SOA Security: Centralize & Integrate
Written by Tony Baer, Associate Analyst, ZapThink.
SOA adds a new dimension to information technology (IT) security challenges. Usage is dynamic and conditional: at design time, Service providers may not know how users may eventually consume the Services. Making trust explicit is therefore a key requirement for SOA, and establishing two levels of entitlements, coarse-grained and fine-grained, is critical for efficiently supporting the security needs of large groups of Services from diverse application sources.
SAIC, a systems integrator with over 37 years of serving public and private sector clients with some of the world’s most demanding security requirements, is applying its expertise and investing heavily in SOA. As a result of its extensive research involving multiple technologies and vendors, covering client application authentication, XML Security Appliances, and application server platforms across a variety of SOA scenarios, SAIC has developed a general architecture for SOA Security that provides centralized coarse-grained authorization and access control while implementing fine-grained authorization at the service level.
SAIC recently applied that experience to a pioneering installation serving a multinational oil and gas company, implementing a scalable SOA solution and SOA security architecture for B2B collaboration that interoperates across a diverse internal environment with multiple standards for enforcing security.