SOA security issues best addressed by empowered service consumers

Dr. Chris Harding, a thought leader behind The Open Group who I've enjoyed working with from time to time, wonders whether we've been looking at the SOA security problem "the wrong way around." In a guest post over at Dana Gardner's BriefingsDirect site, Chris suggests SOA and the use of shared services may actually solve more security problems than it creates.

SOA solves more security problems than it creates

Certainly, sharing services across domains or between enterprises creates additional layers of security requirements, and it is right to worry about it. But, Chris observes that "these problems are due, not to the use of services, but to the use of distributed software modules with multiple owners."

The best way to address security issues that result from sharing services that cross domains is by being empowered consumers of these services, Chris says. He says service consumers should be asking the right questions, such as the following:

• What services am I using?
• Who provides them?
• What level of security are they contracted to provide?
• How far do I believe that they can and will meet their contractual obligation?

As Chris points out, the beauty of a service-oriented approach is that it provides for common mechanisms -- security services -- that can be developed and tested and applied against many types of applications or scenarios. Individual domain or application owners no longer need to reinvent the wheel, rely on jury-rigged approaches, or cross their fingers if common SOA-based security is available within the enterprise to secure their application and data assets. With such services, we will truly have empowered consumers.