
SOAs promise flexibility in creating business processes, but what about security?

by Staff -- Manufacturing Business Technology, 1/1/2006 7:00:00 AM

A service-oriented architecture (SOA) offers a fast and flexible means of creating business processes both within and between companies. But the technology is still maturing, and properly securing SOA-based business processes—which often involve exchanging sensitive financial information or intellectual property—is proving complicated.

An SOA is an infrastructure wherein software applications are broken into modular components—called services—and placed in a repository where they can be accessed either by users or other services. When this is done properly, a company can implement new business processes almost at will by writing procedures that call for sets of services to interact with one another.

Interest in SOAs has increased with the advent of Web services. These are software components wrapped in communications protocols that facilitate sharing them with other companies via the Internet. Web services also present the greatest challenge to IT professionals seeking to embed security into an SOA because Web services are most likely to be deployed in business processes that reach beyond a company's firewall.

"There is tension between flexibility and security," says Richard Mackey, principal at network security consultancy SystemExperts. "The mechanisms out there to impose security are all point-to-point. Each service authenticates to all the others."

Since these services frequently consist of minute tasks, such as each step in filling an online purchase order, thousands of services can be checking on each other at one time, possibly affecting overall system performance.

"We will have to come up with a new way of securing these services," Mackey asserts. "The next big thing is securing the SOA without damaging flexibility."

Current solutions comprise a number of tactics:

  • Developing services with security standards such as WS-Security from the OASIS standards consortium;

  • Using Security Assertion Markup Language (SAML); and

  • Restricting Web services to protected servers.

Mackey says some companies forgo securing SOAs altogether rather than sacrifice business process flexibility. "This works fine," he says, "as long as [the services] are sufficiently isolated from external and internal threats by means of firewalls.

"In the traditional model, you open a file and build the security around it," Mackey adds. "The user and that individual resource are the only things in play. In an SOA, all these services want to take advantage of all the other services. What is the security model that allows this to work?"

Security requirements for SOAs and Web services—that is, authentication, authorization, audit control, and privacy protection—are no different than those of other architectures, and, in spite of the technical complexity, their security is still too important to be left to IT alone, says Dan Finerty, a director at mainframe system integrator NEON Systems.

Line-of-business managers must have input, suggests Finerty. He recommends they become part of the group charged with implementing SOAs or Web services so they can ask the important security questions and ensure appropriate business controls are in place.

© 2009 Reed Business Information, a division of Reed Elsevier Inc. All rights reserved.