Welcome!

Microservices Expo Authors: Automic Blog, Elizabeth White, Pat Romanski, Jason Bloomberg, Matt Brickey

Related Topics: Microservices Expo

Microservices Expo: Article

Is SOA Ready to Move from the Whiteboards and into Production IT?

Identity-based SOA reality check

Is SOA ready to move from the whiteboards and into production IT? As you might have guessed, the answer remains a disappointing sort of. The issue comes down to tools and infrastructure, and the fact that only some SOA components are mature and easy to source. The application server market is largely commoditized and the world is awash with IDEs that automatically generate and deploy SOA components from new or legacy code. Given these two pieces, you can begin deploying services tomorrow.

This is fine until you need to scale, then the missing pieces in the puzzle will become apparent. Security, in particular, remains such an elusive piece. Secure SOA demands that there be a binding between identity and transactions. Thus, identity follows each transaction on its flow through a SOA network. This identity can be validated and authorized anywhere work is required, but it is here where the abstract boxes on the whiteboard face an awkward mapping onto real products.

In a perfect world, the infrastructure hosting a service would have the capability to mine every possible security token out of a SOA message. Unsername/password, x.509 certificates, SAML, Kerberos, REL - all of these can encapsulate an assertion about identity. Secure SOA infrastructure must validate and enforce these claims again continuously changing, centrally managed, trust relationships and entitlements.

Some application servers can do exactly that. However, there is one truism in SOA that stands against widespread adoption of this: SOA is about diversity. We move toward SOA because of the need to integrate. Services will inevitably reside on different infrastructures, which may offer radically differing levels of enforcement capability. A five-year-old Java application server does not have the same capacity to process Kerberos tokens from within a Web services message as does Windows Vista. Technology marches on. You have both, so what do you do?

There are really only two options. First is to attempt to insert a uniform security layer on every application server. This is the agent strategy. The theory is that every system with an agent installed will enforce security in the same way. Each agent retrieves security policies from a central location, so trust relationships and security directives are always up-to-date and consistent. Agents also interface with existing directories or access management systems. This allows the validation of security tokens, the enforcement of entitlements, and the leveraging of these valuable existing assets across the SOA network.

In theory, it sounds great. Central management, delegated enforcement, consistent applications at the service host - all are desirable qualities. In practice, however, it just does not scale well. Once again, diversity across infrastructure is the source of the problem. In a mixed world of Java application servers, Ruby on Rails, .NET systems, and legacy mainframes, agents must adopt a lowest common denominator approach, and their capabilities are necessarily truncated.

Even in a relatively vendor-homogeneous environment, version mismatches between servers and differing patch levels will cause manageability issues with agents. Indeed, there is a point at which agent management becomes a burdensome side effect. Real customers report that once they install around 18 agents, the overhead of administering these instances becomes unwieldy.

If you are still not convinced, ask yourself this question: Is it likely that all of the desktop PCs in your organization have personal firewalls installed and are operational? Does this mean you can drop your external firewalls and simply expose these desktops to the outside world? Of course not. No security officer would trust individual users to configure these adequately and the logistics to manage them centrally, with the assurance that the network as a whole would pass a security audit. Centrally controlled firewalls exist for a very good reason. They assert consistent, organization-wide safeguards that are impractical to enforce on a distributed basis.

Projecting this same practical insight onto the SOA model leads to the alternative approach to identity-based SOA. This architecture still features the centralized management of policies and trust, but does not attempt the baroque logistics of fully distributed enforcement. This second option is the SOA gateway model. Access to services is strictly managed by clusters of security gateways, administered by a central authority and its delegates. These provide a consistent application of policy, leverage existing identity management assets, but scale effectively because they are autonomous units that do not have to co-reside with application servers. Essentially, they become the security gatekeepers to services.

It is important to recognize that this strategy does not advocate that you build simple castle wall architectures. That is only a single line of defense, with nothing guarding individual applications. Instead, this is an opportunity to implement a true, application-oriented defense-in-depth strategy, where zones of trust are finely grained and strictly enforced. In the former, if the wall is breached, pretty much all is lost as there is nothing to protect the individual application. In contrast, if a zone falls in the latter, the damage is contained within that perimeter and leaving the zone is as challenging as entering it.

