Managing Web Services Policies

Managing Web services policies—especially in the areas of security and compliance—is difficult. Security and compliance are inherently complex, and that complexity increases when policies must be defined and applied consistently across an SOA.

Difficulties of Managing Web Services Policies for Security and Compliance

There are many kinds of security including authorization, authentication, encryption, and digital signature. Similarly, there are many differing regulations, many of which leave no room for deviation without penalties. For example, Sarbanes-Oxley requires that all steps in certain financial processes be audited.

On top of these inherent difficulties, in an SOA business process, different services executing on heterogeneous platforms may have different security requirements, requiring mediation, and a service may be subject to even more differing requirements if it is reused in more than one business process. What's more, security and compliance may apply to processes or specific information (such as personal identities) or depend on context, such as denying shipments to restricted countries.

Managing Web Services Policies for Security and Compliance: Costs and Risks

Yet in many SOA deployments, the developers or service owners in charge of creating the various services in the SOA environment are also responsible for coding the security and compliance policies related to their services. Security and compliance are, obviously, far from their core competency—adding time and costs and preventing an SOA from realizing its optimal agility.

Just as important, with these non-experts responsible for interpreting the security and compliance policies related to their own specific services, there is a risk that policies are interpreted and enforced inconsistently throughout the entire SOA—as well as a risk of something falling through the cracks.

In addition, when policies are enforced on a service-by-service level, the result is a large number of policies to worry about. And when policies or services change, developers must go back and recode each of the services individually—further increasing time and costs. In other words, defining and applying security and compliance policies at the service level results in the worst of both worlds: increased risk—of policy inconsistencies or gaps—and high IT costs.

Since strict, consistent enforcement of SOA security and SOA compliance policies is a critical component of SOA governance at runtime, what is the solution?

The Key to Consistent—and Cost-Effective—Web Services Policy Management

The key to thorough—and cost-effective—SOA security and SOA compliance management is to separate the policy lifecycle from the service lifecycle—centralizing policy management and putting it into the hands of the appropriate experts. These specialists can then apply policy to the relevant distributed points on the SOA network where it needs to be enforced without having to know all the details of individual services. This means that they can change policy independently of the services—and redeploy it on the network without having to change the services. And services can be changed (for example, for versioning) without having to re-code or re-apply policy.

Actional for Active Policy Enforcement enables experts to centrally manage security and compliance policies and enforce them on the network.

In addition to reducing security and compliance risks, this solution also reduces costs. It decreases the amount of service and policy coding and re-coding exponentially and removes the burden of this work from service developers, allowing them to be more productive in development work, their core competency.

In fact, this is the solution offered in Progress® Actional® for Active Policy Enforcement. This product enables security and compliance officers to create policy and apply it at key SOA network endpoints, both to overall business processes and to types of information (such as personal identities)—to ensure complete, consistent enforcement of security and compliance policy throughout the SOA.

For More Information on Effectively Managing Web Services Policy

For an in-depth understanding of the challenges of applying security and compliance to Web services or an SOA, listen to "SOA Security and Compliance: How to Avoid the Risks."

Learn How To Make SOA Easier

Find out what you need to consistently enforce security and compliance policy in your SOA—and why you need it. Register to watch the On-Demand Webinar, "SOA Security and Compliance: How to Avoid The Risks."
