Information Assurance for SOA

Abstract

This paper addresses securing information technology (IT) systems having Service-Oriented Architecture (SOA) designs. The paper describes the challenges of securing SOA-based systems, discusses various security-related design alternatives for them, and, where practical to do so, provides specific recommendations on how to overcome these challenges. An SOA-based system is an alternative to prevailing IT system designs that delivers functionality through loosely coupled and independent components, in contrast to the tight integration found in most existing systems. Although the security objectives for SOA-based systemsconfidentiality, integrity, access control, accountability, and availabilityare in almost all respects the same as those for non-SOA designs, securing SOA-based systems presents some unique challenges. For example, SOA-based systems naturally support sharing information and capabilities across organizational boundaries in keeping with the stated goal of increased information sharing across the Federal Government. However, sharing and security are often in conflict and must achieve a proper balance. In addition, service use and delivery across organizational boundaries complicate the development of security requirements and responsibilities. SOA-based systems often involve resolving tradeoffs, for example, deciding where to place security services or which services must authenticate to other services or service consumers while meeting accessibility and performance objectives. SOA-based systems can be incompatible with existing certification and accreditation (C and A) processes and procedures because they can be deployed incrementally, have difficult-to-define boundaries, can operate across and might support user populations that cannot be defined a priority. This paper covers these challenges and how to meet them in five sections: SOA Security Architecture discusses how SOA-based systems can deliver many security functions as services.

Open PDF

Document Details

Document Type
Technical Report
Publication Date
Jan 01, 2009
Accession Number
AD1108419

Entities

People

  • J. J. Brennan

Organizations

  • MITRE Corporation

Tags

Communities of Interest

  • Cyber

DTIC Thesaurus Topics

  • Agreements
  • Asymetric Encryption
  • Commerce
  • Computer Access Control
  • Computer Network Security
  • Computing System Architectures
  • Cryptography
  • Department Of Defense
  • Deployment
  • Information Assurance
  • Information Exchange
  • Information Processing
  • Information Systems
  • Infrastructure
  • Markup Languages
  • National Governments
  • Security
  • Security Protocols
  • Service Oriented Architecture
  • Standards
  • Systems Engineering
  • Transport Protocols
  • Validation
  • Web Service
  • Xml

Fields of Study

  • Computer science

Readers

  • Cybersecurity.
  • Software Engineering.
  • Systems Analysis and Design