Service orientation is about agility. Without a resulting agility, there is
no point of doing SOA. Unfortunately, enterprise SOA infrastructure
initiatives sometimes fail in part because its security mechanisms and
processes demolish any agility that was built into the SOA itself. This
happens when security is an afterthought. Simple barriers are good for
security but they can easily become preventers of agility.
When security fails to maintain agility, one of following two possible
consequences seems to emerge. The first is a failure of the corporate SOA
initiative – without agility, the SOA fails to provide value. The second is
when users of the SOA infrastructure work around the security mechanisms and
processes to restore the needed agility. Holes are poked in the barriers
themselves to accomplish what is needed – this is obviously dangerous and
non productive.... (more)
Imagine a fresh business relationship between ACME Corporation and Partner.
As a result of this relationship, ACME wants to grant Partner limited access
to one of its core internal applications. They do this, naturally, by
exposing a Web service.
Why Identity Federation?
Boris (an employee at Partner) sends a SOAP request to the ACME Web service
along with some password or proof-of-possession type credentials. Because
Boris's identity is managed outside of ACME, those credentials cannot be
authenticated using ACME's authentication infrastructure.
To circumvent this issue, one cou... (more)
The WS Secure Conversation specification describes a mechanism letting
multiple parties establish a context (using the WS Trust Request Security
Token standard) and secure subsequent SOAP exchanges. Each WS Secure
Conversation session has an associated shared secret. Instead of using this
shared secret directly to sign and encrypt the conversation's messages,
symmetric keys are derived from the secret itself. Deriving new keys for each
message and different keys for signature and encryption limits the amount of
data that an attacker can analyze in attempting to compromise the con... (more)
In the article "The importance of threat protection for restful web
services", I presented a number of content-based threats for XML. When
protecting an endpoint from XML based attacks, not only are payloads scanned
for code injections, malicious entity declarations and parser attacks, XML
documents are actually validated against strict schemas that clearly describe
expected document structures. Enforcing this type of compliance at the edge,
in a SOA gateway for example, minimizes the risk of attacks of the Web
service endpoint. Structure definition languages such as XML Schema ... (more)
It has been fascinating to witness how the use for SOA gateways evolved over
time. In 2010, we saw an explosion of market demand for our gateway appliance
product. Here are my thoughts for what I expect to see this year and beyond.
Recent use cases for these types of devices largely focused on B2B
interactions and internal enterprise integration. Many enterprise architects
realized the benefits of using the lightweight ESB-in-a-box deployment model
and gateway-based integration. I don’t think we’ve hit the peak of this
type of use case. I expect the demand for quickly deployed int... (more)