Microservices Expo Authors: Liz McMillan, Zakia Bouachraoui, Elizabeth White, Pat Romanski, Yeshim Deniz

Related Topics: Microservices Expo, Cloud Security

Microservices Expo: Article

Unifying Security Policy Across the Web, Web Services, and Web 2.0

Eliminate security policy silos before they are created for eased administration and improved control

Bringing Together XML Gateways and Identity-Centric Web Security Systems
Securing web services has a lot in common with security for websites, in that threats need to be mitigated, requesters need to be authenticated, access needs to be authorized, and sessions need to be maintained. This is why there is an emerging trend toward combining the services of XML Gateways with systems very much modeled on web access management systems; what we will refer to as identity-centric web security systems or shorthand as a Web security system.

When an XML Gateway or a specialized web service agent is used in combination with the centralized policy server of a web security system, it enables security policies to be configured and managed centrally, but enforced in a highly distributed fashion. In this approach the XML Gateway/web service agent/policy server operates in the same best practice PEP/PDP (Policy Enforcement Point/ Policy Decision Point) architecture that security administrators are so familiar with from their Web Access Management (WAM) products.

In Figure 1, we see an XML Gateway being used in the DMZ to manage XML traffic coming in from the Internet. In addition, agents are being used at a Portal Server and at back-end Web services to enforce security policy within those containers. Security policies are being centrally managed with a centralized policy server. In this model the XML Gateway and the various agents fulfill the role of a PEP using policies from the centralized policy server that acts as the PDP. However, from the point of view of the XML traffic, this is only part of what the XML Gateway can do. As well as acting as a PEP, the XML Gateway also:

  • Performs XML traffic management, including rate throttling
  • Transforms XML on-the-fly on the network
  • "Enriches" XML by populating it with information sourced from databases, directories, and other XML documents
  • Performs protocol mediation, for example, by receiving a message over HTTP then putting it onto an IBM WebSphere MQ queue
  • Blocks threatening XML content
  • Keeps a log of all Web services usage
  • Provides "Swim Lanes" to prioritize traffic for preferred web service clients or customers.

A Centralized Policy Server is a central store of security policies that govern the usage of web and web service resources. These policies secure not only HTTP-related traffic but other forms such as SOAP, JMS and MQ using the familiar PEP/PDP security architecture.

In Figure 2, we see both website (browser to website) and web services (application to application with XML/SOAP) traffic being secured with the same web security system. Users who access the web server may indirectly access the web services also, if they are using a web application that makes use of the back-end web services. Notice that when the Policy Server is used for both Web Access Management and XML Security, it effectively becomes a Centralized Policy Server, controlling access for an enterprise's entire set of web sites and web services.

The Agent at the web services container provides last mile security by enforcing security policies on traffic that arrives directly at the web service.

Tying the User to the Service
You may notice in Figure 2 that a user may authenticate to a website that subsequently connects to a web service. In this case, it is often important to bind the user's identity to the web service call. This allows the security system at the web service to enforce access based on the user's identity.

In this case identity information is passed to the back-end web service by means of a session token. In this way, the policy enforcement points can make a decision based on the identity of the person authenticated at the website, even though that person is "one step away" from the back-end web service. It can use the Policy Server to determine if the user has a valid session and also to look up attributes of the user that are used for authorization or personalization. In this way the user does not have to be authenticated twice, once at the website and once at the back-end web service. Instead, the WAM session token is used for single sign-on to the back-end web service.

The steps in this typical scenario are shown in Figure 3.

Enter Web 2.0
Anyone using the web in the last couple of years would be familiar with Web 2.0 sites, even if they are not familiar with the term. Web 2.0 allows significantly more interaction to occur within a website. For example, Google Maps allows the user to drag a map around right inside the browser page. Flickr allows photos to be edited within a web page. In this way Web 2.0 sites feel more like desktop applications than like traditional static websites.

Web services are the technology used on the server side to power Web 2.0 sites. As the user navigates the web page, code is executing in the browser, which connects back to web services at the host site to fetch more information for the user, usually using technologies such as REST and the XMLHttpRequest (XHR) object. This all happens without the user being required to navigate to a new page. For example, Google Maps uses code running in the browser to connect back to web services to fetch more map "panes," even when the user is not dragging the map, so that when they do drag the map, the extra map area is "magically" present. MySpace allows users to change their profile right within a browser page, without the requirement to submit a web form or wait for a new page to load. This also uses code in the browser that connects to web services to perform its actions.

Enterprise users now familiar with consumer sites such as MySpace and Google Maps are demanding more interactive functionality than what has been provided by the static sites of the past. This increased functionality, while beneficial for users needing better access to data and services, represents a real and growing security challenge for enterprises. Users of online banking systems, web-based ordering and tracking systems, and sales force automation systems now expect Web 2.0 functionality. For example, it is attractive to allow online banking users to query and sort their transactions directly in the browser, pulling the data in real-time from web services at the server side, without the requirement to reload the page each time. The use of these web services to fetch such sensitive information rightly starts to ring alarm bells for the enterprise's security professionals.

