Creating a Security-Rich Environment For Your SOA

Service oriented architecture solutions
To support your IT objectives

In today’s marketplace, competing effectively makes innovation a business necessity. Many organizations are adopting service oriented architecture (SOA) as a critical part of their business-innovation strategy. SOA provides companies with a standards-based integration and development architecture that effectively overcomes differences in platforms, software architecture, languages, messaging formats and protocols. By loosely coupling certain elements of an IT environment, SOA enables IT components, such as an application interface, to be separated from an application implementation to increase flexibility and reduce disruptions caused by change. As a result, you can incorporate new, innovative ways to use your technology assets to serve everyone along your organization’s value chain — enabling you to focus on the business by delivering unparalleled IT flexibility to support the business flexibility you need to thrive in a fiercely competitive marketplace.

Meeting today’s business challenges

Although the current business climate demands this kind of flexibility, your business can be only as flexible as the IT systems that support it. With this new adaptability comes a new level of demand on your IT operations team, its processes and its ability to manage these services — and extending to the security of these services.

SOA-based services involve composite applications with service-to-service dependencies. As a result, traditional resource-centric security, while still necessary, is no longer adequate for dynamic SOA environments. SOA security requires a user-based security focus. The identifying information and credentials that users provide to authenticate can run across services in an SOA. You must ensure that the security controls in place are robust enough to prevent a breach as the information moves across various systems. And in an era when compliance-reporting mandates are a fact of life for most businesses, you must ensure that all of this information remains auditable.

Identity and access control across services

Today’s global marketplace means that for many organizations, applications that have been moved to an SOA environment must be extended to offer a service interface to new sets of users that were neither envisioned originally nor included in previous instances. Extending resources in this way requires that you reassess your security risk. To minimize any risk, you need the right level of security checks for user authentication and authorization. Redeploying existing applications as services also requires you to assess identity, access management and threat management. And your IT staff needs to be able to determine when confidentiality and access controls must be applied to these services when they use common application assets.

As IT infrastructures have grown in complexity, what the term identification means has been redefined and broadened. Now identification must be checked all along the way — not just upon entering a site, but upon each transaction made within the site. Logging in, accessing data, making transactions — credentials are verified in the beginning, then passed along each time after that.

For this reason, federated-identity management is key in an SOA environment. A federated identity is a unique user identity — a kind of “digital passport” — that is recognized and honored among trusted parties. With SOA, identifying a user is about more than a single act of authentication; it is about the presence of an ID in the life cycle of a service. Federated-identity management enables your organization to share or access services from other organizations, without the often difficult and expensive task of managing users outside your business. As your business grows, you will add more services and organizations to your SOA environment.
As a result, the number of user identities that must be authenticated, authorized and managed can grow exponentially. But with the right federated-identity management solution, each identity can be managed from a common administrative service.

As a leader in the SOA marketplace, IBM offers robust, security-rich solutions to protect identities and information as it moves across and beyond your enterprise. These solutions include:

• IBM Tivoli® Federated Identity Manager
• IBM Tivoli Federated Identity Manager for z/OS®
• IBM Tivoli Access Manager for e-business
• IBM WebSphere® DataPower® XML Security Gateway XS40

Tivoli Federated Identity Manager offers an efficient and effective way to manage and validate user identities across the SOA environment and provide a robust identity-assurance and trust-management solution. Tivoli Federated Identity Manager is based on IBM WebSphere technology, enabling it to enforce a consistent identity propagation and token mediation across diverse, heterogeneous enforcement points, such as XML firewalls, application servers and enterprise service bus.

Tivoli Federated Identity Manager for z/OS provides a strong security bridge for distributed applications and mainframe applications by integrating with IBM RACF® software to enable end-to-end identity propagation and secure access to mainframe applications. As part of this support, the federated audit solutions delivered by Tivoli Federated Identity Manager for z/OS support the auditing of the identity-mapping function used to create the bridge between RACF and distributed identity management.

Tivoli Access Manager for e-business offers a centralized, policy-based access-control solution for enterprise applications, featuring a Web-based single sign-on and distributed, Web-based administration. Tivoli Federated Identity Manager integrates with Tivoli Access Manager for e-business to authenticate, authorize and audit user access in an SOA environment.

WebSphere DataPower XML Security Gateway XS40 is a powerful security and policy-enforcement point for controlling access to XML Web services, enabling the XS40 to seamlessly integrate with all types of access-control architectures, such as Tivoli Access Manager or Tivoli Federated Identity Manager.

Assure service security with message and user-based protection

One of the first areas where security is introduced is within messaging middleware. Previously, a point-to-point security approach for network security protocols such as Secure Sockets Layer (SSL) or Transport Layer Security (TLS) was deemed sufficient. In today’s SOA environments, end-to-end security techniques — including message-level security — are required, based on services spanning corporate and organizational boundaries. Securing the messages in SOA — as well as helping to ensure consistent application of message security policy — is of paramount concern.

