SOA Security Concerns
Jim Ross, CISSP
james.g.ross2@boeing.com

• SOA issues that keep me up at night
• SOA IA is just starting to mature
  • Standards defined to support security in SOAs
    • Some still in work
    • Not fully implemented in all products
• Distributed Services
  • Services are being offered that may be outside of our COI
  • Service requests may be passed on to third-party providers
• Distributed and Transitive Trust
  • Do we trust others' services?
  • Do we trust services that others trust?
  • How is the trust of a service measured and communicated to a consumer?

• Federated Identity Management
  • Identity management needs to work across COIs, security domains and international boundaries
  • Certificate bridges
• Use of XML
  • XML can be used as an attack vector
  • We need filtering and inspection of XML messages
  • How is this impacted by EFX binary encoding?
• Policy Management and Enforcement
  • Very complex policy issues
  • Could easily become intractable

• Multi-Level Security Domains
  • Ensuring secure sharing of data without inhibiting sharing
  • Making SOAs work with guards
  • High-assurance Policy Enforcement Points (PEP) and Policy Decision Points (PDP)
  • Separation of data across SOAs in different security domains
  • Leakage of sensitive Meta-Data