Welcome!

Microservices Expo Authors: Pat Romanski, Elizabeth White, Liz McMillan, Karthick Viswanathan, Andy Thurai

Related Topics: Microservices Expo

Microservices Expo: Article

Security in a SOA

Key to achieving the plug-and-play goals of SOA

As the name suggests, a Service Oriented Architecture is one where application functionality is packaged as autonomous services that adhere to industry standard interfaces (WSDL, SOAP), and the services are then deployed in an IT architecture that makes for their most effective use.

 The component services can be rapidly reused and composited, plugged and played as it were, to create new business offerings and they can be individually upgraded for increased business agility. However, to achieve the promise of a SOA it's imperative that critical non-business logic-related functionality, the foremost of which is security, should also be provided and used as a service. And for this to occur it has to be externalized, accessed, and managed independently from the business logic-related services.

This article will address application security, specifically fine-grained application access control or entitlements. The need to externalize and independently manage security is many:

1.  The security context in which a component service will be executed will be a function of the composite service in which it will be invoked. It can't be determined when the code for the component service is developed. If security that pertains to access, or who can use the service, is codified in the component service then this code will have to be modified to use the component service in different environments or in different composite services, defeating the plug-and-play benefits that are a key driver for a SOA.

2.  The owners, administrators, and specialists of an access policy are different from those developing the business logic of the component service. They are often in different organizational domains. Requiring that the access policy management be coded at the same time and in the same package as the business logic requires coordination that is unnecessary and inefficient.

3.  Access policies need to be audited and checked outside of the service for purposes of compliance. Access policy auditing is required for the component service as well as for the composite service or business process in which the component service is invoked. Auditing requirements are important for corporate governance and compliance, but perhaps more importantly because in the pre-SOA world there were only a few, very limited, very controlled ways in which the application functionality could be used. However, in a SOA world the service can be invoked in very diverse and unanticipated ways. Auditing is a key tool to anticipate problems before they occur and locate the root cause of problems when they occur.

In a well-designed SOA, access policy management is itself an important service, sometimes referred to as an infrastructure service. This is in contrast to the component services and composite services that encode the business logic, sometimes referred to as business services.

So what does externalizing access policy management from the component service really mean? The figure below depicts pre-SOA application functionality where security is managed in the business logic, moving to a SOA-compatible service version of the same business logic with access policy administration, resolution, and auditing externalized from the service and manifest as SOA-compatible infrastructure services themselves. In some cases the enforcement of the access policy will also be externalized from the service. Generally this won't be possible and the service can get the access policy decision from the external security service and enforce the decision itself. (Figure 1)

It's less critical that access policy enforcement be manifest as a separate infrastructure service because it's often tied very closely to the business logic and changes with the business logic, unlike access policy administration, auditing, or resolution which change at a different rate, at different times, and are owned by people other than the developers of the business logic.

As an example consider the following:

  • Component service: Order management.
  • Access policy: An order can be entered only by people with the role of "broker." An order can be updated only by the owner of the order or by a manager of the owner of the order. An order can be read by the owner of the order, a manager of the owner of the order, or by a subject with the role "reconcile."
In this case the developers of the order management service can focus purely on implementing the most efficient order management functionality. The access policy has to specify who can access the service and perform the function exposed by the order management service. The policy needs to be administered outside of the order management service, potentially by multiple independent people (more on that later). The access policy resolution needs to access the appropriate contextual information, for example, accessing a central LDAP in which the roles of the users may be stored, or another in which the user-manager relationship may be stored, or a local database in which the order-owner relationship may be stored. The policy resolution will determine if the given request should be permitted or denied, and the policy enforcement will enforce that decision on the request.

The benefit of separating the access policy administration, resolution, and audit from the component service is that the access policy can be changed to comply with changing security or compliance requirements without requiring any change or recoding of the component service. For example, a Patriot Act rule might require that an order from a user with a certain attribute, say if he belongs to a set of identified organizations, with a value over a certain amount shouldn't be permitted. Or a Sarbanes-Oxley rule might require that the duties between a broker and an administrator be segregated. Or a business situation such as M&A may require that the access policy be modified to permit access to users who have the role of broker in one system or account manager in another system. These changes, which are independent of the business logic of the order management service can be effected by simply configuring a new or modified access policy and without requiring a change in the order management service itself.

Conversely, a new more efficient order management service won't require a recertification of the existing access policies. As the SOA deployment in an organization matures, the component services will be invoked in composite services that will determine part of the security context in which the invocation of the component service will have to be checked. In the figure below the order management component service may be invoked in a "reconcile all day orders" composite service or in a new "compute commission" composite service.

