SOA in Action Blog

Joe McKendrick

Transcript: Q&A with Dr. Raj Nagaratnam, IBM's SOA Security Expert


JM: Hello, this is Joe McKendrick, contributor to ebizQ and the SOA in Action website. I’m pleased to be joined today by Dr. Raj Nagaratnam, IBM distinguished engineer and chief architect, Identity and SOA Security. SOA security is a hot topic these days, and companies are just starting to kind of get their arms around exactly how they can secure their emerging SOA implementations. Raj is going to talk about what he’s seeing out there in the field and some of the steps we can take to better secure our SOA implementations. Welcome, Raj.

RN: Thanks Joe.

JM: Okay. Well, to start off, can you tell us a bit about your role with IBM? What types of work do you do with your customers?

RN: Sure. I’m the chief architect for SOA Security and Identity Management. As part of that role, I lead IBM’s technical strategy in SOA security and identity, so this includes product directions, technical architecture, open standards, as well as working with customers on developing solutions. So as part of this, I frequently work with our customers in enabling them to succeed in their business.

This could be about how they protect their business information, efficiently manage identity, or maintain compliance objectives. So I work with them at a technical architecture level, as well as to educate them and help them design their solutions using, for example, IBM products and technologies.

JM: It sounds like you’re one busy guy, and you certainly have an increasingly important role to play in securing our organizations and our SOAs. From what you see, are organizations paying enough attention to SOA security? I mean, there’s a perception out there that we’re really in the early stages of SOA and that security is something that is important but really isn’t something that needs to be focused on until things get rolling. What kind of attention do you see being paid to SOA security?

RN: Sure. So before I get specifically into SOA security, one general trend I see is that organizations are starting to pay more attention to security, partly driven by their need to address compliance, protect data and information assets, or help their business transformation. So whether it is enough depends on their risk assessment and the measures they put in place.

And in the context of SOA-based approaches, what they realize is that some of the security challenges become more prominent. They may be existing security challenges, but they become prominent. For example ...they had some control over their applications, infrastructure, and identity. But given that SOA enables a loosely coupled approach to services and reuse, what happens is that when they interact with partners, consumers, and providers, any assumptions they had about control are about to change. So most importantly, trust in the environment changes dramatically. So trust-based identification and identity management is key. So, on the question of whether the perception is that security is something they worry about only after getting SOA going.

Actually, I find it a little different because, given that SOA is about this loose coupling, they immediately understand, and given the fact that it could be exposed to people or other organizations outside the company, they start to worry about security compared to other application approaches that they’ve done. So they actually start to look at security implementation and ask for solutions, so they seem to be more proactive about it, especially given the compliance needs and information protection needs.

JM: What you’re saying, then, is that the challenges around security that we’ve become familiar with over the past one or two decades have grown a little bit more complex. There’s more complexity, there are more systems, there are more, as you said, partners and outside factors that play in. Are the security solutions that we’re familiar with for traditional, I’ll call it traditional IT, enough for SOA, or does SOA require something different?

RN: SOA security challenges are similar, but SOA-based approaches place more emphasis on security. So for example, SOA can be adopted both from an intra-enterprise scenario perspective as well as inter-enterprise scenarios. So many of these services ultimately end up providing access to business information like financial records, medical information, or [0:02:48].

So in this context, some of the security challenges are the same, but the emphasis has become greater, so the main threats are to the information assets. Rather than talking about how they are the same or different, I would characterize five areas where there has been a significant change of emphasis in the patterns in which customers think.

Number one, trust and identity. I talked about how the assumptions around the controlled environment are changing. So the boundaries are expanding; therefore, managing trust becomes important. Applications are no longer within a firewall. So in that context, identities need to be trusted, mediated, and managed. For example, IBM Tivoli Federated Identity Manager helps manage trust and identities across organizational boundaries. That’s one.

Two, typically the notion of identity is synonymous with user. But in an SOA environment, it’s not limited to users alone but includes services themselves. Services start to have, or need to take on, identities themselves, because in a composite application environment, one service may invoke another service. So [0:06:00] a shipping service may be invoked by an order processing system. So in this context, services take on identities, so the life cycle of services as well as users needs to be taken into account when considering identity.

Third, there’s greater focus on application and information assets, because now the information that’s provided, like I said about medical records or financial information, could potentially be exposed outside. Protection measures need to apply to manage and enforce the data, both data in transit as well as data at rest. So this could be about protecting messages that go back and forth between the services, or access to the data itself, like data entitlements.

I mean, in that context, IBM has announced a new beta for a new product named “Tivoli Security Policy Manager”. It helps manage and enforce policies to both secure messages as well as data entitlements across a variety of application environments like WebSphere or DataPower Appliances, .NET, and others.

