Security Analysis of Service Oriented Systems: A Methodical Approach and Case Study

Introduction

The concept of Service Oriented Architecture (SOA) lately became one of the most powerful architectural paradigms acquitting itself of IT’s original promise to boost an organization’s bottom line by an increase of productivity, sharpened competitive differentiation, and fostered operational effectiveness. SOA and Web services originally started as a technical trend, but soon unveiled their huge potential to businesses.

In a world where business process model innovation is the actual key differentiator, business processes change frequently. As a result, in the past technology constantly outpaced process (re-) engineering. With SOA and Web services emerging, organizations were suddenly given the perfect means to develop flexibility capabilities. This was possible through a highly flexible IT infrastructure which facilitated the proper alignment of IT and business processes. SOA became a top priority in many organizations and an important strategic initiative to pursue (Marks 08). The results are impressive: companies who built their strategy on flexible IT infrastructures and tightly linked IT and business shown clear gains in business results (Carter 07).

It soon became evident, that turning a business’ IT into a successful SOA – one that reliably meets defined business objectives over time – requires rules and guidelines for the organization and all participants, from architects and developers to service consumers, service providers, and even applications and the services themselves (Marks 2006). These so-called “policies” should cover the complete cycle of designing, developing, deploying, maintaining and operating the IT. The process of ensuring that all efforts related to SOA meet all stakeholders’ interests and enterprise requirements is called as SOA governance (WebLayers 2005). Nevertheless, security turned out to be a major challenge.

Along with all its advantages, the paradigm of SOA comes with an array of new security problems, mainly due to the “lowering” of security barriers between traditional applications. The distributed, peer-to-peer style architecture of SOA scenario and the general “statelessness” of services that may be reused in various contexts by potentially unknown clients impose a requirement of utmost flexibility on the underlying infrastructure and its security capabilities. This goes against the intuition of security experts who prefer to impose conservative and cumbersome restrictions on the use of functionality on target infrastructures - be they services or traditional applications. Fortunately, with SOA acceptance spreading among businesses new tools, standards and technologies were developed. Their aim: guaranteeing a high level of security without diluting the benefits of SOA.

An important step towards the systematic design of secure applications is the tight integration of security in the whole development process. In too many real-world projects security is conceived a mere technical aspect and security controls are designed in an ad-hoc way. This causes major drawbacks for the resulting system.

The acceptance of SOA as a mainstream paradigm for a business IT infrastructure depends on the ability to guarantee an appropriate level of security to mission-critical businesses. The major risks can be identified along three dimensions.

First, threats originating in the social or organizational context of the system may not be adequately covered. Examples of such threats are social engineering attacks where the attacker uses human interaction to compromise the system.

Second, the realized security solutions may not be in line with the requirements. Since most security controls have an impact on factors like user flexibility, system performance and budget a thorough analysis of requirements and possible security controls is an important step in a systematic design process.

Third, compliance plays a crucial role for many security-critical systems. For instance, in the e-government and e-health area privacy protection and authentication are connected with strict legal regulations. Moreover, regulations like Basel II and the Sarbanes Oxley Act have increasing influence also on applications in e-business. As a consequence the validation of compliance requirements plays an important role in many service oriented applications. A prerequisite for such a validation are interconnected requirements and solutions.