Model Driven Security Frameworks for Addressing Security Problems of Service Oriented Architecture

Muhammad Qaiser Saleem, Jafreezal Jaafar, Mohd Fadzil Hassan
Department of Computer and Information Sciences, Universiti Teknologi PETRONAS, 31750 Tronoh, Perak Darul Ridzuan, Malaysia.

Abstract — Service Oriented Architecture (SOA) based on Web Services technology has gained popularity because business workflows can easily be executed as an orchestration of Web Services. These Web Services are developed independently and may be internal or external to the organization. As connectivity among Web Services increases, security risks rise exponentially. Moreover, security requirements are not defined at the organizational level but are left until the technical level. Different authors have highlighted many security problems of SOA applications which, if not properly managed, might have serious consequences. Various Model Driven Security Frameworks have been presented by different research groups to overcome the security problems of SOA based applications. In this paper we highlight the security problems of SOA based applications and present a few Model Driven Security Frameworks for developing secure software applications; their way of working and the security goals they cover are also discussed in the course of the paper.

Keywords: Service Oriented Architecture, Model Driven Architecture, Model Driven Software Development, Model Driven Security.

I. INTRODUCTION
SOA facilitates the merging of the business and Information Technology (IT) domains. Application development has become easier with the emergence of Web Services technology and the SOA paradigm. In an SOA environment, Web Services serving as application components can be coupled over the intranet or via the Internet to form business applications, resulting in a complex, distributed, heterogeneous, loosely-coupled architecture composed of complicated topologies, firewalls and intermediary servers, in which organizational assets and resources are exposed through business services [1, 2]. Web Services located in various businesses are connected to form an application, and each business has its own security infrastructure, which makes security a difficult task [1]. During the past few years several security protocols, access control models and security implementations have emerged to enforce the security goals [1, 2]. But the focus of SOA security standards and protocols is on the technological level; they do not provide an abstraction of security requirements, and mastering them is a daunting task [3].

Security must be unified with the software engineering process, but in practice it is left to the developer and added after the functional requirements have been met or at the time of integrating the distributed applications, which is not a realistic approach [1]. SOA security configuration is very complex, and it is very difficult for a developer even when it is properly defined [4]. Two supporting technologies for security configuration are proposed in [4]: Model Driven Security (MDS) and Pattern-based Policy Configuration. MDS is a technology in which the software architect defines the security requirements as a model during the design phase, and concrete security configuration files are generated by model transformation. Pattern-based Policy Configuration is used for specifying the security requirements of composite services. The focus of our research is MDS for SOA systems. MDS, and automatically developed software carrying its security configuration, has been a topic of interest in the research community [1, 2, 5-8]. In this paper different security problems of SOA based applications are highlighted, together with how different research groups across the globe are trying to solve them by presenting different Model Driven Security Frameworks.

II. FOUNDATION CONCEPTS

A. Service Oriented Architecture (SOA)

The SOA paradigm makes application development easier by coupling Web Services over the intranet and via the Internet [1]. It has changed the Internet from a repository of data into a repository of services [9]. SOA is an architectural style in which software applications are composed of loosely coupled, reusable services integrated through their standard interfaces. Services are independent of language, platform and location and may be developed locally or requested from a provider. A business process can be realized as a runtime orchestration of a set of services.

Software applications are often composed of numerous distributed components such as databases, web servers, computing nodes, storage nodes etc., and these components are spread across different independent administrative domains. Services are used but not owned by the user; they reside on the provider side. Reusability, agility, cost effectiveness and many other attributes of the SOA paradigm have attracted organizations to adopt it for software development [10-12].
Services are distributed over the network, so describing, finding and accessing them is a big issue. Organizations like the Organization for the Advancement of Structured Information Standards (OASIS), the World Wide Web Consortium (W3C) and the Object Management Group (OMG), and companies like Sun, IBM and Microsoft, have presented a standardised way to describe, locate and access services distributed over the network, known as the Web Service Specification Stack, shown in Figure 1. Since a variety of different protocols is used in SOA environments, this stack provides a bird's-eye view of them and categorizes them according to their functionality and level of abstraction [13].

Figure 1: Web Service Specification Stack [13]

B. SOA Security

In an SOA environment software applications are not considered isolated hosts. Many partners work together to achieve business goals, and they span multiple security domains. These partners may not know each other and want to keep control over their own portion of the workflow. Business applications thus appear as virtual organizations forming a decentralized architecture of peer-to-peer style [13]. Security in SOA is defined as "The sum of all techniques, methods, procedures and activities employed to maintain an ideal state specified through a set of rules of what is authorized and what is not in a heterogeneous, decentralized, and inter-connected computing system" [13].

C. Security Objectives

The basic security needs of an organization are known as security objectives, and also as security policies, security aspects, security concerns or security states. A security objective can be defined as "A statement of intent to counter identified threats and/or satisfy identified organization security policies and assumptions" [13]. Different authors list different numbers of security objectives for information security; e.g. A. Menezes et al. in [14] list seventeen basic security objectives. In [13] Michael Hafner presents three basic security goals that are necessary for an asset, i.e. Confidentiality, Integrity and Availability. Many other security objectives fall, one way or another, under the umbrella of these basic objectives; e.g. confidentiality is basically access control, which includes authentication, authorization and auditing [13]:

1. Confidentiality: Only authorized entities with appropriate permission can read the data. Basically it is access control, which is implemented through authentication and authorization [13].
2. Integrity: Defines the authorized ways of altering information and the entities authorized to do so, i.e. both data integrity and origin integrity are ensured [13].
3. Availability: A system state in which the provision of a specific resource (service) is guaranteed. It is an important aspect of reliability and is also interpreted as non-repudiation [13].

D. Web Services Security Standards

Different techniques, algorithms and mechanisms are used to counter specific threats in information systems. Web Services security standards leverage them and abstract from the specific implementation details [13]. In an SOA environment all the security objectives mentioned above are achieved through XML based security standards like XML Digital Signature, XML Encryption and WS-Security [13].

Figure 2: Web Services Security Standards [13]

Figure 2 shows these Web Services security standards, which belong to the quality of service layer of the Web Services specification stack [13].

III. PROBLEMS IN SOA SECURITY
Web Service based SOA applications face many security problems during their design and development, which different authors have highlighted in their work.

A. Unavailability of Tool Support for Security Modelling

To model a business process, several standardized and well defined business process modelling notations are available and used by business domain experts, e.g. the Unified Modelling Language (UML) and Business Process Modelling Notation (BPMN). Business domain experts use these notations to orchestrate Web Services with certain business logic in order to cope with business demands or market changes. But currently available process modelling standards have no ability to capture security goals, so security goals end up being specified at a very technical level [2]. Currently available modelling tools do not cater for all properties of a software solution; security is one of them [15]. Some characteristics of SOA applications, such as choreography and service orchestration, can be directly expressed as part of a business process model, but currently it is not possible to express their security goals graphically [2]. It is evident that the business domain expert and the security expert should define security goals collaboratively at the business process level. Since currently available process modelling standards cannot capture security goals as first-class citizens in process modelling, security experts can only specify security goals at a very technical level, resulting in the loss of valuable domain knowledge [2]. Security tools are only available for runtime systems, i.e. application servers and database systems; no tool support is available for security at design time [1].

B. Unavailability of a Comprehensive Security Modelling Approach

Current security modelling approaches mostly focus on authorization [3] while ignoring other security goals such as confidentiality and integrity; this cannot be called a comprehensive security approach.

C. Security is Added at the Time of Implementation

In practice security is considered an afterthought, i.e. it is added after the functional requirements have been implemented. Existing applications are cross-domain and coupled over various network technologies and protocols; just adding security code to software applications is not a realistic approach, because not all required security information is available in the downstream phases. The complexity of the security goals makes an SOA application easily prone to error. SOA security configuration is far too complex for a developer who is not a security expert. Finding security defects downstream is a tedious task, and their removal and repair increase the cost [1, 4].

D. Different Notions of Security among Business and Technical People

The information gathered during modelling of the business process is not sufficient to generate enforceable security configuration; expert knowledge of each field is required for a successful implementation, because multiple solutions for a security goal might exist [16]. Security experts and developers (technical people) on one side and business domain experts (business analysts) on the other side have different notions of security. A business analyst defines security at a very abstract level, in the context of the business application, to fulfil some business goal, whereas technical people want to achieve security through some technical means, i.e. an algorithm, a protocol or an implementation [13]. For example, a business analyst defines the security goal "authorization" for accessing an application; technical people have different options for implementing authorization, e.g. a certificate based authorization mechanism or the four-eyes principle [13]. The same holds for the security goal "confidentiality", which can be implemented by securing part of a Simple Object Access Protocol (SOAP) message or through a Secure Socket Layer (SSL) channel [16]. Implementing a particular solution for a security goal might have different implications, or it can re-organize the whole business process [13].

E. SOA Security Standards are also Problematic

Plenty of standards are available to fulfil the security requirements of Web Services based SOA applications, like WS-Trust, WS-Security and XACML; for details see Figure 2. These security standards have two kinds of limitations. Firstly, they only deal with the technical level and do not provide abstractions of security requirements. They abstract only the heterogeneity of the middleware platform; application design is not their focus, i.e. the domain expert (business analyst) cannot use them while aligning security requirements with the functional requirements. Secondly, the enormous growth in these standards and the interdependencies among them make it a daunting task for a software developer to master them [17, 18].

F. Best Practices and Proven Patterns cannot Solve the SOA Security Problem

SOA applications are virtual organizations; the challenges of SOA security cannot be met by relying only on best practices and proven patterns [13].

G. Inability of the Security Controls of a Web Service to Adapt to New Situations

The loose coupling nature of the SOA paradigm affects the security of software applications. Web Services are reusable and re-configurable and have to serve in multiple, different scenarios. The same holds for their security controls, i.e. a control should fit into new situations and realize the security objectives in different environments [13].

IV. MODEL DRIVEN SOFTWARE DEVELOPMENT (MDSD)

MDSD is a promising approach for the development of complex software applications. It can be seen as a new generation of visual programming languages providing methods and tools to streamline the software engineering process; different levels of abstraction are presented through models [8, 13]. MDSD provides a systematic way of software development: a model is the basis of MDSD, and it goes through a process of stepwise refinement until it is transformed into a software system. In MDSD meta-modelling is the key activity; it defines the syntax of the modelling language, i.e. the concepts that need to be modelled. Models act as a source and are transformed either into another model or into code as the target, and the source and target meta-models define the transformation process. On the basis of the meta-model, a code generator defines the code templates for the target language, which replaces the compiler. The MDSD approach significantly improves the productivity of the development process and also increases the quality of the resulting software system [8, 13].

OMG's (Object Management Group) framework, Model Driven Architecture (MDA), specifies three levels of abstraction: Platform Independent Model (PIM), Platform Specific Model (PSM) and Implementation Specific Model (ISM) [13]. UML modelling is used to capture the domain knowledge at the PIM level, which is transformed either into another PIM or into a PSM that specifies the intended platform of the system. The PSM is transformed into an ISM, which is the runtime environment in which the system has to operate. Rather than just a visual aid for communication and understanding, models are considered an essential part of the definition of software in the MDA paradigm [13, 17].

MDSD is particularly suited to software applications which require highly specialized technical knowledge due to the involvement of complex technologies and a large number of complex and unmanageable standards [13, 17]; this is exactly the case in the SOA environment.

A. Model Driven Security (MDS)

MDS specializes MDSD towards information security [13]. Here security concepts are modelled side by side with the business process, using modelling notations like UML and BPMN, at the PIM level of abstraction, and are stepwise refined to the further levels of abstraction, i.e. PSM and ISM [2, 13, 17]. In MDS the business process expert and the IT security expert work collaboratively and define their security goals on a common abstract level, i.e. during business process modelling. Both domain experts take on new roles to establish a platform linking the business process with a secure SOA. Each domain expert is responsible for his domain specific activities, and communication takes place over a common process model [2].

V. MODEL DRIVEN SECURITY FRAMEWORKS

The main idea of these frameworks is to incorporate the security requirements during business process modelling. Abstract security artifacts, i.e. security goals, are expressed graphically at the time of business process modelling and a security annotated business process model is developed, which is then transformed into the corresponding security policies and access controls at the implementation level. These frameworks try to address the security problems mentioned in the previous section.

A. Meta Object Facility (MOF) from OMG

The MOF metadata architecture is a reference model for meta-modelling. MOF is a subset of UML which supports the definition of modelling languages. A meta-model is mapped to XMI (XML Metadata Interchange) and APIs are provided for different programming languages [13].

Working: Object oriented systems have the concepts of classes and objects; these concepts are represented at the instance level (M0) and the model level (M1). For example, at level M1 the designer of the system models the software application and draws UML class diagrams, which are instantiated as objects at level M0. Level M2 provides the means to model the concepts needed for level M1, i.e. meta-modelling is performed at this level; UML is a modelling language that is defined and formalized at level M2. Level M2 elements are themselves instances of the MOF meta-model elements at level M3 [13].

Figure 3: Four Levels MOF Meta-Model [13]

Security Goals: This is a general framework used as a standard for model driven software development, not focusing on any particular quality attribute [13]. It serves as a reference model for the rest of the frameworks mentioned hereafter.

B. SECTET Framework

Michael Hafner et al. in [5] present a framework for the model driven development and management of security critical workflows for Web Services based SOA systems.

Figure 4: SECTET Framework [5]

Working: The working is almost the same as presented in OMG's MDA, i.e. a security annotated model is developed at the PIM level, which is transformed into a PSM, and the PSM is transformed into an ISM, as shown in Figure 4.

Security Goals: The security objective of the SECTET framework is access rights, i.e. Authentication and Authorization through Role Based Access Control (RBAC) [5].

C. SECTISSIMO Framework

SECTISSIMO is an extension of the SECTET framework [6].

Figure 5: SECTISSIMO Framework [6]

Working: The working is almost the same as that of the SECTET framework, except that after the PIM a new layer named Abstract Security Service Model is added to further elaborate the security requirements. This layer is still a PIM; it is transformed into a PSM, and the PSM is further transformed into an ISM, as shown in Figure 5 [6].

Security Goals: SECTISSIMO has many more security goals than the SECTET framework, covering access rights, non-repudiation, rights delegation, single sign-on, privacy and auditing [6].

D. SAP Research and Hasso-Plattner Institute, Germany

Wolter et al. in [2] provide a very detailed discussion of the different abstract security aspects, i.e. Confidentiality, Integrity, Authentication, Authorization, Traceability, Auditing and Availability, and develop a security policy model based on these security requirements. This model describes the secure interaction of different objects and the necessary information to be stored about these interactions. The policy model serves as the security model for their model driven security framework, presented in Figure 6.

Figure 6: Model Driven Framework [2]

Working: In their framework they introduce a new level of abstraction, i.e. the CIM (Computation Independent Model). The security expert and the business process expert work side by side to prepare the CIM, which is transformed into a PIM, which is further transformed into a PSM.

Security Goals: The Security Policy Model describes the security goals, i.e. Confidentiality, Integrity, Authentication, Authorization, Traceability, Auditing and Availability.

E. IBM's Model Driven Security Tool

IBM has presented a model driven security tool [1].

Working/Security Goals: Here the user can add security concerns during business modelling. A transformation library containing the security goals is provided; the user selects a specific transformation from the library according to his security goals, and it is transformed into a WS-Security policy, as described by Figure 7 [1].
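As an added illustration of the PIM-to-PSM transformation these frameworks perform (example code written for this page, not the code of IBM's tool, SECTET or any other surveyed framework), a business-process task annotated with abstract security goals is turned into a WS-SecurityPolicy fragment by a small transformation library, including the two realisations of confidentiality from Section III.D (securing part of the SOAP message versus an SSL/HTTPS channel). The SecureTask annotation, the goal names and the default choices are assumptions of this example; only the namespaces and assertion element names are real WS-Policy/WS-SecurityPolicy identifiers.

```python
# Added example: security-annotated task (PIM) -> WS-SecurityPolicy (PSM).
# Assumptions: SecureTask, the goal names and the defaults are invented here;
# the namespaces and assertion names are the real WS-Policy / WS-SecurityPolicy
# 1.2 / WSS-Utility identifiers. The goal-to-assertion mapping is illustrative.
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"
SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
for prefix, uri in (("wsp", WSP), ("sp", SP), ("wsu", WSU)):
    ET.register_namespace(prefix, uri)

@dataclass
class SecureTask:
    """PIM element: one business-process task plus its abstract security goals.
    goals maps goal name -> chosen realisation ("" means use the default)."""
    name: str
    goals: dict = field(default_factory=dict)

def _child(parent, ns, tag):
    return ET.SubElement(parent, "{%s}%s" % (ns, tag))

# Transformation library: one function per abstract goal. Each appends the
# platform-specific assertion(s) for that goal to the wsp:Policy being built.
def t_confidentiality(policy, how):
    # Two realisations of the same abstract goal: encrypt part of the SOAP
    # message, or rely on an SSL/TLS channel (transport binding).
    if how in ("", "message"):
        _child(_child(policy, SP, "EncryptedParts"), SP, "Body")
    elif how == "transport":
        binding = _child(_child(policy, SP, "TransportBinding"), WSP, "Policy")
        token = _child(_child(binding, SP, "TransportToken"), WSP, "Policy")
        _child(token, SP, "HttpsToken")
    else:
        raise ValueError("unknown confidentiality realisation: %r" % how)

def t_integrity(policy, how):
    # Data and origin integrity of the SOAP body via an XML signature.
    _child(_child(policy, SP, "SignedParts"), SP, "Body")

def t_authentication(policy, how):
    tokens = {"": "UsernameToken", "username": "UsernameToken", "x509": "X509Token"}
    if how not in tokens:
        raise ValueError("unknown authentication realisation: %r" % how)
    _child(_child(_child(policy, SP, "SupportingTokens"), WSP, "Policy"), SP, tokens[how])

LIBRARY = {
    "confidentiality": t_confidentiality,
    "integrity": t_integrity,
    "authentication": t_authentication,
}

def transform(task):
    """PIM -> PSM: build one wsp:Policy for the task. A goal the library cannot
    realise is rejected here, at design time, instead of being silently dropped."""
    policy = ET.Element("{%s}Policy" % WSP, {"{%s}Id" % WSU: task.name + "Policy"})
    for goal, how in task.goals.items():
        if goal not in LIBRARY:
            raise ValueError("no transformation for security goal %r" % goal)
        LIBRARY[goal](policy, how)
    return policy

def assertion_names(policy):
    """Local names of the top-level assertions, in the order they were emitted."""
    return [child.tag.split("}")[1] for child in policy]

def to_xml(policy):
    return ET.tostring(policy, encoding="unicode")

if __name__ == "__main__":
    # Constructed sample: message-level confidentiality, integrity and
    # username-based authentication on an "ApproveLoan" process step.
    task = SecureTask("ApproveLoan", {"confidentiality": "message",
                                      "integrity": "", "authentication": "username"})
    print(to_xml(transform(task)))
```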
Figure 7: IBM's Model Driven Security Tool [1]

VI. DISCUSSION

MOF is a general framework; security is not its focus, and it just serves as a standard for Model Driven Software Development. The remaining frameworks presented in this paper have security as their main focus for the development of SOA based applications. The SECTET framework does not provide a complete security solution, because it only deals with access control. SECTISSIMO is an extension of the SECTET framework in which more security goals are addressed; here, at the PIM level, a new layer named Abstract Security Services Model is introduced for the further elaboration of security requirements. The framework presented by SAP Research and the Hasso-Plattner Institute is very comprehensive, covering most of the security requirements efficiently. IBM's Model Driven Security Tool is effective for the development of security enabled SOA applications.
VII. CONCLUSION

We have discussed various security problems of the SOA environment which organizations must consider for the successful development of their software solutions. A study of various Model Driven Security Frameworks is provided to highlight the efforts of different groups to solve the security problems of SOA based applications. We believe our effort is a contribution towards stressing one of the most important issues, security, for SOA applications, which if not properly addressed might cause serious consequences. The focus of our research is to incorporate security at design time for SOA applications using a Model Driven approach, and to provide an optimal solution for designing security along with the business process model for SOA based applications.

REFERENCES

[1] Y. Nakamura, M. Tatsubori, T. Imamura, and K. Ono, "Model-driven security based on a Web services security architecture," in Services Computing, 2005. IEEE International Conference on, 2005, vol. 1, pp. 7-15.
[2] C. Wolter, M. Menzel, A. Schaad, P. Miseldine, and C. Meinel, "Model-driven business process security requirement specification," J. Syst. Archit., vol. 55, pp. 211-223, 2009.
[3] M. Menzel, I. Thomas, and C. Meinel, "Security Requirements Specification in Service-Oriented Business Process Management," in Availability, Reliability and Security, 2009. ARES '09. International Conference on, 2009, pp. 41-48.
[4] F. Satoh, Y. Nakamura, N. K. Mukhi, M. Tatsubori, and K. Ono, "Methodology and Tools for End-to-End SOA Security Configurations," in Services - Part I, 2008. IEEE Congress on, 2008, pp. 307-314.
[5] M. Hafner, R. Breu, and B. Agreiter, "SECTET: an extensible framework for the realization of secure inter-organizational workflows," Emerald Internet Research, vol. 16, no. 5, pp. 491-506, 2006.
[6] M. Memon, M. Hafner, and R. Breu, "SECTISSIMO: A Platform-independent Framework for Security Services," MODSEC08 Modeling Security Workshop, 2008.
[7] J. Jürjens, "UMLsec: Extending UML for Secure Systems Development - Tutorial," in Proceedings of the 5th International Conference on The Unified Modeling Language: Springer-Verlag, 2002.
[8] T. Lodderstedt, D. A. Basin, and J. Doser, "SecureUML: A UML-Based Modeling Language for Model-Driven Security," in Proceedings of the 5th International Conference on The Unified Modeling Language: Springer-Verlag, 2002.
[9] S. Hanna and M. Munro, "Fault-Based Web Services Testing," in Information Technology: New Generations, 2008. ITNG 2008. Fifth International Conference on, 2008, pp. 471-476.
[10] G. A. Lewis, E. Morris, S. Simanta, and L. Wrage, "Common Misconceptions about Service-Oriented Architecture," in Commercial-off-the-Shelf (COTS)-Based Software Systems, 2007. ICCBSS '07. Sixth International IEEE Conference on, 2007, pp. 123-130.
[11] A. D. and P. Narasimhan, "Dependable Service-Oriented Computing," IEEE Internet Computing, pp. 11-15, March/April 2009.
[12] P. Bianco, R. Kotermanski, and P. Merson, "Evaluation of Service-Oriented Architecture," Software Engineering Institute, Carnegie Mellon University, Technical Report CMU/SEI-2007-TR-015, September 2007.
[13] M. Hafner and R. Breu, Security Engineering for Service-Oriented Architectures. Berlin Heidelberg: Springer-Verlag, 2009.
[14] A. Menezes, P. van Oorschot, and S. Vanstone, Handbook of Applied Cryptography. CRC Press, 1996.
[15] M. Jensen and S. Feja, "A Security Modeling Approach for Web-Service-Based Business Processes," in Engineering of Computer Based Systems, 2009. ECBS 2009. 16th Annual IEEE International Conference and Workshop on the, 2009, pp. 340-347.
[16] M. Menzel and C. Meinel, "A Security Meta-model for Service-Oriented Architectures," in Services Computing, 2009. SCC '09. IEEE International Conference on, 2009, pp. 251-259.
[17] M. Alam, "Model Driven Security Engineering for the Realization of Dynamic Security Requirements in Collaborative Systems," in Models in Software Engineering, 2007, pp. 278-287.
[18] H. Klarl, C. Wolff, and C. Emig, "Identity Management in Business Process Modelling: A Model-Driven Approach," in Konzepte, Technologien, Anwendungen: 9. Internationale Tagung Wirtschaftsinformatik, Wien, 25.-27. Februar 2009. Teil 1, H. R. Hansen, D. Karagiannis, and H.-G. Fill, Eds. Wien: Österreichische Computer Gesellschaft, 2009, pp. 161-170.