Joe McKendrick, ebizQ's SOA in Action Blogger, is a nationally published author and consultant
with deep knowledge and insights regarding trends and developments in
the technology industry. He is a contributing editor to a number of
national and international publications and Websites including
Database Trends & Applications, ZDNet, and Webservices.Org. He also
serves as analyst for Evans Data Corp., and is lead analyst for Evans'
Web services and enterprise development management issues surveys.
SOA in Action Blog
October 31, 2006

Golden Rules of SOA Security: Stick to Standards

Web services security standards have been proliferating in recent years, but SOA security is still a murky area. Among standards, the brightest light is WS-Security. However, the most recent Evans Data Web services survey finds that only seven percent of companies have fully embraced WS-Security.

A new article in AjaxWorld Magazine describes the factors that should be considered in SOA security, pointing out that current integration tools are built for ease of use, but are disconnected from the nitty-gritty of security. As a result, "it's easy to develop a security solution that is over-engineered, complex, poor-performing, and possibly even insecure."

AjaxWorld makes these recommendations:

Plan ahead: Determine security requirements early in the process, not at the last minute. "From the beginning, you will need to determine what requirements may exist for authentication, authorization, integrity, non-repudiation, auditing, and confidentiality. Talk to your customers and end users and find out who will be levying security requirements."

Know your enterprise infrastructure: "Never architect in a vacuum or assume anything about the existing enterprise security infrastructure. Security-wise, there will undoubtedly be systems such as LDAP directory servers, policy servers, and Public Key Infrastructure (PKI), with which you will have to integrate."

Stick to standards: "Now that there are accepted standards - such as WS-Security and its associated token profiles used for identity propagation (WS-Security SAML Token Profile, WS-Security X.509 Token Profile, WS-Security Username Token Profile) - as well as emerging specifications in standards bodies (WS-SecureConversation, etc.), there should no longer be any reason to create a home-grown security messaging syntax."
Emphasize the flexibility of Web services: Web services will often "be called and used together in ways we may not always anticipate. ...focus on Web services transaction management, centralized auditing, and detailed, descriptive error handling."

Posted by joemckendrick in SOA

That's funny - I wrote that article for SOA/Web Services Journal - but it doesn't mention the author on AjaxWorld. I guess since SYS-CON owns both of them, but still - I figured they would list the author!

Posted by: Kevin T. Smith at February 14, 2007 08:04 AM
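The WS-Security Username Token Profile named in the post's "stick to standards" recommendation, as an added example that is not from the original post or the AjaxWorld article: a profile-conformant wsse:Security header is built on the client side and verified on the service side, including the freshness and replay checks that the profile's Nonce and Created elements exist to support. The user name, password and credential store are constructed assumptions.

```python
"""Client-side build and server-side verification of a WS-Security UsernameToken
(PasswordDigest form): PasswordDigest = Base64(SHA-1(nonce_bytes + Created + password))."""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
PASSWORDS = {"alice": "s3cret-pass"}  # constructed credential store (hypothetical user)
SEEN_NONCES = set()  # replay cache; a real service bounds it by the Created window


def make_digest(nonce_b64, created, password):
    raw = base64.b64decode(nonce_b64) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()


def build_header(user, password, nonce_b64, created):
    """Client side: a profile-conformant wsse:Security header (constructed sample)."""
    return (f'<wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}"><wsse:UsernameToken>'
            f'<wsse:Username>{user}</wsse:Username>'
            f'<wsse:Password Type="{DIGEST}">{make_digest(nonce_b64, created, password)}</wsse:Password>'
            f'<wsse:Nonce>{nonce_b64}</wsse:Nonce><wsu:Created>{created}</wsu:Created>'
            '</wsse:UsernameToken></wsse:Security>')


def _utc(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def verify_username_token(header_xml, now, max_skew=timedelta(minutes=5)):
    """Server side: return the authenticated username, or None if the token is rejected."""
    tok = ET.fromstring(header_xml).find(f"{{{WSSE}}}UsernameToken")
    if tok is None:
        return None
    user = tok.findtext(f"{{{WSSE}}}Username")
    pw = tok.find(f"{{{WSSE}}}Password")
    nonce = tok.findtext(f"{{{WSSE}}}Nonce")
    created = tok.findtext(f"{{{WSU}}}Created")
    if None in (user, pw, nonce, created) or pw.get("Type") != DIGEST:
        return None  # incomplete token or a plaintext password: reject
    if abs(_utc(now) - _utc(created)) > max_skew or nonce in SEEN_NONCES:
        return None  # stale Created timestamp or a replayed nonce
    expected = make_digest(nonce, created, PASSWORDS.get(user, ""))
    if user not in PASSWORDS or not hmac.compare_digest(expected, pw.text or ""):
        return None
    SEEN_NONCES.add(nonce)
    return user
```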