by
Mehmet Akyüz , Senior Architect , Software AG Australia
Hi Dana,
There are several aspects to SOA Security:
- Traditional IT security, basically information and system security: Systems exposing SOA services must be properly secured (located behind DMZ, Reverse HTTP Gateways, solid authentication and authorization etc.)
- Vulnerabilities brought to the table by SOA: SOA is based on the idea of business and IT capabilities exposed as services. That means a fraudulent app or person who has access to the service also has access to the information provided by the back end systems. I.e. services can be exploited as back doors to back end systems. This is essentially critical with services exposed to extranet/intranet. To avert such situations, there are some standards for service encryption, access and secure messaging (E.g. WS-Security, OAuth, SAML, WS-Trust). Also, it is common practice to have a SOA gateway which acts as a central watchdog for services exposed to internal & external consumers.
Hope that helps,
Mehmet.
