Planning_and_Impleme.. - didier beck weblog
Planning_and_Impleme.. - didier beck weblog
Planning_and_Impleme.. - didier beck weblog
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
www.butlergroup.com<br />
<strong>Planning</strong> <strong>and</strong> <strong>Impleme</strong>nting SOA<br />
POLICY AND SECURITY IN A SOA ENVIRONMENT<br />
CATALYST<br />
As the concept of services becomes more widely accepted, it will become increasingly important to<br />
consider some of the security requirements surrounding them – especially to gain wider acceptance of<br />
SOA. Simply restricting access to authorised personnel via st<strong>and</strong>ard access control mechanisms becomes<br />
impossible in a service-oriented environment, <strong>and</strong> new st<strong>and</strong>ards are starting to evolve here.<br />
SUMMARY<br />
The use of policies allows abstraction of concepts to a higher level, simplifying<br />
creation <strong>and</strong> maintenance.<br />
Security issues for SOA are more complex than in older architectures.<br />
St<strong>and</strong>ards for SOA security <strong>and</strong> policy are starting to mature, <strong>and</strong> interoperability is<br />
improving.<br />
ANALYSIS<br />
In static architectures <strong>and</strong> application development, one of the key aspects is that it is possible to hard-wire<br />
the security. In creating a SOA with loosely-coupled components, it will be necessary to look at how security<br />
needs to be defined <strong>and</strong> managed for that type of architecture. The same applies for other policies – in the<br />
older architectural styles, there is the ability to implement policy at the design level. That ability is not there<br />
within a SOA. Here it will be necessary to ensure that the message flows that pass through those<br />
architectures actually access <strong>and</strong> interact with the declared policies at the right points within the<br />
architecture. This is a far more complex management infrastructure, but one that is balanced by a far more<br />
usable <strong>and</strong> far more relevant application infrastructure.<br />
The use of policies allows abstraction of concepts such as security to a<br />
higher level, simplifying creation <strong>and</strong> maintenance.<br />
Policies help to ensure compliance with organisational objectives; at the highest level these are likely to be<br />
highly business-related, <strong>and</strong> tend to cover people-related issues such as “projects must comply with internal<br />
design <strong>and</strong> architecture guidelines”, or generically, that all IT projects are subject to reviews for security <strong>and</strong><br />
regulatory compliance.<br />
Today, policies are already there in most computing infrastructures, it is just<br />
that, where relevant, they tend to be hard coded <strong>and</strong> explicitly defined. An<br />
example of a security-related policy is ‘passwords must be eight characters<br />
long’ – this implies that there must be code embedded in each application to<br />
check that this is the case. This is not practical in SOA – policies must be<br />
specified <strong>and</strong> managed at the infrastructure level. Policies can relate to other<br />
areas including management <strong>and</strong> monitoring.<br />
Policies could represent more specific regulatory compliance issues; for<br />
example, in the healthcare industry patient’s personal identifiable information<br />
must be communicated <strong>and</strong> stored securely (in order to comply with the US<br />
Health Insurance Portability <strong>and</strong> Accountability Act (HIPAA) legislation). In the<br />
business sector, all financial transactions must provide traceability <strong>and</strong><br />
tamper-proof mechanisms for m<strong>and</strong>atory audit records (to meet with<br />
Sarbanes-Oxley <strong>and</strong> Basel II regulations).<br />
Policies could<br />
represent more<br />
specific regulatory<br />
compliance issues; for<br />
example, in the<br />
healthcare industry<br />
patient’s personal<br />
identifiable<br />
information must be<br />
communicated <strong>and</strong><br />
stored securely...<br />
December 2006 Section 1: SOA Deployment 19