126 Copyright © 2009 Open Geospatial Consortium, Inc.

10.15 Applicable standards to implement the different Requirements

As illustrated and discussed earlier, a Service Oriented Architecture SOA can be understood as a network of distributed self-contained software components services that provide simple business functionality that can be orchestrated to build complex applications. Due to the nature of the architecture, it is important that users can relay on the availability of the services and the information exchanged. Therefore, the most common security requirements for a Service Oriented Architecture are Availability of services and Information security. In order to apply security to a Service Oriented Architecture, a core set of functionality as defined in ISOIEC 10181 see [56] - [62] is required: Authentication, Access Control, Non-repudiation, Confidentiality, Integrity, Audit and Alarms. The Availability of services is important to ensure that the provided functionality can be used at any time. This can be achieved by taking care of safety issues as they are associated to any operating system. For a SOA, it is also important that denial of service attacks do not cause any harm. This can be achieved by using certified fail-safe and vulnerable- free software components. The ―Common Criteria‖ standard ISOIEC 15408 see [50] - [52] provides good and solid facts for evaluating and comparing secure software products. In addition ISOIEC 15443 see [53] - [55] defines concrete assertion criteria for different products depending on the context use of the product. Therefore ISOIEC 15408 and 15443 can in conjunction been used to select safe software components. In order to orchestrate services to accommodate electronic business, it is important to integrate business process across jurisdictions. ISOTS 15000 see [45] - [49] defines ebXML, a framework and an XML dialect to do so. For example in a secure Sensor Web, services of different organizations different security domains might have the need for accounting and compensating of common usedshared observation data. This integration of monetary transactions can be integrated using ebXML. In a modern service oriented architecture, the communication with a service between services takes place using XML formatted messages that are structured according to the SOAP see [6] recommendation and services and their operations are described in the Web Services Description Language WSDL, a W3C Note from 2001. The realization of different security requirements using message level security is possible by extending the SOAP protocol. An interoperable realization of the above core functions from ISO 10181 can be achieved by using a combination of appropriate standards:

10.15.1 Authentication

The important standard for exchanging authentication information is the Security Assertion Markup Language SAML see [10]. For this ER, it can be assumed that identity management systems are in place that provide localized nationwide authentication. For the interoperable and secure exchange of identity information on a project level, SAML can be used. In addition, XML Common Biometric Format XCBF Copyright © 2009 Open Geospatial Consortium, Inc. 127 see [18] – can be used to collect, distribute and process biographic identity information. SAML integration with LDAP see [17] is possible in a seamless manner.

10.15.2 Access Control