HOME ALL STORIES LATEST NEWS COLUMNS OPINIONS EDITORIALS GUEST VIEWS SHORT TAKES DATA WATCH SPECIAL REPORTS ZEICHICK'S TAKE SD TIMES 100 EDITORS' BLOG

RSS FEEDS

FACEBOOK

TWITTER

WHITE PAPERS SPONSORED PROFILES JOB BOARD WEBINAR CENTER FREE SOFTWARE BZ RESEARCH ALMSHAREPOINT EVENTS CALENDAR PRINT/PDF EDITION PRINT/PDF BACK ISSUES

SUBSCRIBE TODAY CUSTOMER SERVICE EDITORIAL CALENDAR EDITORIAL BEATS GUEST VIEW GUIDE SD TIMES 100 GUIDE EVENTS CALENDAR ADVERTISING ARTICLE REPRINTS REPORT A BUG SITE MAP

ABOUT US BZ MEDIA NEWS BZ RESEARCH SYSMANNEWS SPTECHCON ESDC IPHONEDEVCON PRIVACY POLICY CONTACT US

Printable version

HOME >> LATEST NEWS

Most Read Latest News Blog Resources

Mono brings .NET to Android
At Microsoft MIX, Mono will unveil the ability to port .NET applications to the Android op...

Does Windows cost Microsoft opportunities?
Microsoft's decision to focus .NET on Windows is stifling innovation due to the specter of...

Scrum Planning Board adds automation to Axosoft OnTime
Illustrations are also included to assist Scrum-using developers a better view of what the...

Maven Studio for Eclipse gets developers up to speed
Sonatype tool simplifies onboarding by giving developers a way to easily deploy fully conf...

nVidia updates CUDA tools
Latest version helps developers turn desktops and servers with high-end GPUs into more pow...

Scrum Planning Board adds automation to Axosoft OnTime
Illustrations are also included to assist Scrum-using developers a better view of what the...

Google Code turns 5
Google Code Turns 5, and adds a Paxos Algorithm to make the system more stable and reliable.

Test your Visual Studio 2010 know-how
Microsoft is offering free beta certification exams for Visual Studio 2010.

Microsoft lifts the hood on IE9
Microsoft is previewing IE9.

Overcoming Development Challenges with Open Source Open source software can help you with your application development challenges. It doesn’t...

Accelerate Services and the Cloud Business units, functional groups, and different divisions of companies across industries...

Enterprise Mashup Platforms for Today’s Increasingly Complex and Real-Time Context Enterprise Mashups offer your company a new way to connect data from inside and outside yo...

Technorati

Digg

Slashdot

Facebook

Friendfeed

Twitter

del.icio.us

IBM distinguished engineer talks SOA security

By David Worthington

August 12, 2008 —

In a service-oriented architecture, where boundaries are exposed and services are loosely coupled, identity management, policy enforcement and some automation are required to secure information, says an IBM distinguished engineer.

Raj Nagaratnam, IBM distinguished engineer and chief architect of identity and SOA security, discussed with SD Times the crucial role that he believes identity management plays in SOA security.

Nagaratnam said that federating identity across boundaries is important in a SOA pattern. One method of doing that is to utilize an ID service that acts as an identity medication hub. Different authentication is required along the spectrum of trust, he noted.

For instance, OpenID is suitable for authentication when no critical enterprise data is exposed, whereas SAML (Security Assertion Markup Language) enterprise-level scenarios provide stronger security, he noted.

IBM renders its Tivoli Federated Identity Manger software as a Web service, so it can integrate “into the SOA flow” with a third-party enterprise service bus or mediation appliance, he said. He added that identity information in a SOA context is necessary for providing service level agreements.

“The service can be used as part of a business process to render entitlements and [business] rules,” he explained.

By extension to identity as a service, IBM realized that developers also need a consistent way to enforce policies for compliance in a loosely coupled environment. Not only should users have identities, but services must have identities as well, he explained.

As an example, a claim service may need to access a credit check service on behalf of a company’s claims department. It will have its identity taken into account and be granted access. Policies provide for that capability at enforcement points like ESBs and token services.

Tying identity to policy-driven entitlements is the next level of granularity IBM will offer, Nagaratnam said. Big Blue will be introducing a product called Tivoli Security Policy Manager later this year that will offer policy management with WS-Policy and OASIS’ eXtensible Access Control Markup Language.

Policy management is particularly useful for composite applications, where different services are composed together, he noted. Security Policy Manager will use metadata as context for managing entitlements. Policies factor in metadata about services, the service provider and the environment that is being used to access it, he explained.

Someone who is attempting to access sensitive company records from a mall kiosk might be denied access as a matter of policy, he explained.

However, there is also a human element to compliance: Keeping tabs on who is accessing what with visibility at enforcement points, as well as gathering logs of activities, is becoming more important, he said.

Auditing tools help IT security teams examine activities by correlating logs as needed, he said. To that end, IBM offers Tivoli Compliance Insight Manager, which was released in June.

Due to SOA’s heterogeneous nature, having correlation identifiers within the IBM stack is not good enough, and standards must evolve, Nagaratnam said. “[Auditing] needs to happen in everyone’s stack.”

Likewise, he affirms that security is a shared responsibility. Business and application owners now show interest in security, and oftentimes they have more insight into who should access what information than the IT security team, he said.

“Products need to serve the need for [IT security and domain experts] to collaborate,” he said, suggesting that policies elevate from the security administrator to business users.

Related Search Term(s): identity management, security, SOA & SaaS, Tivoli, IBM

Share this link: http://www.sdtimes.com/link/32695

News Briefs: January 15, 2009 Cigital and Coverity partner together to improve each other's products, Scio Consulting creates services for SaaS environments and AmberPoint integrates its SOA governance and management precuts with Microsoft the Microsoft platform.

IBM expands WebSphere's framework support WebSphere Application Server 7 also implements runtime provisioning and OSGI-enabled dynamic deployment to lower the number of resources consumed. New management functions for multi-component applications are included in a long list of new features.

Red Hat prepares complex events processing for SOA Updates to JBoss Enterprise SOA Platform and JBoss Operations Network lay the groundwork for enhanced CEP and rules management. Beyond that, new security features have been implemented in Enterprise SOA Platform.

Add comment

Name*
Email*
Country

Comment
Preview

News on Monday
more>>
SharePoint Tech Report
more>>

Download Current Issue
ISSUE 3/15/2010 PDF

Need Back Issues?
DOWNLOAD HERE

Receive the print Edition?

Google Code turns 5
Google Code Turns 5, and adds a Paxos Algorithm to make the system more stable and reliable.
03/17/2010 11:16 AM EST

Test your Visual Studio 2010 know-how
Microsoft is offering free beta certification exams for Visual Studio 2010.
03/17/2010 11:08 AM EST

Microsoft lifts the hood on IE9
Microsoft is previewing IE9.
03/16/2010 01:10 PM EST