Too many companies burden developers with SOA security

Anne Thomas Manes: All too often, SOA security gets left to individual developers, who are not in a position to address the complexities wrought by SOA.

Security was tough enough before SOA came along, and now it's gotten even tougher. SOA takes that individual system you were worrying about, and adds multiple systems and dependencies from across and outside the enterprise into the mix.

However, all too often, SOA security gets left to individual developers, who may try to do everything they can to build in security features, but are not in a position to address the complexities wrought by SOA.

That's what makes good SOA governance critical. On the road to trustworthy SOA, organizations need to rely on automated, policy-driven governance, rather than hoping individual developers or operations managers get it right.

"If you’ve had any experience with SOA, you realize that it adds a new dimension to the security landscape, and that’s mostly because you’ve got a set of loosely coupled connections which contain a lot of dependencies," says Anne Thomas Manes, analyst with Burton Group. This past week, I had the opportunity to moderate an ebizQ Webcast featuring Anne Thomas Manes of Burton Group and Andrew Brown of AmberPoint, who addressed this topic.

As Anne so appropriately put it:

"Security threats and the requirements are very complex, and you have to assume that the average developer is not fully cognizant of all these threats and challenges that exist out there. And it’s really not appropriate to assume that the developer is going to be capable of managing security all on his own."

Security is "really hard stuff, and you can’t expect a business developer to understand it all," Anne pointed out. "Even if you have really highly trained business developers who understand security more than the average business developer does, I still wouldn't want to rely on them to make sure they’re implementing the proper security according to corporate policy, and actually writing all this security directly into their application code."

The key to instilling security is effective enterprise-wide SOA governance. "Governance is about visibility, control, and validation," said Andrew Brown. "Security needs to be an integral part of a governance solution."

"It’s really important that you have good governance processes in place that ensure that proper security can be applied to each of your services," Anne agreed. Centralization of security functions is the key. Organizations need to "adopt a policy-driven enforcement model which allows the security office to actually make decisions about what needs to be secured, and how things need to be secured, and allows them to externalize security as much as possible."

Organizations need to move away from the "traditional approach to building systems," which involves re-implementing security capabilities within each siloed application, Anne pointed out.

Instead, the best approach in the SOA era is to establish "a managed communications infrastructure in the center," Anne advocated. "The infrastructure itself will make sure that the communications are done properly and in accordance with appropriate sets and policies. So when the retail customer service application invokes the profile management service, you know that it is properly authenticated, that the appropriate logging and auditing is going on, and the information is properly protected, and all the other things that are necessary. That’s because you rely on the infrastructure itself to make sure that this is done right."