JUCS - Journal of Universal Computer Science 15(15): 2916-2936, doi: 10.3217/jucs-015-15-2916
SeAAS - A Reference Architecture for Security Services in SOA
Michael Hafner, Mukhtiar Memon, Ruth Breu
‡ University of Innsbruck, Innsbruck, Austria
Open Access
Abstract
Decentralized security models and distributed infrastructures of scenarios based on Service Oriented Architectures make the enforcement of security policies a key challenge - all the more so for business processes spanning over multiple enterprises. The current practice to implement security functionality exclusively at the endpoint places a significant processing burden on the endpoint, renders maintenance and management of the distributed security infrastructures cumbersome, and impedes interoperability with external service requesters. To meet these challenges, we propose a reference security architecture that transposes the model of Software as a Service to the security domain and thereby realizes Security as a Service (SeAAS). The proposed architecture goes beyond the mere bundling of security functionality within one security domain. We illustrate the concepts of SeAAS at work with the requirement of fair non-repudiation. The architecture complements the SECTET framework for model-driven security engineering.
Keywords
security as a service, service oriented architecture, security requirements