soa governance and security v1.1

Posted on 28-Nov-2014


DESCRIPTION

This is a presentation for the paper "Governance of Information Security Elements in Service-Oriented Enterprise Architecture" published in the proceedings of 10th International Symposium on Pervasive Systems, Algorithms, and Networks

TRANSCRIPT

1

Governance of Information Security Elements in Service-Oriented Enterprise Architecture

Dr. Mehmet Yildiz, Certified Executive IT Architect, IBM Australia and New Zealand, Melbourne, Australia

I-SPAN09 – IASM

Proposed Abstract: This paper identifies and analyzes governance roles and tasks in SOA security governance at macro level. Drawing from Information Security Management standards and frameworks on one hand and SOA considerations on the other hand, the identified governance elements are mapped to a governance structure that specifies planning and execution aspects at four organizational decision-making levels, resulting in a prescriptive model with practical relevance. This constructive study combines theoretical models and standards with industry experience of the authors.

Mr Janne J. Korhonen, Department of Computer Science and Engineering, Helsinki University of Technology, Helsinki, Finland

Dr. Juha Mykkänen, HIS R&D Unit, University of Kuopio, Kuopio, Finland

10th International Symposium on Pervasive Systems, Algorithms, and Networks

2

IASM

Agenda

- Introduction & Background
- Methodology
- Security governance meta-structure
- Conclusion

3


Biography of Authors

• Janne J. Korhonen, Researcher at Helsinki University of Technology
  – Research areas: Enterprise Architecture and IT Governance
  – Particular research interest: Agile Governance Model

• Dr Juha Mykkänen, post-doctoral researcher, University of Kuopio, Health Information Systems R&D Unit
  – Research activities: interoperability, standardization, modelling, service-oriented architectures, application integration, enterprise architecture
  – Projects developing and applying SOA and integration approaches

• Dr. Mehmet Yildiz, Enterprise Architect, IBM
  – Research interests: enterprise architecture, service oriented architecture, cloud computing, self healing systems, social computing

4


Background on EA and SOA in Dynamic Enterprise

[Figure: diagram relating EA, SOA and ESB in the dynamic enterprise; only the labels survived extraction]

5


There are many vendors investing in SOA application projects. Leveraging their experience is important.

[Figure: Gartner's Magic Quadrant for Application Infrastructure for New Systematic SOA Application Projects (SOA Vendors for New Systematic Applications)]

Ref: Gartner's Magic Quadrant for New Systematic Applications

6


Evaluation of Current Architecture Frameworks

None of the assessed frameworks fully meets the major criteria in the Regensburg study. Hence the use of a combination of frameworks is suggested.

Ref: Susanne Leist and Gregor Zellner, University of Regensburg, Institute of Information Management, Germany

7


Key SOA Concepts

… a service?
A repeatable business task – e.g., check customer credit; open new account

… service orientation?
A way of integrating your business as linked services and the outcomes that they bring

… service oriented architecture (SOA)?
An IT architectural style that supports service orientation

… a composite application?
A set of related & integrated services that support a business process built on an SOA

[Figure: SOA characteristics – Composable, Interoperable, Loosely Coupled, Re-Usable]

8


A SOA Reference Architecture Sample

[Figure: reference architecture levels – Enterprise Architecture; Reference Architecture for Service Areas; Reference Architecture for a Program; Reference Architecture for a Single Project]

Ref: IBM and Open Group

9


Concerns at Layer 7 - QoS

1. Increased virtualization
2. Loose coupling
3. Widespread use of XML
4. The composition of federated services
5. Heterogeneous computing infrastructures
6. Decentralized SLAs
7. The need to aggregate IT QoS metrics to produce business metrics

Ref: IBM and Open Group SOA Reference Architecture

10


Typical Security Architecture for an Enterprise

[Figure: network zone model; zones shown are External Uncontrolled, Externally Controlled, Demilitarized Zone, External Business Zone, Internal Zone, Highly Secure Zone and Special Domain]

11


SOA Security Reference Model by IBM

Ref: IBM SOA Security Red Book, Dr. Paul Ashley et al

12


[Figure: Agile Governance Model meta-structure. Rows are the four decision-making levels – Strategic, Tactical, Operational and Real-Time; columns are "Design, Planning and Support" and "Development and Execution". Activities placed on the grid: Strategy, Macro Design, Micro Design, Build / Construct, Run / Operate]

13


[Figure: the same four-level governance structure (Strategic, Tactical, Operational, Real-Time; planning side "Design, Planning and Support", execution side "Development and Execution") with the information security elements positioned on it. Elements shown:]

- Security Policy
- Organizational Security
- Asset Classification and Control
- Access Control
- Compliance
- Personnel Security
- Physical and Environmental Security
- Business Continuity Management
- Communications and Operations Management
- System Development and Maintenance

14


Conclusion of paper

- Agile Governance Model promotes clarity in the role definition and requirements management related to the key security elements in enterprise architecture and SOAs.

- The governance model, combined with suitable industry standards such as SOGP or ISO/IEC 17799, can be applied to the definition of roles and responsibilities of security governance activities in complex enterprise systems.

- Specifically, it helps in positioning the security activities at the right organizational levels and, at each level, on either the planning or execution side, so that all security requirements will be addressed adequately throughout the enterprise.
