
How to secure applications with SOA application gateways

Secure applications are increasingly important as organizations open content to third parties.

SOA application gateways can serve several functions. Perhaps most notably, they allow organizations to open their applications to other departments, partners, and customers when the appliance sits in the demilitarized zone.

How do you ensure proper access, especially when third parties connect to your applications over a public network? That's where the security layer of functionality, where decisions are made about programs making a call into the organization's environment, comes into play.

"The big issue nowadays is that everybody thinks it's really cool that with SOA you can make the applications that you use in your company available to others," said Lustratus Research Limited director Steve Craggs. "It's all about opening up your corporate applications to a wider audience."

Security becomes even more important with the larger audience, according to Layer 7 partner solutions architect Jaime Ryan.

"Once we start to expose this data that has previously been stored in mainframes or deep in databases, security is a prime concern because the original applications didn't have security baked in," said Ryan. "It was very point-to-point. Now you're exposing this in a more generic fashion."

Craggs concurs, noting users should only be granted access to services they need. "Because we're opening it all up, it's all very well to say, 'People can use my services, but you better make sure they're not going to do anything naughty,'" he said.

Forrester vice president Randy Heffner also highlights the security considerations that come with SOA application gateways.

"How do I make sure I know who is making the call, log the call [and] make a record of it -- those are the kinds of questions that I'm asking in terms of how I configure each of my individual services in the gateway, and that's where I'm asking about functionality and capabilities the gateway has for doing security in a variety of ways," he said.

Implementing secure applications

Companies can implement several types of security functions, such as authentication of endpoints, authorization, digital signature processing and encryption.

For example, for authentication and authorization, they can access various types of third-party repositories such as LDAP and Active Directory. Most ship with security token capabilities and can access certificate authorities.

In addition to these security functions, the appliances have "ways of allowing you to define sets of policies to create a cascading structure of policies and subpolicies," said Gartner research vice president Ross Altman.
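The functions described above (endpoint authentication against a token, authorization against a directory, and a cascading policy structure that records every decision) can be sketched as a small policy engine. This is an added illustration, not code from any vendor's gateway; the token format, the shared secret, the directory entries and the service scopes are all constructed stand-ins for the token service and LDAP/Active Directory lookups the article mentions.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Callable, List
# Constructed sample data: a secret shared with a hypothetical token service,
# entitlements standing in for an LDAP/Active Directory lookup, and the scope
# each exposed service requires.
SECRET = b"demo-gateway-secret"
DIRECTORY = {"partner-a": {"orders:read"}, "finance": {"orders:read", "orders:write"}}
SERVICE_SCOPES = {"/orders/get": "orders:read", "/orders/create": "orders:write"}
AUDIT_LOG: List[str] = []
@dataclass
class Request:
    service: str
    token: str
    caller: str = ""  # filled in by the authentication policy

@dataclass
class Policy:
    name: str
    check: Callable[[Request], bool]
    subpolicies: List["Policy"] = field(default_factory=list)

def issue_token(subject: str) -> str:
    # Constructed token format: subject.HMAC-SHA256(subject)
    mac = hmac.new(SECRET, subject.encode(), hashlib.sha256).hexdigest()
    return f"{subject}.{mac}"

def authenticate(req: Request) -> bool:
    # Endpoint authentication: accept the token only if its MAC verifies.
    subject, _, mac = req.token.rpartition(".")
    expected = hmac.new(SECRET, subject.encode(), hashlib.sha256).hexdigest()
    if subject and hmac.compare_digest(mac, expected):
        req.caller = subject
        return True
    return False

def authorize(req: Request) -> bool:
    # Authorization: the caller may reach only services its entitlements cover.
    needed = SERVICE_SCOPES.get(req.service)
    return needed is not None and needed in DIRECTORY.get(req.caller, set())

def evaluate(policy: Policy, req: Request) -> bool:
    # Cascade: a policy allows only if its own check and every subpolicy allow.
    # Every decision is logged so each call is attributable to a caller.
    ok = policy.check(req) and all(evaluate(p, req) for p in policy.subpolicies)
    AUDIT_LOG.append(f"{policy.name} caller={req.caller!r} service={req.service} allow={ok}")
    return ok

# Root policy authenticates; its subpolicy authorizes per service.
GATEWAY_POLICY = Policy("authenticate", authenticate, [Policy("authorize", authorize)])
```

A forged token fails at the root policy, so the authorization subpolicy is never consulted, while a valid caller asking for a service outside its entitlements is refused at the subpolicy; both outcomes land in the audit log.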

Security doesn't stop there. "In many ways, when you're dealing with security in this kind of Web services, it's not just what you're doing to the payload, but also the platform in which you're doing it," said Adolfo Rodriguez, Ph.D., IBM distinguished engineer and DataPower chief architect. "It's as much about how you build it as it is what it does."

Virtually all SOA and XML appliances ship with a Linux OS stripped down to only the required features and with passwords already set, according to Altman. Furthermore, the appliances "are typically delivered as hardened rack-mountable units. Often they have certain fasteners so that you can't open the box with ordinary tools," he said. "They're also hardened on a software basis."

In addition, some vendors have their appliances certified to validate their security properties. These are especially important to organizations that require strong security, such as government agencies and financial organizations. "[They] want security and the highest level of security certifications, some of which can only be achieved with hardware," said Ryan.

Organizations that do not require the highest levels of security have the option of running a virtual, instead of a hardware, appliance. According to Ryan, such appliances combine the entire stack.

"It's the OS stripped down and secured. It's the runtime engine that enforces all the policies you've defined, it's all the connectors and adaptors -- all in one tight secure bundle so when you turn on the appliance or boot up the VMware image, all you have to do is configure the networking and you're ready," said Ryan.

SOA application gateway functionality beyond security

Altman said that over time -- particularly within the past three years -- the aforementioned products have been looked at as more than security products.

"While you could use it to do security, you still need something for data transformation, routing, content-based routing, so people have begun to realize they can use the product for both ESB [enterprise service bus]-type functionality and access control functionality," said Altman. "Sometimes they do it in the same box, sometimes in separate nodes."

There was a time when things were very concrete: a product either was or was not a security box, said Rodriguez. Customers are now benefiting from the convergence. "That middleware tier that understands content and transactions will do routing, disaster recovery and optimize traffic -- additional capabilities that customers will leverage that for, and they're converging that on the same technology," he said.

About the author

Crystal Bedell is a freelance technology writer specializing in cloud computing and information security. Connect with her via LinkedIn or email.
