Securing a service-oriented architecture (SOA) environment

Abstract

Securing access to information is important for any business. Security becomes even more critical for implementations structured according to service-oriented architecture (SOA) principles, due to loose coupling of services and applications and their possible operations across trust boundaries. To enable a business so that its processes and applications are flexible, changes should be expected — both to process and application logic, as well as to the policies associated with them. Merely securing the perimeter with firewalls or routers is not sufficient for a flexible on demand business. Security must be factored into the SOA life cycle, reflecting that security is a business requirement, not just a technology attribute. This approach helps enable the capability to secure services. Another characteristic of SOA security is about rendering and using security functionality itself as security services. This paper discusses the SOA life cycle and security. It presents an SOA security model that captures the essence of security services and securing services. These approaches to SOA security are discussed in the context of scenarios, and observed patterns. The paper also introduces a reference model to address the requirements, patterns of deployment and usage, and an approach to integrated security management for SOA.