Securing business operations in an SOA

Service-oriented infrastructures pose new challenges in a number of areas, notably with regard to security and dependability. BT has developed a combination of innovative security solutions and governance frameworks that can address these challenges. They include advances in identity federation; distributed usage and access management; context-aware secure messaging, routing and transformation; and (security) policy governance for service-oriented architectures. This paper discusses these developments and the steps being taken to validate their functionality and performance. IT and communication service providers and their corporate customers are increasingly introducing Service-Oriented Architectures (SOAs) to cut costs, enhance their agility and reduce time-to-market. Service-Oriented Infrastructures (SOIs) amplify such benefits. In contrast to traditional infrastructures, in which resources that were scaled to meet peak demand were dedicated to particular applications on a permanent basis, SOIs exploit virtualisation to the full, allocating resources to applications in a way that constantly matches supply with demand. Simultaneously, the ways in which organisations manage their affairs are changing. Their workforces are much more mobile, for example, and suppliers and outsourcing partners play much bigger roles in the delivery of their products and services. Increasingly, organisations also want customers to be able to serve themselves, interacting directly with corporate IT systems to make purchases, report faults and so on. To support such new ways of doing business, organisations must make their IT systems available beyond their corporate networks. It isn't just a matter of allowing customers, suppliers and partners to log on and use whichever IT systems they need to complete their tasks. Increasingly, those who work together will also want to integrate their infrastructures and applications so that policies and data relevant to their relationships can flow securely between them in accordance with their agreements. Together, these developments pose new challenges in the areas of security and compliance. On the one hand, the incidence of attacks that exploit networked computing power and collaboration technology to gain access to corporate IT systems, steal information and cause damage has been increasing. It is reasonable to expect the problem to grow further as the use of distributed SOIs becomes commonplace. On the other hand, factors such as distributed ownership can make attacks particularly difficult to detect and address: as noted in [1], malicious intent is often only recognisable as an emerging property of the network. This is an issue that clearly needs to be addressed. Once threats have been identified, an immediate and …