SOA developers need to externalize authorization management, while ensuring local enforcement of access policies to meet new security and governance requirements.
Authorization for well-orchestrated services
SOA governance is becoming increasingly important to avoid the chaos that emerges out of uncoordinated initiatives. XACML addresses essential SOA security requirements by introducing authorization as a service. In fact, effective SOA governance can hardly be achieved without some kind of shared authorization service as suggested by XACML.
The Open Group, for instance, with its Service Integration Maturity Model (OSIMM), suggests service security policies should be "dynamic and managed in real-time" if a maturity level of 7 is to be achieved. In many enterprises, the SOA reality represents a patchwork where access control configurations are made per service as illustrated below.
Layers of overlapping services are added as needs evolve. These are usually delivering data from a base of legacy information systems to users. The dangers of separate access control mechanisms being implemented in each single service becomes obvious, especially in scenarios where data from multiple services is combined into mash-ups.
The perspective of one single component is simply too narrow for a valid access control decision. Fortunately, the solution lies within the SOA technology itself. Authorizations and access control can be deployed as yet another service. Moreover, the authorization service inherently has the benefits of the SOA concept. This is achieved by consolidating and centralizing administration of authorizations and externalizing real-time access enforcement as opposed to what is commonly provided through proprietary solutions in siloed applications.
Let the walls come tumbling down. The benefits of breaking the wall of silos and providing authorizations as a centralized service to other services and applications are:
- Simplified administration of policies.
- Enterprise-wide access policies through design and enforcement of policies which implement dependencies across applications.
- Efficient compliance and auditing through elimination of inconsistencies between policies in different applications.
- Faster and more cost-efficient adaptation to changing requirements by implementing access control in terms of policies and not as part of the application code.
One of the main drivers of SOA based IT solutions is to make the enterprises agile and ready to adapt to organizational changes and the dynamics of their environment. This puts a lot of pressure on selected security solutions, including authorization management and access control. Information security should not be a bottleneck. Authorization mechanisms need to be as agile as the SOA concept itself, yet handle access policies which can dynamically adapt to a changing context.
In terms of OSIMM, maturity level 7 "Dynamically Re-Configurable Services", implicitly makes an architectural solution corresponding to the XACML standard a necessity. Even with lower maturity levels, the advantage becomes obvious if the selected architecture offers authorization as a centralized service. Entitlement Management and Attribute Based Access Control (ABAC) based on XACML provides an ideal policy based solution for SOA environments. It provides efficient policy enforcement within each service while enabling a transfer of access policy management from IT to the business. Partners of Axiomatics have successfully incorporated XACML based authorization in their models, enabling a high level of maturity in their solutions and providing cost savings through efficient reuse of components.