Identity’s role in SOA

“Identity and Web services are closely related,” says Jamie Lewis, Burton Group’s CEO and research chair. “It’s almost a yin and yang.”

As to whether SOA (service-oriented architecture) leads to identity or whether enterprise adoption of identity fosters greater acceptance of SOA, Lewis sees it as a chicken-and-egg problem. Each encourages the other. Although much discussion has addressed the potential security problems of Web services, Lewis believes that SOA will ultimately lead to better security across the enterprise.

The problem, Lewis says, is that when it comes to security, developers have historically been forced to repeatedly reinvent the wheel. Whereas modern programming languages such as C#, Java, and Python incorporate levels of abstraction that free developers from thinking about low-level tasks such as memory management, there are no such standard facilities for the basic functions of user authentication and authorization.

By building standard security mechanisms and exposing them as Web services, network administrators not only enforce more consistent security policies, but application developers are freed from the low-level drudgery of building explicit security controls into their software.

“It’s an opportunity to begin the process of getting application architecture to understand infrastructure architecture,” Lewis explains.

Identity-based security controls are the natural choice for SOA because they are not dependent on any single application design or technology. Any number of tools could be used to authenticate a user to a given identity, for example, ranging from simple passwords, to digital certificates, to Kerberos, to biometrics. Individual services need not know anything about the underlying authentication system so long as they are satisfied with the validity of the user’s digital identity.

As SOAs evolve, Lewis says, the role of identity will continue to expand, moving beyond its current associations with user accounts and permissions to include the identities of the services themselves. Particularly, as services begin to connect to one another without direct human intervention, the need to validate the source of service requests will become ever more pressing.

According to Chris O’Connor, director of security strategy at IBM, Big Blue’s Tivoli division is working to establish the same standards for the identities of machines as for the identities of individuals. Picture a server, for example, capable of testing its current operating status against a set of well-known, static properties to determine whether its OS has changed or a hard drive has been removed — in a sense, validating its own identity. Such a system would go a long way toward establishing levels of trust among automated, distributed Web services.

“Most of the work that has been done has been on the identity of people,” Lewis says. “But in the long run, the identity of things will be more important.”