Leveraging Web Expertise for Secure SOA

A growing number of security experts say many of your current Best Practices from web application architecture will work just fine -- with just a tweak or two -- for your SOA or composite apps. See why a coalition of long-time security vendors agrees, and suggests a 3-tier SOA security blueprint.

Tags: Security, SOA, Management, Blueprint, Protection, Secure, Architects

A coalition of enterprise security vendors is proposing a three-tier blueprint to help architects and devs secure their growing inventory of SOA applications.

The group -- made up of Forum Systems, nCipher and Oblix -- is among the first to collaborate on defining a real-world, deployable and manageable "SOA security blueprint" for securely accessing backend J2EE application servers -- from either inside an enterprise or between partners.

The "blueprint," in fact, ties together all the infrastructure components an enterprise would need to secure the entire SOA pipeline: from the perimeter, across multiple firewalls, into the back office and finally into the application. The technologies addressed include: protocol protection, identity management, access control, threat protection, security management, and key management and cryptography. The "blueprint" also addresses the performance impact that widespread use of encryption and digital signatures can have on the efficient use of SOA systems. [The work was debuted at Oracle's Open World last month in San Francisco.]

[Forum Systems is the provider of XML data and web services security hardware and software. nCipher provides a range of cryptographic security for hardware and software assets. Oblix is a provider of identity and policy management options to web and SOA environments, including multi-platform single-sign on solutions.]

"Basically, our blueprint for end-to-end SOA security brings together three (3) different layers of security, which individually contribute a specialized security protection," Wynn White, an Oblix marketing manager, told IDN. Those three different layers include:

  • Perimeter -- protecting the outermost layer, and providing firewall-caliber protection of protocols and the communication links;
  • Interior -- protecting access to data, documents, rules, and other sensitive business information via context-based ID management, authentication, authorization, etc.; and
  • Service Management -- protecting your security systems against failure or breach, and being able to monitor and manage their effectiveness.

"An analogy which I find always helpful when talking about pervasive security is [to think about] security for a castle. Perimeter security is the moat and its drawbridge and the stone walls of the castle. Inner security is the locked doors and guards within. Having just one is insufficient; you've really got to have both to ensure the overall security of the castle," White added. And then there is the third layer: the ability to keep an eye on all that security.

Reusing Web Apps Best Practices for SOA

"What we're finding is that many of the Best Practices that have emerged around web application security over the past several years can be used as a basis for strong SOA security," White said.

"We hope this blueprint for SOA security can serve as a bridge between the application architects and the security teams, giving both more power in the decision making at the design and implementation stages," he told IDN. "The good news for these [IT] professionals is that looking at these blueprints they'll find they can leverage what they've already got -- both in technology and in learning. If they've already cut their teeth on identity management for letting employees access documents or applications, we'll show them it's not a big deal to apply those same concepts to objects and services [in an SOA environment]."

"So, the issues [for architects and devs] are to use an approach which will let you continuously apply strong security across domains, and across different technologies," White said. As an example, White pointed to an SOA-based application for applying for auto insurance, where the app server might kick off a variety of local database look-ups, as well as a variety of offsite communications (to a DMV, or credit bureau, for instance).
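To make the three layers concrete, and to show how one policy pipeline can be applied uniformly to the auto-insurance calls White describes (local look-ups as well as DMV and credit-bureau traffic), here is an added example. It is not code from the article or from Forum Systems, nCipher or Oblix; the service names, the access rules, the `Principal`/`Audit` types and the sample messages are all hypothetical and constructed for illustration. Each request passes a perimeter check (size limit, no DTD or entity declarations, only exposed actions, well-formed XML), then an interior check (role, calling domain, and a contextual rule tying a customer to their own application), while a service-management layer records every decision and fails closed if a security component itself throws.

```python
"""Added example, not from the original article or the named vendors: a minimal
three-layer request pipeline (perimeter / interior / service management) for an
XML-based SOA service.  All names, rules and sample messages are hypothetical."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

MAX_BYTES = 4096  # hypothetical perimeter size cap for a single message


class Rejected(Exception):
    """Raised by a layer that refuses a request; the message starts with the layer name."""


@dataclass
class Principal:
    user: str
    roles: frozenset
    domain: str  # where the call originates, e.g. "intranet" (employee) or "partner" (B2B link)


@dataclass
class Audit:
    """Service-management layer: every decision is recorded so it can be monitored."""
    events: list = field(default_factory=list)

    def log(self, layer, outcome, detail):
        self.events.append((layer, outcome, detail))


# Layer 1, perimeter: protocol-level protection applied before any business logic.
def perimeter_check(raw: bytes, action: str, allowed_actions) -> ET.Element:
    if len(raw) > MAX_BYTES:
        raise Rejected("perimeter: message exceeds size limit")
    if b"<!DOCTYPE" in raw or b"<!ENTITY" in raw:
        raise Rejected("perimeter: DTD and entity declarations are not accepted")
    if action not in allowed_actions:
        raise Rejected(f"perimeter: action {action!r} is not exposed")
    try:
        return ET.fromstring(raw)
    except ET.ParseError as exc:
        raise Rejected(f"perimeter: malformed XML ({exc})")


# Layer 2, interior: who is calling, from which domain, and about what.
POLICY = {  # hypothetical access rules for the auto-insurance scenario
    "QuoteAuto":   {"roles": {"agent", "customer"}, "domains": {"intranet", "partner"}},
    "LookupDMV":   {"roles": {"agent"},             "domains": {"intranet"}},
    "CreditCheck": {"roles": {"underwriter"},       "domains": {"intranet"}},
}


def interior_check(principal: Principal, action: str, doc: ET.Element) -> None:
    rule = POLICY[action]  # perimeter_check already guaranteed the action exists
    if not (principal.roles & rule["roles"]):
        raise Rejected(f"interior: roles {sorted(principal.roles)} may not call {action}")
    if principal.domain not in rule["domains"]:
        raise Rejected(f"interior: {action} is not reachable from domain {principal.domain!r}")
    # Contextual rule: a plain customer may only act on their own application.
    applicant = doc.findtext("applicant")
    if principal.roles == frozenset({"customer"}) and applicant != principal.user:
        raise Rejected("interior: customer may only act on their own application")


# Layer 3, service management: run the layers in order, record the outcome, fail closed.
def handle(raw: bytes, action: str, principal: Principal, audit: Audit) -> dict:
    try:
        doc = perimeter_check(raw, action, POLICY.keys())
        audit.log("perimeter", "pass", action)
        interior_check(principal, action, doc)
        audit.log("interior", "pass", action)
        return {"status": "ok", "action": action, "applicant": doc.findtext("applicant")}
    except Rejected as exc:
        layer = str(exc).split(":", 1)[0]
        audit.log(layer, "deny", str(exc))
        return {"status": "denied", "reason": str(exc)}
    except Exception as exc:  # a broken security component must not let traffic through
        audit.log("management", "error", repr(exc))
        return {"status": "denied", "reason": "security component failure"}


def run_demo():
    """Constructed sample traffic; returns (decisions, audit events)."""
    audit = Audit()
    agent = Principal("alice", frozenset({"agent"}), "intranet")
    partner_agent = Principal("bob", frozenset({"agent"}), "partner")
    customer = Principal("carol", frozenset({"customer"}), "partner")
    quote = b"<QuoteAuto><applicant>carol</applicant><vehicle>sedan</vehicle></QuoteAuto>"
    bomb = b'<!DOCTYPE x [<!ENTITY a "aaaa">]><QuoteAuto>&a;</QuoteAuto>'
    results = [
        handle(quote, "QuoteAuto", agent, audit),          # ok: agent on the intranet
        handle(quote, "LookupDMV", partner_agent, audit),  # denied (interior): wrong domain
        handle(bomb, "QuoteAuto", agent, audit),           # denied (perimeter): DTD present
        handle(quote, "QuoteAuto", customer, audit),       # ok: carol quotes her own application
        handle(quote.replace(b"carol", b"dave"), "QuoteAuto", customer, audit),  # denied: not hers
        handle(quote, "Admin", agent, audit),              # denied (perimeter): not exposed
    ]
    return results, audit.events


if __name__ == "__main__":
    decisions, events = run_demo()
    for d in decisions:
        print(d)
    for e in events:
        print(e)
```

The point of the split is the one the vendors make: the perimeter layer never needs to know who the caller is, the interior layer never re-parses raw bytes, and the management layer sees both so that a failing component or a burst of denials is visible rather than silent. A second service (the DMV or credit-bureau call in White's scenario) reuses the same `handle` with its own `POLICY` entries rather than growing its own ad hoc checks.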