The ability to build trust into SOA-based transactions – and therefore, security – was the subject of a recent podcast discussion I had with Dr. Raj Nagaratnam, IBM distinguished engineer and chief architect for Identity and SOA Security, posted over at the ebizQ site. SOA security is a hot topic these days, and companies are only just starting to get their arms around how to secure their emerging SOA implementations.
In my discussion with Raj, we talked about the emerging security issues he sees developing as SOA becomes a mainstream part of IT and the business.
A couple of themes emerged. First, trust matters more than anything in SOA: consumers of services need to trust that those services are stable and secure, and both users and applications will be providing, accessing, and consuming services to and from other applications and users far from their original domains.
The second theme of the discussion was how pervasive identity management needs to be. Not only do end-users need to be authenticated and validated in a global way for transactions, but since SOA is all about application-to-application or service-to-service interactions, services need identities as well.
While SOA surfaces many of the same security issues enterprises have become familiar with in recent years, it adds a new dimension to these concerns. Where traditional approaches required locking down a single application, database, or network, SOA’s loose coupling of services and applications across many domains makes security more complicated.
“Given SOA enables a loosely coupled approach to services and reuse, what happens is when you interact with partners, consumers, and providers, any exemptions you had about the control are about to change,” Raj explains. “Most importantly, trust in the environment changes dramatically. So trust-based identification and identity management is key.”
Raj outlined five key areas that need to be addressed in the realm of SOA security:
- Trust and identity: “Enterprise boundaries are expanding, therefore managing trust becomes important. Applications are no longer within a firewall. So in that context, identities need to be trusted, mediated, and managed.”
- Services have identities, too: “In an SOA environment, identities are not limited to users alone but services themselves. Services start to have or need to take on identities themselves because, in a composite application environment, one service may invoke another service. A shipping service may be invoked by an order processing system. So in this context, services take on identities, so the life cycle of services as well as users needs to be taken into account when considering identity.”
- Data itself needs greater protection: “There’s greater focus on application and information assets, because information such as medical records or financial information could potentially be exposed outside. Protection measures need to apply to manage and enforce the data, whether it’s data in transit or data at rest.”
- Compliance: “Compliance needs to be a key driver for the ability to know who accessed what, and who has access to what, and things like that, to provide audit reports such as with compliance. This is important in an SOA environment. The challenge is that these audit reports and logs are not in the systems you control but could be in other systems. Effort becomes more important.”
- Policies: “In the adoption of SOA, people are thinking about individual services and how to reuse them, but they’re moving to a model where multiple services could be composed. Traditionally, security measures were oriented towards a single application or a service. But then we compose these multiple technology services into business services, and policies need to be managed at a very high level, not just at a technology level like a web service but at a holistic business service level. The policy-driven approach is going to become more important and there’s a lot more work to be done in this area.”
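To make the "services have identities" and "who accessed what" points concrete, here is an added example (my own illustration, not code from the podcast or from IBM) in which a shipping service verifies both the calling order-processing service's identity and the end user it acts for, checks the caller's lifecycle state in a service registry, and writes an audit record. The STS shared secret, service names, registry and order id are all constructed for the demo; a real token service would use keys and certificates rather than a shared HMAC secret.

```python
import hmac, hashlib, json

STS_SECRET = b"constructed-demo-secret"  # constructed trust anchor for the demo STS

def issue_assertion(subject, kind, now, ttl=300):
    """STS issues a signed identity assertion for a user ('user') or a service ('service')."""
    claims = {"sub": subject, "kind": kind, "exp": now + ttl}
    body = json.dumps(claims, sort_keys=True).encode()
    return {"claims": claims, "sig": hmac.new(STS_SECRET, body, hashlib.sha256).hexdigest()}

def verify_assertion(assertion, now):
    """Return the claims if the signature is valid and the assertion is unexpired, else None."""
    body = json.dumps(assertion["claims"], sort_keys=True).encode()
    expected = hmac.new(STS_SECRET, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["sig"]) or assertion["claims"]["exp"] < now:
        return None
    return assertion["claims"]

# Constructed service registry: lifecycle state of each service identity and trusted callers
SERVICE_REGISTRY = {
    "order-processing": {"status": "active"},
    "legacy-fulfilment": {"status": "retired"},
    "shipping": {"status": "active", "trusted_callers": {"order-processing"}},
}
AUDIT_LOG = []  # who (claimed user) accessed what, via which service, and the outcome

def shipping_authorize(request, now):
    """The shipping service checks the calling service AND the end user it is acting for."""
    caller = verify_assertion(request["caller"], now)
    user = verify_assertion(request["on_behalf_of"], now)
    if caller is None or caller["kind"] != "service":
        reason = "unverified caller"
    elif SERVICE_REGISTRY.get(caller["sub"], {}).get("status") != "active":
        reason = "caller identity not active"   # retired service identity is refused
    elif caller["sub"] not in SERVICE_REGISTRY["shipping"]["trusted_callers"]:
        reason = "caller not trusted by shipping"
    elif user is None or user["kind"] != "user":
        reason = "unverified end user"
    else:
        reason = "ok"
    AUDIT_LOG.append({"claimed_user": request["on_behalf_of"]["claims"]["sub"],
                      "via": request["caller"]["claims"]["sub"],
                      "resource": request["order"], "allowed": reason == "ok", "reason": reason})
    return reason == "ok", reason

def demo():
    now = 1_000_000  # constructed clock value so results are reproducible
    alice = issue_assertion("alice", "user", now)
    ok, _ = shipping_authorize({"caller": issue_assertion("order-processing", "service", now),
                                "on_behalf_of": alice, "order": "order-42"}, now)
    retired, why = shipping_authorize({"caller": issue_assertion("legacy-fulfilment", "service", now),
                                       "on_behalf_of": alice, "order": "order-42"}, now)
    return ok, retired, why
```

Running `demo()` returns `(True, False, 'caller identity not active')`, and `AUDIT_LOG` then holds one record per call showing the user, the service that acted for them, the order touched and the decision.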
The full transcript of the discussion is available here.