Welcome!

Microservices Expo Authors: Yeshim Deniz, Pat Romanski, Todd Matters, Mark Leake, Stefana Muller

Related Topics: Microservices Expo

Microservices Expo: Article

Is SOA Ready to Move from the Whiteboards and into Production IT?

Identity-based SOA reality check

Is SOA ready to move from the whiteboards and into production IT? As you might have guessed, the answer remains a disappointing sort of. The issue comes down to tools and infrastructure, and the fact that only some SOA components are mature and easy to source. The application server market is largely commoditized and the world is awash with IDEs that automatically generate and deploy SOA components from new or legacy code. Given these two pieces, you can begin deploying services tomorrow.

This is fine until you need to scale, then the missing pieces in the puzzle will become apparent. Security, in particular, remains such an elusive piece. Secure SOA demands that there be a binding between identity and transactions. Thus, identity follows each transaction on its flow through a SOA network. This identity can be validated and authorized anywhere work is required, but it is here where the abstract boxes on the whiteboard face an awkward mapping onto real products.

In a perfect world, the infrastructure hosting a service would have the capability to mine every possible security token out of a SOA message. Unsername/password, x.509 certificates, SAML, Kerberos, REL - all of these can encapsulate an assertion about identity. Secure SOA infrastructure must validate and enforce these claims again continuously changing, centrally managed, trust relationships and entitlements.

Some application servers can do exactly that. However, there is one truism in SOA that stands against widespread adoption of this: SOA is about diversity. We move toward SOA because of the need to integrate. Services will inevitably reside on different infrastructures, which may offer radically differing levels of enforcement capability. A five-year-old Java application server does not have the same capacity to process Kerberos tokens from within a Web services message as does Windows Vista. Technology marches on. You have both, so what do you do?

There are really only two options. First is to attempt to insert a uniform security layer on every application server. This is the agent strategy. The theory is that every system with an agent installed will enforce security in the same way. Each agent retrieves security policies from a central location, so trust relationships and security directives are always up-to-date and consistent. Agents also interface with existing directories or access management systems. This allows the validation of security tokens, the enforcement of entitlements, and the leveraging of these valuable existing assets across the SOA network.

In theory, it sounds great. Central management, delegated enforcement, consistent applications at the service host - all are desirable qualities. In practice, however, it just does not scale well. Once again, diversity across infrastructure is the source of the problem. In a mixed world of Java application servers, Ruby on Rails, .NET systems, and legacy mainframes, agents must adopt a lowest common denominator approach, and their capabilities are necessarily truncated.

Even in a relatively vendor-homogeneous environment, version mismatches between servers and differing patch levels will cause manageability issues with agents. Indeed, there is a point at which agent management becomes a burdensome side effect. Real customers report that once they install around 18 agents, the overhead of administering these instances becomes unwieldy.

If you are still not convinced, ask yourself this question: Is it likely that all of the desktop PCs in your organization have personal firewalls installed and are operational? Does this mean you can drop your external firewalls and simply expose these desktops to the outside world? Of course not. No security officer would trust individual users to configure these adequately and the logistics to manage them centrally, with the assurance that the network as a whole would pass a security audit. Centrally controlled firewalls exist for a very good reason. They assert consistent, organization-wide safeguards that are impractical to enforce on a distributed basis.

Projecting this same practical insight onto the SOA model leads to the alternative approach to identity-based SOA. This architecture still features the centralized management of policies and trust, but does not attempt the baroque logistics of fully distributed enforcement. This second option is the SOA gateway model. Access to services is strictly managed by clusters of security gateways, administered by a central authority and its delegates. These provide a consistent application of policy, leverage existing identity management assets, but scale effectively because they are autonomous units that do not have to co-reside with application servers. Essentially, they become the security gatekeepers to services.

It is important to recognize that this strategy does not advocate that you build simple castle wall architectures. That is only a single line of defense, with nothing guarding individual applications. Instead, this is an opportunity to implement a true, application-oriented defense-in-depth strategy, where zones of trust are finely grained and strictly enforced. In the former, if the wall is breached, pretty much all is lost as there is nothing to protect the individual application. In contrast, if a zone falls in the latter, the damage is contained within that perimeter and leaving the zone is as challenging as entering it.

The point is the perfect world where all SOA applications would be equally secure and centrally manageable may never exist. What we need today is a security model decoupled from applications, but financially and transactionally scalable - an SOA that can be deployed more ubiquitously than a simple front door, and more feasibly than a bodyguard on every application. SOA security gateways offer this balance now, and they are proving to be the pragmatic architect's choice.

