Hasso-Plattner-Institut
  
    • de
 

Layers of SOA-Security

This page describes briefly each layer within the SOA-Security stack which is shown in the figure below. It should become clear that the security of a service-oriented architecture is not only a technical issue, but a business requirements, which needs to be considered on all levels within an enterprise -reaching from the basic network infrastructure to the business contracts between a company and its partners, customers, and employees.

Layers of SOA Security

Security Enablers

Security Enablers are all mechanisms in an SOA infrastructure, which "enable" security. This means, all basic algorithms, mathematical models and fundamental concepts fall into this category without which security would not be applicable. This includes for example all encryption and decryption algorithms, key generation algorithms as well as basic network protocols to secure a network below the application layer.

Service-Level Security

Service-Level Security comprises all mechanisms to secure a single service. This includes for example specifications as XML Encryption and XML Signature, which ensure integrity and confidentiality of a single message. Furthermore, concepts to describe the identity of a web service consumer and his access rights are handled by this layer.

Security Policy Infrastructure

This layers uses the concepts of the layer below and provides the infrastructure to enforce them properly. While the layer below describes the mechanisms to encrypt or sign a message and to describe the identity of a calling entity, this layer enforces that only authorized entities call the service and that messages exchanged between the service and a consumer are encrypted and signed. Therefore several components are involved as for example components for the administration of policies, for the enforcement of policies, for deciding about an access request, and so on.

Security on an Organizational Level

This layer considers security on an organizational level. Compliance to governmental requirements as well as business contracts between the participating organisations of a service-oriented architecture are the fields of research on this layer.

back