SOA is often thought to introduce new challenges for security. But at the same time, it offers new ways of solving some old security problems.
This is one of a series of lenses (in preparation) on Service Engineering.
This is one of a series of lenses (in preparation) on Service Engineering.
How SOA affects security
Service-orientation affects security in (at least) four key ways.
Increased automation and decreased latency By making computer to computer automation the de facto method of business transaction, there is great potential for finding and exploiting loopholes before they are closed. When processes are automated, business processes can fail for unforeseen reasons that automation actually exacerbates. Web services take the level of automation much further, and consequently the potential risk.
Self-service business design With web services, consumers and providers need to be treated asymmetrically, the provider needs to identify users - the consumer needs to identify providers and each party to the exchange needs to operate on highly defensive principles. And as web services consumers and providers are implemented as automated exchanges between computers the principles of defensive components is highly relevant. A technical viewpoint might be that providing consumers are authorized, the service may be provided.
In this litigious age, we also need to be acutely aware of corporate liability. Does a consumer have the authority to enter into a specific transaction? Are there complementary business transactions in place that take authentication beyond simple identification?
Dynamic policy-driven operation Run time behavioral change driven by business rules allows dynamic change and potentially much more flexibility of business process. Collaborations with third party web services introduce elements that are not completely under the control of the primary transacting organization.
Federated security The essence of an SOA is composition and orchestration of multiple services, which requires security context to be shared between collaborating services, rather than independently organized.
Self-service business design With web services, consumers and providers need to be treated asymmetrically, the provider needs to identify users - the consumer needs to identify providers and each party to the exchange needs to operate on highly defensive principles. And as web services consumers and providers are implemented as automated exchanges between computers the principles of defensive components is highly relevant. A technical viewpoint might be that providing consumers are authorized, the service may be provided.
In this litigious age, we also need to be acutely aware of corporate liability. Does a consumer have the authority to enter into a specific transaction? Are there complementary business transactions in place that take authentication beyond simple identification?
Dynamic policy-driven operation Run time behavioral change driven by business rules allows dynamic change and potentially much more flexibility of business process. Collaborations with third party web services introduce elements that are not completely under the control of the primary transacting organization.
Federated security The essence of an SOA is composition and orchestration of multiple services, which requires security context to be shared between collaborating services, rather than independently organized.
SOA Security Blogroll
- SOAPbox
- Selected posts on Service-Oriented Security by Richard Veryard
- 1 Raindrop
- Gunnar Peterson's loosely coupled thoughts on distributed systems, security, and software that runs on them.
- Mark O'Neill's Radio Weblog
- Blog by Mark O'Neill of Vordel, author of Web Services Security
- Trust and Security
- Trust and Security (formerly TrustBlog) Analysing trust and security in business relationships and systems. How people work and collaborate in an environment of trust and uncertainty.
Books on SOA Security
You choose !!!
Initial order was random - hopefully your votes will put these books into a useful ranking.
Securing Web Services with WS-Security
Demystifying WS-Security, WS-Policy, SAML, XML Sig more...0 points
Web Services Security and E-business
Many techniques, algorithms, protocols, and tools more...0 points
Secure E-Government Web Services
As e-government applications are coming of age, se more...0 points
Mobility, Security and Web Services
Technologies and Service-oriented Architectures fo more...0 points
Blog Posts from Google
- Security: A Major Imperative For A Service-Oriented Architecture ...
- The openness of a service-oriented architecture (SOA) creates unique security challenges. Learn how...
- PDF CHM Books: Security for Web Services and Service-Oriented ...
- Web services based on the eXtensible Markup Language (XML), the Simple Object Access Protocol (SOAP)...
- SOA helps Coast Guard navigate new tides of homeland security ...
- Did you know the movement of any ship headed toward US waters is tracked by an SOA-aware service run...
- The Ebooks Nest : Free Ebooks Download: Service-Oriented Software ...
- Some of those perspectives include: service-based concepts, modeling and documentation, service disc...
SOA Security
from Richard Veryard's SOA blog
Fetching RSS feed... please stand byTrust and Security Blog
Fetching RSS feed... please stand byTwitter Search
search "SOA security"
-
- WashDCTech_Jobs
- New #job: Java Engineer - SOA, XML, C++, Security Clearance #jobs #tech http://bit.ly/7OaVEU
-
- WashDCTech_Jobs
- New #job: SOA Security Specialist - TS/SCI with Full Scope Poly #jobs #tech http://bit.ly/7cYx2W
-
- WashDCHealthJob
- New #job: SOA Security Specialist - TS/SCI with Full Scope Poly #health #jobs #medical http://bit.ly/4JRmWL
-
- beet
- Conroy's filter just the beginning: http://www.zdnet.com.au/insight/security/soa/Conroy-s-filter-just-the-beginning #openinternet
-
- Cleared_Jobs_VA
- Security Clearance | SOA Architect - Raytheon - Arlington, Virginia http://bit.ly/5wNpMg #jobs #virginia
-
- internetcrimes
- internetcrimes.net Connecting SOA to the Cloud: Information Security... what? http://bit.ly/8c24ED computer forensics
-
- WebSphere_Edu
- New course: Advanced Configuration, Security, & Integration of DataPower SOA Appliances. Online course, no travel. http://ow.ly/Nxo8
-
- OnSoftware
- SOA developers are sometimes challenged by WAS security. Check WebSphere Application Server security zone: http://bit.ly/7vRmvx
-
-
-
- thesoanetwork
- #SOA Sun Microsystems Unveils Advanced Cloud Security Tools - Stockhouse http://bit.ly/66h5Pq
-
- Cleared_Jobs_MD
- Security Clearance | Java Engineer - SOA, XML, C++, Security Clearance - Cy.. http://bit.ly/7ENMYa #jobs #maryland
-
- Cleared_Jobs_DC
- Security Clearance | Senior Enterprise Architect, SOA Architect, SOA Developer, T.. http://bit.ly/7wBlIX #dc #jobs
-
- axway
- RT @ebizq: All About Trust: Achieving Identity Security Within SOA http://bit.ly/4DnQYD
-
- sftweetifier
- SOA Security Specialist #tweetifier #cl #sfbay #job #software http://bit.ly/5NLbim
-
- SanFran_TechJob
- New #job: SOA Security Specialist (Los Angeles) #jobs #tech http://bit.ly/5PNXsZ
-
- patentesquire
- soa: All About Trust: Achieving Identity Security Within SOA http://bit.ly/5mOQEf
-
- CloudBlogs
- #Cloud #CloudComputing All About Trust: Achieving Identity Security Within SOA http://url4.eu/wD8t
-
- ebizq
- All About Trust: Achieving Identity Security Within SOA http://bit.ly/4DnQYD
-
- WashDCTech_Jobs
- New #job: Java Engineer - SOA, XML, C++, Security Clearance #jobs #tech http://bit.ly/8dGIpY
automatically generated by Twitter
Explore related pages
Service Engineering- Service Engineering is the overall discipline of producing, consuming and managi...
- Service-Oriented Business Intelligence
- Service Engineering
- Service Engineering is the overall discipline of producing, consuming and managi...
