Level: Introductory John R. Betancourt (john.betancourt@gmail.com), President , Intelleges
28 Aug 2007 Examine a service-oriented architecture (SOA) security implementation
road map in this series. This article—the second in a three-part series—provides rules for assisting an SOA security team in developing a successful high-level design.
SOA security implementations, like SOA in general, should be viewed as a long journey.
As with any journey, you'll need certain items if the trip is going to be
successful.
Part 1 of this series focuses on the
road map, which provides a simple, 10-step process that serves as an overall guide for
an SOA security team. In step 7 of that process, "Follow an SDLC process for an
SOA security implementation," the SOA security team produces the high-level design
(HLD)—the Holy Grail—of any SOA security implementation. In
this step, the SOA security team is expected to follow the Software
Development Life Cycle.
Software Development Life Cycle
The Software Development Life Cycle (SDLC) typically consists of four stages:
- Requirements
- Design
- Coding
- Testing
The objective of the second stage in the SDLC—the design
stage—is to produce the overall design of the system. The design
stage includes two substages: the HLD and the detailed-level design (DLD). For
the HLD, you as the security enterprise architect (SEA) review the SOA security
implementation's functional and nonfunctional requirements and design an overall
solution architecture. Like the enterprise architect (EA), the SEA is responsible
for:
- Recognizing common paradigms so that high-level relationships among systems
can be understood and so that new systems can be built as variations on old
systems.
- Getting the right architecture, which is often crucial to the success of a
software system design. The wrong architecture can have disastrous results.
- Having a detailed understanding of software architectures that will allow
the team to make principled choices among design alternatives.
- Providing an architectural representation, which is essential to the
analysis and description of the high-level properties of a complex system.
The bottom line is that a well-constructed HLD is crucial for any successful SOA
security implementation, and the SEA is ultimately responsible for leading the SOA
security team toward its creation.
Simple rules for creating an HLD
Despite the criticality of an SOA security implementation HLD, SOA security teams
aren't always clear about what the goals of an HLD should be. Often without
dedicated architectural resources, team members are overwhelmed with architectural
notation and unfamiliar with modeling tools that can assist them in managing the
overall process.
Here, besides recommending tools, you can provide helpful hints and rules that SOA
security team members can adopt and incorporate into their processes toward
generating a winning SOA security implementation HLD.
SOA security team members should keep a few basic rules of thumb in mind before
beginning construction of their HLD documentation. Essentially, the HLD should:
- Be a diagram or set of diagrams with as few notes as possible.
- Start simple and at as high a level as possible.
- Be readable by all stakeholders.
- Satisfy the entire set of security requirements listed in the requirements
document.
- Use the least number of diagrams: One is best but not always feasible.
- Contain all the key objects that must be secured and represent them
generically.
- Contain all the key security relationships between objects.
- Serve to generate all security test cases.
- Leverage object-oriented concepts such as encapsulation, inheritance, and
polymorphism.
- Serve as a starting point from which to generate the DLD.
Your focus should be on providing answers to key questions, such as "when do we
start?" "How do we proceed?" "How do we know when we're done?"
Create the HLD
The main goal of the SOA security team's HLD effort should be to create a document
that serves as a communications tool: It must speak to and for the entire team.
Before SOA team members get mired in the nitty gritty of architectural
documentation, they should focus on thoroughly reviewing their requirements and
understanding what their overall security goals are. The HLD must serve to
communicate clearly what they have in mind in terms of providing overall security
for the SOA implementation.
Codifying the team's general agreement on key stakeholder SOA security implementation
questions is then the next step. For example, the document could include queries
such as:
- What do we need? (Security personnel and requirements documents)
- What are we building? (Developers)
- What are we paying for? (Upper management)
The HLD must also provide answers to more complex questions, such as nonfunctional
requirements. These requirements include system audit and control, extensibility,
resilience, vertical and horizontal scalability, multisite issues, and integration
of third-party tools.
Deciding when to begin the HLD isn't easy. The accepted industry guideline is
Capability Maturity Model Integration (CMMI) levels 3-4 (see
Resources as a basis for pursuing an enterprisewide SOA
security strategy. Much of the detailed requirements documentation should be
completed before you begin. And, counter-intuitively, much of the SOA security
services implementation must be understood simultaneously. Before beginning the
HLD, the team should have already listed their requirements, understood the
services that will be needed to satisfy those requirements, and associated those
services with the appropriate requirements.
Identify the principals
Before delving into an HLD, the team should create a list of all the entities
that they must secure. In the security domain, items that must be secured are
called principals. Here is a list of high-level principals for a typical
SOA system:
- Application or service
- Hardware
- Message
- Orchestration
- Service component
- SOA component (for example, Enterprise Service Bus, or ESB)
- User
- Utility
In addition, the SOA security team should generate a high-level graphic
representation of how team members will secure interactions among principals.
Figure 1 shows how principals are further divided into
participants and resources, where each participant can be a human
or a computing application invoking the capabilities of a resource, and each
resource is a service capability, data, component, or real-world effect. The
security intermediation between principals can be further deconstructed into
enforcement points, decision points, contracts, and attributes.
Figure 1. Secured principal interactions
Principal interactions
Because each principal listed above can potentially interact with other
principals, it follows that the intermediation shown in
Figure 1 will require one of these diagrams for each
interaction. For an SOA implementation with the aggregates shown in
Table 1, there are, in round numbers, potentially 1000 x
1000 interactions. That is 1,000,000 potential interactions between principals
that have to be accounted for, at least in the HLD.
