A Trust Model for Web Services Ph.D Dissertation Progess Report

1
A Trust Model for Web ServicesPh.D
Dissertation Progess Report Candidate Nelly A.
Delessy, Advisor Dr E.B. FernandezDepartment
of Computer Science and EngineeringFlorida
Atlantic University, Boca Raton FL
2
Introduction

• Dissertations goal to develop a unified trust
  model for web services
• Will indicate how it can be interfaced to
  existing access control model for web services
• Will include trust management through trust
  policies, and dynamic aspects such as trust
  negotiation
• Using UML and/or some mathematical formalism

3
Agenda

• Existing Web services Access Control Models
• Patterns for XACML
• Future work
• Patterns for the WS- Family
• Comparison

4
Web services Access Control Models Patterns for
XACML

• The eXtensible Access Control Markup Language
  (XACML) has been defined by OASIS
• includes a policy and an access decision
  language.
• They define ways to express authorization rules
  and to enforce these rules
• The XACML profile for web services, also known as
  WSPL (Web Services Policy Language), is a
  language to declare authorization rules for
  protecting web services endpoints.
• We describe three patterns
• XACML Policy Language
• XACML Access Control Evaluation
• WSPL

5
XACML Policy Language

• XACML enables an organization to represent
  authorization rules in a standard manner.
• Context
• A complex environment such as a large enterprise
  with many partners, contractors
• Problem
• Resources are usually from various types and the
  enforcement mechanisms come in various forms
• policies are implemented in many locations, using
  different syntaxes
• Security policies in an organization are
  typically issued by different actors and and the
  policies they write may concern a wide and
  overlapping set of resources
• ? Defining these policies may be complex, and
  thus error prone.

6
XACML Policy Language

• Problem
• How do we unify the definition of access policies
  throughout the organization, making the whole
  system simpler and less error-prone?
• Forces
• Policies may be expressed in different forms
• Policies are constantly changing and they need to
  be constantly updated
• An active entity accessing a resource can be
  represented in a variety of ways
• Some policies can require a set of actions (or
  obligations) to be performed in conjunction with
  policy enforcement (auditing, notification)
• The environment in which the access is requested
  can also affect an access decision. For instance,
  an access may only be permitted at some hours of
  the day

7
XACML Policy Language

• Solution
• Write all policies in a common language using a
  standard format.
• This format is generic enough to implement some
  common high level policies or models (open/closed
  systems, extended access matrix, RBAC,
  multilevel).
• In addition, define a way to compose policies so
  that when several policies apply to one access,
  it is possible to render one unique decision. The
  policies are defined with an embedded combining
  algorithm.

8
XACML Policy Language
9
XACML Policy Language

• Dynamics Create a new policy

10
XACML Policy Language

• Implementation
• Define semantics for the subject, the resource
  and the environments attributes.
• Translate existing rules in the XACML format.
• Define new rules and implement them as XACML
  rules and policies.
• Add/Remove policies when needed.

11
XACML Policy Language

• Consequences
• The organizations policies to control access are
  easily defined using he constructs of the
  language. This makes the whole system less
  complex, and thus more secure.
• A variety of policy types can be described, as
  the policy language includes the resource, the
  subject and the environment attributes.
  Moreover, these attributes can be from existing
  standards (LDAP attributes, SAML, ), and are
  extensible.
• Similarly, a variety of subject types can be
  described.
• Policies and rules can be easily combined.
• A policy writer can specify complex conditions.
• This pattern enables logging or other actions
  through the obligation concept

12
XACML Policy Language

• Known Uses
• This pattern is used in several commercial
  products
• Xtradyne's WS-DBC (an XML Firewall),
• DataPower's XS40 XML Security Gateway
• Parthenon Computing has produced a suite of
  Policy products based on XACML (Policy Tester,
  Policy Engine, Policy Server)
• Sun provides an open source implementation
  written in Java

13
XACML Policy Language

• Related Patterns
• The policies are structured according the
  Composite Pattern Gam95.
• The Role-Based Access Control pattern, a
  specialization of the authorization pattern, is
  applicable if the policies subjects attributes
  are defined in terms of roles Fer01.

