SOA Security
Encyclopedia
Service-oriented architecture
(SOA) allows different ways to develop applications by combining services. The main premise of SOA is to erase application boundaries and technology differences. As applications are opened up, how we can combine these services securely becomes an issue. Traditionally, security models have been hardcoded into applications and when capabilities of an application are opened up for use by other applications, the security models built into each application may not be good enough.
Several emerging technologies and standards address different aspects of the problem of security in SOA. Standards such as WS-Security
, SAML
, WS-Trust
, WS-SecureConversation
and WS-SecurityPolicy
focus on the security and identity management aspects of SOA implementations that use Web services. Technologies such as virtual organization
in grid computing
, application-oriented networking
(AON) and XML gateways are addressing the problem of SOA security in the larger context.
XML gateways are hardware or software based solutions for enforcing identity and security for SOAP, XML, and REST based web services, usually at the network perimeter. An XML gateway is a dedicated application which allows for a more centralized approach to security and identity enforcement, similar to how a protocol firewall is deployed at the perimeter of a network for centralized access control at the connection and port level.
XML Gateway SOA Security features include PKI, Digital Signature
, encryption
, XML Schema
validation, antivirus, and pattern recognition
. Regulatory certification for XML gateway security features are provided by FIPS
and United States Department of Defense
.
Service-oriented architecture
In software engineering, a Service-Oriented Architecture is a set of principles and methodologies for designing and developing software in the form of interoperable services. These services are well-defined business functionalities that are built as software components that can be reused for...
(SOA) allows different ways to develop applications by combining services. The main premise of SOA is to erase application boundaries and technology differences. As applications are opened up, how we can combine these services securely becomes an issue. Traditionally, security models have been hardcoded into applications and when capabilities of an application are opened up for use by other applications, the security models built into each application may not be good enough.
Several emerging technologies and standards address different aspects of the problem of security in SOA. Standards such as WS-Security
WS-Security
WS-Security is a flexible and feature-rich extension to SOAP to apply security to web services. It is a member of the WS-* family of web service specifications and was published by OASIS....
, SAML
SAML
Security Assertion Markup Language is an XML-based open standard for exchanging authentication and authorization data between security domains, that is, between an identity provider and a service provider...
, WS-Trust
WS-Trust
WS-Trust is a WS-* specification and OASIS standard that provides extensions to WS-Security, specifically dealing with the issuing, renewing, and validating of security tokens, as well as with ways to establish, assess the presence of, and broker trust relationships between participants in a secure...
, WS-SecureConversation
WS-SecureConversation
WS-SecureConversation is a Web Services specification, created by IBM and others, that works in conjunction with WS-Security, WS-Trust and WS-Policy to allow the creation and sharing of security contexts...
and WS-SecurityPolicy
WS-SecurityPolicy
is a WS* specification, created by IBM and 12 co-authors, that has become an OASIS standard as of version 1.2. It extends the fundamental security protocols specified by the WS-Security, WS-Trust and WS-SecureConversation by offering mechanisms to represent the capabilities and requirements of web...
focus on the security and identity management aspects of SOA implementations that use Web services. Technologies such as virtual organization
Virtual Organization (Grid computing)
In grid computing, a Virtual Organization refers to a dynamic set of individuals or institutions defined around a set of resource-sharing rules and conditions...
in grid computing
Grid computing
Grid computing is a term referring to the combination of computer resources from multiple administrative domains to reach a common goal. The grid can be thought of as a distributed system with non-interactive workloads that involve a large number of files...
, application-oriented networking
Application-oriented networking
Application-oriented networking involves network devices designed to aid in computer-to-computer application integration.Application-oriented networking was popularized by Cisco Systems in response to increasing use of XML messaging to link miscellaneous applications, data sources and other...
(AON) and XML gateways are addressing the problem of SOA security in the larger context.
XML gateways are hardware or software based solutions for enforcing identity and security for SOAP, XML, and REST based web services, usually at the network perimeter. An XML gateway is a dedicated application which allows for a more centralized approach to security and identity enforcement, similar to how a protocol firewall is deployed at the perimeter of a network for centralized access control at the connection and port level.
XML Gateway SOA Security features include PKI, Digital Signature
Digital signature
A digital signature or digital signature scheme is a mathematical scheme for demonstrating the authenticity of a digital message or document. A valid digital signature gives a recipient reason to believe that the message was created by a known sender, and that it was not altered in transit...
, encryption
Encryption
In cryptography, encryption is the process of transforming information using an algorithm to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key. The result of the process is encrypted information...
, XML Schema
XML Schema
XML Schema, published as a W3C recommendation in May 2001, is one of several XML schema languages. It was the first separate schema language for XML to achieve Recommendation status by the W3C...
validation, antivirus, and pattern recognition
Pattern recognition
In machine learning, pattern recognition is the assignment of some sort of output value to a given input value , according to some specific algorithm. An example of pattern recognition is classification, which attempts to assign each input value to one of a given set of classes...
. Regulatory certification for XML gateway security features are provided by FIPS
FIPS
- Computer :*FIPS , Fully Interactive Partition Splitter, a disk partitioner*Federal Information Processing Standard, United States government standards*FTC Fair Information Practice, FIPs, US Federal Trade Commission guidelines- People :...
and United States Department of Defense
United States Department of Defense
The United States Department of Defense is the U.S...
.
External links
- Security in SOA, by Gunnar Peterson : Risk management and security services in an SOA
- Toward A Theory of SOA Security, by Philip Wik : Machiavelli's SOA
- Understanding SOA Security Design and Implementation : Understanding SOA Security Design and Implementation