In this article, we examine how security applies to Service Oriented Architecture (SOA).
In a basic SOA, a loosely coupled service does not have a coordinating service that provides security features. Moreover, the loose coupling predicts that none of the services is aware of its context. A resource that a service provides could require authentication/authorization. The service client must then provide the required information to authorize for that specific service. Because of the loose coupling of services, securing the confidentiality and integrity of the message could pose a problem. Traditionally transport level protocols (such as SSL/TLS) were used between two endpoints to maintain confidentiality and integrity. Since services are also location transparent, it is not possible to predict where the endpoints are and if they can be trusted. Therefore, instead of using transport-level security, message-level security should be employed.
Service registration / deregistration
The service repository (which can be either within the organization security domain or outside) can be susceptible to replay attacks. An adversary could capture the registration or deregistration of a service and perform a replay attack. This replay attack could result in some sort of denial of service attack or registration of an (insecure) older service. An adversary could also perform an enumeration attack
which allows the adversary to create an inventory of available services To prevent these attacks authentication, authorization, integrity and confidentiality must be maintained during registration and deregistration.
Use of standards
Since SOA relies on standards, it is imperative that standards have an emphasized security. Standards used in SOA (mostly web services standards such as XML, SOAP, UDDI) do not emphasize security . Some protocols enable security within these standards, such as SSL for HTTP and encryption for XML. An example where usage of standards can lead to problems is with firewalls. Most companies use firewalls that control all traffic from the external organization to the internal organization. When SOA is implemented using web services, HTTP and SSL are normally used. These protocols use TCP ports 80 and 443 that usually can pass-through the firewall . Therefore, additional security features have to be implemented to prevent possible threats. Services require a description language to describe what the service offers and what it requires. (One of these description languages commonly used in SOA is the Web services description language WSDL). Description languages should use open standards to have full compatibility with potential service consumers. The open standards also allow a possible adversary to scan for vulnerabilities in the service. Using standards alone does not provide a secure SOA . In order to have a secure SOA the basic security principles, confidentiality, integrity and availability (CIA) should be implemented. In addition, security principles such as authentication, authorization, auditing and non-repudiation be implemented.
In the next and final part of this article we will see the technologies that can be used to secure SOA.