Microservices Expo Authors: Elizabeth White, John Katrick, Pat Romanski, Gordon Haff, Liz McMillan

Related Topics: Microservices Expo

Microservices Expo: Article

Is SOA Ready to Move from the Whiteboards and into Production IT?

Identity-based SOA reality check

Is SOA ready to move from the whiteboards and into production IT? As you might have guessed, the answer remains a disappointing sort of. The issue comes down to tools and infrastructure, and the fact that only some SOA components are mature and easy to source. The application server market is largely commoditized and the world is awash with IDEs that automatically generate and deploy SOA components from new or legacy code. Given these two pieces, you can begin deploying services tomorrow.

This is fine until you need to scale, then the missing pieces in the puzzle will become apparent. Security, in particular, remains such an elusive piece. Secure SOA demands that there be a binding between identity and transactions. Thus, identity follows each transaction on its flow through a SOA network. This identity can be validated and authorized anywhere work is required, but it is here where the abstract boxes on the whiteboard face an awkward mapping onto real products.

In a perfect world, the infrastructure hosting a service would have the capability to mine every possible security token out of a SOA message. Unsername/password, x.509 certificates, SAML, Kerberos, REL - all of these can encapsulate an assertion about identity. Secure SOA infrastructure must validate and enforce these claims again continuously changing, centrally managed, trust relationships and entitlements.

Some application servers can do exactly that. However, there is one truism in SOA that stands against widespread adoption of this: SOA is about diversity. We move toward SOA because of the need to integrate. Services will inevitably reside on different infrastructures, which may offer radically differing levels of enforcement capability. A five-year-old Java application server does not have the same capacity to process Kerberos tokens from within a Web services message as does Windows Vista. Technology marches on. You have both, so what do you do?

There are really only two options. First is to attempt to insert a uniform security layer on every application server. This is the agent strategy. The theory is that every system with an agent installed will enforce security in the same way. Each agent retrieves security policies from a central location, so trust relationships and security directives are always up-to-date and consistent. Agents also interface with existing directories or access management systems. This allows the validation of security tokens, the enforcement of entitlements, and the leveraging of these valuable existing assets across the SOA network.

In theory, it sounds great. Central management, delegated enforcement, consistent applications at the service host - all are desirable qualities. In practice, however, it just does not scale well. Once again, diversity across infrastructure is the source of the problem. In a mixed world of Java application servers, Ruby on Rails, .NET systems, and legacy mainframes, agents must adopt a lowest common denominator approach, and their capabilities are necessarily truncated.

Even in a relatively vendor-homogeneous environment, version mismatches between servers and differing patch levels will cause manageability issues with agents. Indeed, there is a point at which agent management becomes a burdensome side effect. Real customers report that once they install around 18 agents, the overhead of administering these instances becomes unwieldy.

If you are still not convinced, ask yourself this question: Is it likely that all of the desktop PCs in your organization have personal firewalls installed and are operational? Does this mean you can drop your external firewalls and simply expose these desktops to the outside world? Of course not. No security officer would trust individual users to configure these adequately and the logistics to manage them centrally, with the assurance that the network as a whole would pass a security audit. Centrally controlled firewalls exist for a very good reason. They assert consistent, organization-wide safeguards that are impractical to enforce on a distributed basis.

Projecting this same practical insight onto the SOA model leads to the alternative approach to identity-based SOA. This architecture still features the centralized management of policies and trust, but does not attempt the baroque logistics of fully distributed enforcement. This second option is the SOA gateway model. Access to services is strictly managed by clusters of security gateways, administered by a central authority and its delegates. These provide a consistent application of policy, leverage existing identity management assets, but scale effectively because they are autonomous units that do not have to co-reside with application servers. Essentially, they become the security gatekeepers to services.

It is important to recognize that this strategy does not advocate that you build simple castle wall architectures. That is only a single line of defense, with nothing guarding individual applications. Instead, this is an opportunity to implement a true, application-oriented defense-in-depth strategy, where zones of trust are finely grained and strictly enforced. In the former, if the wall is breached, pretty much all is lost as there is nothing to protect the individual application. In contrast, if a zone falls in the latter, the damage is contained within that perimeter and leaving the zone is as challenging as entering it.

The point is the perfect world where all SOA applications would be equally secure and centrally manageable may never exist. What we need today is a security model decoupled from applications, but financially and transactionally scalable - an SOA that can be deployed more ubiquitously than a simple front door, and more feasibly than a bodyguard on every application. SOA security gateways offer this balance now, and they are proving to be the pragmatic architect's choice.