The access policy can take into account the context of the composite service from which the component service is being invoked, who is initiating the composite service, etc. The order management component service can now be used in ways unanticipated at the time the service was developed, and the appropriate access policy can be administered, resolved, and audited without losing security or compliance and without requiring any reworking of the component service. (Figure 2)

More Stories By Rajiv Gupta

Rajiv Gupta is widely known as the father of Web Services and SOA. He is the founder and CEO of Securent, and has more than 17 years of successful enterprise software and security experience. Prior to Securent, he was the Founder and CEO of Confluent Software, where he led efforts for the successful development and growth of its policy-based web-services management product, before Confluent was acquired by Oblix in 2004. Before founding Confluent, Gupta spent 11 years at Hewlett-Packard, most recently as the General Manager of the E-speak Division, a division he started in 1998 to bring to market the E-speak technology that he and his team developed at HP Labs. E-speak is the precursor to the Web Service offerings from many major IT companies, and has been inducted into the Smithsonian National Museum. Gupta is the inventor or co-inventor of some of the seminal concepts that underpin Web Services, and has more than 45 patents to his name. He earned his Master's degree and PhD in Computer Science from the California Institute of Technology, and his Bachelor's degree in Computer Science from the Indian Institute of Technology, Kharagpur.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


Microservices Articles
DevOps is often described as a combination of technology and culture. Without both, DevOps isn't complete. However, applying the culture to outdated technology is a recipe for disaster; as response times grow and connections between teams are delayed by technology, the culture will die. A Nutanix Enterprise Cloud has many benefits that provide the needed base for a true DevOps paradigm. In their Day 3 Keynote at 20th Cloud Expo, Chris Brown, a Solutions Marketing Manager at Nutanix, and Mark Lav...
The Software Defined Data Center (SDDC), which enables organizations to seamlessly run in a hybrid cloud model (public + private cloud), is here to stay. IDC estimates that the software-defined networking market will be valued at $3.7 billion by 2016. Security is a key component and benefit of the SDDC, and offers an opportunity to build security 'from the ground up' and weave it into the environment from day one. In his session at 16th Cloud Expo, Reuven Harrison, CTO and Co-Founder of Tufin, ...
"NetApp's vision is how we help organizations manage data - delivering the right data in the right place, in the right time, to the people who need it, and doing it agnostic to what the platform is," explained Josh Atwell, Developer Advocate for NetApp, in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
Gone are the days when application development was the daunting task of the highly skilled developers backed with strong IT skills, low code application development has democratized app development and empowered a new generation of citizen developers. There was a time when app development was in the domain of people with complex coding and technical skills. We called these people by various names like programmers, coders, techies, and they usually worked in a world oblivious of the everyday pri...
Your homes and cars can be automated and self-serviced. Why can't your storage? From simply asking questions to analyze and troubleshoot your infrastructure, to provisioning storage with snapshots, recovery and replication, your wildest sci-fi dream has come true. In his session at @DevOpsSummit at 20th Cloud Expo, Dan Florea, Director of Product Management at Tintri, provided a ChatOps demo where you can talk to your storage and manage it from anywhere, through Slack and similar services with...
Kin Lane recently wrote a couple of blogs about why copyrighting an API is not common. I couldn’t agree more that copyrighting APIs is uncommon. First of all, the API definition is just an interface (It is the implementation detail … Continue reading →
The Jevons Paradox suggests that when technological advances increase efficiency of a resource, it results in an overall increase in consumption. Writing on the increased use of coal as a result of technological improvements, 19th-century economist William Stanley Jevons found that these improvements led to the development of new ways to utilize coal. In his session at 19th Cloud Expo, Mark Thiele, Chief Strategy Officer for Apcera, compared the Jevons Paradox to modern-day enterprise IT, examin...
DevOps tends to focus on the relationship between Dev and Ops, putting an emphasis on the ops and application infrastructure. But that’s changing with microservices architectures. In her session at DevOps Summit, Lori MacVittie, Evangelist for F5 Networks, will focus on how microservices are changing the underlying architectures needed to scale, secure and deliver applications based on highly distributed (micro) services and why that means an expansion into “the network” for DevOps.
Many organizations are now looking to DevOps maturity models to gauge their DevOps adoption and compare their maturity to their peers. However, as enterprise organizations rush to adopt DevOps, moving past experimentation to embrace it at scale, they are in danger of falling into the trap that they have fallen into time and time again. Unfortunately, we've seen this movie before, and we know how it ends: badly.
Kubernetes is a new and revolutionary open-sourced system for managing containers across multiple hosts in a cluster. Ansible is a simple IT automation tool for just about any requirement for reproducible environments. In his session at @DevOpsSummit at 18th Cloud Expo, Patrick Galbraith, a principal engineer at HPE, discussed how to build a fully functional Kubernetes cluster on a number of virtual machines or bare-metal hosts. Also included will be a brief demonstration of running a Galera MyS...