Web services and service-oriented architecture (SOA) will grow by up to 25% worldwide by 2013, according to analyst house IDC, but security and deployment challenges remain.
According to Dominique dHotman, enterprise architecture manager at Ooba, the difficulty with distributed security, in particular, is significantly compounded when a company aggregates services across organisations, or has to federate identities in order to complete a transaction.
DHotman will speak at ITWeb's upcoming Security Summit on the SOA deployment undertaken by Ooba (previously MortgageSA), with practical advice on building WS-* compliant software and the application of a consistent security model.
The fundamental issue at play, according to dHotman, is the data model with which Web services interact. “It is critical that security is considered at every point of the modelling process and not just from an access point of view. In other words, the data model that supports the transactions must be designed in such a way that the actual identity is embedded and available for use throughout the transaction.”
This approach, he maintains, will ensure that access to transaction data can be secured at the lowest level, and in turn acted upon at every point.
DHotman also points out it is imperative for the identity of an individual to be carried throughout the entire transaction process - from authentication through authorisation, processing and finally to actually persisting the transaction records.
“Application processes, regardless of whether or not they are orchestrated in a SOA, should ensure that this identity determines what the individual can see and do.”
The key challenge, he believes, is to think holistically about the implementation and make sure the entire process is secured, “not just tack on a flimsy user access routine in the beginning of a transaction process and hope that it will keep your data safe”.
In the case of Ooba's deployment of Web services and SOA, the organisation focused on open standards to make 100% sure it didn't have problems when engaging other platforms.
DHotman elaborates: “We opted for the WS-Security specification (developed by the Oasis group), which describes enhancements to SOAP 1.1 that increase the protection and confidentiality of messages. These enhancements include functionality to secure SOAP messages through XML digital signatures, confidentiality through XML encryption, and credential propagation through security tokens.
“The WS-Security standards provide this protection by defining mechanisms for associating tokens with messages. It is completely extensible in that it can support multiple token formats.”
In fact, dHotman believes open standards are one of the single most important requirements for successful deployment of Web services.
“Too many 'specialists' have developed Web services that are actually nothing more than the same old, same old. Standards exist for a reason and if they are not strictly adhered to, we are definitely going to end up making the same mistakes over and over again,” he concludes.
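As an added illustration (not Ooba's code and not part of the original article), the Python below checks one WS-Security token format, the UsernameToken with a password digest carried in a SOAP 1.1 header, and returns the verified identity that later authorisation and persistence steps would carry. The request body element, the credentials and the in-memory nonce store are assumptions made for the example; XML Signature and XML Encryption are not covered.

```python
import base64, hashlib, hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/",
      "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
      "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"}
DIGEST_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
               "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")

def password_digest(nonce: bytes, created: str, password: str) -> str:
    # UsernameToken Profile 1.0: Base64(SHA-1(nonce + created + password))
    raw = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return base64.b64encode(raw).decode()

def build_envelope(user, password, nonce, created):
    # Constructed SOAP 1.1 request; the GetApplication body element is hypothetical.
    ns_decl = " ".join(f'xmlns:{p}="{u}"' for p, u in NS.items())
    return (f'<soap:Envelope {ns_decl}><soap:Header><wsse:Security><wsse:UsernameToken>'
            f'<wsse:Username>{user}</wsse:Username>'
            f'<wsse:Password Type="{DIGEST_TYPE}">{password_digest(nonce, created, password)}</wsse:Password>'
            f'<wsse:Nonce>{base64.b64encode(nonce).decode()}</wsse:Nonce>'
            f'<wsu:Created>{created}</wsu:Created>'
            f'</wsse:UsernameToken></wsse:Security></soap:Header>'
            f'<soap:Body><GetApplication id="A-1001"/></soap:Body></soap:Envelope>')

def authenticate(envelope, passwords, seen_nonces, now, max_age=timedelta(minutes=5)):
    """Return the verified username to carry through the transaction, else None."""
    # Production parsers should also reject DTDs and entities (e.g. via defusedxml).
    try:
        root = ET.fromstring(envelope)
    except ET.ParseError:
        return None
    tok = root.find("soap:Header/wsse:Security/wsse:UsernameToken", NS)
    if tok is None:
        return None                      # no token associated with the message
    user, digest, nonce_b64, created = (tok.findtext(t, "", NS) for t in
        ("wsse:Username", "wsse:Password", "wsse:Nonce", "wsu:Created"))
    try:
        nonce = base64.b64decode(nonce_b64, validate=True)
        stamp = datetime.strptime(created, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None                      # malformed nonce or timestamp
    if not nonce or abs(now - stamp) > max_age or nonce in seen_nonces or user not in passwords:
        return None                      # missing nonce, stale, replayed, or unknown identity
    if not hmac.compare_digest(password_digest(nonce, created, passwords[user]).encode(), digest.encode()):
        return None                      # digest does not match the shared secret
    seen_nonces.add(nonce)               # remember the nonce so the token cannot be replayed
    return user
```

A UsernameToken on its own authenticates the sender only; protecting the message body is the job of the XML signature and encryption mechanisms named in the quote above.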
At ITWeb's Security Summit 2010, which takes place from 11 to 13 May, Dominique dHotman, enterprise architecture manager at Ooba, will deliver a talk on the work done at Ooba (previously MortgageSA), focusing on the organisation's SOA deployment across many different business lines and application types. He will present practical advice on building WS-* compliant software across the board, as well as the application of a consistent security model aimed at ensuring connections with clients and business partners in a simple, secure and standards-based fashion.
To get practical advice on secure SOA and Web services deployment, go online to www.securitysummit.co.za and secure your place at Security Summit 2010.