SOA is often thought to introduce new challenges for security. But at the same time, it offers new ways of solving some old security problems.
This is one of a series of lenses (in preparation) on Service Engineering.
This is one of a series of lenses (in preparation) on Service Engineering.
How SOA affects security
Service-orientation affects security in (at least) four key ways.
Increased automation and decreased latency By making computer to computer automation the de facto method of business transaction, there is great potential for finding and exploiting loopholes before they are closed. When processes are automated, business processes can fail for unforeseen reasons that automation actually exacerbates. Web services take the level of automation much further, and consequently the potential risk.
Self-service business design With web services, consumers and providers need to be treated asymmetrically, the provider needs to identify users - the consumer needs to identify providers and each party to the exchange needs to operate on highly defensive principles. And as web services consumers and providers are implemented as automated exchanges between computers the principles of defensive components is highly relevant. A technical viewpoint might be that providing consumers are authorized, the service may be provided.
In this litigious age, we also need to be acutely aware of corporate liability. Does a consumer have the authority to enter into a specific transaction? Are there complementary business transactions in place that take authentication beyond simple identification?
Dynamic policy-driven operation Run time behavioral change driven by business rules allows dynamic change and potentially much more flexibility of business process. Collaborations with third party web services introduce elements that are not completely under the control of the primary transacting organization.
Federated security The essence of an SOA is composition and orchestration of multiple services, which requires security context to be shared between collaborating services, rather than independently organized.
Self-service business design With web services, consumers and providers need to be treated asymmetrically, the provider needs to identify users - the consumer needs to identify providers and each party to the exchange needs to operate on highly defensive principles. And as web services consumers and providers are implemented as automated exchanges between computers the principles of defensive components is highly relevant. A technical viewpoint might be that providing consumers are authorized, the service may be provided.
In this litigious age, we also need to be acutely aware of corporate liability. Does a consumer have the authority to enter into a specific transaction? Are there complementary business transactions in place that take authentication beyond simple identification?
Dynamic policy-driven operation Run time behavioral change driven by business rules allows dynamic change and potentially much more flexibility of business process. Collaborations with third party web services introduce elements that are not completely under the control of the primary transacting organization.
Federated security The essence of an SOA is composition and orchestration of multiple services, which requires security context to be shared between collaborating services, rather than independently organized.
SOA Security Blogroll
- SOAPbox
- Selected posts on Service-Oriented Security by Richard Veryard
- 1 Raindrop
- Gunnar Peterson's loosely coupled thoughts on distributed systems, security, and software that runs on them.
- Mark O'Neill's Radio Weblog
- Blog by Mark O'Neill of Vordel, author of Web Services Security
- Trust and Security
- Trust and Security (formerly TrustBlog) Analysing trust and security in business relationships and systems. How people work and collaborate in an environment of trust and uncertainty.
Books on SOA Security
You choose !!!
Initial order was random - hopefully your votes will put these books into a useful ranking.
Securing Web Services with WS-Security
Demystifying WS-Security, WS-Policy, SAML, XML Sig more...0 points
Web Services Security and E-business
Many techniques, algorithms, protocols, and tools more...0 points
Secure E-Government Web Services
As e-government applications are coming of age, se more...0 points
Mobility, Security and Web Services
Technologies and Service-oriented Architectures fo more...0 points
Blog Posts from Google
- What is the best free web mail service on earth? | SOA Governance ...
- 4 Comments on "What is the best free web mail service on earth?" orangesky on Fri, 8th Jan 2010 7:03...
- do any body know any good web or net dectective online services ...
- Subscribe to SOA Governance ? Service Oriented Architecture ? SOA Business ? SOA Design ? SO...
- Best free web hosting service?
- wut is the best free web hosting service?
- Would you agree to unlimited liability just to host your web site ...
- I am looking for a web host that has a terms of service agreement that I can live with. Having spent...
New Guestbook
submit
-
Reply
- boxer888 boxer888 Jan 6, 2010 @ 3:40 am
- Keep up the good work, its not that common to always find information that is useful, but you have done a great job, here's some free information for your readers cold sores remedies
SOA Security
from Richard Veryard's SOA blog
Fetching RSS feed... please stand byTrust and Security Blog
Fetching RSS feed... please stand byTwitter Search
search "SOA security"
-
- jondaly1976
- WSJ.com - Obama Orders Security Fix http://on.wsj.com/8VlWgr. Maybe an SOA platform that connects processes, information and operations?
-
- TonyBaer
- Nat'l #security agencies can't connect dots because of all-too-familiar people, process & integration issues http://bit.ly/7prjRr #SOA #BPM
-
- SpecialAgentOso
- Security Clearance: SAIC looking for SOA Senior Solutions Architect Other http://bit.ly/8KS4Cg
-
- MatrixSystems
- Mainframe updates and predictions for 2010 #CICS #Database #SOA #DoJ #DB2 #Security http://ow.ly/TPAG
-
- Cleared_Jobs_MD
- Security Clearance | Java Engineer - SOA, XML, C++, Security Clearance - Cy.. http://bit.ly/7L13MR #jobs #maryland
-
- WashDCHealthJob
- New #job: SOA Security Specialist - TS/SCI with Full Scope Poly #health #jobs #medical http://bit.ly/5giRAo
-
- proactivedefend
- News Update: SOA Security - SOA is one of the latest technologies enterprises are using to tame their software cost... http://ow.ly/16hDVm
-
- jamescarr
- @aaronfreeman eh, I wouldn't say SOA and ESB themselves are job security, just lots of crappy implementations.
-
- aaronfreeman
- @jamescarr that's the whole point of ESB. It's job security. Just like SOA.
-
- pekkapuhakka
- Soa security and enterprise mashups: http://bit.ly/5b1t9F - Ian Tomlin's Blog / #Soa #mashup
-
- BaltmoreHethJob
- New #job: SOA Security Specialist - TS/SCI with Full Scope Poly #health #jobs #medical http://bit.ly/5KHWfJ
-
- ClearanceJobsVA
- Security Clearance: CACI Internatonal looking for SOA Architect Other http://bit.ly/7zdn8e
-
- researchnetwork
- Why traditional security doesn't work for SOA - http://ow.ly/SyFP
-
- TechOrangeOCJob
- New #job: SOA Security Specialist #jobs #tech http://bit.ly/4zqvTb
-
- Cleared_Jobs_DC
- Security Clearance | SOA Architect - Trilogy Technical Services - Washington, D.C. http://bit.ly/81kQlN #dc #jobs
-
- rohanpinto
- RT @layer7: Why traditional security doesn't work for SOA. (via Chris Clark) http://ow.ly/SFxi
-
- layer7
- Why traditional security doesn't work for SOA. (via Chris Clark) http://ow.ly/SFxi
-
- WashDCTech_Jobs
- New #job: Java Engineer - SOA, XML, C++, Security Clearance #jobs #tech http://bit.ly/88ct2L
-
- meneer
- RT @prabath: Security - A major imperative for a SOA http://twurl.nl/g3v8qu
-
- prabath
- Security - A major imperative for a SOA http://twurl.nl/g3v8qu
automatically generated by Twitter
Explore related pages
Service-Based Business- A business process can be understood as a network of services. A service-based b...
- Service Engineering
- Service Engineering is the overall discipline of producing, consuming and managi...
- SOA Adoption
- This lens is about the adoption of Service-Oriented Architecture (SOA).
- Service-Oriented Business Intelligence
- Service Engineering
- Service Engineering is the overall discipline of producing, consuming and managi...