More Stories By Scott Morrison

K. Scott Morrison is the Chief Technology Officer and Chief Architect at Layer 7 Technologies, where he is leading a team developing the next generation of security infrastructure for cloud computing and SOA. An architect and developer of highly scalable, enterprise systems for over 20 years, Scott has extensive experience across industry sectors as diverse as health, travel and transportation, and financial services. He has been a Director of Architecture and Technology at Infowave Software, a leading maker of wireless security and acceleration software for mobile devices, and was a senior architect at IBM. Before shifting to the private sector, Scott was with the world-renowned medical research program of the University of British Columbia, studying neurodegenerative disorders using medical imaging technology.

Scott is a dynamic, entertaining and highly sought-after speaker. His quotes appear regularly in the media, from the New York Times, to the Huffington Post and the Register. Scott has published over 50 book chapters, magazine articles, and papers in medical, physics, and engineering journals. His work has been acknowledged in the New England Journal of Medicine, and he has published in journals as diverse as the IEEE Transactions on Nuclear Science, the Journal of Cerebral Blood Flow, and Neurology. He is the co-author of the graduate text Cloud Computing, Principles, Systems and Applications published by Springer, and is on the editorial board of Springer’s new Journal of Cloud Computing Advances, Systems and Applications (JoCCASA). He co-authored both Java Web Services Unleashed and Professional JMS. Scott is an editor of the WS-I Basic Security Profile (BSP), and is co-author of the original WS-Federation specification. He is a recent co-author of the Cloud Security Alliance’s Security Guidance for Critical Areas of Focus in Cloud Computing, and an author of that organization’s Top Threats to Cloud Computing research. Scott was recently a featured speaker for the Privacy Commission of Canada’s public consultation into the privacy implications of cloud computing. He has even lent his expertise to the film and television industry, consulting on a number of features including the X-Files. Scott’s current interests are in cloud computing, Web services security, enterprise architecture and secure mobile computing—and of course, his wife and two great kids.

Layer 7 Technologies: http://www.layer7tech.com
Scott's linkedIn profile.
Twitter: @KScottMorrison
Syscon blog: http://scottmorrison.sys-con.com

Comments (1) View Comments

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.

Most Recent Comments
Alan Karp 08/25/07 07:31:33 PM EDT

Another approach is to get away from using identity to make access decisions and use explicit authorizations instead. You can read about it in our tech report at http://www.hpl.hp.com/techreports/2007/HPL-2007-105.html.