More Stories By Scott Morrison

K. Scott Morrison is the Chief Technology Officer and Chief Architect at Layer 7 Technologies, where he is leading a team developing the next generation of security infrastructure for cloud computing and SOA. An architect and developer of highly scalable, enterprise systems for over 20 years, Scott has extensive experience across industry sectors as diverse as health, travel and transportation, and financial services. He has been a Director of Architecture and Technology at Infowave Software, a leading maker of wireless security and acceleration software for mobile devices, and was a senior architect at IBM. Before shifting to the private sector, Scott was with the world-renowned medical research program of the University of British Columbia, studying neurodegenerative disorders using medical imaging technology.

Scott is a dynamic, entertaining and highly sought-after speaker. His quotes appear regularly in the media, from the New York Times, to the Huffington Post and the Register. Scott has published over 50 book chapters, magazine articles, and papers in medical, physics, and engineering journals. His work has been acknowledged in the New England Journal of Medicine, and he has published in journals as diverse as the IEEE Transactions on Nuclear Science, the Journal of Cerebral Blood Flow, and Neurology. He is the co-author of the graduate text Cloud Computing, Principles, Systems and Applications published by Springer, and is on the editorial board of Springer’s new Journal of Cloud Computing Advances, Systems and Applications (JoCCASA). He co-authored both Java Web Services Unleashed and Professional JMS. Scott is an editor of the WS-I Basic Security Profile (BSP), and is co-author of the original WS-Federation specification. He is a recent co-author of the Cloud Security Alliance’s Security Guidance for Critical Areas of Focus in Cloud Computing, and an author of that organization’s Top Threats to Cloud Computing research. Scott was recently a featured speaker for the Privacy Commission of Canada’s public consultation into the privacy implications of cloud computing. He has even lent his expertise to the film and television industry, consulting on a number of features including the X-Files. Scott’s current interests are in cloud computing, Web services security, enterprise architecture and secure mobile computing—and of course, his wife and two great kids.

Layer 7 Technologies: http://www.layer7tech.com
Scott's linkedIn profile.
Twitter: @KScottMorrison
Syscon blog: http://scottmorrison.sys-con.com

Comments (1) View Comments

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


Most Recent Comments
Alan Karp 08/25/07 07:31:33 PM EDT

Another approach is to get away from using identity to make access decisions and use explicit authorizations instead. You can read about it in our tech report at http://www.hpl.hp.com/techreports/2007/HPL-2007-105.html.

