
Navigating the SOA Security Waters

A critical aspect to success with SOA

Security Is Job One
While each organization will chart its specific goals and objectives associated with SOA, there are three benefits that nearly every company agrees will justify the journey. These are a boost in productivity, streamlined business processes, and decreased costs of ownership through reuse.

The Catch-22 is that maximizing the benefits of SOA (business flexibility) requires that a company, its customers, and its partners willingly share information across their organizational boundaries, and that makes data protection a priority.

With a fully articulated SOA vision, a company's infrastructure will be able to support subtle or dramatic market changes without requiring an expensive rip-and-replace exercise. However, one of the most critical make-or-break factors in the success will continue to be the company's approach to data protection and security.

This need is confirmed by the arrival of many new players in the SOA security space as well as a recent spree of acquisitions in this market by more established vendors.

With more choices on the market, it may seem that selecting an SOA security tool would be easier. In fact, the opposite is true, because the lines have blurred when it comes to defining the role of an SOA security "offering" and whether it is a snap-on appliance, a suite of software tools, or a platform. Depending on the environment, security measures could include one or all of these.

SOA Security Appliances
SOA security appliances represent an important element in a company's approach to SOA. SOA appliances are easy-to-install hardware devices that simplify, secure, and accelerate a company's XML and Web services deployments by acting as both an internal and external gateway. They combine SOA management and security functions in a single device.

The rapid growth of SOA security appliances can be attributed to the array of features and benefits they offer. The following is a top 10 list that outlines the potential value of security appliances in an SOA.

  1. Time and cost savings: SOA security appliances can be installed quickly and easily, and require minimal maintenance.
  2. Compliance support: Security appliances can help companies meet mandates such as the Health Insurance Portability and Accountability Act (HIPAA) and the Payment Card Industry (PCI) data security standards, while simplifying the ongoing management of the SOA.
  3. Protection against critical XML vulnerabilities: SOA security appliances can help protect against unauthorized access to a Web service, attempts to corrupt data integrity or compromise user confidentiality, attacks on the underlying software and systems, and denial of service.
  4. Centralized Web service management and monitoring: An appliance can ensure that only authorized users access repositories while reinforcing the overall integrity of the SOA infrastructure.
  5. Lower development costs: By shifting the delivery of SOA services from pure development to an operational capability, an appliance brings down development costs.
  6. Faster SOA deployments: By rapidly exposing secure services to authorized third parties, appliances enable businesses to uncover new opportunities quickly and easily.
  7. Proactive identification of potential threats: SOA appliances inspect every incoming message, perform authentication and authorization immediately, and reject invalid requests before they reach back-end servers.
  8. Governance: An appliance supports SOA governance by streamlining and managing requests to the server and access to the Web services repository.
  9. Improved performance: An SOA appliance can help improve a number of core processes, including those that generate high Web traffic such as financial transactions, online shopping, inventory optimization, and synchronized multi-channel products.
  10. Reduced reliance on IT: The appliance can simplify the infrastructure, improve performance, and ensure higher levels of security throughout the SOA.
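
To make items 3 and 7 concrete, here is an added example (not code from the article or from any vendor's appliance) of the kind of message-inspection policy an XML gateway applies before a request reaches the back end: size limits, refusal of DTDs (which entity-expansion and external-entity attacks depend on), a nesting cap, and an allow-list of exposed operations. The policy values, namespace usage, and the three sample SOAP messages are constructed for this illustration.

```python
import xml.etree.ElementTree as ET

# Gateway policy (assumed values chosen for this illustration).
MAX_BYTES = 64 * 1024                       # refuse oversized payloads before parsing
MAX_DEPTH = 32                              # cap nesting to blunt deeply nested XML DoS
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
ALLOWED_OPS = {"GetOrderStatus", "SubmitOrder"}   # constructed allow-list of exposed operations

def _depth(elem, level=1):
    return max([level] + [_depth(child, level + 1) for child in elem])

def inspect_message(raw: bytes) -> tuple[bool, str]:
    """Return (accepted, reason). Cheap checks run first so hostile input
    is rejected before it costs the back-end server anything."""
    if len(raw) > MAX_BYTES:
        return False, "payload too large"
    lowered = raw.lower()
    # Any DTD is refused: entity-expansion ("billion laughs") and external-entity
    # (XXE) attacks both need one, and a SOAP message never does.
    if b"<!doctype" in lowered or b"<!entity" in lowered:
        return False, "DTD/entity declarations not allowed"
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        return False, f"malformed XML: {exc}"
    if _depth(root) > MAX_DEPTH:
        return False, "nesting too deep"
    if root.tag != f"{{{SOAP_NS}}}Envelope":
        return False, "not a SOAP envelope"
    body = root.find(f"{{{SOAP_NS}}}Body")
    if body is None or len(body) != 1:
        return False, "Body must carry exactly one operation"
    op = body[0].tag.rsplit("}", 1)[-1]       # strip the namespace prefix
    if op not in ALLOWED_OPS:
        return False, f"operation {op!r} not exposed"
    return True, op

# Constructed sample traffic: one valid request, one entity-expansion bomb,
# and one request for an operation the gateway does not expose.
GOOD = b"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body><GetOrderStatus xmlns="urn:example:orders"><id>42</id></GetOrderStatus></soap:Body>
</soap:Envelope>"""
BOMB = (b'<?xml version="1.0"?><!DOCTYPE x [<!ENTITY a "aaaa"><!ENTITY b "&a;&a;&a;&a;">]>'
        b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
        b'<soap:Body>&b;</soap:Body></soap:Envelope>')
BAD_OP = GOOD.replace(b"GetOrderStatus", b"ResetInventory")
```

Running inspect_message over the three samples accepts GOOD with its operation name and rejects BOMB before the parser ever sees the entity declarations, and BAD_OP after parsing because the operation is not on the allow-list.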

The preferred SOA security appliance should facilitate integration with existing applications by exposing them as services, and by defining and enforcing XML security, data transformation, and data validation.

Security Software - Why Identity Management Also Matters
Complementing SOA security appliances, security software can bolster the resilience of the SOA-supported business processes. Its overarching role in an integrated architecture is to help administrators and support personnel monitor, manage, secure, and control the end-to-end implementations of SOA-based services and application components. This strategy is becoming increasingly important as companies focus on sharing and distributing information to drive business, and they will soon reach a point where end users no longer tolerate inconsistent integration practices.

Furthermore, businesses need to conduct transactions without being halted at every gate for further proof of identity. To this end, identity management software should provide users with policy-based, integrated security management that ensures secure access to information and services without replicating identities at both companies, which causes delays and additional costs. In addition, single sign-on tools for SOA should integrate security across applications, whether they reside on-site or are hosted virtually, to support a company that is expanding operations, merging assets, or refining its approach to compliance and governance.
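
The "no replicated identity" point above is worth seeing in code. The following added example (not from the article or any product) sketches the federation pattern: a partner's identity provider signs a short-lived assertion after its own sign-on, and our service gateway verifies the issuer, signature, audience, and expiry, then derives permissions from the asserted role instead of a locally provisioned account. It assumes a shared HMAC key per partner as a stand-in for the X.509-signed SAML or WS-Trust tokens a real federation would use; issuer names, the audience, the roles, and the secrets are constructed.

```python
import base64, hashlib, hmac, json, time

# Shared secrets per trusted partner issuer (constructed values; a production
# federation would verify X.509-signed SAML or WS-Trust tokens instead).
TRUSTED_ISSUERS = {"idp.partner-a.example": b"partner-a-shared-secret"}
AUDIENCE = "orders.ourcompany.example"        # the service this gateway fronts
# Authorization is derived from the role the partner asserts, so no local
# user record has to be provisioned or kept in sync.
ROLE_PERMISSIONS = {"buyer": {"GetOrderStatus", "SubmitOrder"},
                    "auditor": {"GetOrderStatus"}}

def issue_assertion(issuer, subject, role, key, ttl=300, now=None):
    """Partner IdP side: sign a short-lived claim set after local sign-on."""
    now = int(time.time()) if now is None else now
    claims = {"iss": issuer, "sub": subject, "aud": AUDIENCE,
              "role": role, "exp": now + ttl}
    payload = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.b64encode(payload).decode() + "." + base64.b64encode(sig).decode()

def verify_assertion(token, now=None):
    """Gateway side: accept the partner's claim without a local copy of the
    user. Returns (True, subject, permissions) or (False, reason, set())."""
    now = int(time.time()) if now is None else now
    try:
        p64, s64 = token.split(".")
        payload, sig = base64.b64decode(p64), base64.b64decode(s64)
        claims = json.loads(payload)
    except ValueError:                         # covers unpack, base64 and JSON errors
        return False, "malformed assertion", set()
    if not isinstance(claims, dict):
        return False, "malformed assertion", set()
    key = TRUSTED_ISSUERS.get(claims.get("iss"))
    if key is None:
        return False, "untrusted issuer", set()
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected): # constant-time comparison
        return False, "bad signature", set()
    if claims.get("aud") != AUDIENCE:
        return False, "assertion not meant for this service", set()
    if claims.get("exp", 0) <= now:
        return False, "assertion expired", set()
    return True, claims["sub"], ROLE_PERMISSIONS.get(claims.get("role"), set())
```

The gateway never stores the partner's users; revoking a partner means removing one entry from TRUSTED_ISSUERS, and the short expiry bounds how long a captured assertion is useful.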

Putting Together a Security Platform - Seven Security Guidelines
Since one of the key drivers of SOA adoption is reuse and leveraging a company's existing IT investments, the environment that supports and reinforces security in the SOA infrastructure should meet the following seven criteria:

  1. Centralize and store security data to improve overall security operations and information risk management.
  2. Provide a security-enforcement point for Web services.
  3. Automatically recognize, investigate, and respond to incidents.
  4. Create a centralized platform to manage provisioning, authentication, and authorization.
  5. Provide comprehensive reporting including historical reporting, self-auditing, and tracking capabilities.
  6. Offer multiple deployment options based on a modular architecture that easily adapts to a company's current and future security infrastructure requirements.
  7. Provide an environment to support managed security services that result in reduced operational costs through automation and speedy implementation.

Since security is a critical aspect of a company's success with SOA, it is vital to include both appliances and software in the infrastructure. However, this does not mean that companies need to abandon their existing investments in technology, nor should it require an uncomfortable budget discussion with the CIO.

With a standards-based SOA, additional security offerings can be integrated easily, without a negative impact on the company's existing applications or hardware and without significant investments of time and money. What will make a difference is an SOA strategy that reflects the company's longer-term goals and is designed, built, and deployed by a team whose skills and expertise span both the business and IT sides of the company.


More Stories By Devi Gupta

Devi Gupta is vice president of marketing at Prolifics, an end-to-end systems integrator based in New York, NY.