@MicroservicesExpo Stories
"Grape Up leverages Cloud Native technologies and helps companies build software using microservices, and work the DevOps agile way. We've been doing digital innovation for the last 12 years," explained Daniel Heckman, of Grape Up in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
The general concepts of DevOps have played a central role advancing the modern software delivery industry. With the library of DevOps best practices, tips and guides expanding quickly, it can be difficult to track down the best and most accurate resources and information. In order to help the software development community, and to further our own learning, we reached out to leading industry analysts and asked them about an increasingly popular tenet of a DevOps transformation: collaboration.
"We are an integrator of carrier ethernet and bandwidth to get people to connect to the cloud, to the SaaS providers, and the IaaS providers all on ethernet," explained Paul Mako, CEO & CTO of Massive Networks, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
We call it DevOps but much of the time there’s a lot more discussion about the needs and concerns of developers than there is about other groups. There’s a focus on improved and less isolated developer workflows. There are many discussions around collaboration, continuous integration and delivery, issue tracking, source code control, code review, IDEs, and xPaaS – and all the tools that enable those things. Changes in developer practices may come up – such as developers taking ownership of code ...
"CA has been doing a lot of things in the area of DevOps. Now we have a complete set of tool sets in order to enable customers to go all the way from planning to development to testing down to release into the operations," explained Aruna Ravichandran, Vice President of Global Marketing and Strategy at CA Technologies, in this SYS-CON.tv interview at DevOps Summit at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
"NetApp's vision is how we help organizations manage data - delivering the right data in the right place, in the right time, to the people who need it, and doing it agnostic to what the platform is," explained Josh Atwell, Developer Advocate for NetApp, in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
"Outscale was founded in 2010, is based in France, is a strategic partner to Dassault Systémes and has done quite a bit of work with divisions of Dassault," explained Jackie Funk, Digital Marketing exec at Outscale, in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
"I focus on what we are calling CAST Highlight, which is our SaaS application portfolio analysis tool. It is an extremely lightweight tool that can integrate with pretty much any build process right now," explained Andrew Siegmund, Application Migration Specialist for CAST, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
Let's do a visualization exercise. Imagine it's December 31, 2018, and you're ringing in the New Year with your friends and family. You think back on everything that you accomplished in the last year: your company's revenue is through the roof thanks to the success of your product, and you were promoted to Lead Developer. 2019 is poised to be an even bigger year for your company because you have the tools and insight to scale as quickly as demand requires. You're a happy human, and it's not just...
The enterprise data storage marketplace is poised to become a battlefield. No longer the quiet backwater of cloud computing services, the focus of this global transition is now going from compute to storage. An overview of recent storage market history is needed to understand why this transition is important. Before 2007 and the birth of the cloud computing market we are witnessing today, the on-premise model hosted in large local data centers dominated enterprise storage. Key marketplace play...
How is DevOps going within your organization? If you need some help measuring just how well it is going, we have prepared a list of some key DevOps metrics to track. These metrics can help you understand how your team is doing over time. The word DevOps means different things to different people. Some say it a culture and every vendor in the industry claims that their tools help with DevOps. Depending on how you define DevOps, some of these metrics may matter more or less to you and your team.
Cavirin Systems has just announced C2, a SaaS offering designed to bring continuous security assessment and remediation to hybrid environments, containers, and data centers. Cavirin C2 is deployed within Amazon Web Services (AWS) and features a flexible licensing model for easy scalability and clear pay-as-you-go pricing. Although native to AWS, it also supports assessment and remediation of virtual or container instances within Microsoft Azure, Google Cloud Platform (GCP), or on-premise. By dr...
With continuous delivery (CD) almost always in the spotlight, continuous integration (CI) is often left out in the cold. Indeed, it's been in use for so long and so widely, we often take the model for granted. So what is CI and how can you make the most of it? This blog is intended to answer those questions. Before we step into examining CI, we need to look back. Software developers often work in small teams and modularity, and need to integrate their changes with the rest of the project code b...
Kubernetes is an open source system for automating deployment, scaling, and management of containerized applications. Kubernetes was originally built by Google, leveraging years of experience with managing container workloads, and is now a Cloud Native Compute Foundation (CNCF) project. Kubernetes has been widely adopted by the community, supported on all major public and private cloud providers, and is gaining rapid adoption in enterprises. However, Kubernetes may seem intimidating and complex ...
Is advanced scheduling in Kubernetes achievable?Yes, however, how do you properly accommodate every real-life scenario that a Kubernetes user might encounter? How do you leverage advanced scheduling techniques to shape and describe each scenario in easy-to-use rules and configurations? In his session at @DevOpsSummit at 21st Cloud Expo, Oleg Chunikhin, CTO at Kublr, answered these questions and demonstrated techniques for implementing advanced scheduling. For example, using spot instances and co...
DevOps is often described as a combination of technology and culture. Without both, DevOps isn't complete. However, applying the culture to outdated technology is a recipe for disaster; as response times grow and connections between teams are delayed by technology, the culture will die. A Nutanix Enterprise Cloud has many benefits that provide the needed base for a true DevOps paradigm. In their Day 3 Keynote at 20th Cloud Expo, Chris Brown, a Solutions Marketing Manager at Nutanix, and Mark Lav...
Enterprises are adopting Kubernetes to accelerate the development and the delivery of cloud-native applications. However, sharing a Kubernetes cluster between members of the same team can be challenging. And, sharing clusters across multiple teams is even harder. Kubernetes offers several constructs to help implement segmentation and isolation. However, these primitives can be complex to understand and apply. As a result, it’s becoming common for enterprises to end up with several clusters. Thi...
Gone are the days when application development was the daunting task of the highly skilled developers backed with strong IT skills, low code application development has democratized app development and empowered a new generation of citizen developers. There was a time when app development was in the domain of people with complex coding and technical skills. We called these people by various names like programmers, coders, techies, and they usually worked in a world oblivious of the everyday pri...
"Cloud4U builds software services that help people build DevOps platforms for cloud-based software and using our platform people can draw a picture of the system, network, software," explained Kihyeon Kim, CEO and Head of R&D at Cloud4U, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
How often is an environment unavailable due to factors within your project's control? How often is an environment unavailable due to external factors? Is the software and hardware in the environment up to date with the target production systems? How often do you have to resort to manual workarounds due to an environment? These are all questions that you should ask yourself if testing environments are consistently unavailable and affected by outages. Here are three key metrics that you can tra...