In an era where security breaches are as common as apple pie and backyard baseball, all the talk surrounds keeping networks and systems secure. In an SOA environment, security is just as important, though it looks a little different than security in other architectures. Aside from the obvious purpose of SOA security (keeping systems safe from attack), there is a side benefit: the ability to identify the services that are most and least used, which is truly valuable information in the SOA environment. Here are the best practices to follow when securing your SOA infrastructure.
Determine Your Goals and Strategies
You won’t arrive at the right place if you don’t start on the right road. Sit down and flesh out what your goals and strategies will look like before implementing anything.
The inevitable goal of security has to be broken down into clearly defined parts. That means identifying the threats most likely to affect your infrastructure and setting out specific strategies (including the deployment of tools and products) to thwart these particular threats. Be as specific as possible.
Determine Your Policies and Procedures
With your goals and strategies in mind, develop policies (such as, what traffic will be allowed, what the policies for accessing a specific service will be, etc.) and then set out specific procedures for enabling activities according to sound policy. It is important to note that policies have to be established and followed from the top down. In other words, it’s not okay to have a policy that doesn’t apply equally to executives and to other workers. While some workers may have access to services that others do not, there has to be a clear means of authorizing access that everyone has to follow.
Set Up Governance Mechanisms
What mechanisms will you put into place to assure that security policies are followed? There are good monitoring tools that allow IT to see what is being accessed, by whom, and when. These tools give you great visibility into the environment’s security, but also serve as a means to track high-use and low-use services. This gives IT the opportunity to provide more popular services and to identify why some services are not well utilized. Do they not serve their intended purpose? Is there simply not enough demand for them? Is there another solution that users find easier or more practical to use? All of this is valuable information in addition to providing great security for the environment.
Continue to Analyze and Improve Your Processes
What’s working? What isn’t? What new threat needs to be addressed before it becomes an issue? The key to a secure SOA environment is continual monitoring, adjusting, and improvement.
Unfortunately, SOA security is not a one-and-done deal. It requires adjustments over time as certain policies and procedures need to be tweaked and updated. Establish metrics that can be used to determine what’s working optimally and what needs to be adjusted. Also, keep up with the latest SOA security threats and develop a means to set up and deploy solutions to new threats as they come around. The proactive IT department is the one who won’t spend 2016 auditing SOA security breaches.
These postings are my own and do not necessarily represent BMC's position, strategies, or opinion.