SOA security

SOA security

Introduction

SOA (Service Oriented Architecture) infrastructures are characterized generally by combining a variety of services to complex business processes from. This creates a high volume of communications with a large number of participating entities. A basic requirement for productive use of such systems is reliable and secure service of communication between service recipients and service providers. Sun Services will need to communicate securely with each other example, appropriate keys, certificates, and an optimally designed for this infrastructure. For this purpose the Open SOA Security Gateway (SSF), a variety of security services available, whilst providing the necessary infrastructure. Thus, a full Public Key Infrastructure is already implemented. Furthermore, there are available tools for implementing a certificate rollouts.

Discussion

Service-oriented architectures (SOA) denote a general approach to the configuration of complex IT systems and the mapping of business processes in such systems. In theory SOAs claim to solve many existing problems dealing with the integration and interaction of different subsystems. This has also been borne out in practice, at least in some cases. SOA is one of the latest trends in IT and is very popular with management due to its practical relevance to business processes.

However, very little attention is paid to the security aspects of SOA, especially in the parts where the type of security requirements which arise have been hitherto disregarded in conventional IT systems or have not been relevant in this form. Ultimately, SOAs always have background business processes which can be critical and therefore require protection. In addition to the security of individual service enquiries (confidentiality, authenticity, etc.), there are other aspects, such as transaction security, which are important. Indeed, additional security mechanisms are required if a service-oriented architecture is used not only inside an institution but is also open to outside users.

One example might be safeguards against denial-of-service attacks. The majority of current IT system designs based on a service-oriented architecture are initially designed according to purely functional aspects. The development of security functions is generally an afterthought limited to individual components. Consequently, such systems lack an integrated security concept in most cases, and many security requirements specific to SOA remain unmet. There is neither adequate provision in terms of security awareness nor is there an integrated security concept or best-practice approaches for this new technology. This often accounts for the failure of large-scale and promising IT projects.

It is necessary to establish an adequate awareness of security and to identify possible solutions which are conducive to running and operating IT systems according to SOA paradigms in public authorities and other institutions, and which comply with the respective security requirements. There is a palpable need in Federal Government authorities in particular where various major projects are based on this architecture and the technologies in question.

Despite the fact that security, SOA is still unresolved, it is not paid so much attention. Ironically, many believe that the mechanism of SOA security is similar to the security of Web services and Web sites and, therefore, no brainer. From this perspective, the problem of ...