Service Oriented Architecture

There is a rapid movement to SOA because of the promise it brings for unprecedented levels of agility by allowing the business to respond to rapidly changing forces quickly, easily and with a minimum of risk. SOA can be used to create reusable business services, discover existing business services within and beyond an environment, manage business services throughout their lifecycle, assemble business services to support an end-to-end business process, and deliver the outcome of business services in deployment. When well executed, it robustly connects business processes end to end, allowing for easy and non-disruptive changes, and it reduces IT costs with reusable, componentized services. The distributed and open nature of SOA demands security due diligence in order to ensure that identity and security are appropriately managed across a range of systems, organizations, and a diverse mix of new and old technologies.

Service Oriented Architecture Review

A review and analysis of relevant SOA artifacts (e.g., requirements, system security plan, business use cases, threat analysis, vendor-specific documentation) to identify how the data, application, and technology architecture of the solution (e.g., ESB, gateway, web services) protects critical assets, sensitive data stores and business-critical interconnections in accordance with the organization’s business and security objectives.

Key activities include:

  • Leveraging Vulnerability and/or Risk Assessment output (where available) to understand potential attack vectors and focus the audit activities on the most critical elements;
  • Consulting with members of the application development team and management to understand:
    • the business goals and control objectives (security requirements) as they relate to data confidentiality, integrity, availability, and provability;
    • SOA communication scope (e.g., intranet, extranet, internet);
    • ingress, egress, and intra-application data flows (and corresponding security treatment);
    • data classification/risk level relating to the services exposed and the data they process;
    • core technologies integral to the SOA implementation (e.g., ESB, XML Gateway, Federated Identity Management) that the implementation is reliant upon to achieve its security objectives; and
    • core operational processes (e.g., user provisioning, system audit) integral to the implementation and/or those that the application is reliant upon to achieve its security objectives.
  • Analyzing the solution against prevailing good practice (e.g., OASIS, NIST), the organization’s business and security objectives, and relevant laws/regulations; and
  • Formal reporting on the process, relevant findings, and remediation advice. Where possible the report will also include: root cause analysis, peer-group benchmarking, good practice benchmarking, executive summaries, and technical summaries.

The predominant benefits realized by an SOA Architecture Review are:

  • Provides a high level of design assurance by looking at the SOA implementation in a comprehensive and holistic manner;
  • Provides assurance that consumers of SOA services are properly authenticated, SOAP messages remain confidential in transit, the SOA architecture is sufficiently resilient, and SOAP messages have integrity and are provable;
  • Findings can be used to identify other necessary assurance activities and to optimally focus downstream activities (e.g., Network Security Assessments, Application Architecture Reviews, Authentication Services Reviews) on relevant issues/targets for large-scale, enterprise-level applications;
  • Allows an entity to address security deficiencies in the design phase at the lowest possible cost.

SOA Architecture Reviews are best used:

  • During the early design phases of the development life cycle to ensure that security is designed into the solution. This approach reduces the likelihood that security will need to be retrofitted to the application. Building security into an already developed solution can result in significant architectural changes, code modification, and a generally lower level of assurance that the solution meets the organization’s security objectives.
  • Post-design and pre-deployment to validate that the deployment is consistent with the design and to focus the certification and accreditation activities on those areas that will provide the greatest level of assurance.

Service Oriented Architecture Operational Assessment

The complexity of SOA implementations and the criticality of the data they generally process and transit impose a greater requirement on organizations to ensure that the SOA implementation and the processes it relies on are operating as intended, so that management has assurance that key control objectives are being achieved and that core risks are mitigated to an acceptable level. Operational Assessments are an effective mechanism to provide this assurance.

Key activities include:

  • Leveraging the SOA Design Review, System Security Plan, Threat/Vulnerability Assessment, or Penetration Testing to understand which operational activities (e.g., XML Gateway Services, User Provisioning, System Audit) are critical to the security of the application;
  • Conducting a compliance review of those operational activities that are deemed essential to the ongoing achievement of critical security objectives; and
  • Formal reporting on the process, relevant findings, and remediation advice. Where possible the report will also include: root cause analysis, peer-group benchmarking, good practice benchmarking, executive summaries, and technical summaries.

The predominant benefits realized by an Operational Audit are:

  • Provides assurance that key operational security controls are in place and operating as intended; and
  • Provides a measure of assurance that the SOA control environment can perpetuate the current security posture over an extended period of time.

Operational Audits are best used:

  • As part of a compliance management program to demonstrate compliance with relevant laws and regulations over an extended period of time; and
  • As part of a broader “certification and accreditation” exercise to provide a higher level of assurance for critical services such as SOA.