SOA Security (and Governance)
5th Oct 2016
Big Issues facing tech-savvy businesses
For any operation that relies on SOA (service oriented architecture) technology, security is a central concern, and there are many reasons why maintaining one's defenses is not merely preferable but necessary. In recent years the number of laws covering data security and data breaches has grown considerably. This matters especially if you offer services, or the use of applications within a framework, to individual clients or other organizations: they will often require that specific contractual security obligations are met, and those who fail to meet them may face substantial fines. Increasingly, emerging laws can also find a service provider in violation even when no formal contract exists.
The bottom line: when dealing with frameworks in which many parties access shared services (as in SOA), learn as much as you can about the security requirements and implement them as carefully as possible.
When you pull SOA apart and examine it, what you see is a collection of individual services, also referred to as applications or components. The rules governing how these components behave and interface with one another are the other part of an SOA system.
Previously Implemented Security Measures for Applications
Application security has traditionally been handled on a per-application basis: the security measures were written into the code of the application itself. The problem is that embedding security logic directly in an application creates a logistical nightmare for anyone trying to connect it to a larger system. Consider all the rules and exceptions that have to be written and then tested for every scenario, and then realize that this must be repeated for each and every application. Security code baked into an app also seriously hinders its ability to integrate with other apps, leaving you with an inflexible situation. Besides being expensive and time consuming, this approach is likely to hand attackers an entry point: each application enforces its rules slightly differently, and programmers facing such a tangle can easily overlook something critical.
The next step was to delegate security to the application containers instead. This was an improvement, but it still left developers with a hefty configuration burden. Then a further shift handed the 'security troubles' torch off to a separate group entirely, leaving developers free to concentrate on their own work. This marked the establishment of security gateways, which control all access to the services from a single enforcement point sitting between the callers and the hardware and networking resources they reach.
Network-based Security Measures & Governance
The modern trend in computing and infrastructure is to keep everything as 'networked' as possible. This not only allows security measures to operate more dynamically, it also gives them more capacity through the use of dedicated hardware. The current security systems operate like network gateways, ushering data and users from place to place according to established policies.
What are policies? There are policies built into languages and platforms, such as Java's, that dictate what kinds of actions a piece of code may perform. There are also policies that determine which users, or types of users, may access which applications. Enforcing these requires a control system that can accommodate and manage the full set of accounts (each with its own rules and policies) so that everything is clearly visible and properly segregated. To verify that the system is operating, it may be set up so that continuous feedback must be exchanged between the control system and critical service points; a service that fails to check in is recorded as a security breach rather than silently ignored.
This is an extension of the idea of 'governance', which seeks to give SOA the rules and tools needed to maintain security standards, together with the ability to record and compile logs of all activity for later review.
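As an added illustration (not code from the original post), the following Python sketch models the control system described above: a single gateway applies a default-deny access policy per service, expects critical services to check in within a heartbeat window and records a breach event when one goes silent, and writes every decision to one audit log that governance can review. The service names, roles, accounts and timestamps are constructed for the example.

```python
"""Policy-enforcing gateway with heartbeat monitoring and an audit log.

Added example, not code from the original post. All service names, roles,
accounts and timestamps below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Policy:
    # operation -> roles permitted to call it; anything not listed is denied
    allowed: Dict[str, Set[str]]


@dataclass
class Account:
    name: str
    roles: Set[str]


@dataclass
class AuditEvent:
    time: float
    account: Optional[str]
    service: str
    operation: str
    decision: str  # "ALLOW", "DENY" or "MISSING_HEARTBEAT"


class Gateway:
    """Single enforcement point in front of every service."""

    def __init__(self, heartbeat_timeout: float):
        self.policies: Dict[str, Policy] = {}
        self.accounts: Dict[str, Account] = {}
        self.last_heartbeat: Dict[str, float] = {}
        self.heartbeat_timeout = heartbeat_timeout
        self.audit: List[AuditEvent] = []

    def register_service(self, service: str, policy: Policy, now: float) -> None:
        self.policies[service] = policy
        self.last_heartbeat[service] = now

    def add_account(self, account: Account) -> None:
        self.accounts[account.name] = account

    def heartbeat(self, service: str, now: float) -> None:
        # A critical service reports in; the gateway remembers when.
        self.last_heartbeat[service] = now

    def authorize(self, account_name: str, service: str, operation: str, now: float) -> bool:
        """Default-deny check; every decision, allowed or not, is logged."""
        account = self.accounts.get(account_name)
        policy = self.policies.get(service)
        decision = "DENY"
        if account is not None and policy is not None:
            allowed_roles = policy.allowed.get(operation, set())
            if account.roles & allowed_roles:
                decision = "ALLOW"
        self.audit.append(AuditEvent(now, account_name, service, operation, decision))
        return decision == "ALLOW"

    def check_heartbeats(self, now: float) -> List[str]:
        """Return services silent longer than the timeout; each is logged as a breach."""
        silent = []
        for service, last in self.last_heartbeat.items():
            if now - last > self.heartbeat_timeout:
                silent.append(service)
                self.audit.append(AuditEvent(now, None, service, "heartbeat", "MISSING_HEARTBEAT"))
        return silent


def demo() -> Gateway:
    """Constructed scenario: two services, two accounts, one silent service."""
    gw = Gateway(heartbeat_timeout=30.0)
    gw.register_service("billing", Policy({"read_invoice": {"clerk", "auditor"},
                                           "issue_refund": {"clerk"}}), now=0.0)
    gw.register_service("hr", Policy({"read_record": {"hr_staff"}}), now=0.0)
    gw.add_account(Account("alice", {"clerk"}))
    gw.add_account(Account("bob", {"auditor"}))
    gw.authorize("alice", "billing", "issue_refund", now=5.0)    # allowed: clerk may refund
    gw.authorize("bob", "billing", "issue_refund", now=6.0)      # denied: auditor may not
    gw.authorize("bob", "hr", "read_record", now=7.0)            # denied: no hr_staff role
    gw.authorize("mallory", "billing", "read_invoice", now=8.0)  # denied: unknown account
    gw.heartbeat("billing", now=20.0)
    gw.check_heartbeats(now=45.0)  # hr last seen at 0.0 -> flagged; billing at 20.0 -> fine
    return gw


if __name__ == "__main__":
    for ev in demo().audit:
        print(f"{ev.time:5.1f} {ev.decision:17} account={ev.account} "
              f"service={ev.service} op={ev.operation}")
```

Run it directly to print the audit log. The point to notice is that a denied request and a missed heartbeat land in the same log, so reviewers have one place to look, and that nothing reaches a service without passing the policy check first.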
The ultimate purpose of governance
For anything to evolve it must be able to establish standards. Creating standards allows a preferable method, or set of methods, to be identified and applied consistently. Over time, as further breakthroughs and innovations appear, the standards can be adapted to incorporate the superior ideas, tools, methods, concepts and regulations. SOA in particular is a somewhat daunting area for developers to work in, in no small part because of the complexity surrounding security. Governance is the container in which SOA security standards continue to develop; through it a more stable security methodology can emerge.