Depending on who you ask, Service-Oriented Architecture (SOA) security is either a pressing problem the industry still must come to grips with or something that’s been fixed since the client/server era.
With client/server computing, the mainframe was seen as the giant server providing server functionality to myriad distributed clients. If you use the same analogy, the mainframe today is poised to play the role of the giant services provider to various flavors of distributed systems consuming those services.
Still, many mainframe data center managers were never comfortable with client/server computing. They were reluctant to open their core mainframe systems to all these clients distributed throughout the enterprise and beyond.
Attitudes haven’t changed much with the advent of SOA. Services, at least the reusable ones, take on a life of their own. In theory, people who may not be disciplined IT professionals can create composite applications by reusing various combinations of services. The customer shipping address service initially created for use with the distribution center system, for instance, could suddenly be re-combined with other services to make a completely new application that has nothing to do with the distribution center. Who are these people and what are they doing with my precious service and data? It quickly becomes apparent why mainframe managers are nervous about SOA.
“Security always comes up when we talk about SOA,” says Robert Morris, senior vice president, GT Software, Inc. “There isn’t a customer who doesn’t have concerns.”
The industry recognizes security as an essential ingredient in the SOA mix. Already, SOA planners can take advantage of well-tested, standardized security protocols, and more granular security protocols are in the works. Similarly, tools from vendors such as GT Software, SOA Software, Forum Systems, Infravio, and others help companies expose pieces of mainframe functionality as reusable services while incorporating the latest Web Services and SOA security protocols as they interface with IBM’s RACF, CA-Top Secret, and other mainframe security tools.
As a result, SOA might even be considered more secure.
“You end up creating an additional layer of security,” says Walid Negm, vice president, Forum Systems Inc. That layer of security typically takes the form of XML firewalls and SOA gateways, which inspect messages passing to and from the mainframe and enforce policy so only appropriate, policy-compliant traffic gets through.
A Question of Trust
Security is a concern with anything having to do with information systems. No one wants to be liable for the theft of thousands of customer identities or the loss of confidential employee data or any of the other headline-grabbing events resulting from an IT systems security failure. Understandably, the urge to tightly lock down the mainframe is powerful.