Service-Oriented Security Engineering

Service Oriented Security Engineering Richard Veryard

Security Is Sometimes Seen As A Challenge And Inhibitor For Enterprise SOA My product will make SOA safe. Is SOA safe? You can afford it. How much does it cost?

Decision Problems If I go ahead with this innovation, does it introduce new security risks and requirements? Should I abandon or postpone this innovation until the security issues are completely resolved? Risk Assessment How can I assemble a collection of security mechanisms and standards from different sources? Would I be better off acquiring everything from a single source? Integration Interoperability Should I adopt this standard, or insist that my suppliers conform to this standard? What does adoption entail? Standards How can I justify a given level of expenditure in security? How can I assess whether I am getting value-for-money from my investment in security? Business Case Do I need this class of security product? If so, how do I choose between the competing products in this class? What is a reasonable cost for this kind of product (direct and indirect)? Evaluation Comment Security Decision

Process Problems Disconnect between Functional Requirements and Non-Functional Requirements Disconnect between Business-Level and Detailed Security Requirements Piecemeal tool-driven approach to security No systematic business case for security. Tendency towards Cost-Avoidance rather than Risk/Reward Non-Functional Requirements as Afterthought

Why Security Doesn’t Remain Stationary Absolute Security My security is unaffected by what anyone else does. Relative Security I have to maintain at least as much security as everyone else. Innovation by other potential targets Innovation by attackers Responsive Security My security must respond to innovation by attackers. Agile Security My security should stay one step ahead of the game.

Layered Security Architecture (extract) Domain Services Stand-Alone Security Services Security in Platform Capability Services Business Transaction Risk and Compliance

Model-View-Controller Domain Services Security Services Security in Platform Capability Services Model View Controller

Multiple Entry Points Security Assessment Reviewing the levels of security contained in existing systems and artifacts (including models and plans) Security Implementation Implementing and activating a complete and consistent set of security policies and mechanisms Security Requirements Modeling the business and its ecosystem to determine detailed requirements and opportunities for (greater) security. Security Architecture Producing plans and portfolios that integrate security with other desired characteristics, including agility.

Security Lifecycle Runs Parallel with Service Engineering Lifecycle

Security Requirements

Processes and assets needing protection

Abuse frames and misuse cases

Business Requirements

Business processes and assets

Requirements frames and use cases

Security Architecture

Risk analysis. Stability analysis

Security policies and mechanisms

Service Architecture

Layered service architecture

Security Provisioning

Fine-grained decomposition and implementation of security policies.

Testing misuse-cases

Service & Solution Provisioning

Service provisioning and test

Solution assembly and test

Security Operation

Monitoring and control security effectiveness.

Monitoring emerging threats

Service Operation

Monitoring and control service operations and business effectiveness

How the Security Schema follows a Generic Business Schema What the attacker does attack capability attack opportunity attack goal What the defender does defensive capability defensive action threat security goal What the business does capability response (unit of work) event outcome (goal) anti-requirements requirements generic schema

If you were intrigued by this presentation …