David Brossard (BT Security Research Centre)
Theo Dimitrakos (BT Security Research Centre)

Tutorial Summary

In this tutorial we will analyse the main concepts, design patterns and reference implementations of security and governance solutions that protect services, information and resources within and across Enterprises. We will also explain how these solutions can be put together into the context of a Service Oriented Security Infrastructure enabling the evolution of SOA technology towards end-to-end integration and governance across business partners.
We will demonstrate the above through a concept infrastructure developed at BT’s research labs to illustrate new mechanisms for securely exposing and contextualizing services in a network-centric environment. BT acknowledges the fact that enterprises have an increasing need to share services and resources across corporate boundaries. This concept infrastructure therefore aims at enabling secure, measurable, dynamic, flexible, and adaptive service exposure.
During the tutorial we will be able to analyse five key areas:

We will then explain how capabilities for Identity Management, Authorisation, and Policy Enforcement can be integrated with a SOA Security governance layer in Secure Service Gateways.
Virtual Organisation Management will be explained by demonstrating a prototype that allows business partners to discover each other’s services, to assign them to some choreographed functionalities, to establish trust between them, to distribute policies implementing aspects of common agreements in accordance to the assigned functionality, to coordinate the establishment & dissolution of the circle of trust between business partners.
Federated Identity Management will be explored through a reference implementation of an adaptive Security Token Service (STS) which is able to bridge authentication and identity schemes that are internal to the administrative domain of a business partner to commonly agreed federated identity standards such as SAML and WS-Federation. We will explain how the identity meta-model has been implemented through the use of common Web Services standards such as WS-Trust and WS-Security. We will then explain a new flexible model for managing Circles of Trust and contextualising identity related information.
Distributed Authorisation will be explored through an analysis of a system that implements attribute and role based access control reference models, as well as a form of constrained delegation of administrative authority. In this part of the tutorial we will explain foundational aspects of attribute and role based access control models and design patterns of distributed access control architectures, using a policy decision point (PDP) complying with the OASIS standard XACML as a working example. This solution has been partly developed through the collaboration of BT’s UK Research labs with Axiomatics, a Swedish SME, supports the XACML 2.0 standard and offers one of the first implementations of the XACML 3.0 draft that adds obligation and administrative delegation elements into the XACML 2.0 standard. 
Secure messaging and service exposure will be explored through the analysis of Web Services secure message processing models and exemplar XML firewall and application gateway solutions. In this part of the tutorial we will cover design patterns for Web Service and XML application exposure, models for XML message interception, inspection and transformation, as well as common models of filtering policies for message processing, transformation, message-level security and intelligent routing. This part of the tutorial will also offer the opportunity to inspect standards such as WSDL, SOAP, WS-Security and XSLT.
SOA Governance will be explored through a thin layer called B2B gateway built on top of the security services and which manages their configuration as well as policies, policy templates, infrastructure profiles, and service exposure & virtualization. The SOA governance layer can manage the STS, PDP, and XML gateway integration and maintain a coherent configuration state and policy life-cycle between them so as to securely expose the services to be shared. The tutorial will show how to use the governance layer to define new policy templates, infrastructure profiles, and apply them to new VOs and new virtualized resources.
Integration within Secure Service Gateways will be explored through the demonstration of an integrated solution prototype that includes a Web Services gateway, an XML message processing component, a federated identity management service, an authorisation service, and a thin governance layer that coordinates the policy-life cycle and automates some of the administrative actions. Depending on interest and available time, we may also explore a further layer of integration where several such Secure Service Gateways are jointly managed through the mediation of a Virtual Organisation Management subsystem.
Finally, we will look at the demo as a whole applying the Service Oriented Infrastructure to an Online Gaming scenario. In this scenario we will assume three business partners: Andago, an online game community provider, Sunny, and Saygah, two game hosting platforms. We will see how Andago will negotiate the creation of a Virtual Organisation with Sunny and Saygah to address new business opportunities – in this case the ability to offer richer online gaming experiences to its end users while limiting the investment on gaming services and execution environments by outsourcing, and remotely managing, game application hosting..
We foresee a dynamic, audience-driven tutorial where we allow ample time for questions and selectively deepen into any specific aspects the audience would like to further explore. Depending on network availability constraints there may be an opportunity for the audience to interact with a live prototype of the infrastructure hosted at BT’s research laboratories at Adastral Park, UK.

About the tutors

David Brossard (M.Eng Institut National des Sciences Appliquées (INSA) , Lyon, France 2005, IISP, SCEA) is a Senior Researcher in the SOA Security Research Group in the IT Futures Research Centre of BT Group CTO.
He joined BT nearly three years ago and has been devoting most of his time to SOA security and governance experimenting with a variety of web services frameworks and WS specifications & implementations. During that time, he implemented the B2B security gateway’s governance layer and worked on integrating the different security components.
David has been actively involved in past European projects including TrustCoM and BEinGRID where he is now a Work Package Leader for the Security Cluster, providing consultancy to 25 business pilots
Prior to joining BT, David worked as a developer / designer at Portugalmail, a leading Portuguese ISP, working on a new blogging platform, blog.com. He also worked for leading European Defence company, Thales in various programming roles while at university.
David has been a Sun Certified Enterprise Architect since January 2008, an affiliate of the Institute of Information Security Professionals (IISP), and is currently working on his CISSP certification.
Theo Dimitrakos (BSc. 1993 University of Crete, Ph.D. 1998 Imperial College London) is leading the SOA Security Research Group in the IT Futures Research Centre of BT Group CTO. Theo is also leading the security activity of BT’s multidisciplinary research programme in Service Oriented Infrastructures. He has fifteen years of experience in a wide range of topics relating to Information Security, Identity and Access Management, Software and Systems Engineering, Service Oriented Architecture (SOA), Web Services and Grid Computing. He also has strong academic background in the areas of security risk analysis, formal modelling and applications of semantics and logic in computer science.
Theo has been the scientific coordinator of some of the largest and most successful research initiatives in Europe, such as the BEinGRID (www.beingrid.eu) programme, which includes 96 partners and oversees 25 business pilots in different market sectors (2006-10); and the TrustCoM project (www.eu-trustcom.com) that brought together innovation teams from Atos Origin, BT, Microsoft, IBM and SAP, among others (2004-07). He has also contributed in a UK DTI Foresight project on Cyber Trust and Crime Prevention, as well as projects in the Defence and Government sectors including an ongoing large-scale international collaboration defining the next-generation secure information infrastructure of coalition partners over a converged information and communication network. 
Theo is the vice-chair of an IFIP working group on Trust Management (www.ifip.org) and a member of the IFIP special interest group on Enterprise Interoperability. He has also fostered research communities on Trust Management (www.itrust.uoc.gr) and applications of Grid computing (www.lege-wg.org).
Prior to this position he was the technical leader of a multi-million collaborative research programme at the Central Laboratory of the Research Councils (UK) and an eCommerce and EDI specialist at Logica (UK). While at Logica he was involved in the development of EDI systems for Barclays Bank, RBOS and Citibank.
Theo Dimitrakos has been the editor or co-editor in five books, two journal special editions, and he has authored more than fifty (50) scientific papers published in international journals and conference proceedings.