Table 1. SOA principals count
| SOA principal | Count |
|---|
| Application or service | 50 |
|---|
| Hardware | 50 |
|---|
| Message | 700 |
|---|
| Orchestration | 50 |
|---|
| Service component | 50 |
|---|
| SOA component (ESB) | 1 |
|---|
| User | 50 |
|---|
| Utility | 49 |
|---|
|
Total
|
1000
|
|---|
Secure the principal interactions
As the interactions between principals are further detailed, specific SOA
security services will emerge with specific responsibilities for securing those
interactions. Prior to beginning an SOA HLD, the team should create a table
linking services to principals. Table 2 shows an excerpt
from a requirements document in which the identification service is associated
with all the principals.
Table 2. SOA security requirement
| Requirement number | Service | Description |
|---|
| 1 | Identification | All principals must be uniquely identifiable. |
|---|
| 2 | Identification | Security must provide the mechanism for unique identification assignment to
all designated principals. |
|---|
| 3 | Identification | Security must provide a mechanism to record when a principal’s identification
is added, deleted, or modified. |
|---|
| 4 | Identification | Security must provide an administrative interface for managing identities. |
|---|
This association is further illustrated in the principal/service matrix, which is
useful when constructing an HLD. Table 3 shows such a matrix.
Table 3. SOA security principal/service matrix
| Audit | Authentication | Credential | Identification |
|---|
| Application or service | | | X |
|---|
| Hardware | | | X |
|---|
| Message | | | X |
|---|
| Orchestration | | | X |
|---|
| Service component | | | X |
|---|
| SOA component (ESB) | | | X |
|---|
| User | | | X |
|---|
| Utility | | | X |
|---|
Note that this process isn't static but dynamic: When sufficient requirements have
been gathered, the team is almost ready to begin a preliminary HLD. As other
requirements are added, they will continue to affect the HLD. Moreover, as the HLD
is fleshed out, additional and unexpected requirements will likewise appear until
a steady state is achieved and changes in one document don't substantially affect
the other.
At first, the team shouldn't focus too much on architectural notation, because the
process of creating an SOA HLD can be highly dynamic and involve many stakeholders.
Therefore, it's best to use tools that can help with both the HLD design and the
HLD design-management process. SOA security team members should familiarize
themselves with online tutorials such as
"Developing
a J2EE Architecture with Rational Software Architect Using the Rational Unified
Process." Again, the purpose of the HLD is to communicate clearly to the SOA
security team first. Afterwards, you should work with the EA to ensure that the
document is consistent with the overall architectural notation of the enterprise
model.
Create a diagram
Let's begin with the simple diagram shown in Figure 2.
Figure 2. The SOA security cloud
Here, the "SOA security cloud" represents all security services meeting all SOA
security requirements. It permeates the overall SOA implementation and can
accommodate current and future requirements. Notably, this diagram meets the first
five rules, which require that it:
- Be a diagram or set of diagrams.
- Start simple and at as high a level as possible.
- Be readable by all stakeholders.
- Satisfy the entire set of requirements listed in the requirements document.
- Use the least number of diagrams. (One is best but not always feasible.)
Figure 2, however, doesn't meet any of the other rules and must therefore be further
refined, although it's important to note that it can serve as a much better
jumping-off point than simply a blank page.
Using Figure 2 as your base diagram, in your next diagram
(Figure 3), you add SOA security services, principals, and
principal interactions elements to your SOA cloud. In addition, you include
elements such as third-party tools and an electronic perimeter. Besides the
interaction between principals and the intermediation of security services, take
into consideration third-party tools and services that will provide critical
services in addition to those that SOA security provides.
Figure 3. SOA security cloud (detail)
A careful review of this diagram reveals that it meets the other rule requirements,
including:
- Containing all the key objects that must be secured and representing them
generically
- Containing all the key security relationships between objects
- Leveraging object-oriented concepts such as encapsulation, inheritance,
and polymorphism
Figure 3 contains all the key SOA security services for this implementation. You can
include additional services as needed, but you gain no additional information by
including more than three or four. Figure 3 also contains all the principals; by
using different shapes, it serves to represent all principal interactions
polymorphically.
If you assume that each border surrounding each principal is an enforcement point
(EP) and decision point (DP), then in this diagram, you have incorporated all the
elements needed for an HLD. You're not offering details about how those EPs or DPs
will be implemented: Those details are left to the detailed design.
Create the DLD
From this HLD, you can begin to generate the DLD, which is rule of thumb number 10.
In this case, you can use product-agnostic Unified Modeling Language (UML) notation
to illustrate relationships between SOA security services, as shown in
Figure 4.
Figure 4. Primary security components
In Figure 4, you provide a detailed component diagram for the security services
based on your HLD diagram.
Summary
When creating an SOA security HLD, it's important to start with detailed
requirements. Using the right tools to design and manage the process and following
the rules of thumb in this article, you and the SOA security team can create an
HLD that everyone agrees is clear without getting bogged down in notations.
The next and final article in this series focuses on creating a useful notation
for generating SOA security test cases. In pursuit of rule number 10, you'll use
this HLD to begin to generate test cases. Until then, continue to send in your
useful comments and thoughts.
Resources Learn
Get products and technologies
-
Download IBM
product evaluation versions and get your hands on application development tools
and middleware products from DB2®, Lotus®, Rational®, Tivoli®, and
WebSphere®.
Discuss
About the author  | 
| | John Betancourt is President and CEO of Intelleges, a company focusing on
supply chain security, large-scale SOA implementations, and cybersecurity. |
Rate this page
| 
