Service Oriented Security Architecture

Abstract

As Service Oriented Architectures (SOA) and Web services are becoming widely deployed, the issue of security is far from being solved. In an attempt to address this issue, the industry proposed several extensions to the SOAP protocol that currently reached different levels of standardization. However, no architectural guidelines have yet been proposed. In this paper we first outline the security challenges and the specifications that address these challenges and then present our concept the Service Oriented Security Architecture—SOSA. We argue that the different security functions (authentication, authorization, audit, etc.) should be realized as different stand-alone Web services These security services can then be chained together by means of Enterprise Application Integration (EAI) techniques such as message routing on Enterprise Services Buses (ESB). Next, we will present a prototypical implementation of this framework and describe our experiences so far. We show that by distributing the security functions, a more flexible architecture can be designed that would lower the costs associated with implementation, administration and maintenance.