Soa Governance And Security V1.1


Description

This is a presentation for the paper "Governance of Information Security Elements in Service-Oriented Enterprise Architecture", published in the proceedings of the 10th International Symposium on Pervasive Systems, Algorithms, and Networks.

Transcript of Soa Governance And Security V1.1

Page 1: Soa Governance And Security V1.1

Governance of Information Security Elements in Service-Oriented Enterprise Architecture

Dr. Mehmet Yildiz, Certified Executive IT Architect, IBM Australia and New Zealand, Melbourne, Australia

I-SPAN09 – IASM

Proposed Abstract: This paper identifies and analyzes governance roles and tasks in SOA security governance at macro level. Drawing from Information Security Management standards and frameworks on one hand and SOA considerations on the other hand, the identified governance elements are mapped to a governance structure that specifies planning and execution aspects at four organizational decision-making levels, resulting in a prescriptive model with practical relevance. This constructive study combines theoretical models and standards with industry experience of the authors.

Mr Janne J. Korhonen, Department of Computer Science and Engineering, Helsinki University of Technology, Helsinki, Finland

Dr. Juha Mykkänen, HIS R&D Unit, University of Kuopio, Kuopio, Finland

10th International Symposium on Pervasive Systems, Algorithms, and Networks

Page 2

Agenda

- Methodology
- Security governance meta-structure
- Conclusion
- Introduction & Background

Page 3

Biography of Authors

- Janne J. Korhonen, Researcher at Helsinki University of Technology
  - Research areas: Enterprise Architecture and IT Governance
  - Particular research interest: Agile Governance Model
- Dr Juha Mykkänen, post-doctoral researcher, University of Kuopio, Health Information Systems R&D Unit
  - Research activities: interoperability, standardization, modelling, service-oriented architectures, application integration, enterprise architecture
  - Projects developing and applying SOA and integration approaches
- Dr. Mehmet Yildiz, Enterprise Architect, IBM
  - Research interests: enterprise architecture, service oriented architecture, cloud computing, self healing systems, social computing

Page 4

Background on EA and SOA in Dynamic Enterprise

[Figure: diagram labels recoverable from the slide: SOA, EA, ESB]

Page 5

SOA Vendors for New Systematic Applications

There are many vendors investing in SOA application projects; leveraging their experience is important.

[Figure: Gartner's Magic Quadrant for Application Infrastructure for New Systematic SOA Application Projects]

Ref: Gartner's Magic Quadrant for New Systematic Applications

Page 6

Evaluation of Current Architecture Frameworks

None of the assessed frameworks fully meets the major criteria in the Regensburg study. Hence the use of a combination of frameworks is suggested.

Ref: Susanne Leist and Gregor Zellner, University of Regensburg, Institute of Information Management, Germany

Page 7

Key SOA Concepts

… a service?
A repeatable business task – e.g., check customer credit; open new account

… service orientation?
A way of integrating your business as linked services and the outcomes that they bring

… service oriented architecture (SOA)?
An IT architectural style that supports service orientation

… a composite application?
A set of related & integrated services that support a business process built on an SOA

[Figure: SOA properties: Composable, Interoperable, Loosely Coupled, Re-Usable]

Page 8

A SOA Reference Architecture Sample

[Figure: Enterprise Architecture; Ref Architecture for Service Areas; Ref Architecture for a Program; Ref Architecture for a Single Project]

Ref: IBM and Open Group

Page 9

Concerns at Layer 7 - QoS

1. Increased virtualization
2. Loose coupling
3. Widespread use of XML
4. The composition of federated services
5. Heterogeneous computing infrastructures
6. Decentralized SLAs
7. The need to aggregate IT QoS metrics to produce business metrics

Ref: IBM and Open Group SOA Reference Architecture

Page 10

Typical Security Architecture for an Enterprise

[Figure: security zones shown: External Uncontrolled; Internal Zone; Highly Secure Zone; Demilitarized Zone; External Business Zone; Special Domain; Externally Controlled]

Page 11

SOA Security Reference Model by IBM

Ref: IBM SOA Security Red Book, Dr. Paul Ashley et al

Page 12

[Figure: governance grid. Vertical axis (decision-making levels): Strategic, Tactical, Operational, Real-Time. Horizontal axis (sides): Design, Planning and Support | Development and Execution. Activities placed on the grid: Strategy; Macro Design; Micro Design; Build / Construct; Run / Operate]

Page 13

[Figure: governance grid (levels: Strategic, Tactical, Operational, Real-Time; sides: Design, Planning and Support | Development and Execution) with the security elements positioned on it]

Security elements shown:

- Security Policy
- Organizational Security
- Asset Classification and Control
- Access Control
- Compliance
- Personnel Security
- Physical and Environmental Security
- Business Continuity Management
- Communications and Operations Management
- System Development and Maintenance

Page 14

Conclusion of paper

- Agile Governance Model promotes clarity in the role definition and requirements management related to the key security elements in enterprise architecture and SOAs.
- The governance model, combined with suitable industry standards such as SOGP or ISO/IEC 17799, can be applied to the definition of roles and responsibilities of security governance activities in complex enterprise systems.
- Specifically, it helps in positioning the security activities at the right organizational levels and, at each level, on either the planning or execution side, so that all security requirements will be addressed adequately throughout the enterprise.