ACM SIGSOFT Software Engineering Notes
Page 1
January 2015 Volume 40 Number 1
Incorporating Security Features in Service-Oriented Architecture using Security Patterns

Ashish Kumar Dwivedi
Santanu Kumar Rath
Department of CSE, NIT Rourkela, Odisha, India
[email protected]

ABSTRACT
Service-Oriented Architecture is an architectural style in which heterogeneous components share information with each other by exchanging special types of messages based on the protocol known as Simple Object Access Protocol. Various technologies, such as Common Object Request Broker Architecture, Java 2 Platform, Enterprise Edition, Java Message Service etc. are applied to realize Service-Oriented Architecture for different applications. Besides these approaches, two other techniques, REpresentational State Transfer and web services, are applied for the realization of Service-Oriented Architecture. Web services provide a platform-independent communication scheme between applications. Preserving security across the composition of services is an important task for Service-Oriented Architecture. In this study, an attempt is made to incorporate security features in Service-Oriented Architecture with the help of software security patterns. This scheme is described by developing an architectural model integrated with security goals and security patterns. The structural and behavioral aspects of the composition of web services incorporated with security features are presented using a Unified Modeling Language class diagram and a sequence diagram respectively. At the end of this study, an evaluation is performed between the identified security patterns and critical security properties along with Service-Oriented Architecture design principles. A case study of an online banking system is considered to explain the use of security patterns.
Keywords: Security Patterns, Service Composition, SOA, Web Services.
1. INTRODUCTION
Service-Oriented Architecture (SOA) is an architectural style realized by the use of web services. The web services model is characterized by three elements: service provider, service requester, and service registry [1]. SOA is an architectural solution for integrating diverse systems by providing a common architectural style. It promotes loose coupling, vendor diversity, reuse etc. The dynamic nature of SOA makes it a prominent paradigm for current business requirements. Like Object-Orientation (OO), Service-Orientation (SO) also has design principles. The SOA design principles are loose coupling, service contract, autonomy, reusability, composability, statelessness, extendibility, vendor diversity etc. The heterogeneous and distributed nature of SOA makes it more complex and challenging. The major challenge with SOA is security. The SOA design principles, such as loose coupling, extendibility, reusability etc., make it more complex to integrate security features. The openness and distributed nature of SOA make it more vulnerable to attackers. This challenge becomes more critical when SOA is used for mission-critical enterprise systems. In this study, an attempt is made to address these security limitations by applying security patterns. In the past two decades, many patterns were identified, documented, visualized, classified, and analyzed [2] [3] [4] [5] [6] [7]. Many design pattern tools were also developed for detecting instances of design patterns [8]. These patterns and tools facilitate the understanding and construction of systems that provide predictable and uninterrupted use of services and resources. Each pattern is represented using a standard pattern template that expresses a solution to a recurring problem. Generally, templates are used to capture all the elements of a pattern and describe its issues, motivation, strategies, technologies, applicable scenarios, solutions, and examples. Gamma et al. [2] proposed standard templates for their twenty-three design patterns, which are considered as a base. Later on, other authors extended or modified these templates for their individual application areas. The concept of security patterns was proposed by Yoder and Barcalow [9]. They proposed seven security patterns, single access point, check point, roles, session, full view with errors, limited view, and secure access layer, which are applied to security-critical systems. Since then, many security patterns have been proposed [6] [7] [10]. In order to demonstrate our approach, an online banking system is considered as a case study. According to an IBM Institute for Business Value study, "The paradox of Banking 2015: Achieving more by doing less," the future of today's banks is going to change [11]. Nowadays, customers need more advocacy, personal security, and control in their banking relationships, and banks face a number of challenges, such as gaining flexibility, providing more shared services, ease of use, and aligning business to technology.
DOI:10.1145/2693208.2693229
This paper indicates that the solution to the above challenges can be found with the help of SOA. In this case study, different services, such as Online Funds Transfer Service, Insurance Claim Service, Credit Card Requisition Service etc. are connected through an Enterprise Service Bus (ESB), as shown in Figure 1. Users can initialize the required services with the help of the ESB. The ESB provides a virtual environment whereby services are made available to different consumers. The outline of this paper is as follows. In the second section, a few related research works are presented. The third section is further divided into three subsections. In the first subsection, six security patterns, Identification and Access Management [12], Check Point [9], Data Confidentiality [13], Policy [14], Proxy-Based Firewall [6], and Secure Channel [6], are considered for the composition of web services. These services are connected through a heterogeneous and distributed environment. The main contribution of this subsection is the security model for SOA. In the next subsection, the structural and behavioral aspects of the composition of security patterns are presented using a UML class diagram and a UML sequence diagram. In the third subsection, a quality evaluation of the identified security patterns and the SOA principles is performed. In the fourth section the conclusion and future work are described.
http://doi.acm.org/2693208.2693229

[Figure 1 (diagram): the services Online Fund Transfer Service, Insurance Claim Service, Credit Card Requisition Service, Name Change Form, Name & Address and Other Service connected through the ESB (Transform, Route, Notify, Augment), with a Login/Authenticate step for users.]
Figure 1: Different services connected through ESB

2. RELATED WORK
In the area of SOA, a number of design patterns and security patterns have been proposed by different authors and are available in the literature. A few of them are as follows. Schnjakin et al. proposed an architecture for a security advisor that supports security policies in SOA [15]. They followed a pattern-driven approach that enables the transformation from general security goals to concrete security mechanisms. They claimed that their approach is helpful for the integration of additional security modules. Bhargavan et al. proposed a plugin for Microsoft Web Services Enhancements (WSE), which guides users to find incorrect uses of WS-Security in Simple Object Access Protocol (SOAP) processors [16]. They developed a tool for detecting typical errors in WSE configuration and policy files. Thomas described different security patterns, such as Data Confidentiality, Data Origin Authentication, Direct Authentication, Brokered Authentication etc. for the security of web applications [13]. Data Confidentiality and Data Origin Authentication are used for message-level security, whereas Direct Authentication and Brokered Authentication are used for access control, enabling services to verify that only intended users can access data. However, the author has not considered other security patterns, such as communication-channel-related patterns, proxy patterns, encryption-related patterns etc., and did not present SOA design principles for the different security patterns and goals.
Schumacher et al. [6] proposed a number of security patterns for different types of applications, such as message-level security, communication-channel-level security, application-server-level security etc. They described the different patterns using examples, UML class diagrams, sequence diagrams etc., but this work has certain limitations in terms of the composition of different security patterns. They did not provide pattern languages for the proposed patterns.

3. PROPOSED WORK
A good number of security patterns have been proposed by different authors to preserve security properties, such as authentication, integrity, non-repudiation, confidentiality, availability, and authorization. Corresponding to these security properties, a number of security threats exist, such as spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege. Some threats are categorized as man-in-the-middle attacks, which can compromise Virtual Private Networks (VPN) where data is available. These attacks are dangerous for financial transactions, such as fund transfer in Internet banking systems, online bill payment, loan applications, and other transactions. In this section, security patterns are identified initially for web applications, and then the structural and behavioral aspects of the composition of security patterns are described. At the end of this section, an evaluation of security patterns against security goals and the SOA design principles is performed.
3.1 Architectural Model for SOA
A good number of security patterns are identified in the literature. Hafiz et al. [17] described a pattern language for security comprising 96 security patterns. For any application, not all patterns can be used, because it is difficult to compose all available patterns for one application. On the basis of security requirements, six security patterns, Identification and Access Management (IAM), Check Point, Data Confidentiality, Policy, Proxy-Based Firewall, and Secure Channel, are considered. The architectural model of SOA incorporated with security patterns is represented in Figure 2. This model is inspired by the Advancing Open Standards for the Information Society (OASIS) group. This architecture supports a set of guiding artifacts that are helpful with patterns. The relationships among security goals, security patterns, architectural patterns, SOA design principles, SOA implementation etc. help architects and developers to compose their own SOAs. The associations and compositions described by this architecture enable solution patterns to solve an existing problem. An architecture cannot exist in isolation; it should be applied to a particular requirement. A software designer often intends to connect SOA with different standards based on certain SOA design principles and protocols. For example, each bank intends to support a number of services for its consumers. These services are to be supported with SOA design principles, standards, and protocols. There are a number of security goals, such as integrity, authentication, confidentiality, authorization etc., that are required to be achieved in SOA. In this study, security goals are achieved using security patterns.
It is a difficult task to achieve security goals in the presence of the SOA design principles, because security properties violate SOA design principles such as loose coupling, service contract, abstraction, reusability, composability, discoverability, granularity, extendibility, vendor diversity, statelessness, and autonomy. Hence, those patterns need to be considered that can be used to minimize these limitations. The model presented in Figure 2 is adapted, courtesy of the OASIS group [18], with our selected patterns and security goals.
[Figure 2 (diagram): boxes for Security Goals (Confidentiality, Authentication, Integrity, Non Repudiation, Authorization, Availability), Security Patterns (Identity and Access Management, Proxy-Based Firewall, Secure Channel, Check Point, Policy, Data Confidentiality), SOA Principles (Loose coupling, Reusability, Autonomy, Statelessness, Discoverability etc.), Architectural Patterns (Reference Architecture, Concrete Architecture), Protocols, Standards, Specifications, Related Models, Related Patterns and Service Oriented Implementation; the connecting relationships are labelled To achieve, Requirements, Accounts for, Incorporate, Consider, Motivation, Goals, Input and Constrained by.]
Figure 2: Architectural model for SOA incorporated with security
3.2 Structural and Behavioral Aspects of Patterns
In general, each pattern, such as an architectural pattern, security pattern, analysis pattern etc., has four essential elements: context, problem, forces, and solution. In this approach, the context of the identified patterns can be defined as a situation where a consumer wants to access a service through the online network. The online network supports different barriers, which force the consumer to present essential information so that the consumer can access the required service. In order to preserve the integrity of data during transmission, the consumer needs a secure communication channel. In the above context, there are two major problems: firstly, how user information can be verified by the online network barriers, and secondly, how a communication channel can protect transmitted data. There are many forces for the identified patterns. Firstly, the information presented by the user to the online network is based on a shared secret, i.e., a password. It is possible that access to a service is so simple that it does not require Identification and Access Management. In the case of a secure channel, performance may be degraded by the processing overhead associated with its encryption mechanism. Other forces associated with the secure channel are scalability, availability, cost etc. Consumer and web services need to trust one another to manage the security policy rules for an application. In this scenario, the problem can be resolved by transmitting confidential request messages through the secure channel. The consumer should interact only with a proxy of the requested service. Each proxy should have its own access rules specified by the administrator, which may be used to inspect, authenticate, and filter incoming requests. Identification and Access Management (IAM) enables the administration of authentication and authorization of consumer requests. If a user fulfills all the security requirements for a particular service, he will be allowed to access that service. Some other elements are also equally important, such as motivation, applicability, participants, collaborations, consequences, implementation, related patterns etc. These elements form the pattern template. Generally, patterns are described by using pattern templates.
For the structural demonstration of the identified patterns, a UML-based class diagram of the selected security patterns is presented in Figure 3. In this diagram, all identified patterns are considered as classes. The Consumer class is associated with SecureChannel using the dependency relationship; it requests a secure channel. If the secure channel is granted, the consumer requests the service. When a request reaches the ProxyBasedFirewall, it sends a request for a check using the CheckPoint pattern. This pattern requests the Identification and Access Management pattern for authentication and authorization. It establishes data confidentiality using the DataConfidentiality pattern. When the ProxyBasedFirewall pattern satisfies the Check Point condition, it sends a request to the Proxy for filtering the request sent by the consumer. After filtering the request, the Proxy enforces the Policy for accessing the service. If the policy rules are satisfied for the consumer's request and the service is available, then it is provided to the consumer.
Figure 4 shows the behavioral aspects of the composition of the selected security patterns. It presents a typical scenario in which a consumer requests a secure channel. If the channel is free, the system allocates a secure channel to the consumer, otherwise it denies the request. The SecureChannel transmits a service request to the Proxy-Based Firewall. The Proxy-Based Firewall sends a request to the CheckPoint for consumer authentication and authorization. Authentication and authorization are performed by IAM. If the consumer is authenticated, the Proxy-Based Firewall transmits the service request to the Proxy. The Proxy performs two tasks; first it filters the request, then it checks the policy rules for that service request. If a policy rule is matched, the Proxy allows the consumer access to the service. When all requirements are satisfied successfully, the service is provided to the consumer. This behavioral description of the identified patterns helps researchers, architects, and developers to understand the complexity of the problems.

Figure 3: Class diagram of the composition of security patterns

Figure 4: Sequence diagram of the composition of security patterns

Table 1: Evaluation of security patterns with security goals and the SOA principles

S. No. | Properties      | SOA Principles                  | Patterns
1.     | Confidentiality | Service Contract                | Secure Channel, Data Confidentiality
2.     | Integrity       | Service Contract                | IAM, Secure Channel
3.     | Availability    | Loose coupling, Discoverability | Check Point
4.     | Authentication  | Service Composability           | Proxy-Based Firewall, Check Point, IAM
5.     | Authorization   | Service Composability           | IAM, Proxy-Based Firewall, Policy
6.     | Non-repudiation | Service Contract                | Policy, Proxy-Based Firewall
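The request flow through the composed patterns of Section 3.2 (Figures 3 and 4), as an added executable model that is not part of the paper: the consumer obtains a SecureChannel, the ProxyBasedFirewall delegates authentication and authorization to a CheckPoint backed by IAM, and the Proxy filters the request and enforces the Policy before the service is reached. The users, roles, services and rules are constructed sample data, and the DataConfidentiality pattern is left out of the model.

```python
# Added example, not from the paper: an executable model of the request flow of
# Figures 3 and 4 (SecureChannel -> ProxyBasedFirewall -> CheckPoint -> IAM ->
# Proxy -> Policy -> Service). Users, roles, services and rules are constructed.
import hashlib
import hmac

class SecureChannel:
    # Fixed pool of channels; a request is denied when none is free (Figure 4).
    def __init__(self, capacity):
        self.free = capacity
    def acquire(self):
        if self.free == 0:
            return False
        self.free -= 1
        return True
    def release(self):
        self.free += 1

class IAM:
    # Identification and Access Management: authenticates, then authorizes.
    def __init__(self, users, roles):
        self.users = users    # user -> sha256 hex digest of the shared secret
        self.roles = roles    # user -> set of granted roles
    def authenticate(self, user, password):
        digest = hashlib.sha256(password.encode()).hexdigest()
        # constant-time compare; an unknown user compares against "" and fails
        return hmac.compare_digest(digest, self.users.get(user, ""))
    def authorize(self, user, role):
        return role in self.roles.get(user, set())

class CheckPoint:
    # Single point to which the firewall delegates its security checks.
    def __init__(self, iam, service_roles):
        self.iam, self.service_roles = iam, service_roles  # service -> role needed
    def check(self, user, password, service):
        if not self.iam.authenticate(user, password):
            return "authentication failed"
        if not self.iam.authorize(user, self.service_roles.get(service)):
            return "authorization failed"   # also covers an unknown service
        return None

class Proxy:
    # Filters the request, then enforces the Policy rules of the target service.
    def __init__(self, allowed_ops, policy):
        self.allowed_ops, self.policy = allowed_ops, policy  # policy: service -> ops
    def forward(self, service, operation):
        if operation not in self.allowed_ops:
            return "filtered by proxy"
        if operation not in self.policy.get(service, set()):
            return "rejected by policy"
        return None

class ProxyBasedFirewall:
    # Consumer-facing entry: secure channel, CheckPoint, then Proxy and Policy.
    def __init__(self, channel, checkpoint, proxy):
        self.channel, self.checkpoint, self.proxy = channel, checkpoint, proxy
    def handle(self, user, password, service, operation):
        if not self.channel.acquire():
            return "denied: no secure channel"
        try:
            reason = self.checkpoint.check(user, password, service) or self.proxy.forward(service, operation)
            return f"denied: {reason}" if reason else f"granted: {service}/{operation}"
        finally:
            self.channel.release()

def build_demo_firewall(capacity=2):
    # Constructed online-banking sample: a customer, a clerk, two services.
    h = lambda s: hashlib.sha256(s.encode()).hexdigest()
    iam = IAM({"alice": h("alice-secret"), "bob": h("bob-secret")},
              {"alice": {"customer"}, "bob": {"clerk"}})
    cp = CheckPoint(iam, {"FundTransfer": "customer", "NameChange": "clerk"})
    proxy = Proxy({"read", "transfer", "update"},
                  {"FundTransfer": {"read", "transfer"}, "NameChange": {"update"}})
    return ProxyBasedFirewall(SecureChannel(capacity), cp, proxy)
```

Each denial names the pattern that stopped the request, which mirrors the alternative branches of the sequence diagram and is the information a defender wants logged.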
3.3 Evaluation of Security Patterns with Security Properties
The essential properties of security systems are confidentiality, integrity, availability, privacy, authentication, and non-repudiation. The evaluation of these security properties against the identified patterns, Identification and Access Management (IAM), Check Point, Proxy-Based Firewall, Policy, Secure Channel, and Data Confidentiality, is presented in Table 1. In this table, different SOA design principles are considered, which are supported by the security properties and the selected security patterns. The table presents a quality evaluation of the selected security patterns with respect to security properties and the SOA design principles. Confidentiality can be achieved by using the Secure Channel and Data Confidentiality patterns; this security goal comes under the service contract principle. Similarly, integrity can be preserved with the help of IAM and Secure Channel, which also come under the service contract principle. Availability can be achieved by Check Point; availability supports the loose coupling and discoverability design principles. Web service composition requires authentication and authorization of the web services. Authentication and authorization can be preserved by using the IAM, Proxy-Based Firewall, Check Point, and Policy patterns. Non-repudiation can be preserved by using the Proxy-Based Firewall and Policy patterns; this security property supports the service contract principle.
4. CONCLUSION AND FUTURE SCOPE
At present, software design patterns are used in all types of applications. Among the different types of software patterns, the use of security patterns is essential for safety-critical and mission-critical systems, such as nuclear reactor control systems, robotic surgery machines, air traffic control systems etc. The distributed and heterogeneous nature of SOA encourages reuse and provides a high level of agility for businesses, but the major challenge with SOA is security. In this study, six security patterns, Identification and Access Management (IAM), Check Point, Data Confidentiality, Policy, Proxy-Based Firewall, and Secure Service Proxy, are considered for incorporating security features in SOA. The structural and behavioral demonstration of the identified security patterns helps to understand similar types of problems. The quality evaluation among security goals, identified security patterns, and SOA design principles provides a guideline for the assessment of security parameters. This work may be extended towards formal verification of security patterns for service-oriented architecture.
5. REFERENCES
[1] Schahram Dustdar and Wolfgang Schreiner. A survey on web services composition. International Journal of Web and Grid Services, 1(1):1–30, 2005.
[2] Erich Gamma, Richard Helm, Ralph Johnson, and John Vlissides. Design Patterns: Elements of Reusable Object-Oriented Software. Addison-Wesley, 1995.
[3] Deepak Alur, Dan Malks, John Crupi, Grady Booch, and Martin Fowler. Core J2EE Patterns (Core Design Series): Best Practices and Design Strategies. Prentice Hall, 2nd edition, 2003.
[4] Martin Fowler. Patterns of Enterprise Application Architecture. Addison-Wesley, Boston, USA, 2002.
[5] Frank Buschmann, Kevlin Henney, and Douglas Schmidt. Pattern-Oriented Software Architecture: On Patterns and Pattern Languages, volume 4. John Wiley & Sons Ltd., West Sussex, England, 2007.
[6] Markus Schumacher, Eduardo Fernandez-Buglioni, Duane Hybertson, Frank Buschmann, and Peter Sommerlad. Security Patterns: Integrating Security and Systems Engineering. John Wiley & Sons, West Sussex, England, 2005.
[7] Christopher Steel, Ramesh Nagappan, and Ray Lai. Core Security Patterns: Best Practices and Strategies for J2EE, Web Services, and Identity Management. Prentice Hall PTR, 2005.
[8] Jörg Niere, Wilhelm Schäfer, Jörg P. Wadsack, Lothar Wendehals, and Jim Welsh. Towards pattern-based design recovery. In Proceedings of the 24th International Conference on Software Engineering, pages 338–348. ACM, 2002.
[9] Joseph Yoder and Jeffrey Barcalow. Architectural patterns for enabling application security. In Proceedings of the 4th Conference on Pattern Languages of Programming (PLoP'97), 1997.
[10] Robert Hanmer. Patterns for Fault Tolerant Software. John Wiley & Sons, 2007.
[11] Jay DiMare and Richard S. Ma. Service-oriented architecture revolutionizing today's banking systems. Technical report, IBM Global Business Services, 2008.
[12] Ajay Tipnis and Ivan Lomelli. Security, a major imperative for a service-oriented architecture: HP SOA security model and security assessment. Technical report, Hewlett-Packard Development Company, December 2009.
[13] Thomas Erl. SOA Design Patterns. Prentice Hall PTR, Upper Saddle River, NJ, USA, 1st edition, 2009.
[14] Bob Blakley and Craig Heath. Security Design Patterns. Technical Report G031, The Open Group, Apex Plaza, Forbury Road, Reading, Berkshire, RG1 1AX, UK, 2004.
[15] Maxim Schnjakin, Michael Menzel, and Christoph Meinel. A pattern-driven security advisor for service-oriented architectures. In Proceedings of the 2009 ACM Workshop on Secure Web Services, pages 13–20. ACM, 2009.
[16] Karthikeyan Bhargavan, Cédric Fournet, Andrew D. Gordon, and Greg O'Shea. An advisor for web services security policies. In Proceedings of the 2005 Workshop on Secure Web Services, pages 1–9. ACM, 2005.
[17] Munawar Hafiz, Paul Adamczyk, and Ralph E. Johnson. Growing a pattern language (for security). In Proceedings of the ACM International Symposium on New Ideas, New Paradigms, and Reflections on Programming and Software, pages 139–158. ACM, 2012.
[18] OASIS: Advancing open standards for the information society. https://www.oasis-open.org/.