In 2008, the SEI created a web service certification process for the U.S. Army’s Chief Information Office/G-6 (CIO/G-6) organization to address security and provisioning concerns the Army foresees in its development of service-oriented architecture (SOA) environments. The CIO/G-6 organization is responsible for the information management function of the Army.
SOA, according to a definition by IBM, is “the architectural style that supports loosely coupled services to enable business flexibility in an interoperable, technology-agnostic manner.” For the Army, and for the other Service branches in the U.S. Department of Defense, SOA promises a means to realize a vision in which warfighters have a Defense-enterprise-wide capability through which they can choose and assemble services quickly in order to adapt to changing conditions on the battlefield.
Key concerns for the Army in moving toward SOA are information assurance, interoperability, and networthiness, according to Sriram Bala, a member of the SEI team working with the Army CIO/G-6. “The central question is this: If we are to field SOA on DoD networks, how do we assure that it is safe to use,” Bala says.
The need for information assurance poses the question of how to protect information and services by ensuring confidentiality, integrity, authentication, availability, and non-repudiation, according to Bala. This level of protection is needed while the information is in storage, processing, or transit and whether it is threatened by malice or accident.
Web service interoperability aims to provide seamless and automatic connections from one software application to another. The networthiness of a web service in an SOA context depends on determining the network impact of the web service, developing port and protocol white-list policies for web service use, conducting network security scans to ensure that web services are not compromising networks, and other factors. White-list policies define what a service is allowed to do, according to Ed Morris, another SEI team member.
In 2008, the SEI team created a certification and accreditation process for the Army CIO/G-6 that homes in on these concerns. “The intent of our process is to certify services in order to assure that they are not malicious to the SOA infrastructure that they are deployed on or interacting with,” Bala explains.
“We have devised a process that can be executed rapidly to certify and accredit web services—to accomplish these steps in days rather than months,” Morris explains. “An Army SOA is expected to be dynamic, and it does no good to be able to assemble services rapidly if those services cannot be certified in a timely way.”
This process is robust so that it can “deal with services for which source code is not available,” Bala says. “And it is flexible so that it can be modified and institutionalized by other service branches and commercial organizations eventually,” he notes.
In addition, the SEI process is “heavily tool-centric,” Morris says. It draws on applicable commercial and open-source technologies. Even so, the SEI has found that existing testing tools are inadequate for the job; as a result, the SEI process “includes manual review by sophisticated users to interpret what the tools are telling them,” Morris adds.
Now that the process has been created, the SEI team is working with the Army CIO/G-6 to make it operational.
“Our next steps include developing a strategy for testing end-to-end mission threads to integrate certified services to perform the tasks in a mission,” Morris says.