Service-oriented Assurance — Comprehensive Security by Explicit Assurances

  • Conference paper
Quality of Protection

Part of the book series: Advances in Information Security (ADIS, volume 23)

Abstract

Flexibility to adapt to changing business needs is a core requirement of today’s enterprises. This is addressed by decomposing business processes into services that can be provided by scalable service-oriented architectures. Service-oriented architectures enable requesters to dynamically discover and use subservices. Today, service selection does not consider security. In this paper, we introduce the concept of Service-Oriented Assurance (SOAS), in which services articulate their offered security assurances as well as assess the security of their sub-services. Products and services with well-specified and verifiable assurances provide guarantees about their security properties. Consequently, SOAS enables discovery of sub-services with the “right” level of security. Applied to business installations, it enables enterprises to perform a well-founded security/price tradeoff for the services used in their business processes.

Copyright information

© 2006 Springer Science+Business Media, LLC.

About this paper

Cite this paper

Karjoth, G., Pfitzmann, B., Schunter, M., Waidner, M. (2006). Service-oriented Assurance — Comprehensive Security by Explicit Assurances. In: Gollmann, D., Massacci, F., Yautsiukhin, A. (eds) Quality of Protection. Advances in Information Security, vol 23. Springer, Boston, MA. https://doi.org/10.1007/978-0-387-36584-8_2

  • DOI: https://doi.org/10.1007/978-0-387-36584-8_2

  • Publisher Name: Springer, Boston, MA

  • Print ISBN: 978-0-387-29016-4

  • Online ISBN: 978-0-387-36584-8

  • eBook Packages: Computer Science, Computer Science (R0)
