Web Services and Service Oriented Architectures (SOA) provide a vision for how consumers could create customized solutions by assembling pre-existing components and services and if successful, software in the future would be designed to be packaged and sold as a service. While there is considerable work and standards around Web Services and Web Service security, there is much less work on the infrastructure that would be required to deliver on this vision and on securing such an infrastructure. For example, such an infrastructure would have to support the dynamic creation and deployment of solutions assembled by different customers, provide customized end-to-end security and provide
isolation guarantees with respect to data and processing done by different customers. We are investigating the security issues that arise in such a scenario and exploring how these can be solved.
We have participated in the design and development of the security architecture of a software as a service platform that is being deployed by IBM to support enterprise customers. The key design principles of this architecture are multi-tenancy i.e. the ability
to support multiple customers on the same physical infrastructure, end-to-end security and the ability to capture the security models formally so a majority of the configuration can be done automatically.
A version of this architecture has been used to support engagements like the IBM E-HR Engagement
Last updated 3 Jul 2008