Addressing Security Concerns with WSO2 Governance Registry Policy Store
1. Addressing Security Concerns with WSO2 Governance Registry as Policy Store
Arudsothy Sriragu (Senior Software Engineer - WSO2 Governance Registry)
&
Eranda Sooriyabandara (Senior Software Engineer - WSO2 Governance Registry)
2. About WSO2
• Providing the only complete open source componentized cloud platform
– Dedicated to removing all the stumbling blocks to enterprise agility
– Enabling you to focus on business logic and business value
• Recognized by leading analyst firms as visionaries and leaders
– Gartner cites WSO2 as visionaries in all 3 categories of application infrastructure
– Forrester places WSO2 in top 2 for API Management
• Global corporation with offices in USA, UK & Sri Lanka
– 200+ employees and growing
• Business model of selling comprehensive support & maintenance for our products
4. Agenda
} Understanding policy enforcement in a SOA environment
} Why a typical SOA enterprise needs policy management
} Some terminology used in policy enforcement
} How WSO2 Identity Server acts as a XACML policy engine
} Run-time policy vs design-time policy
} Demo - a sample use case where WSO2 Governance Registry can be used as the policy store
} Q&A
5. Understanding policy enforcement in a SOA environment
} A typical service-oriented enterprise has mainly three kinds of objects in interaction: service consumers, services and resources.
} How can a SOA environment control varying authorization levels depending on the consumer type, such as admin user, publisher-level user, subscriber-level user, login-level user, etc.?
} To address this complexity, a SOA environment is forced to have various types of policies.
} Applying policies to a SOA environment to control its activities during service consumption or service design is therefore called policy enforcement.
6. Why a typical SOA enterprise needs policy management
} To control the authorization level among the users accessing the services in any typical SOA environment.
} Unauthorized access to the services must be prevented.
} Quality of service should be managed by a service policy. Therefore a SOA enterprise needs a policy management system.
} Giving access to the correct version of the service based on the consumer type; this can be managed by a versioning policy.
} SOA enterprises need to enforce a policy on which encoding formats are accepted for content passed as payload.
7. Some terminology used in policy enforcement
} PEP - stands for policy enforcement point, where the incoming request is received and an authorization request is generated and sent to the authorization engine.
} PIP - stands for policy information point, which supplies information about policy elements such as attribute values and their meaning, resource information used in the policy, and the environment in which the particular policy is to be evaluated.
} PDP - stands for policy decision point, where the authorization request sent by the PEP is evaluated and the decision is made whether to authorize or not. This point is generally called the authorization engine, since it is the decision maker for the authorization request.
8. Contd.
} PAP - stands for policy administration point, where the policy is managed.
} PRP - stands for policy retrieval point, where the policy is stored and from which it is retrieved by the authorization engine to evaluate against the incoming authorization request.
} WSO2 IS can be used as a PAP, PIP and PDP.
} WSO2 Governance Registry is used as PRP.
} WSO2 ESB can be used as PEP.
9. How WSO2 Identity Server acts as a XACML policy engine
} WSO2 IS uses XACML policy based authorization. XACML stands for eXtensible Access Control Markup Language.
} WSO2 IS has the capability to act as a XACML based authorization engine.
} WSO2 IS makes its decision based on the policy relevant to the request; in other words, IS functions as the policy decision point.
} WSO2 Identity Server (IS) makes the authorization decision based on a XACML request.
} IS returns its authorization response to the policy enforcement point, stating what action is to be taken for the client request. The response will be to allow or deny access.
10. Run-time policy vs design-time policy
} Design-time policies define the behavior of the service at design time, while runtime policies define the behavior of the service at runtime.
} Design-time policies are enforced during the period when the developer creates the services. For example, WS-Security to be used as the security mechanism.
} An example of a runtime policy would be "Only users with the admin role are allowed to update resource A between 10 and 12 o'clock." This policy is enforced and evaluated at service invocation.
13. Demo
} The client requests some resource via an ESB proxy service.
} When the ESB receives the client request, the "entitlement mediator" [PEP] generates the XACML request and calls the WSO2 IS [PDP] "entitlement admin service" endpoint.
} WSO2 IS retrieves the policy stored in the Governance Registry and evaluates the XACML request. WSO2 IS functions as the XACML engine.
} Depending on the decision made by the IS, the request is either processed further and the resource returned to the client, or returned with an unauthorized message.
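The PEP / PIP / PDP / PRP split from slides 7 and 8, the runtime policy on slide 10 and the demo flow on slide 13, as an added Python model that is not from the deck and not WSO2 code. It assumes: the PEP builds a XACML 3.0 Request document (standard category and attribute ids, with the role id taken from the XACML RBAC profile); the PDP parses it, fetches the policy from a dict that stands in for the Governance Registry (PRP), and gets the clock from a PIP; policies are plain Python dicts rather than XACML Policy XML; the clock is passed as an "HH:MM" string so a run can be pinned to a time of day; and the decision values are XACML's Permit/Deny (the slides say "allow or deny"). The second rule, `any-user-read`, is constructed only to show deny-unless-permit combining across rules.

```python
"""Added example: a toy PEP / PIP / PDP / PRP model (not WSO2 code).
Policies live in a dict standing in for the Governance Registry; the PEP
emits a XACML 3.0 <Request>, the PDP parses it and answers Permit or Deny."""
from dataclasses import dataclass
from datetime import datetime, time
import xml.etree.ElementTree as ET

XACML = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
STRING = "http://www.w3.org/2001/XMLSchema#string"
ET.register_namespace("", XACML)

# request field -> (XACML category, attribute id); role id is from the XACML RBAC profile
CATEGORIES = {
    "subject": ("urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
                "urn:oasis:names:tc:xacml:1.0:subject:subject-id"),
    "role": ("urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
             "urn:oasis:names:tc:xacml:2.0:subject:role"),
    "resource": ("urn:oasis:names:tc:xacml:3.0:attribute-category:resource",
                 "urn:oasis:names:tc:xacml:1.0:resource:resource-id"),
    "action": ("urn:oasis:names:tc:xacml:3.0:attribute-category:action",
               "urn:oasis:names:tc:xacml:1.0:action:action-id"),
}

@dataclass
class Request:
    subject: str
    role: str
    resource: str
    action: str

# --- PEP side: the entitlement mediator's job, turning the call into XACML ---
def build_xacml_request(req):
    root = ET.Element(f"{{{XACML}}}Request", ReturnPolicyIdList="false", CombinedDecision="false")
    containers = {}  # one <Attributes> element per category
    for name, (category, attr_id) in CATEGORIES.items():
        if category not in containers:
            containers[category] = ET.SubElement(root, f"{{{XACML}}}Attributes", Category=category)
        attr = ET.SubElement(containers[category], f"{{{XACML}}}Attribute",
                             AttributeId=attr_id, IncludeInResult="false")
        ET.SubElement(attr, f"{{{XACML}}}AttributeValue", DataType=STRING).text = getattr(req, name)
    return ET.tostring(root, encoding="unicode")

# --- PRP: the policy store (Governance Registry role); constructed policies ---
POLICY_STORE = {
    "resourceA-policy": {
        "combining": "deny-unless-permit",
        "rules": [
            {"id": "admin-update-10-12",  # the runtime policy quoted on slide 10
             "target": {"resource": "resourceA", "action": "update", "role": "admin"},
             "time_window": (time(10, 0), time(12, 0)), "effect": "Permit"},
            {"id": "any-user-read",  # constructed second rule, to show rule combining
             "target": {"resource": "resourceA", "action": "read"},
             "time_window": None, "effect": "Permit"},
        ],
    }
}

def retrieve_policies(resource):
    """PRP: return every stored policy that has a rule targeting this resource."""
    return [p for p in POLICY_STORE.values()
            if any(r["target"].get("resource") == resource for r in p["rules"])]

# --- PIP: attributes the PEP did not send; here only the environment clock ---
def environment_attributes(now=None):
    """`now` is an 'HH:MM' string so callers can pin the clock; None means wall clock."""
    return {"current-time": time.fromisoformat(now) if now else datetime.now().time()}

# --- PDP: parse the request, fetch the policy, decide (deny-unless-permit) ---
def parse_xacml_request(xml_text):
    # A production PDP must use a hardened XML parser; ET is enough for a local demo.
    root = ET.fromstring(xml_text)
    found = {}
    for attrs in root.findall(f"{{{XACML}}}Attributes"):
        for attr in attrs.findall(f"{{{XACML}}}Attribute"):
            value = attr.find(f"{{{XACML}}}AttributeValue")
            found[(attrs.get("Category"), attr.get("AttributeId"))] = value.text
    return Request(**{name: found.get(key) for name, key in CATEGORIES.items()})

def rule_applies(rule, req, env):
    if any(getattr(req, a) != v for a, v in rule["target"].items()):
        return False
    window = rule["time_window"]
    return window is None or window[0] <= env["current-time"] < window[1]

def decide(xacml_request, env):
    """Deny-unless-permit: the first applicable Permit rule wins, otherwise Deny."""
    req = parse_xacml_request(xacml_request)
    for policy in retrieve_policies(req.resource):
        for rule in policy["rules"]:
            if rule["effect"] == "Permit" and rule_applies(rule, req, env):
                return "Permit", rule["id"]
    return "Deny", None

# --- PEP again: act on the decision (forward, or answer unauthorized) ---
def enforce(req, handler, now=None):
    decision, rule_id = decide(build_xacml_request(req), environment_attributes(now))
    if decision == "Permit":
        return {"status": 200, "body": handler(req), "rule": rule_id}
    return {"status": 403, "body": "unauthorized", "rule": None}

if __name__ == "__main__":
    alice = Request("alice", "admin", "resourceA", "update")
    print(enforce(alice, lambda r: "updated", now="11:00"))  # permitted by admin-update-10-12
    print(enforce(alice, lambda r: "updated", now="13:00"))  # denied: outside the window
```

The point to notice is the separation of duties: the PEP never sees the policy, the PDP never touches the protected resource, and the clock comes from the PIP rather than from the caller, so a client cannot influence the time-window check by what it puts in the request. Deny-unless-permit means any resource with no stored policy, or any request outside every rule's target, falls to Deny.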
16. Engage with WSO2
• Helping you get the most out of your deployments
• From project evaluation and inception to development
and going into production, WSO2 is your partner in
ensuring 100% project success