Eric Roch
The Service Oriented Architecture (SOA) Blog
by Eric Roch  (Chief Technologist)

 

SOA Security

Eric Roch  (Chief Technologist) posted 8/1/2007 | Comments (0)
Using SSL (TLS) for Web Services Security

The article excerpted below points out the complexities of implementing SOA security using the web services security standards. It is, however, important to note that since externally facing web services typically use the HTTP(S) transport, one can use Transport Layer Security (TLS) for transport-level encryption and authentication; Secure Sockets Layer (SSL) is the predecessor to TLS.

With TLS, typically only the server is authenticated. With mutual authentication, however, both ends of the conversation are authenticated. Mutual authentication requires a Public Key Infrastructure (PKI). If you have few trading partners this is not much of a hurdle: you can have your partners buy a digital certificate from a recognized Certificate Authority (CA) like VeriSign. If you have many (hundreds), you should consider setting up your own CA.

You can also pass more granular credentials (like a user id and password) in the encrypted messages that can be used to integrate with your internal security system.

This roll-your-own security is fairly simple, but you do give up the long-term benefits of standardization and cannot use more advanced features such as federated security.

If you go the standards route, security appliances (like IBM's DataPower) are elegant solutions that support the layered security concept: a new security layer for web services and XML, with a single secure path through the firewall. These devices also provide threat protection against malicious XML. This is a good route if you have many unanticipated users of your web services.

SOA SECURITY: ONE TREACHEROUS JOURNEY …

Web services have always been sold as a way to share data among organizations: An enterprise can selectively open internal systems to customers, partners, and suppliers, automating transactions that once required human intervention. While most businesses have so far steered clear, keeping Web services tucked safely behind the firewall, the growth of service-oriented architecture and the emergence of Web 2.0 look set to change that.

Will the rewards be worth the risks of exposing internal services to the Web? It's not helping that interoperability woes are exacerbated by the immaturity of SOA security standards. To lock down a large Web services network involving multiple enterprises, everyone must agree on technologies, even security policies: There's no use demanding that your employees use biometrics and physical tokens if a partner's staff accesses the system with weak passwords.

As Chief Technologist and National Practice Director for SOA with Perficient, Inc., I get the opportunity to work with a lot of customers implementing SOA. See my bio page for my contact information or just post a comment if you want to talk about your SOA projects.
