Distributed System Security Contd..
In my previous post, i tried connecting Recent approaches to host security concerns using the technique of proof carrying code borrowing ideas from Aristotle..
Today i am going to talk briefly of a higher level in the distributed system logical model - namely Services..
Key point to ponder in Service level security, is while loose coupling is a key tenet of Service based distributed systems architecture, is the same required of security too in distributed systems based on services..
The answer is yes.. Couple of reasons:
- If you can take the widely popular SSL mechanism for SOA, the very fact that SOA is based on federation of messages passing between multiple intermediaries, SSL will not work as it is based on end to end SSL encryption..
- A requirement to be able partially encrypt a message while sending part of the message intact is key in SOA as the crucial metadata is kept in the header
- The above two requirements of being able to address multiple hops, and of partial encryption of documents / messages necessitates a more loosely coupled mechanism
This prompts the need to keep a flexible, loosely coupled approach to SOA security, which is addressed by adopting message level security with appropriate headers to capture security assertions/tokens. All SOA standards of Security right from WS-Security to WS-Policy to SAML follow this loosely coupled idea of carrying around assertions/tokens in headers..A detailed analysis of the relevant standards for SOA, and their considerations in typical enterprise deployments can be found in the text book , Distributed Systems Security: Issues, Processes and Solutions, accessible at http://tinyurl.com/distsecurity