More Stories By Mark O'Neill

Mark O'Neill is VP Innovation at Axway - API and Identity. Previously he was CTO and co-founder at Vordel, which was acquired by Axway. A regular speaker at industry conferences and a contributor to SOA World Magazine and Cloud Computing Journal, Mark holds a degree in mathematics and psychology from Trinity College Dublin and graduate qualifications in neural network programming from Oxford University.

More Stories By Matthew Gardiner

Matthew Gardiner is a senior principal of Product Marketing at CA and is a recognized industry leader in the security management & IAM markets worldwide. He is published and interviewed regularly in leading industry media on a wide range of IAM and security-related topics and is a member of the Liberty Alliance’s board of directors. Matthew has a BSEE from the University of Pennsylvania and an SM in Management from MIT's Sloan School of Management.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.

Microservices Articles
The now mainstream platform changes stemming from the first Internet boom brought many changes but didn’t really change the basic relationship between servers and the applications running on them. In fact, that was sort of the point. In his session at 18th Cloud Expo, Gordon Haff, senior cloud strategy marketing and evangelism manager at Red Hat, will discuss how today’s workloads require a new model and a new platform for development and execution. The platform must handle a wide range of rec...
When building large, cloud-based applications that operate at a high scale, it’s important to maintain a high availability and resilience to failures. In order to do that, you must be tolerant of failures, even in light of failures in other areas of your application. “Fly two mistakes high” is an old adage in the radio control airplane hobby. It means, fly high enough so that if you make a mistake, you can continue flying with room to still make mistakes. In his session at 18th Cloud Expo, Lee A...
In his general session at 19th Cloud Expo, Manish Dixit, VP of Product and Engineering at Dice, discussed how Dice leverages data insights and tools to help both tech professionals and recruiters better understand how skills relate to each other and which skills are in high demand using interactive visualizations and salary indicator tools to maximize earning potential. Manish Dixit is VP of Product and Engineering at Dice. As the leader of the Product, Engineering and Data Sciences team at D...
Lori MacVittie is a subject matter expert on emerging technology responsible for outbound evangelism across F5's entire product suite. MacVittie has extensive development and technical architecture experience in both high-tech and enterprise organizations, in addition to network and systems administration expertise. Prior to joining F5, MacVittie was an award-winning technology editor at Network Computing Magazine where she evaluated and tested application-focused technologies including app secu...
Containers and Kubernetes allow for code portability across on-premise VMs, bare metal, or multiple cloud provider environments. Yet, despite this portability promise, developers may include configuration and application definitions that constrain or even eliminate application portability. In this session we'll describe best practices for "configuration as code" in a Kubernetes environment. We will demonstrate how a properly constructed containerized app can be deployed to both Amazon and Azure ...
Modern software design has fundamentally changed how we manage applications, causing many to turn to containers as the new virtual machine for resource management. As container adoption grows beyond stateless applications to stateful workloads, the need for persistent storage is foundational - something customers routinely cite as a top pain point. In his session at @DevOpsSummit at 21st Cloud Expo, Bill Borsari, Head of Systems Engineering at Datera, explored how organizations can reap the bene...
Using new techniques of information modeling, indexing, and processing, new cloud-based systems can support cloud-based workloads previously not possible for high-throughput insurance, banking, and case-based applications. In his session at 18th Cloud Expo, John Newton, CTO, Founder and Chairman of Alfresco, described how to scale cloud-based content management repositories to store, manage, and retrieve billions of documents and related information with fast and linear scalability. He addresse...
SYS-CON Events announced today that DatacenterDynamics has been named “Media Sponsor” of SYS-CON's 18th International Cloud Expo, which will take place on June 7–9, 2016, at the Javits Center in New York City, NY. DatacenterDynamics is a brand of DCD Group, a global B2B media and publishing company that develops products to help senior professionals in the world's most ICT dependent organizations make risk-based infrastructure and capacity decisions.
Discussions of cloud computing have evolved in recent years from a focus on specific types of cloud, to a world of hybrid cloud, and to a world dominated by the APIs that make today's multi-cloud environments and hybrid clouds possible. In this Power Panel at 17th Cloud Expo, moderated by Conference Chair Roger Strukhoff, panelists addressed the importance of customers being able to use the specific technologies they need, through environments and ecosystems that expose their APIs to make true ...
In his keynote at 19th Cloud Expo, Sheng Liang, co-founder and CEO of Rancher Labs, discussed the technological advances and new business opportunities created by the rapid adoption of containers. With the success of Amazon Web Services (AWS) and various open source technologies used to build private clouds, cloud computing has become an essential component of IT strategy. However, users continue to face challenges in implementing clouds, as older technologies evolve and newer ones like Docker c...