14
XACML Access Control Evaluation

• XACML defines a standard request/response syntax
  for access control decisions.
• Context
• A complex environment such as a large enterprise
  with many partners, contractors
• These various actors are accessing the
  organizations resources
• These accesses are controlled at several
  enforcement points, according to security
  policies.
• Problem
• Resources are usually from various types and the
  enforcement mechanisms come in various forms ?
  the organization has to write and maintain
  numerous authorization systems for its networks
• How do we enforce the rules defined in the
  institution policies?

15
XACML Access Control Evaluation

• Forces
• Enforcement points could be implemented in a
  variety of technologies (part of a Web Server,
  WAN, ).
• Any type of security policy should be enforced.
• Solution
• Protect each resource by a PolicyEnforcementPoint.
  
• All access requests are submitted to a unique
  PolicyDecisionPoint in a common format.
• This PolicyDecisionPoint returns the access
  decision, based on the ApplicablePolicy
  corresponding to the accesss context.

16
XACML Access Control Evaluation
17
XACML Access Control Evaluation

• Dynamics Controlling an access request for a
  resource

18
(No Transcript)
19
XACML Access Control Evaluation

• Implementation
• Implement a ContextHandler for applications that
  already have a PolicyEnforcementPoint that use
  another access decision language
• Implement an XACML PolicyEnforcementPoint for
  those applications that do not implement access
  control
• Add the translated existing authorization rules
  to the PolicyAdministrationPoint
• Add the new authorization rules to the
  PolicyAdministrationPoint

20
XACML Access Control Evaluation

• Consequences
• Advantages
• Since the access decisions are requested in a
  standard format, an access decision becomes
  independent from its enforcement. A broad variety
  of enforcement mechanisms could be supported and
  can evolve separately from the PolicyDecisionPoint
  .
• This pattern can support the access matrix, RBAC,
  multilevel models.
• (possible) liabilities
• It is intrusive for existing applications that
  already have security, since they require the
  implementation of a ContextHandler.
• It could affect the performance of the protected
  system as XML is a verbose language.

21
XACML Access Control Evaluation

• Related Patterns
• The Authorization pattern Fer01 defines the
  security model for this pattern.
• It can also implement the Metadata-based Access
  control Model Pri04.
• The Application Firewall pattern Del04 could be
  implemented according to the XACML patterns.
• The PolicyEnforcementPoint is a special case of a
  Reference Monitor Fer01.

22
XACML Access Control Evaluation

• Related Patterns

23
WSPL

• WSPL enables an organization to represent access
  control policies to its web services in a
  standard manner and a web services consumer to
  express its requirements in a standard manner.
• Context
• Web services endpoints invoking each other.
• Providers have security policies to control
  access to their web services,
• consumers have requirements for a web service
  invocation

24
WSPL

• Problem
• Web services are self-describing through WSDL and
  can be automatically discovered using UDDI ?
  using various syntaxes for their policy
  description would reduce these two properties of
  a web service.
• security policies are typically issued by
  different actors from its departments and the
  policies they write may concern a wide and
  overlapping set of web services.
• How do we describe policies to control web
  services invocations?

25
WSPL

• Solution
• Write web services policies in the XACML
  language Bind each WSDL web service component to
  an XACML component. Besides, define combination
  rules for such policies.

26
WSPL
27
WSPL

• Consequences
• Advantage
• Consumers and Providers s policies can be
  combined to decide how a service invocation
  should occur.
• (possible) liabilities
• It is intrusive for existing web services that
  already implement security, since their require
  the implementation of a ContextHandler.
• It could affect the performance of the protected
  system as XML is a verbose language.

28
WSPL

• Known Uses
• OpenWSPL is an open source implementation of the
  Web-Service Policy language, written in Java
• Related Patterns
• This pattern is a specialization of the XACML
  Policy Language pattern. It can implement the
  Metadata-based Access control Model Pri04.
• The XML firewall Del04 could be implemented
  using this pattern.

29
Future work Patterns for the WS- Family