Tuesday, May 24, 2005

SOA Security

Service-orientation affects security in (at least) four key ways.

Increased automation and decreased latency. By making computer-to-computer automation the de facto method of business transaction, there is great potential for loopholes to be found and exploited before they are closed. Automated business processes can fail for unforeseen reasons, and the automation itself exacerbates the failure. Web services take the level of automation much further, and with it the potential risk.

Self-service business design. With web services, consumers and providers must be treated asymmetrically: the provider needs to identify its users, the consumer needs to identify its providers, and each party to the exchange needs to operate on highly defensive principles. And since web service consumers and providers are implemented as automated exchanges between computers, the principle of defensive components is highly relevant. A technical viewpoint might be that, provided consumers are authorized, the service may be provided.

In this litigious age, we also need to be acutely aware of corporate liability. Does a consumer have the authority to enter into a specific transaction? Are there complementary business transactions in place that take authentication beyond simple identification?

Dynamic policy-driven operation. Run-time behavioural change driven by business rules allows dynamic change and potentially much more flexibility of business process. Collaborations with third-party web services introduce elements that are not completely under the control of the primary transacting organization.

Federated security. The essence of an SOA is composition and orchestration of multiple services, which requires security context to be shared between collaborating services, rather than independently organized.
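As an added illustration (not part of the original post) of a shared security context in a composed service: an orchestrator propagates one issuer-signed context to each collaborating provider, and every provider verifies the signature, issuer and expiry and checks authorization for itself rather than trusting the caller. The token format, the issuer name and the HMAC key are assumptions constructed for this demo.

```python
import hmac, hashlib, json, time, base64

# Constructed demo key; in a real federation each service would hold a registered
# key for every trusted issuer (assumption, not the post's design).
ISSUER_KEYS = {"idp.example": b"constructed-demo-key"}

def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_context(issuer, subject, roles, ttl=300, now=None):
    """Issue a signed security context: claims JSON + HMAC (assumed format)."""
    now = time.time() if now is None else now
    claims = {"iss": issuer, "sub": subject, "roles": sorted(roles), "exp": now + ttl}
    body = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(ISSUER_KEYS[issuer], body, hashlib.sha256).digest()
    return b64(body) + "." + b64(sig)

def verify_context(token, now=None):
    """Defensive check done by each service: parse, trusted issuer, signature, expiry."""
    now = time.time() if now is None else now
    try:
        body_b64, sig_b64 = token.split(".")
        body, sig = unb64(body_b64), unb64(sig_b64)
        claims = json.loads(body)
    except ValueError:  # covers malformed base64 and JSON
        return None
    key = ISSUER_KEYS.get(claims.get("iss")) if isinstance(claims, dict) else None
    if key is None:
        return None
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), sig):
        return None
    if claims.get("exp", 0) <= now:
        return None
    return claims

def provide_service(name, required_role, token, now=None):
    """A provider: serve only if the context verifies and grants the needed role."""
    claims = verify_context(token, now)
    if claims is None or required_role not in claims.get("roles", []):
        return (name, "denied")
    return (name, "ok:" + claims["sub"])

def orchestrate(token, now=None):
    """Composition: the same context reaches every collaborating service,
    and each one re-verifies it instead of trusting the orchestrator."""
    return [provide_service("inventory", "reader", token, now),
            provide_service("billing", "purchaser", token, now)]
```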
