SOA security: isn't SOA itself a security solution?

SOA needs to be secured, but also enables security services

Mark O'Neill picked up on my recent post on SOA security and asks a very logical question: Why aren't we looking at SOA as an enabler of security, versus worrying about the security of SOA approaches?

We're asking the wrong question about SOA security

A very good question indeed. Mark calls this the "neglected flipside of SOA security," observing that "SOA Security" is two separate things, solving two separate problems -- securing SOA-based infrastructures, and applying SOA principles to security. "I think that too many SOA Security articles focus only on the first meaning of SOA Security (making SOA more secure) than on the second (applying SOA principles to security to make it more easy to deploy and manage)," Mark says.

He explains:

"'SOA-flavored Security' means making security more manageable and easy to deploy by isolating re-usable components of security and providing them as managed services. For example, the OASIS DSS standard explains how digital signature services can be used in order to provide signing and signature validation services over the network, accessed using a Web Services interface. This solves a knotty problem, and provides a good framework for key management. Similarly, specifications such as XKMS, XACML, and WS-Trust are really all about applying SOA to security, to solve interoperability problems, not about 'making SOA secure.'"

A few weeks back, I quoted Open Group's Dr. Chris Harding, who also pondered whether we've been looking at the SOA security problem "the wrong way around." Chris suggests SOA and the use of shared services may actually solve more security problems than it creates.

The beauty of a service-oriented approach is that it provides common mechanisms -- security services -- that can be developed and tested once, then applied across many types of applications and scenarios. When common SOA-based security services are available within the enterprise, individual domain or application owners no longer need to reinvent the wheel, rely on jury-rigged approaches, or simply cross their fingers when securing their application and data assets.
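To make the "shared security service" argument concrete, here is an added example (my own illustration, not code from the original post, from OASIS, or from any XACML product) of the pattern XACML formalizes: one policy decision point (PDP) that owns the authorization rules, and several applications acting only as policy enforcement points that ask it for a decision. The policy, the attribute names (`id`, `role`, `owner`, `type`) and the two "applications" are constructed for the example; a real deployment would carry the policy in XACML's XML or JSON form and reach the PDP over the network rather than by an in-process call.

```python
"""Minimal XACML-style policy decision point shared by several applications.

Added illustration, not code from the original post or from any OASIS
specification. The policy, attribute names and the two 'applications' are
constructed for the example; real XACML uses XML/JSON policies and a
network-facing PDP, which is simplified here to in-process calls.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Decision values mirror the XACML 3.0 result set (Indeterminate omitted).
PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"

Attrs = Dict[str, str]


@dataclass
class Request:
    subject: Attrs
    resource: Attrs
    action: Attrs


@dataclass
class Rule:
    name: str
    effect: str                          # PERMIT or DENY
    target: Callable[[Request], bool]    # which requests the rule applies to
    condition: Callable[[Request], bool] = lambda r: True


@dataclass
class Policy:
    rules: List[Rule] = field(default_factory=list)

    def evaluate(self, req: Request) -> str:
        """Deny-overrides combining: any applicable Deny wins, else any Permit."""
        decision = NOT_APPLICABLE
        for rule in self.rules:
            if not (rule.target(req) and rule.condition(req)):
                continue
            if rule.effect == DENY:
                return DENY
            decision = PERMIT
        return decision


# One enterprise policy, written and reviewed once (constructed for the example).
ENTERPRISE_POLICY = Policy([
    Rule("owners-manage-own-records", PERMIT,
         target=lambda r: r.resource["type"] == "record",
         condition=lambda r: r.resource["owner"] == r.subject["id"]),
    Rule("auditors-read-anything", PERMIT,
         target=lambda r: r.subject.get("role") == "auditor",
         condition=lambda r: r.action["id"] == "read"),
    Rule("contractors-never-delete", DENY,
         target=lambda r: r.subject.get("role") == "contractor",
         condition=lambda r: r.action["id"] == "delete"),
])


def pdp_decide(req: Request, policy: Policy = ENTERPRISE_POLICY) -> str:
    """Policy decision point: the shared service every application calls."""
    return policy.evaluate(req)


# Two independent applications act as policy enforcement points (PEPs):
# they only build the request and honour the answer; neither carries its own
# authorization logic, so a rule change lands in every application at once.
def hr_app_view_record(user: Attrs, record: Attrs) -> bool:
    req = Request(subject=user, resource={"type": "record", **record},
                  action={"id": "read"})
    return pdp_decide(req) == PERMIT


def billing_app_delete_invoice(user: Attrs, invoice: Attrs) -> bool:
    req = Request(subject=user, resource={"type": "record", **invoice},
                  action={"id": "delete"})
    return pdp_decide(req) == PERMIT


if __name__ == "__main__":
    alice = {"id": "alice", "role": "contractor"}
    bob = {"id": "bob", "role": "auditor"}
    print(hr_app_view_record(alice, {"owner": "alice"}))          # True
    print(hr_app_view_record(bob, {"owner": "alice"}))            # True (auditor)
    print(billing_app_delete_invoice(alice, {"owner": "alice"}))  # False: deny overrides
```

The point worth noticing is in the last call: the owner rule would permit the delete, but the contractor rule denies it, and deny-overrides settles the conflict inside the PDP. Neither application had to know that rule existed, which is exactly the "develop and test once, apply everywhere" property the paragraph above describes.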

Again, SOA may solve more security issues than it creates.