Service-oriented architecture (SOA) is rapidly gaining adoption in enterprises worldwide. Data and applications that were once silos are now being exposed as services across departments and organizations. This poses unique challenges in securing and governing data exchange. While security has traditionally been an IT domain, SOA governance encompasses the business domain by extending security to include organizational policies and practices. How do you mature your SOA to account for security and governance? What are the standards and specifications in XML security today, and how do they work with each other? What are the important considerations for SOA governance? How do you implement these in a scalable way without sacrificing performance and maintainability? This article attempts to answer these questions.
Let's examine a few applications of SOA. Consider supply chain management. You have scenarios of manufacturers, retailers, and consumers interacting with each other using numerous systems and applications, mostly over the Internet. An SOA is an ideal enabler of such loosely coupled interactions. An integral part of an enterprise-grade SOA is the application of security services and governance policies in the various layers of communication between trading partners.
When a customer places an order at a retailer's Website, it is readily apparent that the order transaction must be secure. However, there is more to it than meets the eye. The retailer's order fulfillment applications should involve interactions with inventory management systems. Once the order is ready to be shipped, the retailer interacts with a shipping trading partner, and the customer should be provided with services to monitor the order's status. Each of these interactions would need security implementation at the application layers and, generally, the transport protocol layer as well. Moreover, organizations must set up and manage various policies: Who owns the data? Who is responsible for its veracity? How do departments and trading partners share their data? This is what SOA governance is all about.
These interactions bring up requirements similar to a customer placing an order on a Website. Security must be enforced in several layers during the message exchanges between these two trading partners, and policies must be established to govern the services.
Another use-case is a manufacturer's product development lifecycle. This process may or may not involve external trading partners, but typically, a large manufacturer has several departments participating in the production of a single finished product. SOA delivers the benefits of reuse and agile development even in scenarios where the manufacturer is not involved with external partners; and, you guessed it, the same security and policy requirements manifest themselves here.
The security requirements common to these scenarios include:
Other security requirements such as single sign-on (SSO) have become important due to the proliferation of silos of identity information across applications. Threat prevention has also evolved as another important security requirement for excluding bad data (spyware, malware, etc.).