SOA Made Easier

SOA made easier? In fact, it's possible with the right approach to managing policies for SOA security and compliance. While these areas do not contribute to the bottom line, they are not optional. Gaps in security or compliance coverage can cause substantial losses, for example from intellectual property theft, financial penalties, and litigation. As a result, it's essential to control the costs while minimizing the risks. With the wrong approach, this is a challenge.

Obstacles to SOA Made Easier: SOA Security and Compliance Risks and Costs

In many SOA deployments, the appropriate security and compliance experts create a "big book" of policies and hand these policies to the service developers, who then implement and enforce them for their specific services. This situation creates two problems. First, security and compliance are not the core competency of service developers. Consequently, the opportunity for inconsistencies in policy interpretation, and therefore in enforcement, across an SOA and its different services increases with the number of individuals responsible for applying policy. So there is considerable risk. Second, when policies are created and enforced service by service, there is an explosion of policy. The appropriate policy must be coded into each service—and when those services or policies change, every impacted service and policy needs to be updated. In other words, this approach requires a significant amount of time and effort to be spent creating and maintaining policies, adding to SOA costs. The result is the worst of both worlds: cost and risk.

There is another challenge as well: ensuring last-mile security. In theory, SOA consumers can access secured information only through points where security controls such as authentication and authorization are enforced. But sometimes, because of accidental or unexpected usage, or because of intentionally malicious hacking, SOA consumers manage to reach services holding sensitive information without going through the appropriate security enforcement point. This is called a "last-mile security breach"—added to the typical SOA risk of inconsistent policy enforcement or security gaps.

SOA Made Easier—with Central Policy Management, Distributed Enforcement

Managing policy in an SOA can be made easier, minimizing both risks and costs. The key is to separate the policy lifecycle from the service lifecycle: to allow the appropriate experts to create and control security and compliance policies centrally—and then deploy the policies at appropriate points of enforcement on the SOA network.
In the Actional architecture, experts such as security and compliance staff create and manage policies centrally and apply them for enforcement at the appropriate service endpoints on the network (shown as red circles in the architecture diagram). This is, in fact, the approach available with Progress® Actional® for Active Policy Enforcement. By putting policy into the hands of experts and centralizing it at the Actional management server level, Actional ensures that policy is applied consistently. In addition, this approach reduces IT costs. Service developers no longer code policy service by service. Experts create a policy with easy-to-use wizards and apply it at a high level, in a one-to-many fashion: to a business process (such as auditing all financial processes relevant to Sarbanes-Oxley compliance), to specified information (such as personal identities for European Union privacy laws), or by content or context in the SOA message (such as shipping destination in industries with restrictions on the countries to which they can export certain equipment). Because policies are independent of services, they can be changed when necessary, independently of the services, and re-deployed on the network without making changes to any of the services subject to those policies. Similarly, services can be changed without impact to the policies that govern them. That means that policies can be created and applied consistently and cost-effectively, both initially and when policies and services change.

Also Made Easier: Preventing Last-mile Security Breaches

Actional for Active Policy Management can also prevent last-mile security breaches with its trust zone capability. This ensures that SOA consumers attempting to access a security- or compliance-sensitive service without going through a policy enforcement point that has all the appropriate security controls will be rejected when they try to use those services.
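The following is an added illustrative model of the pattern described above (central policy management, distributed enforcement at service endpoints, and a trust zone that rejects last-mile bypass). It is not Actional product code and does not reproduce Actional's internals; the class names, the three sample policies (SOX audit by business process, EU privacy by data classification, export control by message content), the placeholder destination code "XX", the shared zone key and the HMAC-based enforcement token are all assumptions made for this sketch.

```python
"""Hypothetical sketch of central policy, distributed enforcement and a trust zone.
Not Actional's code: names, policies and the token scheme are constructed for illustration."""
import hmac
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

Message = Dict[str, object]
RESTRICTED_DESTINATIONS = {"XX"}  # constructed placeholder, not a real restricted country code


@dataclass
class Policy:
    """One centrally authored policy, selected one-to-many by process, data class or content."""
    name: str
    control: str                               # "audit", "authenticate" or "deny"
    process: Optional[str] = None              # applies to a business process
    classification: Optional[str] = None       # applies to a data classification
    content_match: Optional[Callable[[Message], bool]] = None  # applies by message content

    def applies_to(self, msg: Message) -> bool:
        if self.process and msg.get("process") != self.process:
            return False
        if self.classification and self.classification not in msg.get("classifications", ()):
            return False
        if self.content_match and not self.content_match(msg):
            return False
        return True


class PolicyServer:
    """Central store owned by security/compliance staff; services never embed policy."""
    def __init__(self) -> None:
        self.policies: List[Policy] = []

    def publish(self, policy: Policy) -> None:
        self.policies.append(policy)

    def retract(self, name: str) -> None:
        self.policies = [p for p in self.policies if p.name != name]


class EnforcementPoint:
    """Deployed in front of a service endpoint; pulls current policy and applies it."""
    def __init__(self, server: PolicyServer, zone_key: bytes) -> None:
        self.server = server
        self.zone_key = zone_key          # constructed shared secret with the trust zone
        self.audit_log: List[str] = []

    def _token(self, msg: Message) -> str:
        # Binds only the message id for brevity; a real scheme would cover more fields.
        return hmac.new(self.zone_key, str(msg["id"]).encode(), hashlib.sha256).hexdigest()

    def process(self, msg: Message) -> Message:
        for policy in self.server.policies:          # policy read at runtime, not coded in
            if not policy.applies_to(msg):
                continue
            if policy.control == "audit":
                self.audit_log.append(f"{policy.name}: {msg['id']}")
            elif policy.control == "authenticate" and not msg.get("principal"):
                raise PermissionError(f"{policy.name}: unauthenticated")
            elif policy.control == "deny":
                raise PermissionError(f"{policy.name}: denied")
        return {**msg, "enforcement_token": self._token(msg)}


class TrustZoneService:
    """The protected service: accepts only messages that passed an enforcement point."""
    def __init__(self, zone_key: bytes) -> None:
        self.zone_key = zone_key

    def handle(self, msg: Message) -> str:
        expected = hmac.new(self.zone_key, str(msg["id"]).encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(str(msg.get("enforcement_token", "")), expected):
            raise PermissionError("last-mile breach: bypassed enforcement point")
        return f"processed {msg['id']}"


def build_demo():
    server = PolicyServer()
    server.publish(Policy("sox-audit", "audit", process="financial-close"))
    server.publish(Policy("eu-privacy", "authenticate", classification="personal-identity"))
    server.publish(Policy("export-control", "deny",
                          content_match=lambda m: m.get("destination") in RESTRICTED_DESTINATIONS))
    key = b"constructed-zone-key"
    return server, EnforcementPoint(server, key), TrustZoneService(key)


def attempt(ep: EnforcementPoint, svc: TrustZoneService, msg: Message, via_ep: bool = True) -> str:
    try:
        return svc.handle(ep.process(msg) if via_ep else msg)
    except PermissionError as exc:
        return f"rejected: {exc}"


def run_demo() -> Dict[str, object]:
    """Constructed messages exercising each policy, the bypass case and a central policy change."""
    server, ep, svc = build_demo()
    results: Dict[str, object] = {}
    results["financial"] = attempt(ep, svc, {"id": "m1", "process": "financial-close", "classifications": ()})
    results["privacy_anon"] = attempt(ep, svc, {"id": "m2", "process": "hr", "classifications": ("personal-identity",)})
    export_msg = {"id": "m3", "process": "shipping", "classifications": (), "destination": "XX"}
    results["export"] = attempt(ep, svc, export_msg)
    results["bypass"] = attempt(ep, svc, {"id": "m4", "process": "financial-close", "classifications": ()}, via_ep=False)
    server.retract("export-control")  # policy changed centrally; the service is untouched
    results["export_after_change"] = attempt(ep, svc, export_msg)
    results["audit_entries"] = len(ep.audit_log)
    return results


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The point of the sketch is the separation of lifecycles: the three policies live only in the central store, the enforcement point reads them at request time, and retracting the export policy changes behaviour without editing the service. The trust-zone check shows why distributed enforcement alone is not enough: a caller that reaches the service directly carries no enforcement token and is rejected rather than served.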
For More Information on Making SOA Policy Enforcement Easier

For more information on the issues of enforcing SOA security and compliance policy—and how the architecture and capabilities of Actional for Active Policy Enforcement make these key aspects of SOA runtime governance simpler—listen to "SOA Security and Compliance: How to Avoid the Risks."

Secure Web Services with Actional for Active Policy Enforcement

Learn why SOA is made easier by separating the lifecycle for SOA policies from the lifecycle for services. Register to watch the on-demand webinar, "SOA Security and Compliance: How to Avoid the Risks."