examples, showing how to create opportunities for ...
Aug. 31, 2015 03:00 AM EDT Reads: 493
What does “big enough” mean? It’s sometimes useful to argue by reductio ad absurdum. Hello, world doesn’t need to be broken down into smaller services. At the other extreme, building a monolithic enterprise resource planning (ERP) system is just asking for trouble: it’s too big, and it needs to be decomposed.
Aug. 29, 2015 10:00 AM EDT Reads: 363
The Microservices architectural pattern promises increased DevOps agility and can help enable continuous delivery of software. This session is for developers who are transforming existing applications to cloud-native applications, or creating new microservices style applications. In his session at DevOps Summit, Jim Bugwadia, CEO of Nirmata, will introduce best practices, patterns, challenges, and solutions for the development and operations of microservices style applications. He will discuss ...
Aug. 27, 2015 02:15 PM EDT Reads: 522