CHAPTER 11

SOA Security

If you think technology can solve your security problems, then you don’t understand the problems, and you don’t understand the technology.

– Bruce Schneier

In the very brief history of SOA architecture and design, security is one aspect that is sometimes overlooked. A vital piece of the SOA puzzle, security consists of a series of requirements that demands a well-thought-out plan, design, and implementation. No specific technology is a silver bullet — a successful SOA security solution can only be accomplished by understanding the foundational principles of information security and mastering SOA architecture and design. Anyone who has such knowledge can understand that it is essential to adopt a security strategy for SOA and a security architecture roadmap early on. A smart SOA security strategy allows business applications to meet the needs of organizations and their business partners by incorporating the classic security goals of authentication, authorization, integrity, confidentiality, non-repudiation, auditing, and availability.

The security challenges in SOA are complicated by the state of today’s business practices. This is the age of dynamic business partners, whereby organizations share information on a short- and long-term basis with other enterprises, and as a result, networks have become porous, blurring the line between “internal” and “external” networks. Gone are the days of monolithic applications protected only by corporate ...

Get Applied SOA: Service-Oriented Architecture and Design Strategies now with the O’Reilly learning platform.