Paper Title: A New Approach for Designing a Secure Model in Service Oriented Architecture (SOA)

A New Approach for Designing a Secure Model in Service Oriented Architecture (SOA)

Deepak Panwar

ASET, Amity University Jaipur, Rajasthan, INDIA

G.L. Saini

ASET, Amity University Jaipur, Rajasthan, INDIA

Abstract—Service Oriented Architecture (SOA) is an architectural concept for developing distributed systems. SOA faces many challenges, such as reliability and security. Security is the major challenge in designing a Service Oriented Architecture because it affects the discovery and interaction of services and applications in an SOA environment. Previously, many researchers implemented solutions based on the Web Service Security and Web Service Security Policy standards, but this set of standards is not enough to guarantee enterprise system protection. In this paper, we propose a security model for Service Oriented Architecture that forms the basis of our Security As A Service (SAAS) technique. Our proposed idea applies the SAAS concept to implement security as a separate service, which reduces the load on the service consumer and provider. It is based on a model of service interaction that explains the exchange of secured communication in a distributed environment.

Index Terms—Service-Oriented Architecture, Security As A Service, WS-Trust, Web Services

I. Introduction

Service-Oriented Architecture (SOA) has become a popular architecture pattern in enterprise application development. With the emergence of web services, SOA is a solution for enterprise application development because it is platform and language independent. An SOA based application is a combination of services; these services can be implemented in different technologies and deployed over heterogeneous networks [1]. In a distributed environment, security is a critical issue for enterprise systems, and it is necessary to ensure security in SOA based applications. As Web services technologies are used increasingly, the next issue that should be addressed is the security of the information or messages transferred across the network. There are several approaches for implementing security in SOA based applications. Traditional security approaches impact performance and carry a high maintenance cost for the application [12]. Another approach, which has come up as a solution to these problems, is called Security As A Service (SAAS). For example, in traditional security approaches an application is built from a few services and each service implements its own security, which is invoked as part of the service consumer and provider, as depicted in figure 1.1.

Fig. 1.1 Security implementation as part of each service

When an enterprise needs to secure a large number of services, the traditional security approach is not the right way to implement security, because the security enforcement machinery is replicated across all services and service consumers [12]. Worse still, if security requirements differ for each application, then the security machinery of each service will perform similar security checks, leading to a high maintenance cost.

Fig 1.2 Security implementation as a separate service

Security as a service, depicted in figure 1.2, is a solution over the traditional approach for securing a large number of services. This approach explores a way of shifting some of the security enforcement burden from the service consumer and the service to a shared security service. A shared service helps to enforce security policies consistently across all services. This approach is not completely suitable from the performance point of view, however. For example, suppose several service consumers want to access the service at the same time: all of their security credentials will be checked at the server side, and validation will take more time.

II. RELATED WORK

The well-known standard security requirements of web services are integrity, confidentiality and availability. There are various techniques to tackle these three security aspects, such as using XML Signature (a digital signature in XML format) to ensure data integrity and using XML Encryption to provide confidentiality while a message is in transit over the network [8]. The WS-ReliableMessaging protocol guarantees that a message transmitted over the network has been received by the receiver [4]. Although there are various standards for Web services security, perhaps the most important is WS-Security, because it provides authentication by placing various security token approaches and encryption technologies into the SOAP message header. SOAP message security is one of the most vital security concerns for Web services because of attacks such as replay attacks, man-in-the-middle attacks and token substitution attacks, which can break message confidentiality and integrity [11]. WS-Security is therefore the security standard that deals with those problems, using XML Encryption and XML Signature to protect confidentiality and integrity respectively. Furthermore, WS-Security supports security tokens, which are commonly used to provide authentication and authorization. According to Zhang [10], there are several techniques for token-based authentication, namely username, X.509 PKI certificates, Kerberos tickets, Security Assertion Markup Language (SAML) and Web Services Security Rights Expression Language (REL), also known as XML Rights Management Language (XrML) [8]. They can be categorized into three types: unsigned security tokens, namely the username token profile; signed security tokens, namely X.509 certificates and Kerberos tickets; and XML security tokens, namely SAML and XrML [7][9].

III. STANDARDS FOR IMPLEMENTING SECURITY AS A SERVICE

A number of standards and technologies are available for implementing security as a service. Some of them are as follows:

WS-Trust: WS-Trust defines a standard interface for obtaining/issuing, renewing, cancelling and validating security tokens such as SAML assertions. Specifically, it defines a security token service (STS) that provides these mechanisms as web services [6][13]. So, after discovering which security token is required, the service consumer can use WS-Trust to obtain the required token from an STS.

Security Assertion Markup Language (SAML): SAML is used to exchange security information among different security domains [5]. SAML provides two services, authentication and authorization. Based on the SAML protocol, the authentication service creates the requests and responses that are used by the Security Token Service (STS) for validating the user.

WS-Addressing: This standardized SOAP specification explicitly supports the use of one or more intermediaries (such as security services) in the message path by laying down specific rules for preserving destination endpoint information when routing a message via the security service [7].

IV. NEW APPROACH FOR MODELLING SECURITY AS A SERVICE (SAAS)

The Security As A Service (SAAS) approach is a better choice for solving SOA security, based on the concept of shared services. Security services are implemented effectively and correctly, and can be scaled locally outside the system or as a domain-wide service [3][12]. We propose a new way of implementing security using the SAAS approach, shown in figure 1.3.

In this approach, SAAS is implemented on the Enterprise Service Bus (ESB). An ESB has the ability to implement shared security and improve the performance of the application. On the ESB, security credentials are validated during the transmission of data or requests from the service consumer to the service. The time for processing a request is reduced because the security validation has already been performed on the ESB, and the overall performance of the system is increased.

Fig 1.3 Security implementation as a separate service on ESB

V. PROPOSED MODEL FOR SAAS IMPLEMENTATION

The proposed architecture of the SAAS approach is based on the concept of a shared security service, implemented in a University System as depicted in figure 1.3. The upper part of this architecture shows the University System, which contains various service endpoints.

Fig 1.3 Shared security service architecture in a domain

The lower part shows the SAAS components and security interfaces. The global request and response handlers are integrated with the service endpoints. These handlers intercept the incoming and outgoing messages to or from a service endpoint and provide primitive security. The proposed SAAS based architecture breaks the security tasks into the SAAS components and the service endpoint security architecture. Endpoint-integrated security performs security tasks such as encryption/decryption, validation and key exchange using the Security Proxy Handler (SPH) [3][2]. The SAAS components are the core, deployed per security domain, that provides shared security to all service endpoints in that domain. The Policy Repository contains policies for different security requirements such as authentication and authorization.

  • Authentication Service: provides user authentication inside or outside the domain. It validates the user identity and sends a signed authentication decision to the endpoint. At the endpoint, the SPH validates the signature before forwarding the authentication decision to the intended service.
  • Authorization Service: verifies the permissions assigned to the user against the policy repository and sends an authorization assertion to the endpoint. At the endpoint, the SPH validates the signature and then grants access to the valid user.
  • Monitoring Service: handles the events generated by endpoints or by the security services of the SAAS components.
  • Logging Service: records the service request and response messages for access to information or resources in the system.
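The following is an added example, not code from the paper, that models the token flow of Section III together with the SAAS components of Section V: the Authentication Service issues a signed decision, the Authorization Service consults the Policy Repository and issues a signed assertion, and the endpoint-side SPH verifies signature, expiry and scope before forwarding, while Monitoring and Logging record events. It assumes a domain key shared between the SAAS components and the endpoints (HMAC stands in for the XML Signature an STS would use), and the users and policy entries are constructed.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed fixtures for the example (not from the paper).
DOMAIN_KEY = b"constructed-domain-signing-key"     # assumed key shared by SAAS and endpoints
USERS = {"alice": b"correct horse"}                # constructed credential store
POLICY_REPOSITORY = {("alice", "grades", "read")}  # constructed Policy Repository entries
LOG, EVENTS = [], []                               # Logging Service and Monitoring Service sinks

def _sign(payload):
    """Sign a decision/assertion; HMAC stands in for the XML Signature an STS would use."""
    body = json.dumps(payload, sort_keys=True).encode()
    return {"payload": payload, "sig": hmac.new(DOMAIN_KEY, body, hashlib.sha256).hexdigest()}

def _valid(signed):
    """Constant-time check that a signed decision/assertion was not altered in transit."""
    return hmac.compare_digest(_sign(signed["payload"])["sig"], signed["sig"])

def authentication_service(username, password, now=None):
    """Validate the identity and return a signed, time-limited authentication decision."""
    now = time.time() if now is None else now
    ok = hmac.compare_digest(USERS.get(username, b""), password.encode())
    EVENTS.append(("auth", username, ok))                      # Monitoring Service event
    return _sign({"sub": username, "authenticated": ok, "exp": now + 300, "id": secrets.token_hex(8)})

def authorization_service(decision, resource, action):
    """Look up the user's permission in the Policy Repository; return a signed authorization assertion."""
    p = decision["payload"]
    permitted = bool(_valid(decision) and p["authenticated"]
                     and (p["sub"], resource, action) in POLICY_REPOSITORY)
    EVENTS.append(("authz", p["sub"], resource, action, permitted))
    return _sign({"sub": p["sub"], "resource": resource, "action": action,
                  "permitted": permitted, "exp": p["exp"]})

def security_proxy_handler(assertion, resource, action, endpoint, now=None):
    """Endpoint-side SPH: verify signature, expiry and scope before forwarding to the service."""
    now = time.time() if now is None else now
    if not _valid(assertion):
        EVENTS.append(("tampered", resource, action))
        return "rejected: bad signature"
    p = assertion["payload"]
    if p["exp"] < now or (p["resource"], p["action"]) != (resource, action) or not p["permitted"]:
        EVENTS.append(("denied", p["sub"], resource, action))
        return "rejected: not permitted"
    LOG.append((p["sub"], resource, action))                   # Logging Service records the request
    return endpoint(p["sub"])                                  # forward to the intended service
```

The scope check in the SPH is what stops an assertion issued for one resource being replayed against another, which is the token substitution case the Related Work section mentions.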

VI. CONCLUSION

In this paper, we presented an approach for implementing security in SOA based systems. Our approach is based on the Security As A Service (SAAS) concept, which implements security as a separate service and thereby reduces the burden on the service consumer and provider. This approach needs more research to increase message reliability and the privacy of information in distributed systems.

REFERENCES

[1]. Hariharan, C.; Babu, C.: Security testing of orchestrated business processes in SOA, IEEE International Conference, pp 1426-1430, (2014).

[2]. Phan, Cecilia: Service Oriented Architecture (SOA) - Security Challenges and Mitigation Strategies, Military Communications IEEE Conference, pp 1-7, (2007).

[3]. Memon, M.; Michael, M.; Breu, R.: SECTISSIMO: Security as a Service - a Reference Architecture for SOA Security, ICT-FET-231101, FWF project, (2008).

[4]. Pollmann, C.; Claessens, J.: Web services and Web service security standards. Information Security Technical Report, pp 15-24, (2005).

[5]. Zernadji, T.; Tibermacine, C.; Cherif, F.: Quality-Driven Design of Web Service Business Processes, IEEE International Conference, pp 110-112, (2014).

[6].

[7]. OASIS: WS-SecurityPolicy, tutorial, (2007).

[8].

[9]. Allanqawi, K.L.S.K.; Khaddaj, S.: A Conceptual Approach for Assessing SOA Design Defects' Impact on Quality Attributes, IEEE International Conference, pp 66-70, (2013).

[10]. Galster, M.; Avgeriou, P.: Qualitative Analysis of the Impact of SOA Patterns on Quality Attributes, IEEE International Conference, pp 167-170, (2012).

[11]. Mcheick, H.; Yan Qi: Quality attributes and design decisions in Service-Oriented Computing, IEEE International Conference, pp 283-287, (2012).

[12]. Mcheick, H.; Dodge, S.; Karam, M.: Service oriented specification and study of quality performance attribute, IEEE International Conference, pp 80-84, (2012).

[13].

[14]. Nadalin, A.; Goodner, M.; Gudgin, M.; Barbir, A.: Web services security policy language 1.2. Public Draft Specification, (2007).

Authors’ Profiles

Deepak Panwar

B.Tech., M.Tech (CSE), PhD*

He is currently working in the Amity School of Engineering & Technology, Amity University Rajasthan, India. He has more than three years' experience in the teaching and research field.

G.L. Saini

B.E., M.Tech (CSE)

He is currently working in the Amity School of Engineering & Technology, Amity University Rajasthan, India. He has more than seven years' experience in the teaching and research field. He has published five research papers in reputed international journals.