Click here to close now.

Welcome!

MICROSERVICES Authors: Elizabeth White, Michael Kanasoot, XebiaLabs Blog, Carmen Gonzalez, Pat Romanski

Related Topics: MICROSERVICES

MICROSERVICES: Article

Who's Master of Your Domain?

Web services security in an unfriendly world

W.C. Fields once said, "The practice of keyhole-listening is usually confined to hotels and boarding houses. It is absolutely indefensible to stoop so low. If the transom is not ajar, remember there are plenty of other rooms in the building." Hackers on the Web can take a similarly cavalier attitude - surfing from site to site until they find one whose "transoms are ajar." The question for you is whether yours are among them.

Information is an increasingly valuable asset in most organizations. Information security is about protecting that asset. Computer security deals with protecting data on corporate systems, network security with protecting data in transit across corporate networks. William Stallings introduced the term internetwork security, combining elements of both computer and network security, to cover tools and techniques for protecting data in today's internetworked world.

Internetwork security is most relevant to Web services because it brings together the mechanisms for protecting clients and servers operating across interconnected networks such as the Internet. Internetwork security involves recognizing and countering attacks that may occur as part of transmitting information between parties across such open networks. The Web services recommendations and standards I cover in this article address three specific types of internetwork attacks:

  • Fabrication: Unauthorized parties masquerading their identities or inserting unauthorized messages.
  • Interception: Unauthorized parties "listening in" on conversations.
  • Modification: Unauthorized parties changing message content.
Web services counter these attacks by weaving together security services specifically designed to detect, prevent, or counter elements of the attacks to create "virtual trust domains" like that shown in Figure 1.

The National Institute of Standards and Technology (NIST) defines a trust domain as "a group that operates under the supervision of a Domain Policy Management Authority, uses consistent policies, and has similar Certification Practice Statements." Domain members enter into mutual trust relationships, either directly or through third parties, as part of any sensitive information exchange. Security policies governing these relationships may be broad, saying that parties can openly "talk" to anyone, or extremely narrow, saying parties must verify each and every aspect of every conversation. The sensitivity of the information, the number of unknown and untrusted parties in the network, and the price of compromise must all enter into the decision about how much security is enough.

When you make services available on the Internet, your security focus must shift from protecting systems and private networks to protecting individual machines, users, and applications (or services). The lack of a single policy management authority and agreed-upon certification practice statements makes creating trust domains in this environment extremely challenging. The Internet is a collection of cooperating internetworks, each potentially with its own security policies and certification authority, therefore Web services crossing domain boundaries must create "virtual trust domains" that are inclusive (contain all the parties to the transaction: the Web services client and server, potentially the UDDI service, and any third-party brokers) and bridge any policy differences. Web services integrate four basic security services to create such virtual trust domains:

  • Authentication: Verifying parties are in fact who they say they are.
  • Authorization: Ensuring parties only have permissions, accesses, and authorities they warrant.
  • Confidentiality: Ensuring intermediaries cannot see data exchanged between parties.
  • Integrity: Verifying intermediaries did not modify data in transit between parties.
Figure 2 shows how three key Web services standards (WS-Policy, WS-Security, and WS-Trust), in conjunction with a number of existing and derivative standards, provide the underlying framework for integrating these security services together. While I'll primarily talk about using security services to create relationships between Web services clients and servers, you can use the same techniques for establishing trust relationships among any of the actors.

WS-Policy
Security begins with a set of security policies. Security policies are rules marrying security tokens, which are representations of sets of security information or claims, to messages (the lingua franca for Web services exchanges). In an exchange, the client is responsible for including the right tokens in the message; the Web services server is responsible for using those tokens to enforce the security policy in place. Enforcement involves verifying the client's claims against the policy in determining whether to honor or deny the request. Verification may be in-band, part of the message flow, or out-of-band, based on a pre-set decision.

