Good high-level security practices in another free SOA book

Eric points out another free SOA book available for download as an eBook.

At first I was aghast that the authors only devoted about 6% of their material to SOA security, though they did write a good caveat at the end of Chapter two, “Security is a broad and deep topic, and we have only scratched the surface in this section. The important point is that you can extend your current enterprise security strategies to embrace services as well.”, which was a relief, as so often security is an afterthought buried in the appendix.

Later on in chapter five, the authors provide a reasonable argument for “a runtime governance system that simultaneously offloads security processing and policy enforcement from the applications themselves, while enabling embedded security processing on their behalf.”
Hear, hear, bravo, a separate run-time security and governance solution allows:

  • Developers to focus on writing business logic and not have to write security services that differ across offerings.
  • Security administrators to manage security and policy for the entire service offering using one interface.
  • Auditors to have one place to look for who did what when.

Kudos to the authors for recommending that security be considered early in the design and development stages and externalized from the service offerings!

Is SOA dead? Secure it nevertheless!

From Dan Foody at Progress comes a podcast. (Alas, the podcast did not play with a simple click on my Macintosh, so I reluctantly spun up my Windows virtual machine. A quick glance at the podcast’s support site does note issues with Firefox & Safari using Quicktime.) I would have preferred that my friends at Progress use a universal audio player that just works, without any heavy lifting, across Windows, Mac or Linux; nevertheless I persisted. Take that as a compliment, Dan!

Dan surmises that “SOA is dead, long live SOA”. He states that the Architecture of SOA is gone but the Services remain in the Cloud and SaaS worlds.
I think it is just semantics. SalesForce.com and other SaaS providers don’t call their offering SOA, but rather Software as a Service. Cloud computing is just a paradigm for software offered somewhere in the Internet cloud and accessed using a browser or another service. So, I don’t think SOA is dead, rather it is perhaps a tired term that has recast itself as a SaaS in a Cloud, a cluster of services offered for consumption by people and other services.

Call it SOA, Cloud or SaaS, the offering still needs to be secured, as it consists mostly of XML packets destined for a consumer or provider:

  • The XML stream should be properly rendered and parsed to comply with a standard, and rejected if it contains nefarious data.
  • Data should only be allowed to pass, like an aeroplane passenger at the security checkpoint, if it is properly authenticated (identified) and authorized (entitled), with an audit trail showing who went where.
  • The option of signing and encrypting the data should be provided.

The names for rain clouds in the sky today, stratus, cumulus, cirrus etc., derive from Latin – a language long considered dead. But it lives on for scientists who study meteorology, while the rest of us still need an old-fashioned umbrella to keep dry!

Managing the security aspects of SOA

Joe McKendrick reflects on Forbes’ article that SOA turns IT departments into assemblers and managers of services.
Much of the IT department’s load can be lightened by using the Layer7 solution to manage:

  • Authentication
  • Authorization
  • Auditing
  • Encryption
  • Digital Signature

This way developers don’t have to worry about coding the above functionality and can focus on business logic. And IT can administer policies for the above functions across all WebServices from one console.
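To make the earlier checkpoint analogy and this list of externalized functions concrete, here is an added sketch of a minimal policy enforcement point in Python. It is illustrative code written for this post, not Layer 7’s product or anything from the books or podcasts discussed; the shared secret, the entitlement table, the `<request operation="…">` message shape and the header names are constructed assumptions. It walks one XML message through the steps above: render and validate the stream (rejecting DTDs, oversized bodies and unexpected elements), authenticate the caller via an HMAC signature over the body, authorize the requested operation against an entitlement table, and append a “who did what” record to an audit trail. Encryption is left to the transport (TLS) or XML Encryption and is not shown.

```python
"""Minimal XML policy enforcement point (illustrative, not any vendor's product code)."""
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed demo values; a real gateway reads these from its key store and policy console.
SHARED_SECRET = b"demo-shared-secret"
ENTITLEMENTS = {"alice": {"GetQuote"}, "bob": {"GetQuote", "PlaceOrder"}}
ALLOWED_CHILDREN = {"GetQuote": {"symbol"}, "PlaceOrder": {"symbol", "quantity"}}
MAX_BODY_BYTES = 64 * 1024

AUDIT_LOG = []  # one record per message: who, what, and the decision, in arrival order


class PolicyViolation(Exception):
    """Raised with a short reason whenever a message fails a policy step."""


def sign_body(body: bytes, secret: bytes = SHARED_SECRET) -> str:
    """HMAC-SHA256 over the raw body; the consumer sends this alongside the XML (assumed header)."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def parse_and_validate(body: bytes) -> ET.Element:
    """Step 1: render the XML stream into a tree, rejecting anything outside the expected shape."""
    if len(body) > MAX_BODY_BYTES:
        raise PolicyViolation("body too large")
    # Refuse DTDs outright: entity declarations are the usual vehicle for expansion
    # and external-entity abuse, and a service request never needs them.
    if b"<!DOCTYPE" in body or b"<!ENTITY" in body:
        raise PolicyViolation("DTD/entity declarations not allowed")
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        raise PolicyViolation(f"malformed XML: {exc}") from None
    if root.tag != "request" or "operation" not in root.attrib:
        raise PolicyViolation("unexpected root element")
    operation = root.attrib["operation"]
    if operation not in ALLOWED_CHILDREN:
        raise PolicyViolation(f"unknown operation {operation!r}")
    # Lightweight stand-in for schema validation: only the expected child elements may appear.
    extra = {child.tag for child in root} - ALLOWED_CHILDREN[operation]
    if extra:
        raise PolicyViolation(f"unexpected elements {sorted(extra)}")
    return root


def authenticate(headers: dict, body: bytes) -> str:
    """Step 2a: identify the caller by checking the signature over the body."""
    principal = headers.get("principal")
    signature = headers.get("signature", "")
    if principal not in ENTITLEMENTS:
        raise PolicyViolation("unknown principal")
    # Constant-time comparison so a forged signature cannot be confirmed byte by byte.
    if not hmac.compare_digest(sign_body(body), signature):
        raise PolicyViolation("signature mismatch")
    return principal


def authorize(principal: str, operation: str) -> None:
    """Step 2b: check that the identified caller is entitled to this operation."""
    if operation not in ENTITLEMENTS[principal]:
        raise PolicyViolation(f"{principal} not entitled to {operation}")


def enforce(headers: dict, body: bytes) -> dict:
    """Run the policy steps in order and record the outcome in the audit trail."""
    record = {"principal": headers.get("principal"), "operation": None,
              "decision": "DENY", "reason": ""}
    try:
        root = parse_and_validate(body)
        record["operation"] = root.attrib["operation"]
        principal = authenticate(headers, body)
        authorize(principal, record["operation"])
        record["decision"] = "ALLOW"
    except PolicyViolation as exc:
        record["reason"] = str(exc)
    AUDIT_LOG.append(record)  # every decision, allowed or denied, is auditable
    return record


if __name__ == "__main__":
    body = b'<request operation="GetQuote"><symbol>ACME</symbol></request>'
    headers = {"principal": "alice", "signature": sign_body(body)}
    print(enforce(headers, body))                                  # ALLOW
    print(enforce(headers, body.replace(b"ACME", b"EVIL")))        # DENY: signature mismatch
    for entry in AUDIT_LOG:
        print(entry)
```

Two design choices are worth noting. The signature is computed over the raw bytes before any parsing, so a tampered body fails authentication rather than reaching the application; a production gateway would usually verify that signature before spending CPU on parsing at all, and would replace the child-element check with real schema validation. Every path through `enforce` ends in the audit log, which is what gives the auditors their single place to look.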

Furthermore, application servers are relieved of the CPU- and memory-intensive work of XML transformation, parsing and validation, so that your XML applications are accelerated.

Does the above require yet more IT headcount? Not at all: the easy-to-use GUI makes WebServices security and governance a cinch, and since the solution is available as software, a virtual machine or an appliance, installation is simple too.

Give it a whirl, here