XML Web services can easily expose back-end systems to entities outside the firewall, but traditional security devices do not secure XML or SOAP messages. For example, a SOAP request transmitted through HTTP tunneling bypasses the firewall, by design. XML Web services can also pose a high security risk because of the very fact that they occur in large volumes in many different places across the SOA environment, making them hard to track and monitor.

Message-level security helps ensure that the body of a message — where the data and request information is located — is protected throughout transit of the message, regardless of its routing, including through untrusted points such as routers or switches.
An additional layer of security is required that can parse, validate schema, encrypt and decrypt messages, and provide digital signatures for XML Web service transactions. This level of security is often provided with a dedicated SOA appliance inside the firewall, ideally one capable of providing the wire-speed performance necessary in today’s business environments. The WebSphere DataPower XML Security Gateway XS40 provides an XML threat-reduction and security-enforcement point for XML messages and Web service transactions, including encryption, filtering, digital signatures, schema validation, WS-Security, XML access control, XPath and detailed logging. The WebSphere DataPower XML Security Gateway XS40 also includes an easy-to-use XML firewall, service-level management, and access-control enforcement.

You can use WebSphere DataPower XML Security Gateway XS40 to simplify, help secure and accelerate your SOA infrastructure. Its standards-based integration fits into enterprise IT infrastructures and is designed for simplified management of applications and services, as well as the underlying infrastructure.

Monitor and enforce policies for audit and compliance

Today, most companies are subject to data-privacy regulations. As a result, companies need to define consistent security policies and then monitor compliance with these policies along with government regulations. This monitoring must be accompanied by complete audit trails to provide proof of policy enforcement. SOA can complicate this process.

To address this challenge, companies need the ability to reconcile user audits between applications and processes. Tivoli Federated Identity Manager provides these reconciliations and is integrated with IBM Tivoli Compliance Insight Manager, which is designed to support security compliance and audit management with a powerful solution for monitoring, correlating and reporting on user activity across the enterprise.

Specifically, Tivoli Compliance Insight Manager consolidates the following critical functions:

• It captures relevant security-audit data from a broad set of systems, including applications, databases, operating systems, mainframes, security devices and network devices. A log-continuity mechanism helps ensure that internal controls over log collection are properly carried out.
• It correlates collected data for comprehension of audit risks, which is facilitated through transforming events and alerts into a normalization format for analysis.
• It communicates through effective reporting on the status of user activity within IT systems. This capability enables executives to see the ongoing status of security operations, including attempts to gain unauthorized access, how those attempts were stopped and recommendations about how to prevent similar attacks.

In addition, WebSphere DataPower XML Security Gateway XS40 provides centralized control and view of services within an SOA to meet compliance requirements. Its policy enforcement blocks XML Web service threats, helps ensure secured access and helps enforce service levels. This SOA appliance can easily manage and secure multiple Web services and helps ensure full policy compliance within your IT infrastructure.

Services to help you achieve your security-management goals

IBM provides professional services expertise to help you develop a security-management solution that best suits your business needs.

IBM SOA Application Security Assessment provides a comprehensive review of your organization’s application-security requirements and potential vulnerabilities, along with providing recommendations about how to eliminate or reduce security exposures.

IBM SOA Security Requirements services offer a comprehensive review of both SOA and enterprise security requirements to help ensure a safe environment for an SOA deployment.
This offering also provides a security-rich foundation that is user-centric and complementary to the layered security functions required by loosely coupled distributed services.

IBM SOA Security Architecture services help you develop an architecture that addresses security requirements, including security best practices that can support confidentiality, integrity and auditing solutions. And IBM SOA Security Implementation services enable you to deploy an SOA security architecture that allows for the implementation of security best practices and help satisfy security requirements.

The right security solutions for your SOA

Business transformation requires security transformation. An SOA approach can help you increase the flexibility of your business processes by making the most of your underlying technology infrastructure through the reuse of existing and new IT assets. These unique capabilities help reduce development and maintenance costs while enabling you to bring innovative products and services to market ahead of the competition.

An SOA can dramatically affect business responsiveness, but it can also increase the complexity of securing business systems and applications. IBM security-management solutions enable you to integrate security management into your SOA. Such integration can help ensure that you can protect the sharing of information and processes within and between organizations, while also increasing the operational efficiencies of SOA deployments.

For more information

To learn more about IBM security-management solutions, contact your IBM representative or IBM Business Partner, or visit: ibm.com/software/solutions/soa/mgmtsec/

© Copyright IBM Corporation 2007

IBM Corporation
Software Group
Route 100
Somers, NY 10589
U.S.A.

Produced in the United States of America
07-07
All Rights Reserved

DataPower, IBM, the IBM logo, RACF, Tivoli, WebSphere, and z/OS are trademarks of International Business Machines Corporation in the United States, other countries or both.

Other company, product and service names may be trademarks or service marks of others.

BFB11347-USEN-00