Fine grained authorization for
Web Services
Jonathan Gershater
Solution Architect
http://www.layer7tech.com
What you will learn in this session


 1. The difference between fine grained and coarse
 grained authorization

 2. The challenge with implementing fine grained
 authorization in service based architectures

 3. How to leverage existing identity infrastructure for
 entitlements management

 4. How to use policy enforcement intermediaries to
 enforce entitlement preferences

                                                           March 2008
Traditional enterprise

 Independent applications, each with its own access control
 mechanisms and authorization policies.

Traditional enterprise security

 Protected by
 • A gate-keeper firewall primarily offering network level
 TCP/IP protection.
 • URL-only protection using agent-based SSO solutions.

The New Enterprise: SaaS, Web 2.0, Legacy

 The challenge:
 • Mixed application and integration environment
 • Diverse credential requirements
 • Existing SSO and user directories
 • No centralized policy control and audit
 • Services requiring fine grained authorization

SaaS, Web2.0, Integrated enterprise
 (two diagram slides; no text captured)

Web Services authentication:
 The Many-To-Many Problem

 Tokens carried with a request:
 • Transport (HTTP header, X.509, etc.)
 • Message (UTP, X.509, ...)

 Authentication sources:
 • LDAP Directory
 • Proprietary IAM
 • Certificate Servers (OCSP, CRLs, etc.)
 • etc.

 Any of the token types may arrive with a request to a Web Service and
 must be validated against any of the authentication sources; without an
 intermediary every service has to handle every combination itself.
Complexity grows!

 • Multi-platform, multi-development environment
 (.NET, J2EE frameworks, other)
 • Support mobile users / disconnected applications
 • Support conditional expressions for authorization
 • Use existing authentication sources

Quick review of AAA


•Authentication – who are you?

•Authorization – what can you do?

•Auditing – who did what?

What is coarse versus fine grained authorization?

 What is authorization? The difference between

 coarse grained authorization (static):
 • By job role
 • By IT-defined role
 • By group membership

 and fine grained authorization (dynamic):
 • By transaction type
 • By time of day or day of week

Sample fine grained AuthZ request

Stock quote can be anonymous.
Stock purchase during trading hours must be:
 • Authenticated
 • over SSL
 • within working hours
 • not from a suspect network

Expressed as a policy condition:

 (user = Name_of_Stockbroker)
 AND (SSL = TRUE)
 AND ((hour > 6am) AND (hour < 1pm))
 AND (ip_address_segment != 155.154.133.0)

Solution
Policy Decision Point (PDP) that intercepts and examines
XML packets at the application layer:

• Identifies service endpoint
• Authenticates requester with support for diverse
credential types
• Integration with diverse SSO, Federation and user
directories
• Performs fine-grained authorization of an operation
within a service
• Credential chaining and translation
• SAML issuing for downstream consistency

Policy Decision Points (PDP)
 (diagram slide; no text captured)

Also... SAMLP query to Policy Decision Point (PDP)
 (diagram slide; no text captured)

Other solutions – an XACML query

A Policy Enforcement Point (PEP) makes an XACML query
to a Policy Decision Point (PDP):

• The PEP sends an XACMLAuthzDecisionQuery

• The PDP returns an XACMLAuthzDecisionStatement carrying
the decision (Permit, Deny, NotApplicable or Indeterminate)

Policy Enforcement Point makes an XACML query
 (diagram slide; no text captured)

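The stock-purchase rule from the sample AuthZ request, carried over the PEP-to-PDP exchange described on the XACML slides, as an added Python example; it is not part of the original deck and not Layer 7 SecureSpan code. The XACML 2.0 context namespace and the subject-id, resource-id and action-id attribute identifiers are the standard ones; the urn:example environment attribute ids, the stockbroker name, the /24 mask on the suspect segment and the sample requests are assumptions made for this example. The PDP is called directly here, where a real deployment would wrap the same Request and Response in an XACMLAuthzDecisionQuery and XACMLAuthzDecisionStatement.

```python
"""PEP -> PDP exchange for the stock-trading rule, carried as an XACML 2.0
request/response context. Added example, not Layer 7 SecureSpan code."""
import ipaddress
import xml.etree.ElementTree as ET

XACML_NS = "urn:oasis:names:tc:xacml:2.0:context:schema:os"  # standard namespace
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
ET.register_namespace("xacml-context", XACML_NS)

# Standard XACML attribute ids; the urn:example environment ids are assumed.
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
ENV_TLS = "urn:example:environment:tls"            # "true" / "false"
ENV_HOUR = "urn:example:environment:hour"          # local hour, 0-23
ENV_SOURCE_IP = "urn:example:environment:source-ip"

# Policy data from the slide: the one authorised broker, trading hours
# (hour > 6am AND hour < 1pm) and the suspect segment (assumed to be a /24).
STOCKBROKER = "Name_of_Stockbroker"
TRADING_HOURS = range(7, 13)
SUSPECT_NET = ipaddress.ip_network("155.154.133.0/24")


def tag(name):
    return f"{{{XACML_NS}}}{name}"


def build_request(subject, resource, action, env):
    """PEP side: marshal the attributes into an XACML Request.
    A None subject is an anonymous request, sent as an empty Subject."""
    req = ET.Element(tag("Request"))
    cats = {c: ET.SubElement(req, tag(c))
            for c in ("Subject", "Resource", "Action", "Environment")}

    def add(category, attr_id, value):
        a = ET.SubElement(cats[category], tag("Attribute"),
                          AttributeId=attr_id, DataType=XS_STRING)
        ET.SubElement(a, tag("AttributeValue")).text = str(value)

    if subject is not None:
        add("Subject", SUBJECT_ID, subject)
    add("Resource", RESOURCE_ID, resource)
    add("Action", ACTION_ID, action)
    for attr_id, value in env.items():
        add("Environment", attr_id, value)
    return ET.tostring(req, encoding="unicode")


def parse_request(xml_text):
    """PDP side: flatten the Request into {category: {attribute-id: value}}."""
    attrs = {}
    for cat in ET.fromstring(xml_text):
        values = attrs.setdefault(cat.tag.split("}")[1], {})
        for a in cat.findall(tag("Attribute")):
            values[a.get("AttributeId")] = a.findtext(tag("AttributeValue"))
    return attrs


def decide(attrs):
    """Evaluate the slide's rule; returns (decision, reason). Deny by default."""
    action = attrs["Action"].get(ACTION_ID)
    env = attrs.get("Environment", {})
    if action == "quote":
        return "Permit", "stock quotes are anonymous"
    if action != "purchase":
        return "NotApplicable", "no rule covers this action"
    if attrs.get("Subject", {}).get(SUBJECT_ID) != STOCKBROKER:
        return "Deny", "requester is not the authenticated stockbroker"
    if env.get(ENV_TLS) != "true":
        return "Deny", "purchase not made over SSL/TLS"
    try:
        hour = int(env[ENV_HOUR])
        source = ipaddress.ip_address(env[ENV_SOURCE_IP])
    except (KeyError, ValueError):
        return "Indeterminate", "missing or malformed environment attribute"
    if hour not in TRADING_HOURS:
        return "Deny", "outside trading hours"
    if source in SUSPECT_NET:
        return "Deny", "request from suspect network segment"
    return "Permit", "all purchase conditions satisfied"


def build_response(decision, reason):
    """PDP side: wrap the decision in an XACML Response with a Status."""
    resp = ET.Element(tag("Response"))
    result = ET.SubElement(resp, tag("Result"))
    ET.SubElement(result, tag("Decision")).text = decision
    status = ET.SubElement(result, tag("Status"))
    code = "missing-attribute" if decision == "Indeterminate" else "ok"
    ET.SubElement(status, tag("StatusCode"),
                  Value=f"urn:oasis:names:tc:xacml:1.0:status:{code}")
    ET.SubElement(status, tag("StatusMessage")).text = reason
    return ET.tostring(resp, encoding="unicode")


def pep_authorize(subject, resource, action, env):
    """PEP: query the PDP and fail closed, forwarding only on an explicit Permit."""
    request_xml = build_request(subject, resource, action, env)
    response_xml = build_response(*decide(parse_request(request_xml)))
    decision = ET.fromstring(response_xml).findtext(
        f"{tag('Result')}/{tag('Decision')}")
    return decision == "Permit", decision
```

The PEP treats anything other than an explicit Permit, including NotApplicable and Indeterminate, as a denial, which is the fail-closed behaviour an intermediary should have. The hour and source address are environment attributes the gateway itself supplies from the connection it terminated, not values the requester is allowed to assert in the message.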
Layer 7 solution for fine grained authorization

Policy Decision Point (PDP):

• Highly available / clustered.
• Integrates with several Web Single Sign-On and
Policy Decision Point sources.
• Supports any information store: databases or
Secure Token Services.
• Generates the appropriate SAML assertion for
authorization decisions.

Appliance, software or virtual machine solution

 Message level intermediary between services and requesters:
 sits between internal and external application consumers and
 the services they call (diagram; no further text captured).

Layer 7 SecureSpan Gateway

 Runtime Governance - Policy Enforcement Point

 • PEP validates policy compliance and applies security decorations
 • Security requirements defined by an administrator
 • Policies become effective independently of the actual services

SecureSpan Solution Advantages, Differentiators

 • Sophisticated policy language enables complex governance
 requirements
 • Available as hardware appliance with XML accelerator or as
 software
 • Quick deployment, ease of use
 • Extensible through APIs
 • Instant policy application (no service downtime)
 • Standards based
 • Industry leadership

Thanks and questions



                  Jonathan Gershater


                  jg@layer7tech.com

              http://www.layer7tech.com

            http://layer7blog.blogspot.com/
