SeAAS - A Reference Architecture for Security Services in SOA

Decentralized security models and distributed infrastructures of scenarios based on Service Oriented Architectures make the enforcement of security policies a key challenge - all the more so for business processes spanning over multiple enterprises. The current practice to im- plement security functionality exclusively at the endpoint places a significant processing burden on the endpoint, renders maintenance and management of the distributed security infrastructures cumbersome, and impedes interoperability with external service requesters. To meet these chal- lenges, we propose a reference security architecture that transposes the model of Software as a Service to the security domain and thereby realizes Security as a Service (SeAAS). The proposed architecture goes beyond the mere bundling of security functionality within one security domain. We illustrate the concepts of SeAAS at work with the requirement of fair non-repudiation. The architecture complements the SECTET framework for model-driven security engineering. 1