Eric points out another free SOA book available for download as an eBook.
At first I was aghast that the authors only devoted about 6% of their material to SOA security, though they did write a good caveat at the end of Chapter two, “Security is a broad and deep topic, and we have only scratched the surface in this section. The important point is that you can extend your current enterprise security strategies to embrace services as well. “, which was a relief as so often security is an after thought buried in the appendix.
Later on in chapter five, the authors provide a reasonable argument for “a runtime governance system that simultaneously offloads security processing and policy enforcement from the applications themselves, while enabling embedded security processing on their behalf.”
Hear, hear, bravo, a separate run-time security and governance solution allows:
- Developers to focus on writing business logic and not have to write security services that differ across offerings.
- Security administrators to manage security and policy for the entire service offering using one interface.
- Auditors to have one place to look for who did what when.
Kudos to the authors for recommending that security be considered early in the design and development stages and externalized from the service offerings!