Within the framework of ITEA (Information Technology for European Advancement) initiative, Pierre Caubit was managing the security part of the LASCOT (LArge Scale COllaborative decision support Technology) program, a human-centred decision support system for crisis management. He works as a systems architect and expert on some of Europe’s largest IT security projects.
At a time when information systems need to be much more open and flexible, SOAs (Service Oriented Architectures) have become a major avenue for technology development. They are based on a simple principle, even if their implementation can be complex: dividing applications between the various ‘services’ within a business, in other words building up a service application portfolio (for example, issuing a purchase order, passing the order to a supplier, calculating the price…) that can be easily aggregated and combined in different ways according to the actual needs of the business. The advantages of the SOA approach are that it enables the organization to make the most of its application portfolio and simplifies exchanges between heterogeneous environments. This means that elements that have already been defined and implemented can be ‘reused’, in order to reduce integration costs and improve responsiveness in the face of changing business needs, not just within the business but also among partners, suppliers, customers, etc.
The basic technology used for these kinds of services is the Web Services model. Although these changes offer huge potential for the future, they also create new kinds of risks, and hence new requirements for systems security in terms of availability, integrity, confidentiality and proof.
Bull has been heavily involved in this fundamental evolution since the new concepts first started to emerge, in the early years of this decade. Apart from research and experiments into the security of SOAP (Simple Object Access Protocol) exchanges, based on the early ‘drafts’ of XML (Extensible Mark-up Language) for big banks, Bull’s main effort has been the development of an XML security infrastructure as part of the LASCOT project within the European Union’s ITEA program, which has produced an open infrastructure that can easily be adapted to any context. Using these technologies, one of Bull’s main aims is to help its customers implement secure SOA middleware infrastructures running under Java, using open and secure technology ‘bricks’.
Web Services open up a whole new, much simpler way of implementing complex processes. They ensure that information systems are more flexible, and are enabling a fundamental conceptual revolution in the definition of ‘applications’. As a result, they will become increasingly virtualized, gradually transformed into numerous distributed Web Services, and at the same time enabling the increased virtualization of entire information systems themselves.
Web services: a flexible approach to systems architecture
Web services enable the implementation of distributed applications that utilize remote, heterogeneous components. The associated technical architecture – still in the process of being standardized – is based on a layered model: transport, service detection, exchanges and communication, description of complex processes, contracts, etc. Specific descriptive languages – based on the XML (eXtensible Mark-up Language) standard – are associated with each layer. A simple and extendable language, XML has emerged as the standard for Web services’ deployment, thanks to the fact that it is much more flexible than the older methods of describing components offered by standards such as DCOM and Corba.
The implementation of Web services is based on the classic ‘publish-find-bind’ model for distributed components. Requests and data interchanges between services are enabled by the SOAP protocol, which is compatible with numerous transport protocols (HTTP, SMTP, POP3, FTP, etc), and carries remote procedure calls expressed in XML, including the sender address, the name of the procedures to be run, and the expected and returned parameters.
Web services accessible on a particular network are described in WSDL (Web Services Description Language). Based, like SOAP, on XML, WSDL enables the access interface to Web services to be described without the need for any content to be installed (such as Enterprise Java Beans, servlets or DCOM components).
The dynamic localization of Web services is also enabled by the UDDI (Universal Description, Discovery, and Integration) standard, which enables the creation of private directory services whose use is limited to a clearly identified group of businesses who are prepared to exchange particular application services: Internet, intranet, extranet, B2B applications... The directory offers a logical view of the available services, even though they may be spread across multiple supplier sites. UDDI is also based on XML in order to describe the information that enables each service to be published and found.
New security demands
Although they provide an essential level of openness, Web Services also introduce new security risks. This profound evolution gives rise to a fundamental need: to guarantee that the suppliers of these services are trustworthy in this type of relationship.
In particular, a real ‘service contract’ needs to be established, to formalize the relationship of trust between the user or customer and the entity supplying the services. This contract will set out precisely the type of service required by the customer, the identification elements (how the customer entity will be identified, the identity of the customer application, the characteristics of that application…) which the customer applications will be capable of providing, so that the supplier can determine the appropriate level of access to their resources. Customers and suppliers will both need to adapt their existing security solutions in order to achieve the necessary service levels.
SAML, the pivotal security standard for authentication and access control
Just such a logical security model is offered by the SAML (Security Assertion Markup Language) standard developed by OASIS (the Organization for the Advancement of Structured Information Standards).
SAML offers a fundamental and innovative approach, which separates the management of those requesting the service and the actual resources themselves, delegating the management of users and customer applications to the entity to which they belong, and offering a new model for controlling access to applications.
SAML defines security structures presented as proofs or 'assertions', as well as the exchange protocol which enables these assertions to be requested and delivered. What’s more, the latest version of the SAML standard (version 2.0 published in March 2005) incorporates the centralization/decentralization principles and mechanisms recognized by the Liberty Alliance.
SAML’s main objective is to specify the security models expected for Web services. Nevertheless, because SAML is a high-level standard, it is also usable in more traditional HTTP environments. In this case, it enables a user to be authenticated and provides SSO (Single Sign-On) identification.
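To make the assertion model concrete, here is an added example (not code from the article or from Bull’s products) of the checks a service would apply to the terms of a SAML 2.0 assertion before trusting it: issuer, validity window, intended audience and the role attribute used as an access-control criterion. The assertion, the issuer and audience URLs and the `role` attribute name are all constructed for the example, and signature verification is assumed to happen before this step.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Constructed SAML 2.0 assertion (not from the article): issuer, subject,
# validity window, intended audience and a 'role' attribute.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2005-03-15T10:00:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2005-03-15T10:00:00Z" NotOnOrAfter="2005-03-15T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://orders.example.org</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="role">
      <saml:AttributeValue>purchaser</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def _utc(value):
    # SAML uses xs:dateTime in UTC; the sample uses the 'Z' suffix form.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_assertion(xml_text, trusted_issuer, my_audience, now):
    """Return the reasons for rejecting the assertion (empty list = accept). The
    XML-Signature is assumed to be verified by the caller; only the terms are checked."""
    root = ET.fromstring(xml_text)
    problems = []
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != trusted_issuer:
        problems.append("untrusted issuer: %s" % issuer)
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        problems.append("no Conditions element")   # no validity window at all
    else:
        now_dt = _utc(now)
        if cond.get("NotBefore") and now_dt < _utc(cond.get("NotBefore")):
            problems.append("assertion not yet valid")
        if cond.get("NotOnOrAfter") and now_dt >= _utc(cond.get("NotOnOrAfter")):
            problems.append("assertion expired")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if audiences and my_audience not in audiences:
            problems.append("assertion not addressed to this service")
    return problems

def roles(xml_text):
    """Values of the 'role' attribute: the RBAC criterion the article describes."""
    root = ET.fromstring(xml_text)
    return [v.text for a in root.findall(".//saml:Attribute[@Name='role']", NS)
            for v in a.findall("saml:AttributeValue", NS)]
```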
Apart from SAML, other specifications complement this core standard, such as WS-Security, XACML, XKMS, XML-Signature and others. In particular, proprietary mechanisms can be used to provide access control and decision functions, or they can use the SAML authorization assertion and specific decision mechanisms in the XACML (eXtensible Access Control Markup Language) standard.
- WS-Security, distributing Web services security elements – WS-Security aims to ensure that security elements exchanged by Web services are compatible. The WS-Security structure forms part of the header of SOAP messages.
- XACML, describing the policies for accessing particular resources – The ultimate purpose of client authentication is to grant access to resources only on the basis of definite criteria. Following on from individual authorization, then the authorization of groups of users, we are starting to see the emergence of the so-called RBAC (Role-Based Access Control) model. This development, set in motion by SAML, makes the concept of a ‘role’ more widespread and is proving itself to be very effective operationally. It involves using the full range of user characteristics as authorization criteria. Among the raft of new security standards, OASIS is recommending the use of XACML to describe the rules governing access to resources in a standard way, in XML. The standard does not concern itself with interoperability between independent organizations, but does aim to ensure the portability and permanence of access control policies described and used in a particular organization. XACML offers much more powerful ways of describing access control rules than traditional solutions.
- XKMS, simplifying the management of digital certificates – The new security standards apply not only to signatures, but also to the digital coding of the XML structures being exchanged. These operations essentially relate to the use of asymmetric key algorithms and their related X509 certificates. XKMS (XML Key Management Specification) aims to simplify and generalize the management of digital keys traditionally enabled by PKIs (Public Key Infrastructures), in order to speed up the deployment of applications and processes using this type of service. XKMS specifies the trust relationships based on keys, their certification and verification, and so on.
- XML-Signature & Encryption – Signature and digital encryption of XML structures. The digital signature and other elements associated with the encryption of a particular structure are described in standard XML structures. This standardization enables any recipient to verify a digital signature and decrypt information that he or she has been sent. It involves ensuring the interoperability of signature and encryption operations.
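The XACML item above describes role-based rules in XML without showing one; the following added example (not from the article or from any Bull product) is a constructed XACML 2.0 policy in which the ‘purchaser’ role may reach the purchase-order resource, together with a minimal policy decision function that evaluates requests against it. The policy, the `role` attribute id and the resource names are assumptions for the example, and only the string-equal match function and the first-applicable rule-combining algorithm are implemented.

```python
import xml.etree.ElementTree as ET
NS = {"x": "urn:oasis:names:tc:xacml:2.0:policy:schema:os"}
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
# Constructed XACML 2.0 policy (not from the article): the 'purchaser' role may
# reach the purchase-order resource; anything else falls through to Deny.
SAMPLE_POLICY = """<Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os" PolicyId="orders"
 RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
 <Target/>
 <Rule RuleId="purchasers-reach-orders" Effect="Permit"><Target>
  <Subjects><Subject><SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
   <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">purchaser</AttributeValue>
   <SubjectAttributeDesignator AttributeId="role" DataType="http://www.w3.org/2001/XMLSchema#string"/>
  </SubjectMatch></Subject></Subjects>
  <Resources><Resource><ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
   <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">purchase-order</AttributeValue>
   <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
  </ResourceMatch></Resource></Resources>
 </Target></Rule>
 <Rule RuleId="default-deny" Effect="Deny"/>
</Policy>"""

def _alternative_matches(alternative, request):
    # Every *Match inside one Subject/Resource/Action element must hold.
    for match in alternative:
        if match.get("MatchId") != STRING_EQUAL:
            raise ValueError("unsupported MatchId: %s" % match.get("MatchId"))
        expected = match.find("x:AttributeValue", NS).text
        designator = next(c for c in match if c.tag.endswith("AttributeDesignator"))
        if request.get(designator.get("AttributeId")) != expected:
            return False
    return True

def _target_applies(target, request):
    # An absent or empty Target applies to every request; otherwise each category
    # present needs at least one alternative whose matches all hold.
    if target is None or len(target) == 0:
        return True
    for category in ("Subjects", "Resources", "Actions"):
        block = target.find("x:" + category, NS)
        if block is not None and not any(_alternative_matches(a, request) for a in block):
            return False
    return True

def decide(policy_xml, request):
    """Return Permit, Deny or NotApplicable for a request given as {attribute-id: value};
    only the first-applicable rule-combining algorithm is handled here."""
    policy = ET.fromstring(policy_xml)
    if not policy.get("RuleCombiningAlgId", "").endswith(":first-applicable"):
        raise ValueError("only first-applicable is implemented in this example")
    if not _target_applies(policy.find("x:Target", NS), request):
        return "NotApplicable"
    for rule in policy.findall("x:Rule", NS):
        if _target_applies(rule.find("x:Target", NS), request):
            return rule.get("Effect")
    return "NotApplicable"
```

The role value fed into `request` is exactly what the SAML attribute statement carries, which is how the two standards chain together.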
The following diagrams show the consistency between these standards, and their functional and technical interdependence. In effect, they form a coherent chain of services: with each level (link in the chain) being dependent on the level beneath it (the link below).
Web services security: new challenges
One of the biggest challenges with these new security standards is to succeed in translating them into homogeneous solutions. The creation of a simple and effective solution definitely requires a high level of technical expertise and capacity for synthesis.
In effect, the security infrastructure should simplify the security of Web applications accessed by users from browsers, as well as enabling overall management of security by systems administrators who may not be specialists in a particular environment (such as Java). A good implementation should effectively hide the technicalities both from the applications that use it and from the security administrators.
- Providing non-invasive security controls – In Bull’s assessment, the main challenge that security infrastructures have to overcome is to ensure that the implementation of the new XML security standards is simple and transparent. In effect, we believe the adoption of these new standards by public and private sector organizations will be just as rapid as their implementation will be smooth, without disturbing applications that are already in place.
- Automating digital certificate management – Web services security depends on the digital signature of the XML structures being exchanged. This signature utilizes asymmetric key encryption techniques and X509 digital certificates. Security depends on the reliability of the techniques used to generate and preserve the keys, and the effectiveness of the management and control of the digital certificates being used. Efficient automation of these activities is essential.
- Simplifying security administration – The availability of a unified and intuitive administrative approach and control functions is absolutely indispensable. The successful implementation of new security services will essentially depend on the simplicity and effectiveness of these tools.
Bull: an advanced XML security architecture
Bull has carried out a number of R&D projects designed to respond to these issues. Other work has also been carried out on the design and integration of various solutions, now available with the ‘Secure Access Manager - J2EE Edition’ module from the company’s specialist subsidiary Evidian, as well as via a modular framework adaptable to all kinds of customer environments. This framework is used by Bull Services on specific systems integration projects.
These solutions respond in particular to the three challenges noted above:
- Providing non-invasive security controls – The security mechanisms implemented by Bull, based on Java J2EE and XML standards, control access to applications without interfering with the application itself, and the same non-invasive mechanisms are available to the security controls. As a result, there is no need to develop specific security functions for each application, or even to call particular security functions: the controls can be ‘stationed’ on the application infrastructure, and the application does not need to address the actual security issues itself.
- Automating digital certificate management – To achieve this, Bull has designed software modules that incorporate and extend the possibilities offered by XKMS servers: on the one hand, simplified mechanisms for generating, revoking, renewing and verifying certificates in such a way as to ensure service continuity for both security components and applications, and on the other hand, mechanisms for generating key pairs and safeguarding private keys in protected environments (which may be specialist hardware resources).
- Simplifying security administration – Finally, Bull can put in place a configuration server that enables the characteristics of each component to be administered using a central security database. This mechanism greatly simplifies the management of all infrastructure components. As a result, only a minimum of information is required when installing a new security component for the first time: identity, access code, access point to a configuration server… Detailed configuration information is received directly from the configuration server.
The objective of security infrastructures designed in this way is to ensure interoperability between the equivalent functional security layers and integration between the various security layers, as well as to implement a security administration approach that offers a consistent and easily managed view of security.
The diagram below shows Bull’s general XML security architecture and its main components.
Bull has successfully implemented these emerging security standards on many projects. In addition to the research work carried out as part of the ITEA program (on the LASCOT project), various consultancy projects on information systems and Web services security have been carried out for major government departments and the French national central Information Systems Security Division (the DCSSI) over the past three years. In particular, advanced implementations have been delivered to enable the migration of the French Equipment Ministry’s ‘Cerbère’ security solution to SAML and WS-Security. Since 2002, Bull has also been working in partnership with Deutsche Post (the German Post Office) to gradually introduce these new principles into its Web services-oriented security infrastructure – one of the most ambitious in Europe – based on Evidian’s J2EE Secure Access Manager.
These security technologies have also been put at the heart of BSOA, Bull’s integrated Java middleware application platform, based on Open Source components including the JOnAS application server and additional components. This is a particularly open platform designed to enable the design, development, implementation and administration of service-oriented architectures (SOAs). Its aim is to implement tomorrow’s new technologies today, in a highly flexible and pragmatic way, using open and adaptable solutions.
When it comes to R&D, and following on from the LASCOT project and its work as part of the ITEA initiative, Bull has also been looking at ways of evaluating the benefits of semantics techniques (the Semantic Web and ontology) in facilitating the implementation of these new technologies.
This will be a major challenge for the next few years. In effect, new e-government projects will involve increasing numbers of exchanges with independent partners (other public sector bodies and various other organizations) and under these conditions will need to rely on recognized mechanisms capable of supporting this level of openness. With this kind of approach, it is most likely that they will require Web services, and other mechanisms capable of ensuring that they are secure, to be used. The answer to this requirement should put the emphasis on the functional effectiveness and flexibility of the proposed solution. Although the security component is essential, it should not impose significant extra costs either in the implementation or in the administration of the solution. The technological opportunities offered by Internet infrastructures, XML, Web services and semantic analyses should encourage the increased automation and reliability of technical processes.
Glossary
- SAML: Security Assertion Markup Language
- SOAP: Simple Object Access Protocol
- SSL: Secure Sockets Layer
- TLS: Transport Layer Security
- UDDI: Universal Description, Discovery, and Integration
- XACML: Extensible Access Control Markup Language
- XKMS: XML Key Management Specification
- XML: Extensible Markup Language