Requirements for SOA Security Implementation Templates

1. Managing Security Policies
In advance of interacting with a business partner's SOA resources, you will need to determine appropriate security policies such as requirements for transport and message layer protection as well as data level protection.

2. Defining Transport Security Policies
Transport layer security refers to the type of protection offered in the actual delivery protocols involved in the interaction, such as using secure sockets layer (SSL) over Internet transactions.
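A transport policy is only useful if it can be checked against what a service endpoint is actually configured to do. The following Go program is an added example (not code from the original post or from the cited book) that expresses a minimum transport policy as data and reports where a TLS client configuration falls short of it. The `TransportPolicy` type, the `CheckTransport` function and the policy values are assumptions made for the illustration; the `tls.Config` fields are the real ones from Go's standard library.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// TransportPolicy is the floor the two partners agree on for the delivery
// protocol (constructed example; real policies would also name cipher suites).
type TransportPolicy struct {
	MinVersion              uint16 // lowest protocol version allowed, e.g. tls.VersionTLS12
	RequireCertVerification bool   // the partner's certificate must be validated
}

// CheckTransport returns one string per policy violation found in cfg.
// An empty result means the configuration satisfies the policy.
func CheckTransport(p TransportPolicy, cfg *tls.Config) []string {
	if cfg == nil {
		return []string{"no TLS configuration: traffic would travel in plaintext"}
	}
	var violations []string
	// MinVersion of 0 means "library default"; the policy requires an explicit
	// floor, so 0 is treated as below any stated minimum.
	if cfg.MinVersion < p.MinVersion {
		violations = append(violations,
			fmt.Sprintf("MinVersion 0x%04x is below the policy floor 0x%04x", cfg.MinVersion, p.MinVersion))
	}
	if p.RequireCertVerification && cfg.InsecureSkipVerify {
		violations = append(violations,
			"InsecureSkipVerify is set: the partner's certificate chain is never validated")
	}
	return violations
}

func main() {
	policy := TransportPolicy{MinVersion: tls.VersionTLS12, RequireCertVerification: true}
	weak := &tls.Config{InsecureSkipVerify: true}          // constructed: no floor, no validation
	strong := &tls.Config{MinVersion: tls.VersionTLS12}    // constructed: compliant
	fmt.Println("weak  :", CheckTransport(policy, weak))
	fmt.Println("strong:", CheckTransport(policy, strong)) // prints an empty list
}
```

The check runs at deployment or audit time against the configuration a service will use; wiring it into a startup self-test is the usual way to keep a policy agreed on paper from drifting in code.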

3. Defining Message Layer Security Policies
Message layer security allows the system to protect the message body itself (transmitted in the HTTP message body, for example) in terms of integrity and confidentiality; this is on top of any protection applied at the transport level.

4. Defining Data Protection Policies
You can achieve data protection by applying encryption mechanisms to the data-level elements within a message. Although not widely adopted, the notion of data element confidentiality is recognized as critical in many SOA environments (especially those that will be applied within financial and health sector environments).

5. Defining Security Token Policies
At some level, cooperating business partners will determine the types of security tokens they can issue, manage, and exchange with each other. These tokens are used to assert information about requestors of business processes.

6. Defining Cryptographic Key Policies
An SOA environment requires that partners establish key management policies for the keys used to sign or encrypt information. This is both a technical consideration (one should never use the same key pair for both signing and encryption) and a legal liability consideration.
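Points 3, 4 and 6 above fit together in one message: integrity and confidentiality are applied to the message body independently of the transport, sensitive data elements get their own encryption, and the signing key and the encryption key are distinct and are only ever used for their declared purpose. The Go program below is an added example written for this page (it is not code from the original post or from the cited book). The `Message` layout, the key types, the `KeyUsage` policy and the sample values are all assumptions made for the illustration; the cryptographic calls (ECDSA P-256 signatures, AES-256-GCM) are Go standard-library APIs.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// KeyUsage is the single purpose a key is issued for; the policy in the text
// is that no key (pair) serves both signing and encryption.
type KeyUsage int

const (
	UsageSign KeyUsage = iota
	UsageEncrypt
)

var ErrKeyUsage = errors.New("key usage policy violation")

// SigningKey is an asymmetric key pair reserved for message signatures.
type SigningKey struct {
	ID    string
	Usage KeyUsage
	Priv  *ecdsa.PrivateKey
}

// DataKey is a symmetric key reserved for encrypting individual data elements.
type DataKey struct {
	ID    string
	Usage KeyUsage
	Key   []byte // 32 bytes, i.e. AES-256
}

func NewSigningKey(id string) (*SigningKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	return &SigningKey{ID: id, Usage: UsageSign, Priv: priv}, nil
}

func NewDataKey(id string) (*DataKey, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil { return nil, err }
	return &DataKey{ID: id, Usage: UsageEncrypt, Key: k}, nil
}

// Message stands in for a service request body (constructed layout). Account
// is the data element that gets data-level protection; Sig covers the body.
type Message struct {
	Partner, Action, Account, Sig string
}

// canonical is the byte string the signature covers: everything except Sig.
func (m Message) canonical() []byte {
	return []byte(strings.Join([]string{m.Partner, m.Action, m.Account}, "\n"))
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// EncryptElement protects one element with AES-256-GCM. The key ID is bound in
// as associated data, so the ciphertext cannot be quietly moved to another key.
func EncryptElement(k *DataKey, plaintext string) (string, error) {
	if k.Usage != UsageEncrypt { return "", ErrKeyUsage }
	gcm, err := newGCM(k.Key)
	if err != nil { return "", err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return "", err }
	ct := gcm.Seal(nonce, nonce, []byte(plaintext), []byte(k.ID)) // nonce || ciphertext || tag
	return base64.StdEncoding.EncodeToString(ct), nil
}

// DecryptElement reverses EncryptElement and fails on any tampering.
func DecryptElement(k *DataKey, enc string) (string, error) {
	if k.Usage != UsageEncrypt { return "", ErrKeyUsage }
	gcm, err := newGCM(k.Key)
	if err != nil { return "", err }
	raw, err := base64.StdEncoding.DecodeString(enc)
	n := gcm.NonceSize()
	if err != nil || len(raw) < n { return "", errors.New("malformed ciphertext") }
	pt, err := gcm.Open(nil, raw[:n], raw[n:], []byte(k.ID))
	if err != nil { return "", err }
	return string(pt), nil
}

// SignMessage adds an ECDSA P-256 signature over the canonical body; it is
// applied after element encryption, so the signature covers the ciphertext.
func SignMessage(k *SigningKey, m *Message) error {
	if k.Usage != UsageSign { return ErrKeyUsage }
	h := sha256.Sum256(m.canonical())
	sig, err := ecdsa.SignASN1(rand.Reader, k.Priv, h[:])
	if err != nil { return err }
	m.Sig = base64.StdEncoding.EncodeToString(sig)
	return nil
}

// VerifyMessage checks the body against the partner's published public key.
func VerifyMessage(pub *ecdsa.PublicKey, m Message) bool {
	sig, err := base64.StdEncoding.DecodeString(m.Sig)
	if err != nil { return false }
	h := sha256.Sum256(m.canonical())
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

func main() {
	sk, _ := NewSigningKey("partner-a-sign")               // constructed key IDs
	dk, _ := NewDataKey("partner-a-data")
	enc, _ := EncryptElement(dk, "ACCT-0001")              // constructed sample element
	m := Message{Partner: "partner-a", Action: "transfer", Account: enc}
	_ = SignMessage(sk, &m)
	fmt.Println("verifies:", VerifyMessage(&sk.Priv.PublicKey, m))
	m.Action = "refund"
	fmt.Println("verifies after tampering:", VerifyMessage(&sk.Priv.PublicKey, m))
}
```

Because the signature and the element ciphertext live inside the body, they survive intermediaries that terminate the transport connection, which is the property message-layer security is meant to add on top of SSL/TLS. The usage check in each function is where the key policy becomes enforceable rather than advisory.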

7. Coordinating Policies Between Business Partners
Establishing common policies for transport layer security across the enterprise (business) is a well-understood exercise today. Almost all businesses using the Internet have SSL certificates. Businesses have a well-established understanding of managing such certificates and SSL sessions with the help of IETF-defined standards.

Source: SOA Security, Ramarao Kanneganti, 2007.
