This document discusses security considerations for service-oriented architectures (SOAs). It defines what SOAs are and outlines aspects of a SOA platform that are relevant to security, including people and processes, business continuity, technology, services, and governance. It then describes specific security aspects for each of these areas, such as identity and access management, monitoring, change management, and risk analysis. Finally, it lists typical deliverables for a SOA security architecture, such as security policies, risk analysis, and operational procedures.
What is SOA?
- Applications expose functionality as services
- Services are composable
- Services implement APIs, are discoverable, consume and modify resources and have a runtime behaviour
- Service APIs and resources are subject to security considerations: who is allowed to do what?
A SOA platform
- Runtime environment for deploying, configuring, monitoring and operating IT services
- Operational quality
- Security quality
- Out of scope: build process (dependency management, pen-test, static code analysis of deployment artefacts)
Applicable security practices
- TOGAF 21.3 Guidance on Security for the Architecture Domains
- ISO/IEC 17799:2005 establishing security practices
- OWASP
Security aspects: business continuity
- Policies must be enforceable
- Cost and complexity manageable
- Risk management
- Contingency plans
- Availability, scalability
- Graceful service degradation
- Low MTTR
- DR class
Security aspects: people & processes
- HR and operational policies and processes documented, maintained
- Personnel training, vetting
- Monitoring access, interactions, auditing
- Change management
- IAM (identity, roles, ownership, channels)
- ISO, security architect