A Formal SOA Security Model
Why a Formal Model?
The best way to capture SOA Security requirements, define and compare alternative architectural solutions and security capabilities of the existing products, and in general talk about SOA Security is in the context of a comprehensive formal model. I could not find anything like this as I was preparing for a SOA Security talk at last year’s Horizons conference, so I decided to come up with one.
Only after I had defined mine, I stumbled across a somewhat similar approach that was adopted by the NSTISSC, which stands for National Security Telecommunications and Information Systems Security Committee – something that has the word “Security” twice in its name has got to be a serious joint. Actually, as it turned out when I was checking the links for this post, it has since been renamed to something less conspicuous: Committee on National Security Systems (CNSS).
However, if you bother to compare the two you would find some key differences:
- My model is specifically designed to address the SOA Security domain.
- My model has many additional dimensions.
- My model uses graphical notation to facilitate analysis and comparison.
Description
This is a three-dimensional model which represents the SOA security domain as a matrix of seven Security Aspects (or different manifestations of system security):
- Authentication
- Authorization
- Integrity
- Confidentiality
- Accountability
- Identity Management
- Security Policies
versus six Security Facets (or application layers where security can be implemented):
- Transport Security
- Message Security
- Application Security
- Asset (Data) Security
- Knowledge Security
- Control Security
The third dimension represents a Capability (or Support Level provided by a solution to a particular combination of a Facet and an Aspect). The model uses an intuitive graphical notation that facilitates human comprehension and comparison of different models. I plan to describe Aspects, Facets and Capabilities in-depth in a separate posting, but to give you the look and feel for the end product I provided the model for an ad-hoc SOA running in a typical application server:


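The Facet-by-Aspect grid described above can be made concrete and used for the comparison of requirements against a solution that the post describes. This is an added example, not the author's model or figure: the Facet and Aspect names come from the post, while the 0-3 capability scale, the glyphs and all sample ratings are constructed assumptions.

```python
# Added illustration; the 0-3 capability scale and all ratings are assumptions.
ASPECTS = ["Authentication", "Authorization", "Integrity", "Confidentiality",
           "Accountability", "Identity Management", "Security Policies"]
FACETS = ["Transport", "Message", "Application", "Asset (Data)",
          "Knowledge", "Control"]
LEVELS = {0: ".", 1: "o", 2: "O", 3: "#"}  # assumed: none, weak, partial, full

def make_model(ratings=None, default=0):
    """Build a full Facet x Aspect grid; unrated cells get `default`."""
    ratings = ratings or {}
    for (facet, aspect), level in ratings.items():
        if facet not in FACETS or aspect not in ASPECTS or level not in LEVELS:
            raise ValueError(f"bad cell: {facet!r}, {aspect!r}, {level!r}")
    return {(f, a): ratings.get((f, a), default) for f in FACETS for a in ASPECTS}

def gaps(required, provided):
    """Cells where the solution's capability is below the requirement."""
    return {cell: (need, provided[cell])
            for cell, need in required.items() if provided[cell] < need}

def coverage(required, provided):
    """Fraction of cells with a non-zero requirement that the solution meets."""
    needed = [c for c, need in required.items() if need > 0]
    met = [c for c in needed if provided[c] >= required[c]]
    return len(met) / len(needed) if needed else 1.0

def render(model):
    """One row per Facet, one glyph per Aspect, for side-by-side comparison."""
    header = " " * 14 + " ".join(a[:5] for a in ASPECTS)
    rows = [f"{f:<14}" + "     ".join(LEVELS[model[(f, a)]] for a in ASPECTS)
            for f in FACETS]
    return "\n".join([header] + rows)

# Constructed sample data, not taken from the post's figure.
REQUIRED = make_model({("Transport", "Confidentiality"): 3,
                       ("Message", "Integrity"): 3,
                       ("Message", "Authentication"): 2,
                       ("Application", "Authorization"): 2})
CANDIDATE = make_model({("Transport", "Confidentiality"): 3,
                        ("Transport", "Authentication"): 2,
                        ("Message", "Integrity"): 1,
                        ("Application", "Authorization"): 2})

if __name__ == "__main__":
    print(render(CANDIDATE))
    for (facet, aspect), (need, have) in gaps(REQUIRED, CANDIDATE).items():
        print(f"GAP {facet}/{aspect}: need {need}, have {have}")
    print(f"coverage: {coverage(REQUIRED, CANDIDATE):.0%}")
```
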
I have lost control of this blog, so I cannot update it any more. If you are interested in following my professional endeavours, the best place will be on my profile page http://www.randomfour.com/alex/profile.html at my company site.
Posted by Alex Maclinovsky on October 08, 2009 at 02:17 PM CDT #