Thursday, March 15, 2007
SOA and Enterprise Security
Industry analysts at the high-level talk about how SOA can help an enterprise security agenda but haven't provided much detail as to what security services (other than high level classification) should be provided...
Many industry analysts connect SOA with security with a lack of detail. SOA is really an approach that allows IT resources to be delivered in a more consumable fashion, something that we dont look to do with security. Many folks believe the connection between the two is at a lower level.
In order to be able to deploy a SOA an enterprise needs to have an infrastructure that is open standards based with a consistent infrastructure and IT applications that are removed from that infrastructure and accessable via web services among other things. When this is accomplished, enterprises receive a benefit of being able to establish consistent and uniform policies and procedures across their IT organization. It is here where the connection to Security comes into play. If you create an IT environment in which you can use a SOA approach that same environement can be used to improve Security. Things like user-centric identity, single signon, on and off boarding employees, asset management, etc.. become easier.
It would be interesting though if industry analysts started providing more detail in terms of what others are thinking instead of keeping it at a high level. Noted Industry Analyst James Governor of Redmonk talked about the notion of a Compliance-Oriented Architecture which describes the concept at a level consumable by managers. Wouldn't it be interesting if him and others took it down a level by exposing what the WSDL should contain?
I wonder if bloggers such as Pat Patterson, Gunnar Peterson, Todd Biske, JP Morgenthal, Shekhar Jha, Sameer Tyagi, Bob Blakely, James Kobielus, Eric Newcomer, Mark O'Neill or Michael Howard have any thoughts on the details that they would be willing to share?
| | View blog reactionsMany industry analysts connect SOA with security with a lack of detail. SOA is really an approach that allows IT resources to be delivered in a more consumable fashion, something that we dont look to do with security. Many folks believe the connection between the two is at a lower level.
In order to be able to deploy a SOA an enterprise needs to have an infrastructure that is open standards based with a consistent infrastructure and IT applications that are removed from that infrastructure and accessable via web services among other things. When this is accomplished, enterprises receive a benefit of being able to establish consistent and uniform policies and procedures across their IT organization. It is here where the connection to Security comes into play. If you create an IT environment in which you can use a SOA approach that same environement can be used to improve Security. Things like user-centric identity, single signon, on and off boarding employees, asset management, etc.. become easier.
It would be interesting though if industry analysts started providing more detail in terms of what others are thinking instead of keeping it at a high level. Noted Industry Analyst James Governor of Redmonk talked about the notion of a Compliance-Oriented Architecture which describes the concept at a level consumable by managers. Wouldn't it be interesting if him and others took it down a level by exposing what the WSDL should contain?
I wonder if bloggers such as Pat Patterson, Gunnar Peterson, Todd Biske, JP Morgenthal, Shekhar Jha, Sameer Tyagi, Bob Blakely, James Kobielus, Eric Newcomer, Mark O'Neill or Michael Howard have any thoughts on the details that they would be willing to share?
