> As Anil indicated, security should not be implemented just using a
> framework. An organization should implement a comprehensive security
> infrastructure, which comprises frameworks, mediation systems, shared
> services, and policy-oriented management and control. (I recommend using
> a combination of XML gateways and a SOA management system. I don't
> recommend using the built-in WSS frameworks in web services platforms.)
>
But before doing any of that, they should be doing threat analysis to
determine just what kind of security they need and where which will then
drive what they decide to do.
> An organization should provide training to all folks involved on how to
> effectively use the security infrastructure, and it should institute
> governance processes to ensure that security is properly implemented and
> configured in every application or service before it is promoted to
> production. I also agree with Andrew that security must be considered at
> every step in the SDLC -- starting at the requirements stage.
>
> If you leave security to the whim of the developer, then security is
> going to be a significant challenge. But security for web services is no
So I agree re: developers but can you explain more of your thinking
behind that statement? Where do you think this knowledge is held? Which
people would you expect to have the necessary skills and influence to
make this work?
> more difficult than security for any distributed computing environment.
> In fact, it might be easier, because products like XML gateways and SOA
> management can simplify and externalize most of the effort. They even
> make it relatively simple to integrate with legacy systems that
> implement proprietary authN and authZ schemes.
>
I may be misunderstanding but I've yet to see a successful security
infrastructure that worked through centralization/externalization into a
set of products save for a few trivial cases. For example, these
products don't really help much with issues such as trojan horses or
back doors - of course that's not a concern for all establishments.
As I said, real security is a cross-cutting issue that can't be
centralized. It requires across the board work on OS configuration,
hardware access, software implementation etc. It's typically achieved
through a set of inter-locking behaviours (human and computer) that in
combination provide security.
For example, authentication is fine as a mechanism but if you're passing
the information in plain-text you're wasting your time.
Dan.
SPONSORED LINKS
| Computer software | Computer aided design software | Computer job |
| Soa | Service-oriented architecture |
YAHOO! GROUPS LINKS
- Visit your group "service-orientated-architecture" on the web.
- To unsubscribe from this group, send an email to:
[EMAIL PROTECTED]
- Your use of Yahoo! Groups is subject to the Yahoo! Terms of Service.
