Menu
SOA security: good enough and getting better

SOA security: good enough and getting better

Forrester Research SOA expert Randy Heffner discusses how to establish an iterative design process for evolving your SOA security architecture that considers your current and future security requirements.

3.Select the Products that will Provide Your Core SOA Security Functions. Many functions within an SOA security solution, such as performing authentication using WS-Security headers, can be performed by multiple product types in different product categories. Your design process will have to consider each option, assess the trade-offs, and select one product (or a coordinated set of products) to provide the core functions for SOA security. Key product categories that might contribute to your SOA security solution include: SOA appliances, SOA management solutions, enterprise service buses, SOA security servers, application servers, security token servers, entitlements management servers, and identity and access management solutions.

4.Configure and Integrate Products to Work Together. It's likely that you will have multiple products that perform a given SOA security function, and the products will have to be integrated to work coherently together. Much of this integration may be done with product configuration options (e.g., configuring an SOA appliance to delegate authentication to a particular single sign-on product), but it may require building integration components using product programming interfaces.

5.Fill in the Holes with Frameworks. After the product integration is done, it may be useful to build helper frameworks for application developers so that they will not have to write security code within their SOA-based applications.

Forrester recommends using an iterative process for two primary reasons. First, typically not all applications need all of your security requirements; initial applications may be able to do with a lighter-weight pass on building your SOA security solution, while later applications require you to fill in your solution with additional features. Second, each time you make a pass through, you will learn more about how to build the most effective SOA security solution with the pieces that you have.

SOA leaders are still paving the road for the rest to follow. For some organizations, there may be a business scenario where advanced security has a high value. Such organizations can justify the cost of building advanced SOA security solutions. These leaders will, along the way, help solidify industry specifications and help vendors mature their products. If your organization is one with immediate needs for advanced SOA security, there are many available products and standards to build on, but proceed with caution: You should build extra time into project plans for prototyping, product debugging, and performance and scalability testing.

Randy Heffner is a Vice President at Forrester Research, serving Enterprise Architecture professionals. He is a leading expert on architectures and design approaches for building enterprise applications that are secure and resilient in the face of continuous business and technology change.

Do you Tweet? Follow everything from CIO.com on Twitter @CIOonline.

Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags SOA

More about etworkForrester Research

Show Comments
[]