BALTIMORE-SOA security gets more complex in the world of hosted services, cloud computing and software as a service. But approaches and specifications like Enterprise Integration Security Patterns, Web Services-Policy and Web Services-Security help alleviate some of the complexity.
In a keynote at the Web Services Security & SOA Conference and Expo here, Eric Newcomer, chief technology officer at Iona Technologies, said SOA is often deployed in heterogeneous environments where services abstract business logic from the underlying technology.
However, security federation is required to overcome the complexity and challenges of emerging heterogeneous systems in order to bridge domains and apply single sign-on opportunities, he said.
Moreover, the WS-Policy specification can be used as a bridge, “but care must be taken in publishing” services under this specification, Newcomer said.
WS-Policy provides a framework for describing the capabilities and requirements of a Web service. It can be used by Web service providers to configure and set requirements, and by Web service consumers to select alternatives that satisfy a producer’s requirements.
However, there are some “gaps” in the WS-Policy specification, Newcomer said. For instance, some security policies-such as the specification of key material-are not defined in the specification. And WS-Policy applications tend to be oriented toward SOAP (Simple Object Access Protocol) and HTTP as opposed to other types of protocols, he said. “Esoteric bindings and protocols require proprietary extensions,” he said.
Hal Lockhart, an engineer who works in the office of the CTO at Oracle’s BEA and is active in various OASIS groups, observed, “My attitude toward WS-Policy is it’s probably good enough to go out and use and get some field experience and see what works and what doesn’t.”
However, he said, “WS-Security provides you with a lot of options and flexibility-more possibilities to protect data and also use it for complex e-commerce scenarios to handle more complexity…”
Newcomer said Iona has some customers that “have been doing SOA for eight years now, starting with CORBA and now doing Web services.”
The company now has more than 1,000 Web services and is beginning to look at opportunities in hosted services, SAAS (software as a service) and cloud computing, and the security requirements involved. “Our business is helping companies with heterogeneous computing environments,” Newcomer said.
But several questions arise when it comes to securing such environments, such as how to best supply security for multiple middleware types in an application technology mixture where services exist at the endpoints.
Strategies for Heterogeneous Environments
Endpoints are where applications consume or provide a service, or, more simply, where they need to share data. The issue of security is further complicated when various policy and configuration mechanisms are in place, when multiple security and trust domains are employed, and when identity versus role-based authorization is used, Newcomer said. These widespread scenarios often occur in broad, heterogeneous environments.
“When hosted services, software as a service and cloud computing come into the picture and services are both inside and outside the company and you have to access external services, the situations get more complex because services can be anywhere on the Internet, running on any platform, hosted by anyone,” Newcomer said.
So enterprises need a good strategy for handling multiple security credentials in a heterogeneous SOA environment, he said.
“You want to set up something that recognizes various formats” such as user name tokens, he said.
A key strategy Iona recommends is the use of EISPs (Enterprise Integration Security Patterns). An EISP is a collection of patterns for security integration between disparate middleware technologies. There are three basic patterns: Message Protection, Token Propagation and Token Mediation.
The Message Protection pattern is where an intermediate forms a trusted point for protocol bridging, Newcomer said. In this scenario, all messages sent to and from the intermediate are cryptographically protected and can use a variety of technologies including TLS (Transport Layer Security), WS-Security and GSS (Generic Security Services) Kerberos. However, no client identity information is propagated. To mitigate this, developers can build identity information into their applications.
The Token Propagation pattern involves the replication of credential information, such as user names and passwords, across tiers, Newcomer said, while the Token Mediation pattern involves enabling an intermediate to exchange inbound security tokens via a Security Token Service such as Web Services-Trust.
Newcomer said all three patterns enhance security in heterogeneous SOA environments and are more or less useful depending on the situation.
Iona offers its own Iona Security Framework, which is a stand-alone application supporting single sign-on in distributed, heterogeneous environments and delivering distributed access control.