
SOA Security


Security remains one of the core cross-cutting concerns in integrated SOA governance.  One of the key roles of any integrated SOA governance solution is to ensure that services are delivered and accessed securely according to enterprise security policies.

SOA Software’s Workbench™ and Service Manager™ offer the most extensive security features and partner integration in the industry today.

  • Workbench and Service Manager are the only WS-Security products that offer certified integration with Netegrity and Tivoli
  • The products integrate with LDAP, Active Directory and other security solutions
  • They deliver authentication and authorization of WS consumers
  • The products provide authentication and authorization across multiple domains and assure security for WS consumers from third parties
  • They integrate with common PKI solutions including Microsoft Certificate Lifecycle Manager
  • They provide extensive key management and automated distribution capabilities
  • The products deliver an audit trail for security policy enforcement and implementation actions

This integrated SOA governance solution is managed and monitored through SOA Software’s Console, offering a complete and flexible management solution.  The Service Manager also offers powerful integration capabilities, allowing it to be managed as part of existing operations and security management frameworks like Tivoli Enterprise Console and HP OpenView.

The advent of Web Services and the use of XML to facilitate business transactions across the firewall have re-opened the security holes that firewalls originally closed after the advent of the Internet.  While an essential business driver, Web services also represent the soft underbelly of the enterprise and require new protection approaches and technologies.

Over the last few years many enterprises have implemented strong centralized security policies. The inherently distributed nature of Web services presents a challenge for security policy implementation.  Enterprises need new technology solutions that extend security policy enforcement to Web services networks.  It is critical that enterprises are able to define policy centrally in systems where enforcement and enablement are distributed by definition.

XML and Web services Security Considerations

Integration with existing systems – Most large enterprises have already deployed at least one, and in many cases several, security and identity management solutions.  It is clearly impractical to build yet another security or identity management system, so the Web services network must be able to leverage any existing infrastructures such as LDAP directories, Access Management solutions like Tivoli Access Manager and Netegrity SiteMinder, and Public Key Infrastructure solutions.

Firewall Installations – Web services and XML present a threat that is not addressed by traditional firewall solutions.  The Web services management fabric must integrate tightly with the existing firewall solutions to deliver a seamless security solution.

Authentication/authorization – One of the most important aspects of any security solution is its ability to offer a wide variety of different authentication and authorization models.  The emerging mechanism for Web services is SAML, but many existing enterprise Access Management systems either don’t support SAML, or won’t interoperate with the many different Web services platforms available.  It is essential that enterprises implement a Web services management fabric that supports a wide variety of authentication and authorization mechanisms, and can transform messages to act as a gateway between security solutions.

Security across multiple domains – Given that one of the core goals of Web services is to facilitate business transactions across enterprise boundaries, any serious Web services deployment must implement some form of federated identity management solution.  WS-Federation is one of the likely contenders to deliver a standards-based framework, but today Web services need to be able to deliver a solid trust infrastructure to allow cross-enterprise trusted SAML.

Encryption/PKI/Signatures – Web services and XML have built-in methods for integrity and non-repudiation using XML Encryption and XML Signature.  Any serious Web services management solution must include a strong XKMS-compliant key management system and ideally a way of generating its own public/private key pairs.  The solution must also be able to act as a proxy to sign and encrypt documents and elements on behalf of users, consumers and providers.

Auditing/Regulatory compliance – The last leg of a comprehensive security solution is a powerful auditing solution that facilitates capturing transaction and security information to ensure regulatory compliance.