The point is the perfect world where all SOA applications would be equally secure and centrally manageable may never exist. What we need today is a security model decoupled from applications, but financially and transactionally scalable - an SOA that can be deployed more ubiquitously than a simple front door, and more feasibly than a bodyguard on every application. SOA security gateways offer this balance now, and they are proving to be the pragmatic architect's choice.

More Stories By Scott Morrison

K. Scott Morrison is the Chief Technology Officer and Chief Architect at Layer 7 Technologies, where he is leading a team developing the next generation of security infrastructure for cloud computing and SOA. An architect and developer of highly scalable, enterprise systems for over 20 years, Scott has extensive experience across industry sectors as diverse as health, travel and transportation, and financial services. He has been a Director of Architecture and Technology at Infowave Software, a leading maker of wireless security and acceleration software for mobile devices, and was a senior architect at IBM. Before shifting to the private sector, Scott was with the world-renowned medical research program of the University of British Columbia, studying neurodegenerative disorders using medical imaging technology.

Scott is a dynamic, entertaining and highly sought-after speaker. His quotes appear regularly in the media, from the New York Times, to the Huffington Post and the Register. Scott has published over 50 book chapters, magazine articles, and papers in medical, physics, and engineering journals. His work has been acknowledged in the New England Journal of Medicine, and he has published in journals as diverse as the IEEE Transactions on Nuclear Science, the Journal of Cerebral Blood Flow, and Neurology. He is the co-author of the graduate text Cloud Computing, Principles, Systems and Applications published by Springer, and is on the editorial board of Springer’s new Journal of Cloud Computing Advances, Systems and Applications (JoCCASA). He co-authored both Java Web Services Unleashed and Professional JMS. Scott is an editor of the WS-I Basic Security Profile (BSP), and is co-author of the original WS-Federation specification. He is a recent co-author of the Cloud Security Alliance’s Security Guidance for Critical Areas of Focus in Cloud Computing, and an author of that organization’s Top Threats to Cloud Computing research. Scott was recently a featured speaker for the Privacy Commission of Canada’s public consultation into the privacy implications of cloud computing. He has even lent his expertise to the film and television industry, consulting on a number of features including the X-Files. Scott’s current interests are in cloud computing, Web services security, enterprise architecture and secure mobile computing—and of course, his wife and two great kids.

Layer 7 Technologies: http://www.layer7tech.com
Scott's linkedIn profile.
Twitter: @KScottMorrison
Syscon blog: http://scottmorrison.sys-con.com

Comments (1) View Comments

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


Most Recent Comments
Alan Karp 08/25/07 07:31:33 PM EDT

Another approach is to get away from using identity to make access decisions and use explicit authorizations instead. You can read about it in our tech report at http://www.hpl.hp.com/techreports/2007/HPL-2007-105.html.

