SOA Security

From Training Material
Revision as of 18:45, 8 November 2012 by Izabela Szlachta


  • SOA doesn't define any standards for security
  • Security depends on the technologies used in a specific case
  • Some aspects of security can be generalized and managed regardless of the technologies


Security Requirements

  • Authentication
  • Authorization
  • Confidentiality
  • Integrity
  • Availability
  • Accounting
  • Auditing


Security in Practice

  • Security does require effort
  • Security doesn't bring immediate business value
  • It is impossible to achieve absolute security
  • Are firewalls and special protocols (such as SSL) enough?
  • Do infrastructures provide enough security?
  • It is not clear who is responsible for security


Dealing with Confidentiality and Integrity

  • Transport-layer security
    • SSL (point-to-point)
  • Message-layer security
    • nobody is able to read the messages or modify them without being detected
    • WS-Security
    • Encrypt only the business data of a message (its payload)
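The message-layer approach above, as an added example that is not code from the original page and not WS-Security itself (which uses XML Encryption and XML Signature for the same purpose): AES-GCM from Go's standard library encrypts only the business payload, while the clear routing header is authenticated alongside it, so intermediaries can still route on the header but the final service detects any modification. The key and header values are constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// newGCM builds the AEAD; a wrong key length is a configuration error, so it panics.
func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

// SealPayload encrypts only the business payload and returns nonce || ciphertext || tag.
// The routing header stays in clear for intermediaries but is bound as additional
// authenticated data, so any change to it or to the ciphertext is detected by OpenPayload.
func SealPayload(key []byte, header, payload string) []byte {
	gcm := newGCM(key)
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per message
	if _, err := rand.Read(nonce); err != nil {
		panic(err) // a failing OS CSPRNG is not recoverable here
	}
	return gcm.Seal(nonce, nonce, []byte(payload), []byte(header))
}
// OpenPayload runs at the final service; it fails if the payload or the header was
// modified anywhere on the path, or if the key is wrong.
func OpenPayload(key []byte, header string, sealed []byte) (string, error) {
	gcm := newGCM(key)
	if len(sealed) < gcm.NonceSize() {
		return "", fmt.Errorf("malformed payload")
	}
	pt, err := gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], []byte(header))
	if err != nil {
		return "", fmt.Errorf("payload or header tampered with, or wrong key")
	}
	return string(pt), nil
}
func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed 32-byte demo key
	header := "to=orders;msgid=42"                    // constructed routing header
	sealed := SealPayload(key, header, "<order><item>widget</item></order>")
	_, err := OpenPayload(key, "to=billing;msgid=42", sealed) // an intermediary rewrote the header
	fmt.Println("tampering detected:", err != nil)
}
```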


Security as a Service

[Figure: Security as a Service]

  • Policy decision point (PDP), also known as access control decision function (ADF)
  • Policy enforcement point (PEP), also known as access control enforcement function (AEF)