WS-Policy and WS-SecurityPolicy make policies discoverable by providing grammars for describing policies as sets of conditions on actions (policy assertions) and for identifying specific elements of a security policy such as:

  • The security tokens a Web service will accept (user-id/password, Kerberos tickets, X.509 certificates, Security Assertion Markup Language [SAML] assertions, etc.)
  • The message digest algorithms a Web service supports
  • The encryption algorithms a Web service supports
  • The message elements or tags that must remain unencrypted
Using these grammars, servers can unambiguously publish their security policies and clients can discover them at runtime, if necessary. A server can publish its policies through either its UDDI entries or some other mechanism known and accessible to its clients.

WS-Security
The policy tells clients "which" security tokens to use; WS-Security tells them "how" to encode those tokens as XML. The standard includes elements for representing user IDs, passwords, Kerberos tickets, and X.509 certificates as part of the SOAP message header, and builds on the XML Encryption and XML Signature standards for providing message confidentiality and integrity. WS-Security also supports SAML because SAML assertions are simply wrappable XML.

WS-Trust
Some security tokens require third-party brokers. WS-Trust provides the request/response model, and syntax for requesting, obtaining, and verifying security tokens from such brokers. WS-SecureConversation extends WS-Trust for establishing security contexts for exchanging multiple messages by defining three types of contexts: those created by a token service, those created by one of the communicating parties, and those created through negotiation. Once parties establish a security context they can exchange multiple messages without having to reestablish claims.

Authentication
The authentication service validates identities as part of creating trust relationships. In direct trust relationships, the client presents unendorsed claims, such as a user ID and password. The server trusts these claims solely on the basis of the client's knowledge or possession of the necessary token. In brokered trust relationships, the server accepts claims that a trusted third party either endorses or presents on the client's behalf. The third-party is a security token service, such as a Certificate Authority (CA), Kerberos Key Distribution Center (KDC), or SAML service. Most consider third-party tokens more secure than simple user ID/password schemes because of the increased sophistication of the attack necessary to compromise them.

WS-Security does not specify a particular authentication method, so you have several options available for implementing authentication services. One option is to build authentication directly around traditional security tokens such as user ids and passwords, Kerberos tickets, or X.509 certificates. WS-Trust describes how to build trust relationships using these tokens following the model shown in Figure 3. IBM and Microsoft first presented this as a general model in their Security Roadmap subsuming more specific models such as identity-based security, access control lists, and capabilities-based security. In this model, if a component does not have the tokens necessary to substantiate claims, it contacts a Token Service it trusts to obtain those tokens.

SAML offers an option combining one or more external authorities and assertions. It defines three types of assertions: authentication for proving user identity, attribute for specifying details about the user, and authorization for describing what the user can do. Figure 4 illustrates the SAML model. In this model, the subject (client) sends its credentials to up to three different authorities to obtain assertion references it can include in the message it sends to the Policy Enforcement Point (PEP) (Web services server) that controls the resources. The PEP uses the references to request the actual assertions (authentication decision) from the issuing authority or Policy Decision Point (PDP).

Regardless of which authentication method you use, or how parties establish context, the parties must agree for it to succeed. From the authentication service's standpoint, it's all about who you trust. A brokered token from an untrusted broker is no better than a direct token from an untrusted client.

Authorization
The authorization, or access control, service maps the user's identity against their permissions for the resources being used or requested. It assumes authentication. Permissions are actions the user can perform. Primitive permissions include atomic activities such as create, read, update, and delete; advanced permissions include more abstract activities such as debit, credit, buy, and sell. In Web services applications, permissions often map to Web services transactions.

The two most prevalent approaches to access control on the Web are:

  • User-based access control (UBAC): User's identity determines their accesses.
  • Role-based access control (RBAC): Roles bring together collections of users and permissions.
The Extensible Access Control Markup Language (XACML) is the rapidly emerging authorization standard. XACML provides a grammar for expressing access control policies as access matrices of authorization rules stated as subjects, actions, objects, and conditions. It includes elements for expressing access control information within XML documents and a request/response language for determining specific access permissions. Figure 5 illustrates the XACML model where the subject (client) wants to take an action (request) on a resource belonging to a PEP (a Web services server). The PEP uses XACML to request the access authorization decision from a PDP that makes a determination based on XACML access policies and returns the decision to the PEP.

