Security

Is SOA ready to move from the whiteboards and into production IT? As you might have guessed, the answer remains a disappointing sort of. The issue comes down to tools and infrastructure, and the fact that only some SOA components are mature and easy to source. The application server market is largely commoditized and the world is awash with IDEs that automatically generate and deploy SOA components from new or legacy code. Given these two pieces, you can begin deploying services tomorrow.

This is fine until you need to scale, then the missing pieces in the puzzle will become apparent. Security, in particular, remains such an elusive piece. Secure SOA demands that there be a binding between identity and transactions. Thus, identity follows each transaction on its flow through a SOA network. This identity can be validated and authorized anywhere work is required, but it is here where the abstract boxes on the whiteboard face an awkward mapping onto real products.

In a perfect world, the infrastructure hosting a service would have the capability to mine every possible security token out of a SOA message. Unsername/password, x.509 certificates, SAML, Kerberos, REL - all of these can encapsulate an assertion about identity. Secure SOA infrastructure must validate and enforce these claims again continuously changing, centrally managed, trust relationships and entitlements.

Some application servers can do exactly that. However, there is one truism in SOA that stands against widespread adoption of this: SOA is about diversity. We move toward SOA because of the need to integrate. Services will inevitably reside on different infrastructures, which may offer radically differing levels of enforcement capability. A five-year-old Java application server does not have the same capacity to process Kerberos tokens from within a Web services message as does Windows Vista. Technology marches on. You have both, so what do you do?

There are really only two options. First is to attempt to insert a uniform security layer on every application server. This is the agent strategy. The theory is that every system with an agent installed will enforce security in the same way. Each agent retrieves security policies from a central location, so trust relationships and security directives are always up-to-date and consistent. Agents also interface with existing directories or access management systems. This allows the validation of security tokens, the enforcement of entitlements, and the leveraging of these valuable existing assets across the SOA network.

In theory, it sounds great. Central management, delegated enforcement, consistent applications at the service host - all are desirable qualities. In practice, however, it just does not scale well. Once again, diversity across infrastructure is the source of the problem. In a mixed world of Java application servers, Ruby on Rails, .NET systems, and legacy mainframes, agents must adopt a lowest common denominator approach, and their capabilities are necessarily truncated.

Even in a relatively vendor-homogeneous environment, version mismatches between servers and differing patch levels will cause manageability issues with agents. Indeed, there is a point at which agent management becomes a burdensome side effect. Real customers report that once they install around 18 agents, the overhead of administering these instances becomes unwieldy.

If you are still not convinced, ask yourself this question: Is it likely that all of the desktop PCs in your organization have personal firewalls installed and are operational? Does this mean you can drop your external firewalls and simply expose these desktops to the outside world? Of course not. No security officer would trust individual users to configure these adequately and the logistics to manage them centrally, with the assurance that the network as a whole would pass a security audit. Centrally controlled firewalls exist for a very good reason. They assert consistent, organization-wide safeguards that are impractical to enforce on a distributed basis.

Projecting this same practical insight onto the SOA model leads to the alternative approach to identity-based SOA. This architecture still features the centralized management of policies and trust, but does not attempt the baroque logistics of fully distributed enforcement. This second option is the SOA gateway model. Access to services is strictly managed by clusters of security gateways, administered by a central authority and its delegates. These provide a consistent application of policy, leverage existing identity management assets, but scale effectively because they are autonomous units that do not have to co-reside with application servers. Essentially, they become the security gatekeepers to services.

It is important to recognize that this strategy does not advocate that you build simple castle wall architectures. That is only a single line of defense, with nothing guarding individual applications. Instead, this is an opportunity to implement a true, application-oriented defense-in-depth strategy, where zones of trust are finely grained and strictly enforced. In the former, if the wall is breached, pretty much all is lost as there is nothing to protect the individual application. In contrast, if a zone falls in the latter, the damage is contained within that perimeter and leaving the zone is as challenging as entering it.

The point is the perfect world where all SOA applications would be equally secure and centrally manageable may never exist. What we need today is a security model decoupled from applications, but financially and transactionally scalable - an SOA that can be deployed more ubiquitously than a simple front door, and more feasibly than a bodyguard on every application. SOA security gateways offer this balance now, and they are proving to be the pragmatic architect's choice.