Federal Office for Information Security (BSI)

Security of service-oriented architectures (SOA security)

Service-oriented architectures (SOA) denote a general approach to structuring complex IT systems and mapping business processes onto them. In theory, SOA promises to solve many long-standing problems of integrating different subsystems and making them interact. In practice this promise has been borne out, at least in some cases.

SOA is one of the latest trends in IT and is very popular with management because of its direct relevance to business processes. However, very little attention is paid to the security aspects of SOA, particularly where security requirements arise that conventional IT systems either did not have or had in a different form. Every SOA ultimately implements business processes, which may be critical and therefore need protection. Beyond the security of individual service requests (confidentiality, authenticity, etc.), other aspects such as transaction security matter as well. Further security mechanisms become necessary when a service-oriented architecture is not only used inside an institution but is also opened to outside users; safeguards against denial-of-service attacks are one example.
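To make the point about securing individual service requests concrete, the following is an added example, not code from the BSI page or from any BSI project. It shows message-level authentication of a service request: the caller keys an HMAC over the request fields together with a timestamp and a fresh nonce, and the receiving service checks the MAC, rejects stale timestamps and refuses nonces it has already seen. In a service chain a request often passes several intermediaries, so transport security between two hops alone does not tell the final service who originated the message or whether it was replayed. The class name, the shared-key table, the field order and the sample request are all assumptions made for this example.

```python
import hashlib
import hmac
import secrets
import time


class ServiceRequestAuthenticator:
    """Hypothetical message-level authenticator for service requests.

    Each request carries the caller id, a timestamp, a random nonce and an
    HMAC-SHA256 over (caller, timestamp, nonce, operation, body). The verifier
    checks the MAC first (so an attacker cannot probe the other checks with
    forged messages), then the timestamp freshness, then the replay cache.
    """

    def __init__(self, shared_keys, max_skew=300):
        self._keys = dict(shared_keys)   # caller id -> shared secret (bytes)
        self._seen = {}                  # nonce -> time at which it may be forgotten
        self.max_skew = max_skew         # accepted clock skew in seconds

    @staticmethod
    def _canonical(caller, ts, nonce, operation, body):
        # Fixed field order and separator so sender and verifier MAC identical bytes.
        return "\n".join([caller, str(ts), nonce, operation, body]).encode("utf-8")

    def sign(self, caller, operation, body, now=None):
        """Build an authenticated request on the caller side."""
        ts = int(now if now is not None else time.time())
        nonce = secrets.token_hex(16)
        data = self._canonical(caller, ts, nonce, operation, body)
        mac = hmac.new(self._keys[caller], data, hashlib.sha256).hexdigest()
        return {"caller": caller, "ts": ts, "nonce": nonce,
                "operation": operation, "body": body, "mac": mac}

    def verify(self, msg, now=None):
        """Return (accepted, reason) for an incoming request."""
        now = int(now if now is not None else time.time())
        key = self._keys.get(msg.get("caller"))
        if key is None:
            return False, "unknown caller"
        data = self._canonical(msg["caller"], msg["ts"], msg["nonce"],
                               msg["operation"], msg["body"])
        expected = hmac.new(key, data, hashlib.sha256).hexdigest()
        # Constant-time comparison; any change to a signed field fails here.
        if not hmac.compare_digest(expected, str(msg.get("mac", ""))):
            return False, "bad signature"
        if abs(now - int(msg["ts"])) > self.max_skew:
            return False, "stale timestamp"
        # Drop nonces older than the freshness window, then check for replay.
        self._seen = {n: exp for n, exp in self._seen.items() if exp > now}
        if msg["nonce"] in self._seen:
            return False, "replayed nonce"
        self._seen[msg["nonce"]] = now + self.max_skew
        return True, "ok"


def demo():
    """Run a constructed request through the four outcomes the verifier distinguishes."""
    auth = ServiceRequestAuthenticator({"billing": b"constructed-demo-secret"}, max_skew=300)
    t0 = 1_700_000_000
    req = auth.sign("billing", "CreateInvoice", '{"amount": 100}', now=t0)
    first = auth.verify(req, now=t0 + 10)                                 # accepted
    replay = auth.verify(req, now=t0 + 11)                                # same nonce again
    tampered = auth.verify(dict(req, body='{"amount": 1000}'), now=t0 + 10)
    stale = auth.verify(auth.sign("billing", "Ping", "{}", now=t0), now=t0 + 400)
    return [first, replay, tampered, stale]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The replay cache here is an in-memory dictionary, which is enough for a single service instance; a load-balanced service would need a shared store with the same expiry, otherwise a replayed request can succeed on a second instance.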

The majority of current IT system designs based on a service-oriented architecture are initially driven by purely functional considerations. Security functions are generally added afterwards and confined to individual components. As a result, most such systems lack an integrated security concept, and many security requirements specific to SOA remain unmet. There is neither adequate security awareness nor an integrated security concept or established best practices for this new technology. This is frequently the reason why large and promising IT projects fail.

It is necessary to establish adequate security awareness and to identify solutions that allow IT systems built on SOA paradigms to be run and operated in public authorities and other institutions in compliance with their respective security requirements. The need is particularly acute in Federal Government authorities, where several major projects are based on this architecture and its technologies.

We will be pleased to answer any further questions and can be contacted at soa@bsi.bund.de.