Security as a Service - A Reference Architecture for SOA Security

Mukhtiar Memon, Michael Hafner, Ruth Breu



Securing service-oriented systems is challenging because, like business services, security services are distributed across the SOA system. Enforcing security exclusively at the endpoints creates a significant security burden: every endpoint has to implement the entire security infrastructure, which is an expensive approach. Currently, very little work has been done to separate security from service endpoints. We propose a Security As A Service (SAAS) approach, which shifts the major security burden from service endpoints to dedicated, shared security services within a security domain. Security services are composed from components and integrated based on the Service Component Architecture (SCA) model. In this contribution, we apply the SAAS paradigm to implement security for SECTISSIMO, a platform-independent framework for security modeling and implementation (M. Memon, M. Hafner, and R. Breu).
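As an added illustration (not taken from the paper or the SECTISSIMO project), an SCA 1.0 composite in the OSOA assembly-model XML [16] shows the structure the abstract describes: one security domain whose authentication and authorization components are shared security services that two business endpoints reference instead of each implementing its own security stack. All component names, Java classes and service URIs are assumed placeholders.

```xml
<!-- Added example: one SCA composite for a security domain (assumed names, classes and URIs) -->
<composite xmlns="http://www.osoa.org/xmlns/sca/1.0"
           targetNamespace="http://example.org/securitydomain"
           name="SecurityDomain">

  <!-- Shared security services: composed from components and deployed once per domain.
       Each is also exposed as a web service so endpoints outside this composite can use it. -->
  <component name="AuthenticationService">
    <implementation.java class="example.security.SamlAuthentication"/>  <!-- assumed class -->
    <service name="Authentication">
      <binding.ws uri="http://security.example.org/authn"/>
    </service>
  </component>

  <component name="AuthorizationService">
    <implementation.java class="example.security.XacmlAuthorization"/>  <!-- assumed class -->
    <service name="Authorization">
      <binding.ws uri="http://security.example.org/authz"/>
    </service>
    <!-- Authorization decisions need an authenticated subject: wire to the shared component -->
    <reference name="authentication" target="AuthenticationService"/>
  </component>

  <!-- Business endpoints carry no security logic of their own; they only hold references
       to the shared security components. A new endpoint adds two wires, not a new stack. -->
  <component name="OrderService">
    <implementation.java class="example.business.OrderServiceImpl"/>  <!-- assumed class -->
    <service name="Order">
      <binding.ws uri="http://business.example.org/order"/>
    </service>
    <reference name="authn" target="AuthenticationService"/>
    <reference name="authz" target="AuthorizationService"/>
  </component>

  <component name="BillingService">
    <implementation.java class="example.business.BillingServiceImpl"/>  <!-- assumed class -->
    <service name="Billing">
      <binding.ws uri="http://business.example.org/billing"/>
    </service>
    <reference name="authn" target="AuthenticationService"/>
    <reference name="authz" target="AuthorizationService"/>
  </component>

</composite>
```

Because the security components are wired by reference rather than embedded, a policy change in the domain (for example a new authentication mechanism) is made once in the shared composite and takes effect for every endpoint that references it.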


  1. SCA Implementation with Java, 2007.
  2. R. Breu, M. Hafner, F. Innerhofer-Oberperfler, and F. Wozak. Model-Driven Security Engineering of Service Oriented Systems. Lecture Notes in Business Information Processing, 5(5):59-71, 2008.
  3. F. Satoh et al. Methodology and Tools for End-to-End SOA Security Configurations. In SERVICES '08, pages 307-314, Honolulu, HI, 2008.
  4. M. Hondo, H. Hinton, and B. Hutchison. Security Patterns within a Service-Oriented Architecture, 2005.
  5. M. Hafner. SECTET: A Domain Architecture for Model Driven Security. PhD thesis, November 2006.
  6. R. Kanneganti and P. Chodavarapu. SOA Security in Action. Manning Publications Co., Greenwich, CT, USA, 2007.
  7. J. Lopez, J. A. Montenegro, et al. Specification and Design of Advanced Authentication and Authorization Services. Computer Standards and Interfaces, 27(5):467-478, 2005.
  8. McAfee. Security as a Service, 2008.
  9. M. Memon, M. Hafner, and R. Breu. SECTISSIMO: A Platform-Independent Framework for Security Services. In ModSec '08: MODELS 2008, Toulouse, France, 2008.
  10. P. Niblett and S. Graham. Events and service-oriented architecture: the OASIS web services notification specifications. IBM Syst. J., 44(4):869-886, 2005.
  11. OASIS. Security Assertion Markup Language (SAML), 2005.
  12. OASIS. WS-Trust Specifications, 2005.
  13. OASIS. Extensible Access Control Markup Language (XACML), 2006.
  14. OASIS. WS-SecurityPolicy, 2007.
  15. Oracle. Service-Oriented Security: An Application-Centric Look at Identity Management, 2008.
  16. OSOA. Service Component Architecture, 2007.
  17. G. Peterson. Service Oriented Security Architecture, 2005.

Paper Citation

in Harvard Style

Memon M., Hafner M. and Breu R. (2009). Security as a Service - A Reference Architecture for SOA Security. In Proceedings of the 7th International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2009), ISBN 978-989-8111-91-3, pages 79-89. DOI: 10.5220/0002174900790089