The fourth area, I would say, is compliance. [0:07:06] needs to be a key driver for the ability to know who accessed what, and who has access to what, and things like that, to provide audit reports such as for compliance. [0:07:17] needs to be important in an SOA environment. The challenge is that these audit reports and logs are not [0:07:22] the systems you control but could be in other systems. Effort becomes more important.

So Tivoli has an offering, IBM has an offering in our Tivoli Security Event and Information Manager, which handles and provides audit reports across [0:07:38] applications and information efforts. Then the fifth area, I would say -- and this is going to become more important and more prominent over time -- is the notion of composite applications.

Now, in the adoption of SOA, people are thinking about individual services and how to reuse them, but they’re moving to a model where multiple services could be composed. Traditionally, security measures were oriented towards a single application or a service. But when we compose these multiple technology services into business services, policies need to be managed at a very high level, not just at a technology level like the web service level but at a holistic business service level. The policy-driven approach is going to become more important, and there’s a lot more work to be done in this area.

JM: And what do you see as the main security threats? Do you see it as the well-known threat of hacking from outsiders, or is it more of an internal threat, unauthorized access by internal users, or perhaps even simple errors by internal users, or is there an issue with the applications themselves, a threat to potentially bring down applications? What do you see as the main concern organizations should have?

RN: That’s a good question. Traditional threats like you mentioned, like affecting business operations, like bringing down systems, affecting the IT infrastructure, like malicious code or unauthorized access to information and applications, will continue. I mean, in the sense that security is always a trade-off [0:09:08] against how to manage risk.

But in the context of SOA, I think what’s going to be a main threat, in the context of what gets more emphasized, is going to be around information assets. Because information can range from [0:09:21] information all the way to information about users, like employees or consumers. So it ranges from business-critical information, like data loss, all the way to privacy concerns.

So as SOA is adopted intra-enterprise and inter-enterprise, many of these services ultimately end up providing access to business information. Therefore, I think information security is definitely important, and in an SOA environment that is going to continue to have prominence while the traditional threats will continue.

And measures need to be put in place because in an SOA environment, from a concept perspective, you’re trying to link business to IT in the context of technologies like web services, messages, and XML. There are threats that need to be handled at the XML level [0:10:10], cross-site scripting and other threats at the HTTP protocol level, but there is going to be more emphasis on XML security that needs to be handled.

So there are definitely technology-driven, technology-oriented threats that will show up more with respect to vulnerabilities, but holistically speaking, from a business perspective, the threat to business is in the context of information assets.

JM: And a very important point you made throughout is the issue of trust, the fact that applications will be talking to applications as well as users addressing applications. Trust seems to be the keyword in all of this.

RN: Having trust is very important because in an SOA environment, the intent is to build services so that they could be reused without any assumptions about whether they are reused within an organization, outside an organization, or outside a company.

So the flexibility needs to be there. So the important thing is to [0:11:11] any security logic of these applications, so that trust and policies could be managed outside of the application logic. That will help manage trust in establishing trusted relationships and identity, who has access to services, and then have appropriate measures to ensure access to information and applications.

So, yeah, trust is going to play a big part. This way, trust could vary -- you may trust more within a company, saying it’s a controlled environment, it’s behind my firewall; therefore, the level of authentication and how I trust the credentials could be more flexible and maybe low assurance. But the moment you expose it to the outside, you may have additional measures that you put in place. It depends on the service, and the risk associated with that and the assurance needed have to be taken into account, and appropriate trust measures and trust enforcement put in place.

JM: Very important topics, and they’ll be increasingly important as we move forward with integrating our systems both internally and with outside partners. I want to thank Dr. Raj Nagaratnam, IBM distinguished engineer and chief architect, Identity and SOA Security for IBM. Thank you very much, Raj, for joining us today.

RN: Thanks Joe. Thanks for the opportunity to talk to you.

JM: Absolutely. And this was Joe McKendrick for ebizQ. Thank you very much for joining us today in this podcast.

Listen to or download the 12-minute podcast below:

Joe McKendrick is an author and independent analyst who tracks the impact of information technology on management and markets. Joe is also SOA community manager for ebizQ, and speaks frequently on Enterprise 2.0 and SOA topics at industry events and Webcasts. Joe also authors ZDNet's SOA blog. He also serves as lead analyst and author of Evans Data Corp.'s highly regarded bi-annual SOA/Web Services and Web 2.0 surveys. Joe writes a regular column for Database Trends & Applications, and has authored numerous research reports in partnership with Unisphere Research for user groups such as SHARE, Oracle Applications Users Group, and International DB2 Users Group. In a previous life, Joe served as director of the Administrative Management Society (AMS), an international professional association dedicated to advancing knowledge within the IT and business management fields.