Information Assurance for SOA

By J.J. Brennan


This paper addresses securing information technology (IT) systems having Service-Oriented Architecture (SOA) designs. The paper describes the challenges of securing SOA-based systems, discusses various security-related design alternatives for them, and, where practical to do so, provides specific recommendations on how to overcome these challenges.

An SOA-based system is an alternative to prevailing IT system designs that delivers functionality through loosely coupled and independent components, in contrast to the tight integration found in most existing systems. Although the security objectives for SOA-based systems—confidentiality, integrity, access control, accountability, and availability—are in almost all respects the same as those for non-SOA designs, securing SOA-based systems presents some unique challenges.

For example, SOA-based systems naturally support sharing information and capabilities across organizational boundaries in keeping with the stated goal of increased information sharing across the Federal Government. However, sharing and security are often in conflict and must achieve a proper balance. In addition, service use and delivery across organizational boundaries complicate the development of security requirements and responsibilities.

SOA-based systems often involve resolving tradeoffs, for example, deciding where to place security services or which services must authenticate to other services or service consumers while meeting accessibility and performance objectives. SOA-based systems can be incompatible with existing certification and accreditation (C&A) processes and procedures because they can be deployed incrementally, have difficult-to-define boundaries, can operate across organizations, and might support user populations that cannot be defined a priori.

This paper covers these challenges and how to meet them in five sections:

SOA Security Architecture discusses how SOA-based systems can deliver many security functions as services. It also examines services' message protection and service location, each with respect to possible system performance impacts.

Mediating Access to Services presents examples of how SOA implementations might use identification and authorization services as well as an example showing how chained service invocations can arise. It also examines alternatives for identity delegation and public key infrastructure (PKI) certificate use. Mutual authentication of security services and attribute-based access control also receive treatment.

Trust and Policy discusses the major concerns arising when SOA systems cross organizational boundaries, including system governance and security controls.

Audit and SOA-Based Systems deals with the facts that service consumer and provider interactions are often unpredictable, that services can be made discoverable, and that service provision crosses organizational boundaries, all of which make the task of building audit trails difficult. It discusses how orchestrating usage patterns can make SOA auditing feasible and presents options regarding audit record storage.

Certification and Accreditation for an SOA-Based System presents three tactics to cope with the challenge of obtaining C&A for an SOA system. The section also discusses how to describe services in terms of their commitments, provisions, and obligations as an aid to obtaining accreditation.

The discussion of each subject covers how delivering security differs with service vs. traditional architectures, provides illustrative examples, and summarizes key observations. The paper's intended audience is technology executives, system and security architects, and program managers who have an interest in securing SOA-based systems.