The steady march of service-oriented architecture (SOA) and XML-based Web services into the enterprise is catching up with the security-minded among us. Don't get me wrong. It's not like the security management team hasn't been paying attention. They have been. It's just that many organizations over the past couple of years have only been experimenting with SOA approaches, and thus it was a bit premature for the more operationally focused portions of IT to get deeply involved. However, as these IT experiments have started to transition to important, business-enabling deployments, it has become time to bring in the people who can address security and management at an enterprise level.
The big challenge with SOA is that a key part of its appeal also happens to be the source of its IT management Achilles' heel. SOA by definition is loosely coupled, highly granular, and often widely distributed and multi-step. In addition, it can combine both internal and external services, some implementation dependent, some platform independent. Unfortunately, this same "loose coupling" poses a challenge for anyone concerned with security and management at an enterprise level.
New Dog, Old Tricks
Just like predecessor application technologies, with SOA there are many aspects that need to be managed. These include application performance, development, network and operating platforms, data, and of course many aspects of security and identity. While none of these are a new IT management challenge, the very nature of SOA amplifies them with scale and complexity.
Happily, the traditional application "siloed" approach to security and identity management for existing applications, where security functions such as authentication, authorization and audit were developed uniquely for each application silo, is steadily on its way out in most organizations. Unfortunately, security silos are at risk of being reestablished and reinvigorated with the steady uptake of XML-based Web services and SOA architectures. Many organizations are pushing forward with SOA without properly considering and planning for the security challenges that they will surely face, especially as the SOA-based approach is scaled to meet the application and data needs of both internal business units and external constituencies. History teaches us that as the use of a particular technology mushrooms, the security and management challenges mushroom right along with it.
Security, By Default
The fact is that too many organizations leave security decisions, explicitly or by default, to the application development or networking teams. These teams often lack the span of control, experience or perspective necessary to consider enterprise IT management in general and security management in particular. They have enough on their plates just building, maintaining and enhancing applications and networks for their different user communities.
I can tell you first hand that we have been in this exact position before, and not too long ago, with the last wave of technology evolution. If you turn back the clock approximately 10 years, the first rollout of applications and data to employees, customers and business partners via the Web was occurring. In most cases application-level security was also left up to the application developers or the network engineers. Where did that get us? Sometimes it resulted in effectively no application security at all. If a user could get into the internal network, they could get into any resident application if they knew where to find it. In effect, perimeter security was incorrectly considered sufficient security. But what does the perimeter mean in the Web context? This realization has contributed to the boom in the Identity and Access Management (IAM) market that we have been experiencing over the last five years.
This very same realization is beginning to take hold for SOA, as IAM is also very much a concern for SOA. Since these new SOA-based applications provide access to critical business processes and sensitive data, the identity and rights of the Web service user (which, in this context, can be a person or an application) matter, just as they do for Web application users. Those identities, their credentials and other attributes, as well as their access to the Web services, need to be managed and controlled, potentially at massive scale.
Securing the Enterprise
Fortunately those of us in Web security and IT management are very much on the case of Web services and SOA security and management. A solution to these challenges is already emerging. The combination of SOA platforms, XML gateways, application servers and Web services security-enabled IAM solutions can be leveraged to scale the management and security of XML-based Web services and full-fledged SOA architectures as they are rolled out across the enterprise.
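As an added illustration of the point made above (not code from the column or from CA), the following sketch shows the alternative to per-application security silos: several Web services hand the caller's identity, which may be a person or an application, to one shared policy decision point that authenticates, authorizes on attributes and writes an audit record. The identities, attributes, service names and policy table are constructed sample data.

```python
"""Shared policy decision point (PDP) for several XML Web services.

Constructed example: one authenticate/authorize/audit path used by every
service, instead of each service reimplementing its own security silo.
"""
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    name: str
    kind: str               # "person" or "application"
    attributes: frozenset   # identity attributes the policy is evaluated on


# Constructed credential store standing in for the enterprise IAM directory.
CREDENTIALS = {
    "alice": ("s3cret", Principal("alice", "person", frozenset({"role:finance"}))),
    "billing-svc": ("app-key-1", Principal("billing-svc", "application",
                                           frozenset({"role:billing"}))),
}

# One policy table covering every service: (service, operation) -> attributes
# that grant access. Operations absent from the table are denied by default.
POLICY = {
    ("OrderService", "placeOrder"): {"role:billing", "role:finance"},
    ("OrderService", "refund"): {"role:finance"},
    ("InventoryService", "adjust"): {"role:billing"},
}

AUDIT_LOG: list = []   # central audit trail shared by all services


def authenticate(name, secret):
    """Return the Principal for valid credentials, else None."""
    entry = CREDENTIALS.get(name)
    if entry is None or not hmac.compare_digest(entry[0], secret):
        return None
    return entry[1]


def authorize(principal, service, operation):
    """Attribute-based check against the shared policy; unknown ops deny."""
    return bool(principal.attributes & POLICY.get((service, operation), set()))


def check_access(name, secret, service, operation):
    """Single entry point every service calls before doing any work."""
    principal = authenticate(name, secret)
    decision = principal is not None and authorize(principal, service, operation)
    AUDIT_LOG.append({"caller": name, "kind": principal.kind if principal else "unknown",
                      "service": service, "operation": operation, "allowed": decision})
    return decision
```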
So while you come up with your SOA strategies and deploy your Web services, make sure that you at least connect your identity and access management initiatives with the SOA security initiatives. The SOAs are coming and are likely already somewhat deployed in your organization. It's time to manage and secure them the right way.
About the Author
Matthew Gardiner is the senior marketing manager for identity and access management products at CA Inc.