SOA Framework for Security, Policy and Compliance

Ideally, the SOA framework encompasses critical elements such as security, policy and compliance. This tutorial will begin by examining some of the problems that face IT organizations that are integrating "stovepipe" applications and data -- and that are attempting to secure shared services in a service-oriented architecture environment.

The SOA Framework and the Legacy Environment

Forward-thinking IT organizations must avoid engaging in hard coding (to facilitate integration and security, for example) within their legacy stovepipe environments. Manual changes must be made a thing of the past. And, instead of voiding the legacy environment, components ought to be leveraged for the SOA. A "leveraged" approach is essential in the majority of scenarios today in which taking down systems to do coding and redeployment is not an option. Because the information environments of today require non-stop, 24/7 operation; IT shops must be able to respond to this reality.

SOA Framework for Compliance

In the policy arena, there are many regulatory and certification requirements that organizations must comply with: regulations including Sarbanes-Oxley and the privacy rules associated with HIPAA. So how can we approach the challenge of this kind of compliance?

Within the traditional BEA Systems product set, there have always been very robust security mechanisms. But the challenge today is to secure heterogeneous environments. Merely securing the BEA environment is not enough. So how can we secure a disparate SOA environment as it comes together? Traditional answers to this question may have taken the form of single sign-on capability. But as BEA looked at the problem, it became clear that single sign-on provides only a piece of the solution.

SOA Framework for Security

The first step to solving this SOA security problem is having a robust security framework that is "pluggable" in all directions. Thus, BEA products offer a robust security framework that provides core services: things like authentication and authorization, auditing, role entitlement, credential mapping, key source, etc. This SOA framework can be leveraged, horizontally and vertically, to meet the mission of the program or the implementation. This means that we can plug in different, one-to-many authentication, auditing or authorization providers.

Leveraging the SOA Framework

Finally, let us consider the idea of leveraging the stores and the providers that reside in an environment. If one the systems is currently using LDAP and the other using Active Directory, it's important to be able to bring those in to leverage the environment and then have robust adjudication rules that take in multiple conditions from each of the many engines which are providers. This framework can also be horizontally leveraged, so it is possible to add additional services -- not just additional providers -- to it as security needs change.

For More Information

Learn how to secure and protect your SOA. Make sure your SOA framework is complete: download the free webinar, How Enterprises Can Leverage SOA to Share Information Securely.