Title :
Service Oriented Architecture (SOA) - Security Challenges and Mitigation Strategies
Author_Institution :
JCS J-6, Joint Staff J6, C4 Directorate, Laura Lee and Rod Fleischer, SPARTA, Inc. Cecilia.Phan@js.pentagon.mil
Abstract :
Service Oriented Architecture (SOA) is a new way of operating a network system, and as with all new technologies, it comes with its share of challenges. Of particular difficulty is the challenge of securing a service-oriented system. Due to the intentionally decentralized nature of this system, data flows in all directions and needs to be protected at all times. Additionally, to implement access control it must be first defined somewhere, and the rest of the system needs to be aware of the rules and respect them. Since there are many resources in such a system, it becomes cumbersome to require users to authenticate themselves every time they attempt to access a new resource. "Single Sign On" (SSO) functionality, where a user's credentials are promulgated throughout the Global Information Grid (GIG) to reach all desired services, is a desirable capability but problematic. Additionally, in an SOA all of these security functions are implemented in XML, which brings its own set of problems. This paper will address the security challenges for an SOA. We will describe the problems stemming from the fact that XML is not inherently secure, resulting in special vulnerabilities in the security protocols. We will present strategies for mitigating these vulnerabilities to defend against replay attacks, encryption problems and policy considerations.
Keywords :
IP networks; Information security; Internet; Military computing; Personnel; Protection; Protocols; Robustness; Service oriented architecture; XML;
Conference_Title :
Military Communications Conference, 2007. MILCOM 2007. IEEE
Conference_Location :
Orlando, FL, USA
Print_ISBN :
978-1-4244-1513-7
Electronic_ISBN :
978-1-4244-1513-7
DOI :
10.1109/MILCOM.2007.4455012