I-SPAN09 – IASM
    10th International Symposium on Pervasive Systems, Algorithms, and Networks


      Governance of Information Security Elements in
      Service-Oriented Enterprise Architecture

    Mr Janne J. Korhonen
    Department of Computer Science and Engineering
    Helsinki University of Technology, Helsinki, Finland

    Dr. Mehmet Yildiz
    Certified Executive IT Architect, IBM Australia and New Zealand
    Melbourne, Australia

    Dr. Juha Mykkänen
    HIS R&D Unit, University of Kuopio
    Kuopio, Finland




Proposed Abstract: This paper identifies and analyzes governance roles and tasks in SOA security
governance at macro level. Drawing from Information Security Management standards and frameworks on
one hand and SOA considerations on the other hand, the identified governance elements are mapped to a
governance structure that specifies planning and execution aspects at four organizational
decision-making levels, resulting in a prescriptive model with practical relevance. This constructive
study combines theoretical models and standards with industry experience of the authors.

Agenda

    - Introduction & Background
    - Methodology
    - Security governance meta-structure
    - Conclusion




Biography of Authors

    •   Janne J. Korhonen
        –   Researcher at Helsinki University of Technology
        –   Research areas: Enterprise Architecture and IT Governance
        –   Particular research interest: Agile Governance Model

    •   Dr Juha Mykkänen, post-doctoral researcher
        –   University of Kuopio, Health Information Systems R&D Unit
        –   Research activities: interoperability, standardization, modelling,
            service-oriented architectures, application integration,
            enterprise architecture
        –   Projects developing and applying SOA and integration approaches

    •   Dr. Mehmet Yildiz, Enterprise Architect, IBM
        –   Research interests: enterprise architecture, service-oriented
            architecture, cloud computing, self-healing systems, social
            computing



Background on EA and SOA in Dynamic Enterprise

[Figure: Enterprise Architecture (EA), SOA and the Enterprise Service Bus (ESB) in a dynamic enterprise]





SOA Vendors for New Systematic Applications

[Figure: Gartner's Magic Quadrant for Application Infrastructure for New
Systematic SOA Application Projects]

 There are many vendors investing in SOA application projects.
 Leveraging their experience is important.

Ref: Gartner's Magic Quadrant for New Systematic Applications

Evaluation of Current Architecture Frameworks

None of the assessed frameworks fully meets the major criteria
in the Regensburg study. Hence a combination of frameworks is
suggested.




Ref: Susanne Leist and Gregor Zellner, University of Regensburg, Institute of Information Management, Germany

Key SOA Concepts

[Figure: four definitions arranged around "SOA", with the service properties
Composable, Interoperable, Re-Usable and Loosely Coupled]

    … a service?
        A repeatable business task, e.g. check customer credit; open
        new account

    … service orientation?
        A way of integrating your business as linked services and the
        outcomes that they bring

    … service oriented architecture (SOA)?
        An IT architectural style that supports service orientation

    … a composite application?
        A set of related & integrated services that support a business
        process, built on an SOA



A SOA Reference Architecture Sample

[Figure: reference architectures refined from the enterprise level down to a single project]

    Enterprise Architecture
      -> Ref Architecture for Service Areas
         -> Ref Architecture for a Program
            -> Ref Architecture for a Single Project


Ref: IBM and Open Group

Concerns at Layer 7 - QoS

 1. Increased virtualization
 2. Loose coupling
 3. Widespread use of XML
 4. The composition of federated services
 5. Heterogeneous computing infrastructures
 6. Decentralized SLAs
 7. The need to aggregate IT QoS metrics to produce business metrics
Ref: IBM and Open Group SOA Reference Architecture

Typical Security Architecture for an Enterprise

[Figure: enterprise security zone model; the zones shown are]

    - External Uncontrolled
    - Externally Controlled
    - External Business Zone
    - Demilitarized Zone
    - Internal Zone
    - Highly Secure Zone
    - Special Domain





SOA Security Reference Model by IBM




Ref: IBM SOA Security Red Book, Dr. Paul Ashley et al

[Figure: Security governance meta-structure. Organizational decision-making
levels form the rows; the columns separate the planning side ("Design,
Planning and Support") from the execution side ("Development and Execution")]

    Level                   Design, Planning and Support   Development and Execution
    Strategic               Strategy
    Tactical                Macro Design
    Real-Time Operational   Micro Design                   Build / Construct
                                                           Run / Operate
[Figure: the security elements (the control areas of ISO/IEC 17799) mapped
onto the same meta-structure: decision-making level (rows) and planning
versus execution side (columns)]

    Level                   Design, Planning and Support   Development and Execution
    Strategic               Security Policy
                            Organizational Security
                            Compliance
    Tactical                Asset Classification and Control
    Real-Time Operational   Personnel Security             Access Control
                            Business Continuity            System Development and
                              Management                     Maintenance
                            Communications and
                              Operations Management
                            Physical and Environmental
                              Security

Conclusion of paper

- The Agile Governance Model promotes clarity in role definition and
requirements management for the key security elements in enterprise
architecture and SOAs.

- The governance model, combined with suitable industry standards such as
the ISF Standard of Good Practice (SOGP) or ISO/IEC 17799 (since renumbered
ISO/IEC 27002), can be applied to the definition of roles and responsibilities
for security governance activities in complex enterprise systems.

- Specifically, it helps in positioning security activities at the right
organizational level and, at each level, on either the planning or the
execution side, so that all security requirements are addressed adequately
throughout the enterprise.



