Friday, December 1, 2006

SOA Security Overview

Elements of SOA Security

• Three main areas of concern have been recognized to be part of the SOA security arena:
– Message Level Security provides the ability to ensure security requirements are met within an SOA environment, where transport level security is inadequate because transactions are no longer point-to-point in SOA
– Security as a Service provides the ability to implement security requirements for services by using security services including Policy Decision Points and Policy Implementation Points
– Declarative and Policy-Based Security provides the ability to implement security requirements that are transparent to the security administrators and that can be used to quickly implement emerging new security requirements or security services for services that are being created to rapidly implement new business functionality


Message Level Security
• The OASIS set of WS-Security standards has been created to address message level security and is supported by key vendors including IBM, Microsoft and Oracle
• The set of standards is intended to provide the following:
– a secure conversation model describing how to manage and authenticate message exchanges between parties including security context exchange and establishing and deriving session keys
– a Web service endpoint policy describing the capabilities and constraints of the security and other business policies on intermediaries and endpoints including required security tokens, supported encryption algorithms and privacy rules
– a federated trust model describing how to manage and broker the trust relationships in a heterogeneous federated environment including support for federated identities
– a Web service trust model describing a framework for trust models that enables Web services to securely interoperate
– an authorization model describing how to manage authorization data and authorization policies
– a Web service privacy model describing how to enable Web services and requesters to state subject privacy preferences and organizational privacy practice statements
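
Why message level protection matters once a message passes through intermediaries, as an added example that is not part of the original post: the integrity value travels inside the message, so the final endpoint can tell a routing hop that only touches headers from one that changes the Body. It is a simplified stand-in for XML Digital Signatures (an HMAC over the canonicalized Body), not a conforming WS-Security implementation; the key, message and element names are constructed.

```python
import base64, hashlib, hmac
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
KEY = b"constructed-demo-key"  # assumption: known only to sender and final endpoint
# Constructed sample message
MESSAGE = (f'<s:Envelope xmlns:s="{SOAP}"><s:Header/><s:Body><Transfer>'
           '<Account>12-345</Account><Amount>10.00</Amount></Transfer></s:Body></s:Envelope>')

def body_mac(envelope, key):
    """HMAC-SHA256 over the canonical XML (C14N) form of the SOAP Body."""
    body = envelope.find(f"{{{SOAP}}}Body")
    canonical = ET.canonicalize(ET.tostring(body, encoding="unicode"), rewrite_prefixes=True)
    return base64.b64encode(hmac.new(key, canonical.encode(), hashlib.sha256).digest())

def sign(wire, key):
    """Sender: attach the Body MAC in a header so it travels with the message."""
    envelope = ET.fromstring(wire)
    mac = body_mac(envelope, key).decode()
    ET.SubElement(envelope.find(f"{{{SOAP}}}Header"), "SignatureValue").text = mac
    return ET.tostring(envelope, encoding="unicode")

def verify(wire, key):
    """Final endpoint: recompute the MAC over the Body it actually received."""
    envelope = ET.fromstring(wire)
    sig = envelope.find(f"{{{SOAP}}}Header/SignatureValue")
    if sig is None or not sig.text:
        return False
    return hmac.compare_digest(sig.text.encode(), body_mac(envelope, key))

def routing_hop(wire):
    """Intermediary that only adds a routing header; the Body is untouched."""
    envelope = ET.fromstring(wire)
    ET.SubElement(envelope.find(f"{{{SOAP}}}Header"), "Via").text = "hop-1"
    return ET.tostring(envelope, encoding="unicode")

def altering_hop(wire):
    """Intermediary that changes a Body field after its transport session ended."""
    envelope = ET.fromstring(wire)
    envelope.find(".//Amount").text = "9999.00"
    return ET.tostring(envelope, encoding="unicode")

if __name__ == "__main__":
    signed = sign(MESSAGE, KEY)
    print("after routing hop :", verify(routing_hop(signed), KEY))
    print("after altering hop:", verify(altering_hop(signed), KEY))
```

Transport level protection ends at each hop, so neither endpoint could make this distinction from the connection alone.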

Security as a Service

• Security as a Service can be accomplished by the following:
– Collecting an inventory of service security requirements throughout the Enterprise Architecture
– Specifying the set of discrete security services that will be needed for the enterprise
– Designing and implementing these security services as services themselves within the Enterprise
• A toolkit approach would specify the set of typical security services that could provide most of the requirements and provide a springboard to establish the Security as a Service model in an organization

Declarative and Policy-Based Security
• The implementation of Declarative and Policy-Based security requires tools and techniques for use at the enterprise management level and at the service level
• These tools and techniques should provide:
– Transparency for security administrators
– Policy enforcement
– Policy monitoring
– Policy violation alerts
– Data traceability
– User traceability
• This work can leverage previous initiatives in Quality of Service (QuOS) and Policy-Based Networking
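
A minimal sketch of the Security as a Service and Declarative and Policy-Based Security ideas above, as an added example that is not part of the original post: the policy is plain data, a decision function plays the Policy Decision Point, and a wrapper in front of the service (the role the post calls a Policy Implementation Point) enforces the decision and keeps the audit trail and violation alerts. The service names, roles, limits and handler are constructed.

```python
from dataclasses import dataclass, field

# Constructed declarative policy: data that can change without touching service code.
POLICY = [
    {"service": "payments.transfer", "roles": {"teller", "manager"}, "max_amount": 5000},
    {"service": "payments.audit", "roles": {"auditor"}},
]

@dataclass
class Decision:
    permit: bool
    reason: str

def decide(policy, service, user_roles, attrs):
    """Policy Decision Point: evaluate a request against the declared rules; default deny."""
    for rule in policy:
        if rule["service"] != service:
            continue
        if not rule["roles"] & set(user_roles):
            return Decision(False, "role not permitted")
        limit = rule.get("max_amount")
        if limit is not None and attrs.get("amount", 0) > limit:
            return Decision(False, f"amount exceeds {limit}")
        return Decision(True, "rule matched")
    return Decision(False, "no rule for service")

@dataclass
class EnforcementPoint:
    """Sits in front of a service, asks the PDP, and records who asked for what."""
    policy: list
    audit_log: list = field(default_factory=list)  # policy monitoring, user traceability
    alerts: list = field(default_factory=list)     # policy violation alerts

    def call(self, user, roles, service, handler, **attrs):
        decision = decide(self.policy, service, roles, attrs)
        entry = {"user": user, "service": service,
                 "permit": decision.permit, "reason": decision.reason}
        self.audit_log.append(entry)
        if not decision.permit:
            self.alerts.append(entry)
            raise PermissionError(f"{user} denied on {service}: {decision.reason}")
        return handler(**attrs)

def transfer(amount):
    """Hypothetical business service; it contains no security logic of its own."""
    return f"transferred {amount}"
```
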

Foundations of SOA Security
• The foundations of SOA security are already widely used in the IT industry, but must be understood by SOA practitioners in order to provide adequate security for the systems being developed
• These building blocks are:
– Public Key Infrastructure
– Kerberos
– XML Encryption
– XML Digital Signatures

SOA Security Roadmap
• A roadmap for SOA security, covering the three areas of Message Level Security, Security as a Service and Declarative and Policy-Based Security, would be useful for SOA practitioners
• Microsoft and IBM jointly created an initial roadmap when they were working to create the WS-Security set of standards
• This roadmap can be expanded to cover the areas that emerged later including Security as a Service and Declarative and Policy-Based security, re-targeted for practitioners rather than standards committee members

SOA Security Design Patterns
• Design Patterns were introduced in 1994 as a way to represent best practices for the design of Object-Oriented software and are widely used in the industry
• Microsoft and IBM have started to develop a set of design patterns for SOA, mostly focusing on message level security
• Design patterns are needed for the provision of each of the standard security requirements at the enterprise level, in order to provide basic services, monitoring and alerts, using the Security as a Service model of SOA
• Enterprise level design patterns are needed for the implementation of Declarative and Policy-Based Security at the enterprise management level and at the security service level

SOA Security in the Enterprise
• A number of paradigm shifts in the IT industry are happening in the same time frame as SOA adoption
• Organizations are establishing Enterprise Architectures and using them as the basis for IT governance
• Organizations are leveraging the Grid model of computation in order to reduce costs and improve availability
• Organizations are adopting wireless, mobile, and RFID technologies that are recognized to be part of the emerging Pervasive Computing paradigm
• All of these parallel technology initiatives need to be taken into account when considering SOA security


Problems for SOA Security in the Federal Enterprise

• Enterprise Architecture inventories are being undertaken by agencies as the first step toward adopting Enterprise Architectures that fit within the overall Federal Enterprise Architecture
• E-Government initiatives including E-Authentication, HSPD-12, Business Gateway, PAY.GOV and others are impacting agencies
• Agencies are working with wireless, mobile, and RFID technologies that are recognized to be part of the emerging Pervasive Computing paradigm (also referred to as Ubiquitous Computing or Everyware)
• There has so far been limited awareness of the Grid model within the DOT and perhaps other agencies
• All of these must be taken into account when considering SOA security for Federal enterprises


Tools for SOA Security in the Federal Enterprise
• A roadmap for implementing SOA security within the wider context of establishing and following an Enterprise Architecture would provide value for SOA practitioners
• Documentation bridging the gap between the NIST standards documentation and IT system design and development for HSPD-12 would provide value for SOA practitioners within the Federal sector
• A survey of the security work being done within the Pervasive Computing field would be helpful for SOA practitioners who are faced with the convergence of wireless, mobile and RFID technologies with SOA in their current projects
• An assessment of the security concerns in implementing SOA along with the Grid model would help SOA practitioners who are working with the Grid model


Research Areas Related to SOA Security
• The convergence of Virtualization, Grid and SOA is a key research area for Intel’s Software Solutions Group
• One of the most comprehensive approaches to enterprise security is the Trusted Virtual Domain initiative being undertaken between the T.J. Watson, IBM Zurich and IBM Tokyo Research Centers
• A survey of the findings of these groups and others would be useful for SOA practitioners faced with the challenges of implementing systems for complex enterprises such as Federal agencies that interact with many other organizations in a set of overlapping virtual enterprises