Wednesday, December 27, 2006
Service Oriented Architectures and Security
At a recent conference, folks from Sonic Software indicated that support for XACML was on their roadmap, yet their Chief Technology Evangelist, David A. Chappell, never talks about it. I wonder why? I also searched the blog of Annrai O'Toole looking for similar insights into SOA and security and came up blank. Ignoring for a moment, he is of the belief that research reports are complete, but later on acknowledges that many open source players are missing, yet doesn't believe that anything is wrong with them being left out. I wonder if this is because open source ESBs such as ServiceMix may have better security postures than closed source ESBs. Maybe he will not only demand but amplify the need for industry analysts to include both closed source proprietary and open source product offerings in their research reports. Maybe not...
Likewise, I understand how Appliances help ease integration in SOA. Integration is more than just a problem of moving around data to support business processes; security is also crucial. Every enterprise going down this path should ask themselves the following questions:
- How should integration appliances play within my common security realm? Should they support SAML and/or WS-Federation along with identity propagation?
- As a business process involves multiple tiers and architectures, how do I ensure that authorization is consistently applied? Should the appliance support XACML policy?
- If integration involves sensitive data, how do I protect data as it travels over the wire? Can it leverage standards-based PKI approaches?
- Auditing is crucial in terms of business processes and may even be part of your enterprise SoX controls. Should the appliance support a common logging standard? How should it play with vendors such as LogLogic?
- Identity is the key to SOA. Shouldn't ESBs in general and SOA in particular incorporate the notion of identity as a pervasive goal?
I wonder what Dana Blankenhorn, Denise Howell, Mitch Ratcliffe, Phil Becker, Joe McKendrick, and Ronan Bradley's perspectives are on SOA and security?