Securing the Service Oriented Enterprise Training

Course #:WA1565


This 1-day course will prepare you to identify, define, diagnose, and implement a comprehensive security strategy for a Service Oriented Architecture (SOA) initiative. SOA opens up a whole realm of security issues due to its ubiquitous, decentralized, distributed, and even federated nature. Students will be exposed to a broad range of enterprise SOA security subjects, providing a solid foundational understanding of valid and invalid approaches to designing and implementing SOA security.

Concepts in this course are reinforced through a combination of group discussion, live demos and daily reviews.

Topics
  • Securing the Service Oriented Enterprise
  • Security Patterns within SOA
  • Service Layers
  • SOA Security Layering
  • Applying Traditional Security to SOA
  • SOA Security Standards
  • SOAP Primer
  • Digging into WS-Security
  • Advanced SOA Security
  • SOA Security Threats and Countermeasures
  • Governing SOA Security
  • SOA Security Tools

Audience

Security architects, analysts, and managers as well as system architects and application developers.

Prerequisites

Familiarity with SOA core concepts and elements is required. A working knowledge of basic enterprise security principles and terminology is also highly recommended.

Duration

One day

Outline of Securing the Service Oriented Enterprise Training

1. SOA Security Overview

 
  • Objectives
  • Traditional systems
  • Loosely-coupled systems
  • Risks of loosely-coupled services
  • SOA Security Concerns
  • Security Stack: Web services
  • Security Stack: Other services
  • Discussion Question
  • Summary
 

2. Security Patterns

 
  • Objectives
  • Service bus security
  • Service bus security layers
  • Application-managed security
  • Security as a service
  • Reverse Proxy
  • ESB Gateway
  • Discussion Question
  • Summary
 

3. Security Layering

 
  • Objectives
  • SOA Layers
  • Security Layering
  • Policy-driven Security
  • PEP/PDP in Action
  • Separation of concerns
  • Loosely-coupled security layer
  • SES/SDS in Action
  • Layering and service granularity
  • Security Service Granularity
  • Process-centric Security
  • Discussion Question
  • Summary
 

4. Applying Traditional Security to SOA

 
  • Objectives
  • Public Key Infrastructure (PKI)
  • Digital Signature
  • Digital Signature Process
  • Certificates
  • Authentication
  • Basic HTTP Authentication
  • Secure Socket Layer (SSL)
  • Basic Authentication Over HTTPS
  • Securing non-HTTP Traffic
  • Summary
 

5. SOA Security Standards

 
  • Objectives
  • WS-Security
  • XML Encryption & Signature
  • SAML
  • WS-Trust
  • WS-Trust Interoperability
  • WS-Federation
  • WS-SecureConversation
  • Web Services Policy Framework
  • WS-SecurityPolicy
  • Security Standards Review
  • Summary
 

6. Simple Object Access Protocol (SOAP)

 
  • Objectives
  • SOAP Overview
  • SOAP in Protocol Stack
  • SOAP Components
  • SOAP HTTP Request Example
  • SOAP HTTP Response Example
  • Message Envelope
  • The Header Element
  • Header Attributes
  • SOAP Body
  • SOAP Fault
  • Communication Style
  • RPC/Encoded Style
  • RPC/Literal Style
  • Enabling RPC Styles
  • Document/Literal Style
  • Document/Literal Wrapped Style
  • Details of the Wrapped Style
  • Enabling Document Literal Style
  • Summary
 

7. SOA Security Standards

 
  • Objectives
  • SOA Security Model
  • SOA Security Policies
  • Transport Level Security Policy
  • Message Level Security Policy
  • Data Level Security Policy
  • Overview of Web Services Security
  • Securing XML Data
  • XML Digital Signatures
  • XML Encryption
  • WS-Security Tokens
  • WS-Security Considerations
  • Putting it all together
  • Phase 1: The Service-side
  • Phase 1: Build a secure service
  • Phase 2: The Client
  • Phase 2: Build a secure client
  • Phase 3: Production
  • Audit Tracking
  • Identity Assertion Using SAML
  • SAML SOAP Example
  • Summary
 

8. SOA Security Threats and Countermeasures

 
  • Objectives
  • The Price of Open Standards
  • Generic Vulnerabilities
  • XML-specific Attacks
  • Countermeasures
  • Summary
 

9. Governing SOA Security

 
  • Objectives
  • Security Governance
  • Collecting Security Requirements
  • Policies and Contract Management
  • Policy and Contract Management
  • SOA Security Lifecycle
  • Governance Model Overview
  • Models for Governing Security
  • Discussion Question
  • Summary
 

Appendix A. Glossary

 
  • Glossary
 

Appendix B. Introduction to Web Services

 
  • Objectives
  • A Conceptual Look at Services
  • Defining Services
  • SOA Runtime Implementation
  • What is a Web Service?
  • Enterprise Assets as Services
  • Typical Development Workflow
  • Advantages of Web Services
  • Web Service Business Models
  • Case Study: Internal System Integration
  • Case Study: Business Process Externalization
  • SOAP Overview
  • SOAP in Protocol Stack
  • SOAP Structure
  • SOAP Message Architecture
  • Applying SOAP
  • WSDL Overview
  • WSDL Structure
  • Applying WSDL
  • UDDI Overview
  • UDDI Terminology
  • UDDI Structure
  • Locating a Service
  • Applying UDDI
  • WS-I Overview
  • WS-I Deliverables
  • Summary