
Business Transformation in Action

Joe McKendrick

Golden Rules of SOA Security: Stick to Standards


Web services security standards have been proliferating in recent years, but SOA security is still a murky area. Among standards, the brightest light is WS-Security. However, the most recent Evans Data Web services survey finds that only seven percent of companies have fully embraced WS-Security.

A new article in AjaxWorld Magazine describes the factors that should be considered in SOA security, pointing out that current integration tools are built for ease of use, but are disconnected from the nitty-gritty of security. As a result, "it's easy to develop a security solution that is over-engineered, complex, poor-performing, and possibly even insecure."

AjaxWorld makes these recommendations:

Plan ahead: Determine security requirements early in the process, not at the last minute. "From the beginning, you will need to determine what requirements may exist for authentication, authorization, integrity, non-repudiation, auditing, and confidentiality. Talk to your customers and end users and find out who will be levying security requirements."

Know your enterprise infrastructure: "Never architect in a vacuum or assume anything about the existing enterprise security infrastructure. Security-wise, there will undoubtedly be systems such as LDAP directory servers, policy servers, and Public Key Infrastructure (PKI), with which you will have to integrate."

Stick to standards: "Now that there are accepted standards - such as WS-Security and its associated token profiles used for identity propagation (WS-Security SAML Token Profile, WS-Security X.509 Token Profile, WS-Security Username Token Profile) - as well as emerging specifications in standards bodies (WS-SecureConversation, etc.), there should no longer be any reason to create a home-grown security messaging syntax."

Emphasize the flexibility of Web services: Web services will often "be called and used together in ways we may not always anticipate. ...focus on Web services transaction management, centralized auditing, and detailed, descriptive error handling."
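As an added illustration of the Username Token Profile named under "Stick to standards" (example code written for this post, not taken from the AjaxWorld article or any product), the Python below builds a wsse:UsernameToken PasswordDigest exactly as the profile defines it and shows the server-side checks a receiver needs before accepting one: user lookup, Created timestamp freshness, a nonce replay cache, and a constant-time digest comparison. The USERS table and the 300-second skew window are assumptions.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timezone

# Constructed sample credential store (hypothetical; a real service would look this up in LDAP, etc.).
USERS = {"alice": "s3cret-pass"}
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def make_username_token(user, password, nonce=None, created=None):
    """Build the fields of a wsse:UsernameToken using the profile's PasswordDigest:
    Base64(SHA-1(nonce + created + password)). SHA-1 is what the profile mandates."""
    nonce = nonce or os.urandom(16)
    created = created or datetime.now(timezone.utc).strftime(TS_FMT)
    digest = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return {
        "Username": user,
        "Nonce": base64.b64encode(nonce).decode(),
        "Created": created,
        "PasswordDigest": base64.b64encode(digest).decode(),
    }


def verify_username_token(tok, seen_nonces, now_iso=None, max_skew=300):
    """Server-side check: known user, fresh Created timestamp, unused nonce,
    and a digest matching what we recompute from the stored password.
    seen_nonces is the caller's replay cache (a set shared across requests)."""
    password = USERS.get(tok.get("Username"))
    if password is None:
        return False
    try:
        created = datetime.strptime(tok["Created"], TS_FMT).replace(tzinfo=timezone.utc)
        nonce = base64.b64decode(tok["Nonce"], validate=True)
        presented = base64.b64decode(tok["PasswordDigest"], validate=True)
    except (KeyError, ValueError):
        return False
    now = (datetime.strptime(now_iso, TS_FMT).replace(tzinfo=timezone.utc)
           if now_iso else datetime.now(timezone.utc))
    if abs((now - created).total_seconds()) > max_skew:
        return False            # stale or far-future token
    if nonce in seen_nonces:
        return False            # replay of an already-accepted token
    expected = hashlib.sha1(nonce + tok["Created"].encode() + password.encode()).digest()
    if not hmac.compare_digest(expected, presented):
        return False
    seen_nonces.add(nonce)      # record the nonce only once the token is fully verified
    return True
```

The digest only obscures the password in transit; the profile still expects the message to travel over a confidential channel, and the nonce cache is what actually stops a captured token from being reused.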

1 Comment

That's funny - I wrote that article for SOA/Web Services Journal - but it doesn't mention the author on AjaxWorld. I guess since SYS-CON owns both of them, but still - I figured they would list the author!

In this blog (formerly known as "SOA in Action"), Joe McKendrick examines how BPM and related business and IT approaches can promote business transformation.

Joe McKendrick

Joe McKendrick is an author and independent analyst who tracks the impact of information technology on management and markets.
