SOA Security

The evolution towards service-oriented architecture as the main application development and integration model for large enterprises promises great rewards in agility and cost saving, but along with these rewards come increased security risks in several areas:

Message Security – Standards-based service interactions are one of the main benefit drivers in SOA.  They also introduce increased risk, because a well-architected system will have no room for “security by obscurity”.  The standards community has made great strides in producing specifications to ensure sender and provider authenticity and authorization, and message privacy and non-repudiation.  It is now up to service platform providers and service and consumer developers to take advantage of these standards to ensure the security of their applications and data.

Interface Security – One of the goals of SOA is to create reusable business services.  These services are often created by taking data or business logic from existing applications and exposing it as a service.  This means taking data or logic that was buried within an application and making it accessible, and in the process exposing it to potential threats.

Security Infrastructure – The move towards enterprise SOA involves the deployment of new infrastructure solutions including registry/repository, policy management, and service management, amongst others.  Each of these solutions must comply with existing enterprise security policies, or the solutions designed to ensure the security of enterprise applications can themselves become potential attack points.

SOA Software’s Service Manager provides a platform-independent, policy-driven SOA security solution to ensure that all service providers enforce uniform, appropriate policies that are implemented by all service consumers across all distributed and mainframe platforms throughout the enterprise.  It provides fully featured agents to ensure last-mile security, a standalone intermediary for network-based policy enforcement and virtualization, and a client-side delegate for first-mile policy implementation.

  • Authentication – Service Manager provides comprehensive message, consumer and end user authentication with support for all common token types including Basic Auth, SAML, X.509, Kerberos, XML-Signature, and HTTPS.  It provides a security token server for Identity Federation and token exchange, offering a SAML authority as part of this capability.
  • Authorization – Service Manager offers powerful service authorization capabilities, supporting XACML as well as native integrations with most common enterprise security policy management solutions.
  • Privacy – Service Manager has full support for XML-Encryption in both raw XML and WS-Security forms supporting both encryption and decryption to ensure the privacy of messages.
  • Non-repudiation – Service Manager offers full support for raw XML and WS-Security compliant XML-Signature and signature verification to ensure message authenticity and non-repudiation.
  • PKI – Policy Manager provides comprehensive public and private key pair management, CRL checking, and certificate management.

SOA Software’s products implement all of the latest standards including comprehensive support for WS-Security, XML-Signature, XML-Encryption, SAML, XACML, and many others.  Service Manager integrates seamlessly with most common enterprise security solutions to maximize investment in existing systems and ensure consistent application of existing enterprise security policies.  It supports:

  • Identity and Access Management Systems – Service Manager integrates with most common IDM solutions to federate their authentication and authorization policies and processes throughout an SOA.
  • Enterprise Directories – Service Manager integrates with common enterprise directories including Microsoft Active Directory and other LDAPv3 compliant solutions.  It acts as a security token and policy server, delegating authentication decisions to the directories and using existing group memberships to drive role-based authorization decisions.
  • Security Appliances – Service Manager can provide policies for services secured by common appliances (such as IBM DataPower) and monitor service usage and performance for these services.
  • PKI – Service Manager provides its own built-in PKI solution with a fully featured Certificate Authority.  It also integrates with existing PKI solutions, providing key distribution and verification.