BALTIMORE-SOA security gets more complex in the world of hosted services, cloud computing and software as a service. But approaches and specifications like Enterprise Integration Security Patterns, Web Services-Policy and Web Services-Security help alleviate some of the complexity.
In a keynote at the Web Services Security & SOA Conference and Expo here, Eric Newcomer, chief technology officer at Iona Technologies, said SOA is often deployed in heterogeneous environments where services abstract business logic from the underlying technology.
However, security federation is required to overcome the complexity and challenges of emerging heterogeneous systems in order to bridge domains and apply single sign-on opportunities, he said.
Moreover, the WS-Policy specification can be used as a bridge, "but care must be taken in publishing" services under this specification, Newcomer said.
WS-Policy provides a framework for describing the capabilities and requirements of a Web service. It can be used by Web service providers to configure and set requirements, and by Web service consumers to select alternatives that satisfy a producer's requirements.
However, there are some "gaps" in the WS-Policy specification, Newcomer said. For instance, some security policies-such as the specification of key material-are not defined in the specification. And WS-Policy applications tend to be oriented toward SOAP (Simple Object Access Protocol) and HTTP as opposed to other types of protocols, he said. "Esoteric bindings and protocols require proprietary extensions," he said.
Hal Lockhart, an engineer who works in the office of the CTO at Oracle's BEA and is active in various OASIS groups, observed, "My attitude toward WS-Policy is it's probably good enough to go out and use and get some field experience and see what works and what doesn't."
However, he said, "WS-Security provides you with a lot of options and flexibility-more possibilities to protect data and also use it for complex e-commerce scenarios to handle more complexity..."
Newcomer said Iona has some customers that "have been doing SOA for eight years now, starting with CORBA and now doing Web services."
The company now has more than 1,000 Web services and is beginning to look at opportunities in hosted services, SAAS (software as a service) and cloud computing, and the security requirements involved. "Our business is helping companies with heterogeneous computing environments," Newcomer said.
But several questions arise when it comes to securing such environments, such as how to best supply security for multiple middleware types in an application technology mixture where services exist at the endpoints.