@MicroservicesExpo Stories
With continuous delivery (CD) almost always in the spotlight, continuous integration (CI) is often left out in the cold. Indeed, it's been in use for so long and so widely, we often take the model for granted. So what is CI and how can you make the most of it? This blog is intended to answer those questions. Before we step into examining CI, we need to look back. Software developers often work in small teams and modularity, and need to integrate their changes with the rest of the project code b...
There is a huge demand for responsive, real-time mobile and web experiences, but current architectural patterns do not easily accommodate applications that respond to events in real time. Common solutions using message queues or HTTP long-polling quickly lead to resiliency, scalability and development velocity challenges. In his session at 21st Cloud Expo, Ryland Degnan, a Senior Software Engineer on the Netflix Edge Platform team, will discuss how by leveraging a reactive stream-based protocol,...
In his session at 20th Cloud Expo, Mike Johnston, an infrastructure engineer at Supergiant.io, discussed how to use Kubernetes to set up a SaaS infrastructure for your business. Mike Johnston is an infrastructure engineer at Supergiant.io with over 12 years of experience designing, deploying, and maintaining server and workstation infrastructure at all scales. He has experience with brick and mortar data centers as well as cloud providers like Digital Ocean, Amazon Web Services, and Rackspace. H...
SYS-CON Events announced today that Calligo has been named “Bronze Sponsor” of SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Calligo is an innovative cloud service provider offering mid-sized companies the highest levels of data privacy. Calligo offers unparalleled application performance guarantees, commercial flexibility and a personalized support service from its globally located cloud platfor...
Many organizations are now looking to DevOps maturity models to gauge their DevOps adoption and compare their maturity to their peers. However, as enterprise organizations rush to adopt DevOps, moving past experimentation to embrace it at scale, they are in danger of falling into the trap that they have fallen into time and time again. Unfortunately, we've seen this movie before, and we know how it ends: badly.
"Outscale was founded in 2010, is based in France, is a strategic partner to Dassault Systémes and has done quite a bit of work with divisions of Dassault," explained Jackie Funk, Digital Marketing exec at Outscale, in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
From personal care products to groceries and movies on demand, cloud-based subscriptions are fulfilling the needs of consumers across an array of market sectors. Nowhere is this shift to subscription services more evident than in the technology sector. By adopting an Everything-as-a-Service (XaaS) delivery model, companies are able to tailor their computing environments to shape the experiences they want for customers as well as their workforce.
If you read a lot of business and technology publications, you might think public clouds are universally preferred over all other cloud options. To be sure, the numbers posted by Amazon Web Services (AWS) and Microsoft’s Azure platform are nothing short of impressive. Statistics reveal that public clouds are growing faster than private clouds and analysts at IDC predict that public cloud growth will be 3 times that of private clouds by 2019.
"DivvyCloud as a company set out to help customers automate solutions to the most common cloud problems," noted Jeremy Snyder, VP of Business Development at DivvyCloud, in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
"We focus on SAP workloads because they are among the most powerful but somewhat challenging workloads out there to take into public cloud," explained Swen Conrad, CEO of Ocean9, Inc., in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
"As we've gone out into the public cloud we've seen that over time we may have lost a few things - we've lost control, we've given up cost to a certain extent, and then security, flexibility," explained Steve Conner, VP of Sales at Cloudistics,in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
"Peak 10 is a hybrid infrastructure provider across the nation. We are in the thick of things when it comes to hybrid IT," explained , Chief Technology Officer at Peak 10, in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
"I think DevOps is now a rambunctious teenager – it’s starting to get a mind of its own, wanting to get its own things but it still needs some adult supervision," explained Thomas Hooker, VP of marketing at CollabNet, in this SYS-CON.tv interview at DevOps Summit at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
"I will be talking about ChatOps and ChatOps as a way to solve some problems in the DevOps space," explained Himanshu Chhetri, CTO of Addteq, in this SYS-CON.tv interview at @DevOpsSummit at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
Your homes and cars can be automated and self-serviced. Why can't your storage? From simply asking questions to analyze and troubleshoot your infrastructure, to provisioning storage with snapshots, recovery and replication, your wildest sci-fi dream has come true. In his session at @DevOpsSummit at 20th Cloud Expo, Dan Florea, Director of Product Management at Tintri, provided a ChatOps demo where you can talk to your storage and manage it from anywhere, through Slack and similar services with...
If you are thinking about moving applications off a mainframe and over to open systems and the cloud, consider these guidelines to prioritize what to move and what to eliminate. On the surface, mainframe architecture seems relatively simple: A centrally located computer processes data through an input/output subsystem and stores its computations in memory. At the other end of the mainframe are printers and terminals that communicate with the mainframe through protocols. For all of its apparen...
DevOps at Cloud Expo, taking place October 31 - November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA, is co-located with 21st Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading industry players in the world. The widespread success of cloud computing is driving the DevOps revolution in enterprise IT. Now as never before, development teams must communicate and collaborate in a dynamic, 24/7/365 environment. There is no time to w...
"At the keynote this morning we spoke about the value proposition of Nutanix, of having a DevOps culture and a mindset, and the business outcomes of achieving agility and scale, which everybody here is trying to accomplish," noted Mark Lavi, DevOps Solution Architect at Nutanix, in this SYS-CON.tv interview at @DevOpsSummit at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
For over a decade, Application Programming Interface or APIs have been used to exchange data between multiple platforms. From social media to news and media sites, most websites depend on APIs to provide a dynamic and real-time digital experience. APIs have made its way into almost every device and service available today and it continues to spur innovations in every field of technology. There are multiple programming languages used to build and run applications in the online world. And just li...
Data reduction delivers compelling cost reduction that substantially improves the business case in every cloud deployment model. No matter which cloud approach you choose, the cost savings benefits from data reduction should not be ignored and must be a component of your cloud strategy. IT professionals are finding that the future of IT infrastructure lies in the cloud. Data reduction technologies enable clouds — public, private, and hybrid — to deliver business agility and elasticity at the lo...