Applying Common Criteria (CC) to Service Oriented Architectures (SOA)

A paradigm shift in software provisioning and consumption models is taking place, due to the adoption of Service Oriented Architectures (SOA) by the industry. SOA based solutions such as Gmail, Dropbox, SAP ByDesign are enjoying huge popularity. Such solutions offer enormous benefits to consumers by insulating them from the complexities of maintaining the IT infrastructure and by providing them with large scale inter-organizational inter-operability. However, a wider adoption of service-based solutions is hampered by the lack of transparency and control of the service (CC-TOE) and its underlying IT infrastructure (which overlaps with the service Operational Environment (CC-OE)) for the security-conscious consumers. This results in the lack of significant assurance that the service meets the relevant security requirements.
CC certification can be used as a means to provide this assurance to service consumers once the relevant criteria are adapted to the challenges presented by the SOA environment.
One of the key challenges is to provide significant assurance about the security requirements delegated by the service (CC-TOE) to its OE. We propose different solutions for the IT and non-IT components of the OE. For the non-IT components, we propose ways to rely on process certifications (e.g., ISO27001). As for the IT components, since we can rely on product certification (CC), we propose ways to describe in the ST both the IT components in the OE and the mapping between these and the corresponding OE Security Objectives.
SOA empowers service consumers to rather quickly compose services to create composed applications such as business process orchestrations, mashups etc. This gives rise to another key challenge on providing the assurance on the overall composition when the component services that participate in the composition are certified. In such scenarios, it is not realistic nor is feasible to expect that every possible composition is certified by the certification authority, especially considering the dynamic nature of service compositions. Hence mechanisms that enable a service consumer to infer the assurance of the overall composition from the certificates of component services should be provided. This is not trivial, especially because of the descriptive nature of the CC Security Targets that may be available for the different component services. To overcome this problem, we propose a flexible and structured approach to describe the Security Target of a service and, in particular, we present a modular approach in describing the target of evaluation (CC-TOE). Finally, by relying on the structured description of the security targets, we propose a semi-automated mechanism through which a service consumer can infer the assurance on the overall composition from the certificates of the component services.