Security Architecture Proposal for Threat Response of insider in SOA-based ESB Environment

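  • 오시화 (Department of Information Security, Graduate School of Information Security, Korea University)
  • 김인석 (Graduate School of Information Security, Korea University)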
  • Received : 2016.10.23
  • Accepted : 2016.12.09
  • Published : 2016.12.31

Abstract

The SOA (service-oriented architecture) based ESB (enterprise service bus) model is widely adopted by companies to process large volumes of data reliably and to integrate business systems. However, the existing web service technologies used to build SOA are limited in their ability to exchange data securely, and although web service security technologies are being standardized, their practical application remains insufficient. The internal end users of a large business system built on such an environment belong to a variety of organizations and hold a variety of roles. When an internal end user goes beyond their assigned authority to obtain unauthorized information for private profit or malicious purposes, the company can suffer more serious damage than it would from an external attack. In this paper, we propose a security architecture that can identify and respond to the security threats arising from the web service technologies that internal end users rely on.