SAML and XACML are complementary standards sharing basic concepts and definitions, hence I foresee them becoming the predominant mechanisms once implementing products are widely available.

Confidentiality
The confidentiality service generally uses an encryption function to ensure privacy. Encryption changes the data being protected from plain text into a cipher text that only the sender and receiver can understand. Encryption programs apply an algorithm in combination with an encryption key in order to make that transformation. The key may be a shared secret (a symmetric key that both parties share) or different halves of a public, private key pair (asymmetric algorithms use one of the keys to encrypt the data, the other to decrypt it). The strength of the encryption, how difficult it is to break, is a function of the algorithm and the key length. Encryption ensures confidentiality because while someone may still be able to steal the traffic, they are stealing meaningless bits unless they also know the algorithm and a key.

WS-Security leverages XML Encryption for confidentiality. XML Encryption provides for encrypting individual elements (including the tags), only their content, and complete documents. This flexibility enables end-to-end encryption in a Web services environment while supporting some processing by intermediaries - an advantage over point-to-point solutions such as SSL.

XML Encryption defines elements for carrying cipher text and information about underlying encryption algorithms and encryption keys. XML Encryption supports: Data Encryption Standard (DES) and Advanced Encryption Standard (AES) for block encryption and key wrapping, Rivest-Shamir-Adelman (RSA) for key transport, Diffie-Hellman for key agreement, and Secure Hash Algorithm (SHA) and RIPEMD for message digest. While XML Encryption does not include stream encryption algorithms, it is extensible given that parties agree on the algorithm and its usage. XML Encryption also supports super encryption, i.e., encrypting data multiple times to strengthen the encryption.

Integrity
The integrity service generally uses a digital signature capability to ensure nonrepudiation. WS-Security leverages XML Signature in this area. XML Signature provides for signing both individual elements and entire documents. The standard defines elements for describing: what is signed, the signature itself, the canonicalization method used to deal with different data streams within elements, any transformations applied prior to generating the message digest, and the digest method used to generate the signature.

Digital signature algorithms create signatures in a four-step process. The first step converts the document (or element) into a standard form through the application of a canonicalization, or standard serialization, algorithm. The Exclusive XML Canonicalization recommendation specifies Canonical XML (XML-C14N) as the standard serialization technique for Web services. The second step is to apply one or more transformations to the canonicalized content. The document (or element) in standard form becomes the input to the first transformation. The output of each transformation becomes the input to the subsequent transformation procedure. The output from the final transformation procedure becomes the input to the digest function. Transformation operations include canonicalization, encoding/decoding, compression/inflation, XSLT, XPath, XML Schema validation, and XInclude. The third step is to process the content through a secure hash function to create a message digest (message digest algorithms, such as Message Digest 5 [MD5] and SHA, use a hash function to create a unique code that becomes a digital fingerprint for the document). The final step encrypts the message digest, using the client's private encryption key, to create a digital signature. The digital signature is then appended to the document. The recipient recalculates the message digest and compares it to the sender's to ensure the document was not changed. The recipient uses the sender's public encryption key to verify the digital signature.

Communicating the order of the encryption and signing operations is an important consideration. WS-Security modifies XML Signature to add a decryption transformation. This allows the sender to include decryption order as part of the transformation information for the message. The recipient simply reverses the order to decrypt the correct message parts before recomputing the message digest.

Virtual Trust Domains
Figures 6 and 7 illustrate how these concepts come together in J2EE and .NET environments. In both cases, a client requests services from a Web services server hosted within a trust domain formed by one or more systems in physical trust relationships. The Web services server establishes a dynamic trust relationship with the client thereby creating a virtual trust domain. The client and Web services server then exchange whatever number of messages is relevant to the transaction including the necessary security tokens and signing and encrypting message parts, as appropriate. The security policies in place, in combination with the strength of the security tokens, encryption, and digest algorithms in use, establish the strength of the trust relationship.

