Towards an information security framework for service-oriented architecture

Abstract

Service-oriented architectures support distributed heterogeneous environments where business transactions occur among loosely connected services. Ensuring a secure infrastructure for this environment is challenging. There are currently various approaches to addressing information security, each with its own set of benefits and difficulties. Additionally, organisations can adopt vendor-based information security frameworks to assist them in implementing adequate information security controls. Unfortunately, there is no standard information security framework that has been adopted for service-oriented architectures. This paper analyses the information security challenges faced by service-oriented architectures. Information security components for a service-oriented architecture environment are proposed. These components were developed collectively from service-oriented architecture design principles, the ISO/IEC 27002:2005 standard, and other service-oriented architecture governance frameworks. The information security framework can assist organisations in determining information security controls for service-oriented architectures, aligned to current ISO/IEC 27002:2005 standards.