11 research outputs found

    Integration of a Security Product in Service-Oriented Architecture

    The future of enterprise software development lies in the use of a service-oriented architecture (SOA) to support business concerns. Business services use security services offered by service-oriented security architectures for security support. The question remains how to implement the security services using traditional security products and how to map security policies defined at service level to product-specific policies. In this paper we present an approach for integrating existing security products into service-oriented security architectures. We show how traditional security products can be adapted to fit into the overall service-oriented paradigm. We present a case study that applies our approach.

    An Access Control Metamodel for Web Service-Oriented Architecture

    With the mutual consent to use WSDL (Web Service Description Language) to describe web service interfaces and SOAP as the basic communication protocol, the cornerstone for web service-oriented architecture (WSOA) has been established. Considering the momentum observable in the growing number of specifications in the web service domain for the indispensable cross-cutting concern of identity management (IdM), it is still an open issue how a WSOA-aware IdM architecture is built and how it is linked with WSOA's main elements, the web services providing the functional core concerns. In this paper we present an access control model for WSOA and a blueprint of a WSOA-aware authorization verification service which is part of the IdM architecture. We show the integration of this service with a WSOA consisting of both basic and composite web services. Our solution has been tested and evaluated in an implementation case study.

    Novel Security Conscious Evaluation Criteria for Web Service Composition

    This study aims to present a new mathematically based evaluation method for service composition with respect to security aspects. Web service composition, as a complex problem solver in service computing, has become one of the recent challenging issues in today's web environment. It creates a new value-added service through the combination of available basic services to address the problem requirements. Despite the importance of service composition in service computing, security issues have not been addressed in this area. Considering the rapid growth in the number of service-based transactions, making a secure composite service from candidate services with different security concerns is a demanding task. To deal with this challenge, different techniques have been employed which have direct impacts on secure service composition efficiency. Nonetheless, little work has been dedicated to investigating those impacts on service composition performance in depth. Therefore, the focus of this study is to evaluate the existing approaches based on their applied techniques and QoS aspects. A mathematically based security-aware evaluation framework is proposed wherein the Analytic Hierarchy Process (AHP), a multiple criteria decision making technique, is adopted. The proposed framework is tested on state-of-the-art approaches, and the statistical analysis of the results demonstrates the efficiency and correctness of the proposed work.

    Publications and Talks 2007 of the Members of the Faculty of Informatics

    A unified framework for security visualization and enforcement in business process driven environments

    Service-oriented architecture offers a promising approach for supporting interoperability and flexibility in the context of increasingly dynamic and rapidly changing requirements in the business world. However, the encapsulation of business functionality as self-contained services, one of the main concepts in a SOA, brings new challenges. While business experts concentrate on the domain-specific aspects, other non-functional requirements such as security remain mostly neglected, if understood at all. Costs for security administration may increase, business-driven security requirements may not be addressed, and security configurations may not match all internal and external regulations and guidelines. Based on these needs, we propose a technology-independent framework that provides graphical concepts for incorporating the security demands, facilitating the handling of security requirements from their specification to their realization.

    Security-Driven Software Evolution Using A Model Driven Approach

    A high security level must be guaranteed in applications in order to mitigate risks during the deployment of information systems in open network environments. However, a significant number of legacy systems remain in use, which poses security risks to the enterprise's assets due to the poor technologies used and the lack of security concerns when they were designed. Software reengineering is a way to improve their security levels in a systematic way. Model-driven is an approach in which a model, as defined by its type, directs the execution of the process. The aim of this research is to explore how a model-driven approach can facilitate software reengineering driven by security demands. The research in this thesis involves the following three phases. Firstly, legacy system understanding is performed using reverse engineering techniques. The task of this phase is to reverse engineer the legacy system into UML models, partition the legacy system into subsystems with the help of a model slicing technique, and detect existing security mechanisms to determine whether or not the security provided in the legacy system satisfies the user's security objectives. Secondly, security requirements are elicited using a risk analysis method. This is the process of analysing key aspects of the legacy systems in terms of security. A new risk assessment method, taking asset, threat and vulnerability into consideration, is proposed and used to elicit the security requirements; it generates the detailed security requirements in a specific format to direct the subsequent security enhancement. Finally, security enhancement for the system is performed using the proposed ontology-based security pattern approach. This is the stage in which security patterns derived from security expertise and fulfilling the elicited security requirements are selected and integrated into the legacy system models with the help of the proposed security ontology. The proposed approach is evaluated by the selected case study.
    Based on the analysis, conclusions are drawn and future research is discussed at the end of this thesis. The results show that this thesis contributes an effective, reusable and suitable evolution approach for software security.

    An investigation of interoperability issues between authorisation systems within web services

    The existing authorisation systems within the context of Web Services mainly apply two access control approaches: Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC). The RBAC approach links an authenticated Web Service Requester to its specific access control permissions through roles, but RBAC is not flexible enough to cater for cases where extra attribute information is needed in addition to the identity. By contrast, the ABAC approach has more flexibility, as it allows a Web Service Requester to submit the necessary credentials containing extra attribute information that can fulfil the policies declared by a Web Service Provider, which aims to protect the sensitive resources/services. RBAC and ABAC can only help to establish a unilateral trust relationship between two Web Services to enable a Web Service Provider to make an access control decision. Unfortunately, the nature of Web Services presents a high probability that two Web Services may not know each other. Therefore, authorisation may fail if the Web Service Requester does not trust the Web Service Provider. Trust Negotiation (TN) is also an access control approach, one which can provide a bilateral trust relationship between two unknown entities, so it can sometimes enable authorisation to succeed in situations where success is not possible through RBAC or ABAC approaches. However, interoperability issues arise between authorisation systems within Web Services where a bilateral trust-based authorisation solution is applied. In addition, the lack of a unified approach that can address the interoperability issues remains a research problem. This research aims first to explore possible factors causing the lack of interoperability, and then to explore an approach that can address the interoperability issues.
    The main contributions of this research are an improved interoperability model illustrating interoperability issues at different layers of abstraction, and a novel interoperability-solution design along with an improved TN protocol as an example of utilising this design to provide interoperability between authorisation systems within Web Services.

    Security of future converged architectures for personalised services: architectural and protocol aspects

    The emergence and evolution of Next Generation Networks (NGN) have raised several challenges, mainly in terms of heterogeneity, mobility and security. In fact, the user is able, in such an environment, to have access to many networks, via multiple devices, with a vast choice of services offered by different providers. Furthermore, end-users expect to be constantly connected anywhere, anytime and anyhow. Besides, they want to have secure access to their services through a dynamic, seamless and continuous session according to their preferences and the desired QoS. In this context, security represents an important concern. In fact, this user-centric session should obviously be secured. However, many challenges arise. In such an environment, system boundaries, which were once well delimited, become increasingly open. Indeed, there are multiple services which are unknown in advance and multiple communications between services and with users. Besides, the heterogeneity of the resources involved (terminals, networks and services) in the user session increases the complexity of security tasks. In addition, the different types of mobility (user, terminal, network and service mobility) affect the user-centric session, which should be unique, secure and seamless and ensure continuity of services.

    Access Control in Service-Oriented Architectures

    This thesis shows how access control can be realised in the context of web-service-based service-oriented architectures. To this end, a cross-cutting, reusable, service-oriented access control architecture is first developed, which constitutes an extension of the service-oriented business architecture. In parallel, an access control model and an associated policy language are specified, and their embedding in a model-driven software development process is established.