Conclusion
The Web services and XML standards I've discussed provide the framework necessary to create security strategies in these environments. In creating your security strategy, you must also consider computer and network security of your systems and the vulnerabilities others' clients may introduce. You may want to leverage additional mechanisms, such as SSL and IPSec, where appropriate to bolster the techniques I've discussed. One size does not fit all. The important thing is that you take a comprehensive approach to ensure you are doing everything necessary in your Web services to protect sensitive information and resources they control. Remember, your services are only as secure as their weakest link. Are you master of your domain, or are your transoms ajar? Don't wait until after an attack to find out.

More Stories By Rickland Hollar

Rickland Hollar is a senior applications architect with the Central Intelligence Agency with over 30 years of experience in the industry. The views expressed in this article are his own and not necessarily those of the Agency. Prior to joining the CIA, he was president of a Virginia-based software development firm.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


@MicroservicesExpo Stories
SYS-CON Events announced today that MangoApps will exhibit at SYS-CON's 16th International Cloud Expo®, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY., and the 17th International Cloud Expo®, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. MangoApps provides private all-in-one social intranets allowing workers to securely collaborate from anywhere in the world and from any device. Social, mobile, and eas...
SYS-CON Events announced today that Solgenia will exhibit at SYS-CON's 16th International Cloud Expo®, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY, and the 17th International Cloud Expo®, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. Solgenia is the global market leader in Cloud Collaboration and Cloud Infrastructure software solutions. Designed to “Bridge the Gap” between Personal and Professional S...
When it comes to microservices there are myths and uncertainty about the journey ahead. Deploying a “Hello World” app on Docker is a long way from making microservices work in real enterprises with large applications, complex environments and existing organizational structures. February 19, 2015 10:00am PT / 1:00pm ET → 45 Minutes Join our four experts: Special host Gene Kim, Gary Gruver, Randy Shoup and XebiaLabs’ Andrew Phillips as they explore the realities of microservices in today’s IT worl...
OmniTI has expanded its services to help customers automate their processes to deliver high quality applications to market faster. Consistent with its focus on IT agility and quality, OmniTI operates under DevOps principles, exploring the flow of value through the IT delivery process, identifying opportunities to eliminate waste, realign misaligned incentives, and open bottlenecks. OmniTI takes a unique, value-centric approach by plotting each opportunity in an effort-payoff quadrant, then work...
Cloud computing is changing the way we look at IT costs, according to industry experts on a recent Cloud Luminary Fireside Chat panel discussion. Enterprise IT, traditionally viewed as a cost center, now plays a central role in the delivery of software-driven goods and services. Therefore, companies need to understand their cloud utilization and resulting costs in order to ensure profitability on their business offerings. Led by Bernard Golden, this fireside chat offers valuable insights on ho...
Hosted PaaS providers have given independent developers and startups huge advantages in efficiency and reduced time-to-market over their more process-bound counterparts in enterprises. Software frameworks are now available that allow enterprise IT departments to provide these same advantages for developers in their own organization. In his workshop session at DevOps Summit, Troy Topnik, ActiveState’s Technical Product Manager, will show how on-prem or cloud-hosted Private PaaS can enable organ...
The world's leading Cloud event, Cloud Expo has launched Microservices Journal on the SYS-CON.com portal, featuring over 19,000 original articles, news stories, features, and blog entries. DevOps Journal is focused on this critical enterprise IT topic in the world of cloud computing. Microservices Journal offers top articles, news stories, and blog posts from the world's well-known experts and guarantees better exposure for its authors than any other publication. Follow new article posts on T...
Modern Systems announced completion of a successful project with its new Rapid Program Modernization (eavRPMa"c) software. The eavRPMa"c technology architecturally transforms legacy applications, enabling faster feature development and reducing time-to-market for critical software updates. Working with Modern Systems, the University of California at Santa Barbara (UCSB) leveraged eavRPMa"c to transform its Student Information System from Software AG's Natural syntax to a modern application lev...
For those of us that have been practicing SOA for over a decade, it's surprising that there's so much interest in microservices. In fairness microservices don't look like the vendor play that was early SOA in the early noughties. But experienced SOA practitioners everywhere will be wondering if microservices is actually a good thing. You see microservices is basically an SOA pattern that inherits all the well-known SOA principles and adds characteristics that address the use of SOA for distribut...