@MicroservicesExpo Stories
Cloud Expo, Inc. has announced today that Andi Mann and Aruna Ravichandran have been named Co-Chairs of @DevOpsSummit at Cloud Expo Silicon Valley which will take place Oct. 31-Nov. 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. "DevOps is at the intersection of technology and business-optimizing tools, organizations and processes to bring measurable improvements in productivity and profitability," said Aruna Ravichandran, vice president, DevOps product and solutions marketing...
"When we talk about cloud without compromise what we're talking about is that when people think about 'I need the flexibility of the cloud' - it's the ability to create applications and run them in a cloud environment that's far more flexible,” explained Matthew Finnie, CTO of Interoute, in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
For most organizations, the move to hybrid cloud is now a question of when, not if. Fully 82% of enterprises plan to have a hybrid cloud strategy this year, according to Infoholic Research. The worldwide hybrid cloud computing market is expected to grow about 34% annually over the next five years, reaching $241.13 billion by 2022. Companies are embracing hybrid cloud because of the many advantages it offers compared to relying on a single provider for all of their cloud needs. Hybrid offers bala...
A common misconception about the cloud is that one size fits all. Companies expecting to run all of their operations using one cloud solution or service must realize that doing so is akin to forcing the totality of their business functionality into a straightjacket. Unlocking the full potential of the cloud means embracing the multi-cloud future where businesses use their own cloud, and/or clouds from different vendors, to support separate functions or product groups. There is no single cloud so...
Containers, microservices and DevOps are all the rage lately. You can read about how great they are and how they’ll change your life and the industry everywhere. So naturally when we started a new company and were deciding how to architect our app, we went with microservices, containers and DevOps. About now you’re expecting a story of how everything went so smoothly, we’re now pushing out code ten times a day, but the reality is quite different.
"We are a monitoring company. We work with Salesforce, BBC, and quite a few other big logos. We basically provide monitoring for them, structure for their cloud services and we fit into the DevOps world" explained David Gildeh, Co-founder and CEO of Outlyer, in this SYS-CON.tv interview at DevOps Summit at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
21st International Cloud Expo, taking place October 31 - November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA, will feature technical sessions from a rock star conference faculty and the leading industry players in the world. Cloud computing is now being embraced by a majority of enterprises of all sizes. Yesterday's debate about public vs. private has transformed into the reality of hybrid cloud: a recent survey shows that 74% of enterprises have a hybrid cloud strategy. Me...
If you cannot explicitly articulate how investing in a new technology, changing the approach or re-engineering the business process will help you achieve your customer-centric vision of the future in direct and measurable ways, you probably shouldn’t be doing it. At Intellyx, we spend a lot of time talking to technology vendors. In our conversations, we explore emerging new technologies that are either disrupting the way enterprise organizations work or that help enable those organizations to ...
In 2014, Amazon announced a new form of compute called Lambda. We didn't know it at the time, but this represented a fundamental shift in what we expect from cloud computing. Now, all of the major cloud computing vendors want to take part in this disruptive technology. In his session at 20th Cloud Expo, Doug Vanderweide, an instructor at Linux Academy, discussed why major players like AWS, Microsoft Azure, IBM Bluemix, and Google Cloud Platform are all trying to sidestep VMs and containers wit...
The taxi industry never saw Uber coming. Startups are a threat to incumbents like never before, and a major enabler for startups is that they are instantly “cloud ready.” If innovation moves at the pace of IT, then your company is in trouble. Why? Because your data center will not keep up with frenetic pace AWS, Microsoft and Google are rolling out new capabilities. In his session at 20th Cloud Expo, Don Browning, VP of Cloud Architecture at Turner, posited that disruption is inevitable for comp...
For organizations that have amassed large sums of software complexity, taking a microservices approach is the first step toward DevOps and continuous improvement / development. Integrating system-level analysis with microservices makes it easier to change and add functionality to applications at any time without the increase of risk. Before you start big transformation projects or a cloud migration, make sure these changes won’t take down your entire organization.
There's a lot to gain from cloud computing, but success requires a thoughtful and enterprise focused approach. Cloud computing decouples data and information from the infrastructure on which it lies. A process that is a LOT more involved than dragging some folders from your desktop to a shared drive. Cloud computing as a mission transformation activity, not a technological one. As an organization moves from local information hosting to the cloud, one of the most important challenges is addressi...
What's the role of an IT self-service portal when you get to continuous delivery and Infrastructure as Code? This general session showed how to create the continuous delivery culture and eight accelerators for leading the change. Don Demcsak is a DevOps and Cloud Native Modernization Principal for Dell EMC based out of New Jersey. He is a former, long time, Microsoft Most Valuable Professional, specializing in building and architecting Application Delivery Pipelines for hybrid legacy, and cloud ...
Companies have always been concerned that traditional enterprise software is slow and complex to install, often disrupting critical and time-sensitive operations during roll-out. With the growing need to integrate new digital technologies into the enterprise to transform business processes, this concern has become even more pressing. A 2016 Panorama Consulting Solutions study revealed that enterprise resource planning (ERP) projects took an average of 21 months to install, with 57 percent of t...
Microservices are increasingly used in the development world as developers work to create larger, more complex applications that are better developed and managed as a combination of smaller services that work cohesively together for larger, application-wide functionality. Tools such as Service Fabric are rising to meet the need to think about and build apps using a piece-by-piece methodology that is, frankly, less mind-boggling than considering the whole of the application at once. Today, we'll ...
In his session at Cloud Expo, Alan Winters, an entertainment executive/TV producer turned serial entrepreneur, presented a success story of an entrepreneur who has both suffered through and benefited from offshore development across multiple businesses: The smart choice, or how to select the right offshore development partner Warning signs, or how to minimize chances of making the wrong choice Collaboration, or how to establish the most effective work processes Budget control, or how to ma...
Hybrid IT is today’s reality, and while its implementation may seem daunting at times, more and more organizations are migrating to the cloud. In fact, according to SolarWinds 2017 IT Trends Index: Portrait of a Hybrid IT Organization 95 percent of organizations have migrated crucial applications to the cloud in the past year. As such, it’s in every IT professional’s best interest to know what to expect.
Both SaaS vendors and SaaS buyers are going “all-in” to hyperscale IaaS platforms such as AWS, which is disrupting the SaaS value proposition. Why should the enterprise SaaS consumer pay for the SaaS service if their data is resident in adjacent AWS S3 buckets? If both SaaS sellers and buyers are using the same cloud tools, automation and pay-per-transaction model offered by IaaS platforms, then why not host the “shrink-wrapped” software in the customers’ cloud? Further, serverless computing, cl...
In the decade following his article, cloud computing further cemented Carr’s perspective. Compute, storage, and network resources have become simple utilities, available at the proverbial turn of the faucet. The value they provide is immense, but the cloud playing field is amazingly level. Carr’s quote above presaged the cloud to a T. Today, however, we’re in the digital era. Mark Andreesen’s ‘software is eating the world’ prognostication is coming to pass, as enterprises realize they must be...
Colocation is a central pillar of modern enterprise infrastructure planning because it provides greater control, insight, and performance than managed platforms. In spite of the inexorable rise of the cloud, most businesses with extensive IT hardware requirements choose to host their infrastructure in colocation data centers. According to a recent IDC survey, more than half of the businesses questioned use colocation services, and the number is even higher among established businesses and busin...