Strategies for Heterogeneous Environments
Endpoints are where applications consume or provide a service, or, more simply, where they need to share data. Security becomes harder when various policy and configuration mechanisms are in place, when multiple security and trust domains are employed, and when identity-based rather than role-based authorization is used, Newcomer said. These scenarios are common in broad, heterogeneous environments. "When hosted services, software as a service and cloud computing come into the picture and services are both inside and outside the company and you have to access external services, the situations get more complex because services can be anywhere on the Internet, running on any platform, hosted by anyone," Newcomer said. "You want to set up something that recognizes various formats" such as user name tokens, he said.

A key strategy Iona recommends is the use of EISPs (Enterprise Integration Security Patterns). An EISP is a collection of patterns for security integration between disparate middleware technologies. There are three basic patterns: Message Protection, Token Propagation and Token Mediation.

In the Message Protection pattern, an intermediary forms a trusted point for protocol bridging, Newcomer said. All messages sent to and from the intermediary are cryptographically protected, using any of several technologies including TLS (Transport Layer Security), WS-Security and GSS (Generic Security Services) Kerberos. The pattern protects the messages themselves, however; no client identity information is propagated to the services behind the intermediary. To compensate, developers can carry identity information inside their application messages.

The Token Propagation pattern replicates credential information, such as user names and passwords, across tiers, Newcomer said. The Token Mediation pattern instead has the intermediary exchange inbound security tokens at a Security Token Service (STS), such as one implementing WS-Trust, for tokens the downstream tier accepts.
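The difference between the Token Propagation and Token Mediation patterns is easiest to see in code. The following is an added example, not Iona's code or anything from Newcomer's talk: a toy intermediary that either copies an inbound user name token downstream (propagation) or exchanges it at a minimal Security Token Service for a signed, audience-scoped, short-lived token (mediation), and a downstream service that shows what each tier ends up seeing. The credential store, the HMAC-signed token format and the shared STS key are all assumptions made for the example; a real STS would speak WS-Trust and issue standard tokens such as SAML assertions.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample input: a user name token as it might arrive at the intermediary.
INBOUND_USERNAME_TOKEN = {"username": "alice", "password": "s3cret"}

# Hypothetical credential store consulted by the STS. A production store would use a
# slow password hash (argon2, scrypt, bcrypt); SHA-256 is used here only to keep the
# example dependency-free.
USER_DB = {"alice": hashlib.sha256(b"s3cret").hexdigest()}

# Assumption: a key shared out of band between the STS and the downstream services.
STS_KEY = b"sts-signing-key-32-bytes-minimum!"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sts_issue(username_token: dict, audience: str, ttl: int = 300, now=None):
    """Token Mediation, STS side: validate the inbound user name token and issue a
    signed token bound to one audience with an expiry. Returns None on bad credentials."""
    now = time.time() if now is None else now
    user = username_token.get("username")
    supplied = hashlib.sha256(username_token.get("password", "").encode()).hexdigest()
    stored = USER_DB.get(user)
    if stored is None or not hmac.compare_digest(stored, supplied):
        return None
    claims = {"sub": user, "aud": audience, "exp": int(now) + ttl}
    payload = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(STS_KEY, payload.encode(), hashlib.sha256).digest())
    return payload + "." + sig


def verify_token(token: str, audience: str, now=None):
    """Downstream side: check signature, audience and expiry. Returns claims or None."""
    now = time.time() if now is None else now
    try:
        payload, sig = token.split(".")
    except ValueError:
        return None
    expected = _b64(hmac.new(STS_KEY, payload.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(expected, sig):
        return None
    claims = json.loads(_unb64(payload))
    if claims.get("aud") != audience or claims.get("exp", 0) < now:
        return None
    return claims


def propagate(username_token: dict) -> dict:
    """Token Propagation: the intermediary copies the inbound credential into the
    outbound message, so every downstream tier receives the user's password."""
    return dict(username_token)


def mediate(username_token: dict, audience: str, now=None):
    """Token Mediation: the intermediary exchanges the inbound credential at the STS
    and forwards only the issued token; the password stops at the edge."""
    return sts_issue(username_token, audience, now=now)


def downstream_handle(message, audience: str, now=None):
    """A downstream service accepting either message shape. The return value records
    which identity it established and whether the raw password reached it."""
    if isinstance(message, dict):
        return {"identity": message["username"], "saw_password": "password" in message}
    claims = verify_token(message, audience, now=now)
    if claims is None:
        return None
    return {"identity": claims["sub"], "saw_password": False}


if __name__ == "__main__":
    print("propagation:", downstream_handle(propagate(INBOUND_USERNAME_TOKEN), "orders"))
    token = mediate(INBOUND_USERNAME_TOKEN, "orders")
    print("mediation:  ", downstream_handle(token, "orders"))
    print("wrong audience:", downstream_handle(token, "billing"))
```

With propagation the downstream service authenticates the user but also holds a reusable password; with mediation it holds only a token that is useless against any other audience and dies after five minutes, which is the property that makes mediation the safer default once services live outside a single trust domain.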
Newcomer said all three patterns enhance security in heterogeneous SOA environments and are more or less useful depending on the situation. Iona offers its own Iona Security Framework, a stand-alone application that supports single sign-on in distributed, heterogeneous environments and delivers distributed access control.

Enterprises therefore need a clear strategy for handling multiple security credentials in a heterogeneous SOA environment, he said.