MikeShaw's WebLog

Developer Security and other stuff

Security in a Service-Oriented Architecture

This week I am presenting a session I’ve titled ‘Security in a Service-Oriented Architecture’ at TechEd Europe 2004 in Amsterdam, and what better occasion to start my blog? It’s scheduled as one of the last sessions on the last day, so if you’re at TechEd and interested in what security might look like in an SOA, then please come along to room 9a at RAI at 16:15 on Friday 2nd July. Session SEC310 combines two hot topics which, for some reason, don’t often seem to be talked about together in any real detail: those of Security and SOA.

As a non-functional requirement, security is usually an implicit necessity of any architecture. To effectively apply security to an architecture, you need to understand that architecture. Since Web Services seem to be a natural fit for implementing an SOA, it would seem only appropriate that the Web Services security model be applied. But what does that mean? Is it just using WSE 2.0 to do WS-Security?

No, it’s much, much more than that, and I will be exploring some of the key issues in my session. My session is broadly in four parts. I start with a recap of SOA and then talk about message security (you know, integrity, confidentiality, tokens, etc.), followed by service security including auditing, policy and a bit about XML firewalls, and I finish up by gluing services together with Trust, Federation and distributed authorisation.
Posted: Jun 28 2004, 05:37 PM by mikeshaw | with no comments