Building Security into a Service-Oriented Architecture
Service-oriented architectures (SOAs) based upon Web Services are an evolutionary improvement upon existing IT architectures, primarily because these SOAs offer loose coupling between Service producers and consumers. Loose coupling refers to a level of independence between the participants in a Web Services interaction that allows them to interact on their own terms, without requiring substantial changes on one system when the other changes. Such loose coupling enables an enterprise’s IT infrastructure to be agile in the face of change.
Loose coupling, however, while simple to understand, is complex to implement. There are many requirements facing an enterprise’s IT infrastructure that threaten the loose coupling of its architecture, and the most significant of these is security. Because fundamental security principles require a Service to authenticate a consumer, the Service and its consumer run the risk of being tightly coupled, unless the security itself can be handled in a loosely coupled fashion.
A Service-oriented approach to security therefore requires a management solution that supports and enables both the SOA and its security infrastructure. That management solution must itself preserve loose coupling, so that the security infrastructure in an SOA can be Service-oriented.
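The coupling argument above, as an added illustration that is not part of the original article: a Service that checks consumer passwords itself is bound to that consumer's credential store, while a Service that only verifies a signed token from a trusted issuer can keep working when the consumer or its identity provider changes. The token format, issuer key and credential values are constructed for the example (an HMAC-signed token stands in for a real security token service).

```python
import base64
import hashlib
import hmac
import json
import time


def issue_token(issuer_key: bytes, subject: str, roles: list, ttl: int = 300, now=None) -> str:
    """Issuer (security token service) side: sign claims about the consumer."""
    now = time.time() if now is None else now
    claims = {"sub": subject, "roles": sorted(roles), "exp": now + ttl}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    mac = hmac.new(issuer_key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


def verify_token(issuer_key: bytes, token: str, now=None):
    """Service side: accept claims only if the trusted issuer signed them and they are unexpired."""
    now = time.time() if now is None else now
    body, sep, mac = token.partition(".")
    if not sep:
        return None
    expected = hmac.new(issuer_key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):  # constant-time check of the issuer's MAC
        return None
    try:
        claims = json.loads(base64.urlsafe_b64decode(body))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims


# Constructed credential store that a tightly coupled Service has to maintain itself.
CONSUMER_PASSWORDS = {"orders-client": "constructed-password"}


def tightly_coupled_orders_service(username: str, password: str):
    # Any change to the consumer's credentials or identity store is a change to this Service too.
    stored = CONSUMER_PASSWORDS.get(username, "")
    if not hmac.compare_digest(stored.encode(), password.encode()):
        return None
    return ["order-1", "order-2"]


def loosely_coupled_orders_service(issuer_key: bytes, token: str, now=None):
    # Knows nothing about consumer credentials; trusts only the issuer's signature and the claims.
    claims = verify_token(issuer_key, token, now)
    if claims is None or "orders:read" not in claims["roles"]:
        return None
    return ["order-1", "order-2"]
```

The consumer can rotate passwords, move to a new identity provider, or be replaced entirely without touching the loosely coupled Service, as long as the issuer contract holds.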