Basic Concepts of SOA Security
This chapter presents the basic notions and concepts of security. We will elaborate on these in later chapters in context of a motivating case study from e-government in Chapter 5 and an extensive case study from healthcare in Chapter 12.
- PDF / 645,371 Bytes
- 19 Pages / 439.37 x 666.142 pts Page_size
- 99 Downloads / 213 Views
This chapter presents the basic notions and concepts of security. We will elaborate on these in later chapters in context of a motivating case study from e-government in Chapter 5 and an extensive case study from healthcare in Chapter 12. Based on the many meanings of security we elaborate a definition of security appropriate to the context of distributed and decentralized systems in Section 3.1. We move on to define security concerns in context of such systems in Section 3.2. We introduce the key concepts facilitating the expression of these concerns in terms of security “needs” of an asset: either when engineering and managing security-critical systems (as Security Policies in Section 3.3) or when evaluating them in light of the three driving forces defining the state of a system’s security: Vulnerabilities, Threats and Security Controls (as Security Requirements in Section 3.4). We close with Section 3.5 introducing Web Services Security Standards as a means to realize SOA Security.
3.1 What Is (SOA) Security? Common knowledge defines Security as a state of freedom from risk or danger. It can also mean a state free from doubt, anxiety, or fear. Computer security narrows the focus to computing systems. It describes a field of computer science dealing with risk, threats and mechanisms related to the use of computing systems. Even seen in that context, the definition of security comes in (too) many flavours. For example, Garfinkel et al. define computer security in a very broad sense, emphasising the notion of a system’s availability [96]: “A computer is secure if you can depend on it and its software to behave as you expect.” However security obviously does not only describe a desirable state, where systems function as intended. It also encompasses amongst other things - the
28
3 Security Policies
notion of actively taking measures to preserve this state through security measures. Gollmann gives a complementary definition [100]. Accordingly, security “. . . deals with the techniques employed to maintain security within a computer system.” Nevertheless, these two definitions – even taken together – fall short on one important point. Nowadays, computing systems cannot be viewed anymore as isolated hosts offering computational functionality to human users. Rather, modern computing systems are loosely coupled components distributed over a network and communicating with each other: they are heterogeneous, distributed, and inter-connected. For one, it is evident that a system which is connected to other systems is exposed to a considerable amount of additional security threats. Nevertheless there is another quality in todays computing architectures. Computer systems are not conceived as centralized architectures anymore. A Service Oriented Architecture represents an inherently decentralized computing concept. Hence, an appropriate understanding of the concept of security needs to take into account the system, its context and dependencies between both. Therefore, the first dimension we need to add to reach a working definition of
Data Loading...