Microservice architectures are the new hotness, even though they aren't really all that different (in principle) from the paradigm described by SOA (which is dead, or not dead, depending on whom you ask). One of the things this decompositional approach to application architecture does is encourage developers and operations (some might even say DevOps) to re-evaluate scaling strategies. In particular, the notion is forwarded that an application should be built to scale and then infrastructure sho...
SYS-CON Events announced today the IoT Bootcamp – Jumpstart Your IoT Strategy, being held June 9–10, 2015, in conjunction with 16th Cloud Expo and Internet of @ThingsExpo at the Javits Center in New York City. This is your chance to jumpstart your IoT strategy. Combined with real-world scenarios and use cases, the IoT Bootcamp is not just based on presentations but includes hands-on demos and walkthroughs. We will introduce you to a variety of Do-It-Yourself IoT platforms including Arduino, Ras...
Our guest on the podcast this week is Jason Bloomberg, President at Intellyx. When we build services we want them to be lightweight, stateless and scalable while doing one thing really well. In today's cloud world, we're revisiting what to takes to make a good service in the first place. Listen in to learn why following "the book" doesn't necessarily mean that you're solving key business problems.
Microservices are the result of decomposing applications. That may sound a lot like SOA, but SOA was based on an object-oriented (noun) premise; that is, services were built around an object - like a customer - with all the necessary operations (functions) that go along with it. SOA was also founded on a variety of standards (most of them coming out of OASIS) like SOAP, WSDL, XML and UDDI. Microservices have no standards (at least none deriving from a standards body or organization) and can be b...
Right off the bat, Newman advises that we should "think of microservices as a specific approach for SOA in the same way that XP or Scrum are specific approaches for Agile Software development". These analogies are very interesting because my expectation was that microservices is a pattern. So I might infer that microservices is a set of process techniques as opposed to an architectural approach. Yet in the book, Newman clearly includes some elements of concept model and architecture as well as p...
SYS-CON Events announced today the DevOps Foundation Certification Course, being held June ?, 2015, in conjunction with DevOps Summit and 16th Cloud Expo at the Javits Center in New York City, NY. This sixteen (16) hour course provides an introduction to DevOps – the cultural and professional movement that stresses communication, collaboration, integration and automation in order to improve the flow of work between software developers and IT operations professionals. Improved workflows will res...
Microservices, for the uninitiated, are essentially the decomposition of applications into multiple services. This decomposition is often based on functional lines, with related functions being grouped together into a service. While this may sound a like SOA, it really isn't, especially given that SOA was an object-centered methodology that focused on creating services around "nouns" like customer and product. Microservices, while certainly capable of being noun-based, are just as likely to be v...
An explosive combination of technology trends will be where ‘microservices’ and the IoT Internet of Things intersect, a concept we can describe by comparing it with a previous theme, the ‘X Internet.' The idea of using small self-contained application components has been popular since XML Web services began and a distributed computing future of smart fridges and kettles was imagined long back in the early Internet years.
Even though it’s now Microservices Journal, long-time fans of SOA World Magazine can take comfort in the fact that the URL – soa.sys-con.com – remains unchanged. And that’s no mistake, as microservices are really nothing more than a new and improved take on the Service-Oriented Architecture (SOA) best practices we struggled to hammer out over the last decade. Skeptics, however, might say that this change is nothing more than an exercise in buzzword-hopping. SOA is passé, and now that people are ...
SOA Software has changed its name to Akana. With roots in Web Services and SOA Governance, Akana has established itself as a leader in API Management and is expanding into cloud integration as an alternative to the traditional heavyweight enterprise service bus (ESB). The company recently announced that it achieved more than 90% year-over-year growth. As Akana, the company now addresses the evolution and diversification of SOA, unifying security, management, and DevOps across SOA, APIs, microser...
Exelon Corporation employs technology and process improvements to optimize their IT operations, manage a merger and acquisition transition, and to bring outsourced IT operations back in-house. To learn more about how this leading energy provider in the US, with a family of companies having $23.5 billion in annual revenue, accomplishes these goals we're joined by Jason Thomas, Manager of Service, Asset and Release Management at Exelon. The discussion is moderated by me, Dana Gardner, Principal A...