Security in a Loosely Coupled SOA Environment

  • May 12, 2006
  • By Eric Pulier and Hugh Taylor


From another perspective, each aspect of SOA security outlined above should be addressed as a separate layer of security. In my discussions with clients, I have found the following three conceptual categories to be quite helpful in sorting out the major challenges in securing an SOA. If you engage in a discussion of security with a vendor, partner, or colleague, you may hear security issues referred to in this framework. Before we look at actual SOA security solutions, let's go over security policy, message level security, and governance.

Security policy and provisioning

Security policy refers to the issues that arise around authentication and authorization. In general terms, any SOA security discussion is going to have a component of security policy. Who is allowed to use the web service, and who is not? How can you establish the identity of a user (or a machine that functions as a user)? How can you systematically manage the policies that you have created for security? For example, you might set a policy that all users with the role of VP can use a specific web service. How do you enforce that policy? Another way you may hear this question is in terms of "provisioning", that is, who will be provided with a specific web service. Many vendors and analysts talk about provisioning issues and systemic provisioning capabilities.

Message-level security

Message-level security is a group of technology issues that relate to the integrity of the actual web service message that is traveling across the network. Message-level security is the necessary other half of security policy. Think about it: It's all well and good to ensure that only authorized and authenticated users are accessing web services. However, you also want to be able to ensure that the web services they are using provide accurate information that has been neither tampered with nor eavesdropped on without authorization. Not only is this good business, it's also becoming part of the law in such areas as privacy and regulatory compliance. Message-level security, which involves such technological functions as encryption, keys, certificates, and signatures, tackles the challenge of securing the specific web service interaction from meddling and eavesdropping.
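As an added illustration, not code from the book or the article, the following Python sketches the two layers described above as two separate checks: a role-based policy decision on who may call a service, and an HMAC signature over the message so that tampering in transit is detected even when the caller is authorized. The policy table, signing key, user records and service name are constructed sample values; the signature is bound to the service name as well as the body so a signed message cannot be redirected to a different service. Confidentiality (encryption) is left out to keep the example focused on integrity.

```python
import hmac
import hashlib
import json

# Constructed sample data: which roles are provisioned for which service,
# and a key shared between the service and its authorized callers.
POLICY = {"getQuarterlyFinancials": {"VP", "CFO"}}
SIGNING_KEY = b"constructed-demo-key-not-for-production"


def authorize(user, service):
    """Security-policy layer: is the caller's role provisioned for this service?"""
    return user["role"] in POLICY.get(service, set())


def canonical_bytes(service, body):
    """Canonical encoding so signer and verifier hash identical bytes.
    The service name is signed along with the body, binding the message to
    the operation it was intended for."""
    envelope = {"service": service, "body": body}
    return json.dumps(envelope, sort_keys=True, separators=(",", ":")).encode()


def sign_message(service, body, key=SIGNING_KEY):
    """Message-level layer: HMAC-SHA256 over the canonical message."""
    return hmac.new(key, canonical_bytes(service, body), hashlib.sha256).hexdigest()


def verify_message(service, body, signature, key=SIGNING_KEY):
    # compare_digest is constant-time, so a wrong signature leaks nothing
    # about how many leading characters happened to match.
    return hmac.compare_digest(sign_message(service, body, key), signature)


def handle_request(user, service, body, signature):
    """Both layers must pass: policy decides who may call the service,
    the signature decides whether what arrived is what was sent."""
    if not authorize(user, service):
        return "denied: policy"
    if not verify_message(service, body, signature):
        return "denied: message integrity"
    return "ok"


if __name__ == "__main__":
    svc = "getQuarterlyFinancials"
    body = {"quarter": "Q1", "units": "USD"}
    sig = sign_message(svc, body)
    vp, analyst = {"name": "alice", "role": "VP"}, {"name": "bob", "role": "Analyst"}
    print(handle_request(vp, svc, body, sig))                       # ok
    print(handle_request(vp, svc, dict(body, quarter="Q4"), sig))   # denied: message integrity
    print(handle_request(analyst, svc, body, sig))                  # denied: policy
```

The middle call shows why policy alone is not enough: the caller is fully authorized, yet the altered body is still rejected because the signature no longer matches.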

Governance

At a high level, we have governance. Governance addresses how enterprise IT systems are run by people who report to corporate boards and answer to auditors. Governance refers to the broad combination of security policy, provisioning, message-level security, corporate IT policies, human resources (HR) policies, compliance, and other administrative aspects of managing enterprise IT. Governance affects many areas of IT, and with SOA, governance has particular relevance for security. In the age of Sarbanes-Oxley, corporate boards and auditors are quite interested in knowing that the information they use to run the company is drawn from IT systems of high integrity. The goal of SOA security in the context of governance is to provide assurance that the SOA can deliver verifiable data that will stand the test of an audit.

Moving forward

Part two of this series will appear on this site on Friday, May 19th. It will offer information on:

  • Solutions to SOA security
  • The savvy manager cautions: don't let security paralyze you

About the Authors

Eric Pulier is a pioneer in the software and digital interactive industries. A frequent public speaker at technology conferences around the world, Eric has helped establish cutting-edge technology companies in media management, professional services, voice systems, and peer-to-peer networking.

Hugh Taylor is an SOA marketing executive who writes, teaches, and promotes the business value of SOA and web services to major companies. The authors live in Los Angeles, California.

About the Book

Understanding Enterprise SOA
By Eric Pulier and Hugh Taylor

Published: November, 2005, Paperback: 280 pages
Published by Manning Publications
ISBN: 1932394591
Retail price: $39.95
This material is from Chapter 9 of the book.

