Security in a Loosely Coupled SOA Environment
LAYERS OF SOA SECURITY
From another perspective, each aspect of SOA security outlined above should be addressed as a separate layer of security. In my discussions with clients, I have found the following three conceptual categories to be quite helpful in sorting out the major challenges in securing an SOA. If you engage in a discussion of security with a vendor, partner, or colleague, you may hear security issues referred to in this framework. Before we look at actual SOA security solutions, let's go over security policy, message-level security, and governance.
Security policy and provisioning
Security policy refers to the issues that arise around authentication and authorization. In general terms, any SOA security discussion is going to have a component of security policy. Who is allowed to use the web service, and who is not? How can you establish the identity of a user (or a machine that functions as a user)? How can you systematically manage the policies that you have created for security? For example, you might set a policy that all users with the role of VP can use a specific web service. How do you enforce that policy? Another way you may hear this question is in terms of "provisioning", that is, who will be provided with a specific web service. Many vendors and analysts talk about provisioning issues and systemic provisioning capabilities.
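The questions above (who is the caller, what role do they hold, is that role permitted to call this service, and how is the policy enforced consistently) map onto a small policy enforcement point. The following is an added example, not code from the book or its authors; the service names, the credential tokens, and the in-memory identity store are all constructed stand-ins for a real directory or token service. It shows a default-deny role policy, a separate authentication step for human and machine callers, a provisioning call that grants a role, and a decision log that records every permit and deny.

```python
"""Minimal policy enforcement point (PEP) for a web service.

Added example; the tokens, principals and service names below are
constructed for illustration and do not come from any real system.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Principal:
    """An authenticated caller: a person or a machine acting as a user."""
    name: str
    roles: frozenset


# Constructed identity store: presented credential -> principal.
# A real deployment would consult a directory or security token service.
IDENTITY_STORE: Dict[str, Principal] = {
    "token-alice": Principal("alice", frozenset({"VP", "employee"})),
    "token-bob": Principal("bob", frozenset({"employee"})),
    "token-build-server": Principal("build-server", frozenset({"machine"})),
}

# Policy: service name -> roles permitted to call it.
# Any service not listed here is denied to everyone (default deny).
POLICY: Dict[str, Set[str]] = {
    "quarterly_forecast": {"VP"},
    "employee_directory": {"employee", "VP"},
    "nightly_report": {"machine"},
}

# Decision log: (subject, service, decision). Kept so that an auditor
# can later verify who was allowed to call what.
AUDIT_LOG: List[Tuple[str, str, str]] = []


def authenticate(token: str) -> Optional[Principal]:
    """Establish the caller's identity from the presented credential.

    Returns None for an unknown credential; the caller is then treated as
    unauthenticated and denied by the PEP.
    """
    return IDENTITY_STORE.get(token)


def authorize(principal: Principal, service: str) -> bool:
    """Permit only if the caller holds at least one role listed for the service."""
    allowed = POLICY.get(service, set())
    return bool(allowed & principal.roles)


def provision(token: str, role: str) -> None:
    """Provisioning step: grant an existing identity an additional role."""
    current = IDENTITY_STORE[token]
    IDENTITY_STORE[token] = Principal(current.name, current.roles | {role})


def invoke(token: str, service: str) -> Optional[str]:
    """The PEP: authenticate, authorize, record the decision, then dispatch.

    Returns the service result on PERMIT and None on DENY.
    """
    principal = authenticate(token)
    subject = principal.name if principal else "<unauthenticated>"
    if principal is None or not authorize(principal, service):
        AUDIT_LOG.append((subject, service, "DENY"))
        return None
    AUDIT_LOG.append((subject, service, "PERMIT"))
    # Dispatch to the real service implementation would happen here.
    return f"{service} result for {principal.name}"


if __name__ == "__main__":
    print(invoke("token-alice", "quarterly_forecast"))   # VP: permitted
    print(invoke("token-bob", "quarterly_forecast"))     # employee only: denied
    print(invoke("token-build-server", "nightly_report"))  # machine caller
    provision("token-bob", "VP")
    print(invoke("token-bob", "quarterly_forecast"))     # now permitted
    for entry in AUDIT_LOG:
        print(entry)
```

Two design points carry over to any real enforcement layer: the policy lookup defaults to an empty role set, so a service that nobody has thought to provision is closed rather than open, and the decision is recorded before the call is dispatched, so the log cannot be skipped by a service that fails mid-request.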
At a high level, we have governance. Governance addresses how enterprise IT systems are run by people who report to corporate boards and answer to auditors. Governance refers to the broad combination of security policy, provisioning, message-level security, corporate IT policies, human resources (HR) policies, compliance, and other administrative aspects of managing enterprise IT. Governance affects many areas of IT, and with SOA, governance has particular relevance for security. In the age of Sarbanes-Oxley, corporate boards and auditors are quite interested in knowing that the information they use to run the company is drawn from IT systems of high integrity. The goal of SOA security in the context of governance is to provide assurance that the SOA can deliver verifiable data that will stand the test of an audit.
Part two of this series will appear on this site on Friday, May 19th. It will offer information on:
- Solutions to SOA security
- The savvy manager cautions: don't let security paralyze you
About the Authors
Eric Pulier is a pioneer in the software and digital interactive industries. A frequent public speaker at technology conferences around the world, Eric has helped establish cutting-edge technology companies in media management, professional services, voice systems, and peer-to-peer networking.
Hugh Taylor is an SOA marketing executive who writes, teaches, and promotes the business value of SOA and web services to major companies. The authors live in Los Angeles, California.
About the Book
Understanding Enterprise SOA
By Eric Pulier and Hugh Taylor