Project Name

SOA and Security

Background

This brief document seeks to define and clarify the specific terms of reference and responsibilities of the SOA and Security Project, and to formalise its scope and deliverables in a project charter.

The project is a joint initiative of The Open Group’s SOA Working Group and Security Forum, with input from the Jericho Forum.

The mission of The Open Group's SOA Working Group is to develop and foster common understanding of SOA in order to facilitate alignment between the business and information technology communities.

The Security Forum works to raise industry confidence levels by defining standards and guidelines to counter the whole range of security risks and vulnerabilities; it looks at both the business and technical perspectives, drawing upon the expertise of security professionals on both the customer and supply sides of industry, government, and academia, to assess, evaluate and address security issues, so as to deliver secure computing solutions that will interoperate with other systems.

The Jericho Forum is an international IT security thought-leadership group dedicated to defining ways to deliver effective IT security solutions that will match the increasing business demands for secure IT operations in our open, Internet-driven, globally networked world. Its key concern is de-perimiterization. Its interest in contributing to the SOA-Security project arises from its perception of significant parallels between security requirements in SOA and de-perimeterized environments.

The Security Forum embraces the Jericho Forum approach that, whilst traditional security solutions like network boundary technology will continue to have their roles, we must respond to their limitations. In a fully de-perimeterized network, every component will be independently secure, requiring systems and data protection on multiple levels, using a mixture of encryption, inherently-secure computer protocols, inherently-secure computer systems, and data-level authentication. The Security Forum already has membership overlap with the Jericho Forum so will involve the Jericho Forum membership in review and feedback contributions with the SOA and Security Project, as appropriate.

Purpose of the Project

There is a common requirement to align the streams of activity in the SOA Working Group and the Security Forum. The SOA and Security project will address that requirement by identifying and analysing security issues for SOA. This will contribute to the understanding of a vital area of SOA, and assist business people and IT professionals in their adoption of SOA in an appropriately secure fashion.

Particular issues that should be addressed include the following.

• In common with other approaches to Architecture, the delivery of SOA requires that consideration is given to maintaining the Confidentiality, Integrity and Availability of data and services delivered to support business functionality in addition to considering the wider requirements for Identity Management, Access Control, Authentication, Authorisation, Accounting, and Trust Management.
• This can be a complex undertaking – requiring as it does consideration of business drivers and the impact of the threats and vulnerabilities to the C, I & A of the data and systems to be protected.
• In a distributed SOA environment there are significantly more complex relationships to manage regarding the controller of a service authenticating the requesters at the correct levels (identity management), authorizing the appropriate level of use of that service (provision management), and the effective federation/delegation controls that this requires when one service cascades to call on another service. All of these must be managed at the required level of security commensurate with managing the overall accepted risk for the transaction involved.
• Open systems architectures are by their nature technology neutral. Interoperability of implementations of SOA will depend on use of industry-standard protocols for passing authentication attributes and provisioning information between the service provider controllers.
• Added to the above considerations are the various compliance frameworks that may apply through commercial good practice or increasingly stringent regulatory constraints.

Deliverables

The project shall:

• Produce as appropriate white papers analysing security issues for SOA and identifying work to be undertaken by The Open Group. These white papers, which project members may decide to keep internal to the project or publish as external deliverables, will address steps leading to comprehensive understanding of the components which will be included in the Guide. Such steps will be identified as the project proceeds, but at the start are anticipated as including:
  • A white paper that describes the characteristics which define SOA security services, and identifies and elaborates the core Security and Information Assurance services required to deliver a non-industry specific Service Oriented Architecture
  • A white paper that makes recommendations for the definition of new service types (where none exist), identifies gaps in the existing standards needed to support security for SOA, proposes extensions to those services which may be required to deliver appropriate levels of assurance, considers the technologies which may exist to deliver these services, and from this identifies the extent to which a service may currently be realised conceptually, logically or physically.
  • A white paper that gives set of use-case descriptions and an SOA threat profile that is based on them
• Deliver a guide for enterprise architects on how to address security in Service-Oriented Architectures, including material from the white papers as appropriate.

Liaisons

It is expected that, in the course of the project, input may be required from, or the project may require to direct or influence, the output of other project streams. These are expected to include liaison with:

• The SafeSOA Task Force, which has identified four main categories of issue: federated identity; roles and authorisation; threat prevention; and policy enforcement.
• SAFE - an organisation that is doing work that is in the pharmaceuticals area, but which is probably generally applicable.
• OASIS, which is developing standards for federated identity and Web services security.
• Project Liberty, which is developing web-based interactions scenarios.
• The SOA Governance and Service-Oriented Infrastructure projects and the SOA Reference Architecture project.
• The Jericho Forum.

Governance

The project is a joint project of The Open Group's Security Forum and SOA Working Group. It will use normal Open Group procedures for development and review of documents. Decisions will be taken by majority vote of Open Group member companies that are represented on the soa-sec e-mail list (except for approval of changes in formal reviews, where the normal 75% rule described in The Open Group technical procedures will apply).

Timelines

The project shall produce its deliverables to a timescale agreed with the Open Group Security Forum and SOA Working Group.

Interim releases shall be made available as appropriate during the project lifecycle to demonstrate progress and assure alignment with parallel streams of activity.