Q&A
SOA Security: How a Lil' Irish Luck Went a Long Way
David Yeates, IT Head for EBS Building Society, gives an overview of the Irish financial firm's approach to securing its service oriented architecture (SOA)
By Bill Brenner, Senior Editor
We recognized we needed a loosely coupled SOA which addressed areas such as the reality of long-running transactions with complex routing and transformation; the notion of compensating transactions for transaction integrity; service choreography; the need to integrate with human workflows systems; and the potential for process-driven development. We also needed to address data semantics, data modelling and operational data stores and needed a comprehensive security architecture to underpin the future operational environment.
Dive deeper into how you reached the conclusion that the security architecture was needed.
Yeates: Service-oriented applications are fundamentally different from traditional monolithic applications. Web services are dynamic, they look up, discover and bind to each other at run time. This means that the internal network has also to be considered a dirty environment. A process-driven development creates dynamic applications where business processes can be easily created and changed. This presents major change management, service management and compliance challenges for an organization. Transactional security becomes very complex, very fast.
What did you ultimately decide to do about it?
Yeates: We found the ideal solution was to abstract the security, auditing and control functionality away from individual applications and into the network fabric itself. The strongest approach was to embed security within the services infrastructure itself, provide consistent security policy enforcement and to protect all endpoints, not just the perimeter.
Editor's note: To achieve the security he was looking for, Yeates went with XML network management company Vordel's product line for such security functions as identity management, policy control, and monitoring of the environment for suspicious activity. Other SOA vendors to be considered in this area include Parasoft, Oracle, IBM, Layer 7 and Bloombase.
Other stories by Bill Brenner
SOA
Security Directions: A Virtual Conference
Available On Demand Sept. 30 - Dec. 30
Join us for a virtual event with candid, expert information on top security challenges and issues - all from the comfort of your desktop.
Protecting PII: How to Work with IT to Manage Risk
Understand the critical nature of the test data privacy problem and get tips on how to work with IT to implement a test data privacy program.
Get instant notifications when whitepapers, webcasts and case studies are added
to our library. Sign up for a Resource Alert now!
CSO Corporate Partners
CSO Perspectives
-
April 5-7, 2010Hyatt Regency Santa ClaraClick here for more information!
Santa Clara, California
(ISC)2 members can earn up to 24 CPE Credits!
