IBM distinguished engineer talks SOA security

Transform your app-dev quality by involving the whole community in testing
As the saying goes, the more eyes you have on software, the shallower the bugs. That’...

Build your dev and test labs for less – a lot less – with virtualization
You don’t have the budget to equip developers and software test teams with all the har...

Software Common Hacks and Counterattacks: A Guide to Protecting Software Products against the Top 7 Piracy Threats
Software piracy continues to be a growing epidemic. This white paper examines prevalen...

By David Worthington

August 12, 2008 — In a service-oriented architecture, where boundaries are exposed and services are loosely coupled, identity management, policy enforcement and some automation are required to secure information, says an IBM distinguished engineer.

Raj Nagaratnam, IBM distinguished engineer and chief architect of identity and SOA security, discussed with SD Times the crucial role that he believes identity management plays in SOA security.

Nagaratnam said that federating identity across boundaries is important in a SOA pattern. One method of doing that is to utilize an ID service that acts as an identity medication hub. Different authentication is required along the spectrum of trust, he noted.

For instance, OpenID is suitable for authentication when no critical enterprise data is exposed, whereas SAML (Security Assertion Markup Language) enterprise-level scenarios provide stronger security, he noted.

IBM renders its Tivoli Federated Identity Manger software as a Web service, so it can integrate “into the SOA flow” with a third-party enterprise service bus or mediation appliance, he said. He added that identity information in a SOA context is necessary for providing service level agreements.

“The service can be used as part of a business process to render entitlements and [business] rules,” he explained.

By extension to identity as a service, IBM realized that developers also need a consistent way to enforce policies for compliance in a loosely coupled environment. Not only should users have identities, but services must have identities as well, he explained.

As an example, a claim service may need to access a credit check service on behalf of a company’s claims department. It will have its identity taken into account and be granted access. Policies provide for that capability at enforcement points like ESBs and token services.

Tying identity to policy-driven entitlements is the next level of granularity IBM will offer, Nagaratnam said. Big Blue will be introducing a product called Tivoli Security Policy Manager later this year that will offer policy management with WS-Policy and OASIS’ eXtensible Access Control Markup Language.

Policy management is particularly useful for composite applications, where different services are composed together, he noted. Security Policy Manager will use metadata as context for managing entitlements. Policies factor in metadata about services, the service provider and the environment that is being used to access it, he explained.

Someone who is attempting to access sensitive company records from a mall kiosk might be denied access as a matter of policy, he explained.

However, there is also a human element to compliance: Keeping tabs on who is accessing what with visibility at enforcement points, as well as gathering logs of activities, is becoming more important, he said.

Auditing tools help IT security teams examine activities by correlating logs as needed, he said. To that end, IBM offers Tivoli Compliance Insight Manager, which was released in June.

Due to SOA’s heterogeneous nature, having correlation identifiers within the IBM stack is not good enough, and standards must evolve, Nagaratnam said. “[Auditing] needs to happen in everyone’s stack.”

Likewise, he affirms that security is a shared responsibility. Business and application owners now show interest in security, and oftentimes they have more insight into who should access what information than the IT security team, he said.

“Products need to serve the need for [IT security and domain experts] to collaborate,” he said, suggesting that policies elevate from the security administrator to business users.

Related Search Term(s): identity management, security, SOA & SaaS, Tivoli, IBM

Share this link: http://www.sdtimes.com/link/32695

EMAIL THIS ARTICLE

SEND FEEDBACK