Evaluating Information Security Controls Applied by Service-Oriented Architecture Governance Frameworks

Ensuring a secure Service-Oriented Architecture implementation within an organisation is challenging. Without sound information security principles supporting a Service-Oriented Architecture implementation, the rate of success is low. The information security principles of identification, authentication, authorization, confidentiality, integrity, availability and accountability remain the same for Service-Oriented Architectures. However, the Service-Oriented Architecture environment consists of agile implementations, which are designed around principles that demand a different approach that can be to the detriment of information security. Unless all information security issues related specifically to Service-Oriented Architecture are taken into consideration, an organisation faces unnecessary risks. An organisation faced with these added challenges may choose to avoid confronting this architectural approach altogether. Regrettably, an organisation could also miss out on the advantages and potential value that a Service-Oriented Architecture has to offer. In order to identify information security shortcomings regarding Service-Oriented Architecture governance frameworks, this paper evaluates two existing Service-Oriented Architecture governance frameworks against ISO/IEC 17799 (2005) controls. The paper presents an analysis and evaluation regarding the state of governance of information security for Service-Oriented Architectures, to assist managers on how this complex issue should be approached.