Advanced Computing: An International Journal ( ACIJ ), Vol.2, No.4, July 2011
Security Model For Service-Oriented Architecture

Oldooz Karimi, MSc
Department of Computer Engineering, Sofiyan Azad University, Sofiyan, Iran
oldooz_karimi@yahoo.com
Abstract. In this article, we examine how security applies to Service Oriented Architecture (SOA). Before we discuss security for SOA, let's take a step back and examine what SOA is. SOA is an architectural approach in which applications are exposed as "services". Originally, services in SOA were associated with a stack of technologies that included SOAP, WSDL, and UDDI. This article addresses the defects of traditional enterprise application integration by combining service-oriented architecture and web service technology. Application integration is then simplified to the development and integration of services, which tackles the connectivity of heterogeneous enterprise application integration, security, loose coupling between systems, and process refactoring and optimization.
Key words: service-oriented architecture, enterprise application integration, security
1 Introduction

It is tempting to launch into a description of SOA Security without first asking "Why?" Why apply security to SOA? One obvious answer is to protect the SOA infrastructure against attack. This is a valid reason, but there are also enabling, positive reasons for applying security to SOA, such as the ability to monitor usage of services in a SOA. We begin by examining the attacks against SOA technologies, both EAI and ESA.

Abstract: Interoperable software architecture requires interoperable security mechanisms. Security is frequently looked at as a black art, but in reality the core concepts of security - knowing your assets and designing for failure - are just good engineering practices. This article focuses on applying those practices to service-oriented solution design with an emphasis on considerations raised by authentication, authorization, auditing, and assurance.
2 SECURITY CHALLENGES

Over time, application architecture has become more complex, progressing through mainframe-centric, client-server, distributed computing, and loosely coupled architecture to Service Oriented Architecture (SOA). With each change in application architecture, security has become more complex. Consider the needs of a loosely coupled architecture such as Enterprise Application Integration (EAI), whose goal is to build composite applications from standalone applications using Message Oriented Middleware (MOM), an integration broker and application adapters. In essence, EAI bypasses user-based security (e.g. a GUI sign-on) and creates new system-to-system security. Given the assumption that the standalone applications are secure, integrating these applications via APIs or direct database access will present the following new security requirements:

* Authentication to the MOM server
* Link-level encryption or network segregation of MOM messages
* Security of credentials passed to the standalone systems from the EAI broker (e.g. simulating a user sign-on, database or API credentials)

DOI : 10.5121/acij.2011.2405
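The following added example (not code from the paper) models two of the three requirements above for a single broker hop: adapters authenticate to the MOM with a per-adapter HMAC key, and the broker refuses messages that carry caller credentials, injecting the standalone system's credential from its own store instead. Adapter names, keys and the `billing-db` credential are constructed placeholders; link-level encryption (TLS or network segregation) is assumed to be handled outside this code.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed sample data (hypothetical): HMAC keys each adapter shares with the
# MOM server, and standalone-system credentials that only the EAI broker holds.
ADAPTER_KEYS = {"crm-adapter": b"crm-shared-secret", "erp-adapter": b"erp-shared-secret"}
BROKER_CREDENTIALS = {"billing-db": ("eai_svc", "db-service-password")}


def sign_message(adapter_id: str, payload: dict) -> dict:
    """Adapter side: authenticate to the MOM with an HMAC over the canonical payload."""
    body = json.dumps(payload, sort_keys=True).encode()
    tag = hmac.new(ADAPTER_KEYS[adapter_id], body, hashlib.sha256).hexdigest()
    return {"from": adapter_id, "payload": payload, "mac": tag}


def verify_message(msg: dict) -> bool:
    """MOM side: accept only messages from a known adapter whose HMAC verifies."""
    key = ADAPTER_KEYS.get(msg.get("from"))
    if key is None:
        return False
    body = json.dumps(msg["payload"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, msg.get("mac", ""))


def broker_dispatch(msg: dict, target_system: str) -> Optional[dict]:
    """Broker side: drop unauthenticated messages, refuse credentials supplied in the
    payload, and attach the target system's credential from the broker's own store."""
    if not verify_message(msg):
        return None
    if any(k in msg["payload"] for k in ("username", "password")):
        return None  # system-to-system credentials never travel inside MOM messages
    user, _password = BROKER_CREDENTIALS[target_system]
    return {"system": target_system, "as_user": user, "request": msg["payload"]}
```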