Access, Integrity and Compliance
The inherent openness of an SOA creates security challenges that must be addressed. As applications are re-purposed and re-used, they may be extended to a new set of users, groups of people not envisioned when the application was first deployed, thereby creating security holes and risks. Traditional resource-centric security, while still necessary, is therefore no longer adequate for dynamic SOA environments. SOA security must add a user-focused security layer, called trust management, as well as a message-focused security layer to the environment, and it must ensure that all of this remains auditable. IBM provides products that enable the organization to:
Federate identity and access control across services
IBM Tivoli Federated Identity Manager (TFIM) provides an efficient and effective way to manage and provision users’ identities across the SOA environment. TFIM ensures that each user has access to applications, data and information based on their security credentials and access level, regardless of which application they are accessing.
In addition, IBM TFIM helps reduce the costs of identity management by streamlining and federating the identity management processes across the SOA environment. By federating the user’s identity credential transparently across all required applications, it eliminates the need for users to log in separately to each application and delivers a simplified single sign-on experience.
WebSphere DataPower XML Security Gateway XS40 is a powerful security and policy-enforcement point for controlling access to XML Web services, and it integrates with all types of access control architectures, such as IBM Tivoli Access Manager or Tivoli Federated Identity Manager.
Secure services and applications
Message-level security ensures that the body of a message — where the data/request information is located — is protected throughout the message’s transit, regardless of its routing, including routing through untrusted points such as routers or switches. While federated identity management supports trusted identities across disparate security domains, message-layer protection requires an additional layer of security that can parse messages, validate them against their schema, encrypt and decrypt them, and provide digital signatures for XML Web service transactions. This is often provided by a dedicated SOA appliance inside the firewall, ideally one capable of the wire-speed performance needed for real-world applications. IBM WebSphere DataPower XML Security Gateway XS40 intercepts, parses, validates, filters and decrypts the Web service request.
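The following added example (not IBM code and not part of the original page) illustrates the message-level point above: the signature covers only the Body, so a routing header changed by an intermediary leaves the request valid, while any change to the Body is detected at the gateway. It assumes a shared HMAC key in place of the X.509 signatures a WS-Security deployment would use, and a required-children check in place of full XML Schema validation; the envelope, element names and key are all constructed for the example.

```python
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET  # prefer defusedxml for untrusted input in production

# Constructed demo key shared by requester and gateway; it stands in for the
# X.509 keys a WS-Security deployment would use (assumption, not IBM code).
SHARED_KEY = b"constructed-demo-key"
REQUIRED_CHILDREN = ("account", "amount")  # stand-in for an XML Schema check
# Constructed sample request: a routing header plus a business payload.
SAMPLE_ENVELOPE = (b"<Envelope><Header><Route>hop-a</Route></Header>"
                   b"<Body><transfer><account>123</account>"
                   b"<amount>100</amount></transfer></Body></Envelope>")

def _body_bytes(root):
    """Serialize only the Body, so the signature is independent of routing headers."""
    body = root.find("Body")
    if body is None:
        raise ValueError("envelope has no Body")
    body = copy.deepcopy(body)
    body.tail = None  # whitespace after </Body> must not affect the digest
    return ET.tostring(body)

def sign_envelope(envelope_xml):
    """Requester side: add a Header/Signature element covering the Body."""
    root = ET.fromstring(envelope_xml)
    digest = hmac.new(SHARED_KEY, _body_bytes(root), hashlib.sha256).hexdigest()
    header = root.find("Header")
    if header is None:
        header = ET.SubElement(root, "Header")
    ET.SubElement(header, "Signature").text = digest
    return ET.tostring(root)

def gateway_check(envelope_xml):
    """Gateway side: parse, validate the Body's shape, then verify its signature."""
    root = ET.fromstring(envelope_xml)
    transfer = root.find("Body/transfer")
    if transfer is None or any(transfer.find(t) is None for t in REQUIRED_CHILDREN):
        return "rejected: schema violation"
    signature = root.findtext("Header/Signature")
    if signature is None:
        return "rejected: unsigned"
    expected = hmac.new(SHARED_KEY, _body_bytes(root), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(signature, expected):
        return "rejected: body altered in transit"
    return "accepted"

if __name__ == "__main__":
    signed = sign_envelope(SAMPLE_ENVELOPE)
    tampered = signed.replace(b"<amount>100", b"<amount>9999")
    print(gateway_check(signed), "/", gateway_check(tampered))
```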
Consistently enforce and audit security policy for services
To ensure the integrity of corporate security policies and meet regulatory requirements, IBM’s integrated compliance management solution enables organizations to maintain auditability throughout the SOA environment. TFIM offers complete audit and access reports of activities by transaction, by user, or by access to applications and data. Consul Insight Suite offers a robust dashboard and reporting engine through which to view the TFIM data as well as all other related security data. It stores, correlates and analyzes critical security and privileged-user data for audit and compliance.
In addition, WebSphere DataPower XML Security Gateway XS40 is a powerful policy management and enforcement point within an SOA, providing centralized control and visibility of services to meet compliance requirements. The XS40’s policy enforcement blocks XML Web service threats, ensures secured access, and enforces service levels. These SOA appliances can easily manage and secure multiple Web services and ensure full policy compliance within your IT infrastructure.