Aujas US

An IDG Ventures Company

Service Oriented Architecture (SOA) Security in the Cloud

Privacy and security in the CloudAccording to Gartner, cloud computing is “a style of computing where massively scalable IT-related capabilities are provided ‘as a service’ across the Internet to multiple external customers”. Service-oriented architecture (SOA), on the other hand, is a collection of services that communicate with each other. Says David Linthicum, a widely acknowledged SOA expert, “SOA is an architectural pattern, while cloud computing is a set of enabling technologies as a potential target platform or technological approach for that architecture.” Therefore, SOA and cloud computing are complementary and not mutually exclusive.

For a while now, companies and business leaders have been interested in moving to a cloud environment to enable growth at lower costs. By combining SOA and cloud computing, it becomes possible to reduce the time taken to implement technology, enhance business performance and expose the existing legacy application over the Internet.

Clouds enable outsourcing of many or all IT functions, making regulatory, operational and baseline compliance difficult. Moreover, the complexity involved in combining data, applications and infrastructure with the cloud requires securing the underlying architecture.

The role of SOA in cloud computing is important because a successful cloud solution requires an in-depth understanding of the architecture, the services offered and how to leverage them. Finally, cloud computing becomes part of the architectural arsenal to create a successful SOA.

Security Considerations for SOA

The most common security considerations involving cloud-based services include the following:

Governance control – In a governance-free environment, coordinated cloud service planning and monitoring mechanisms, which are needed to meet security standards, become difficult. In addition, rogue cloud services could wreak havoc on the delicate trust between providers and businesses. Concerns here include not knowing where data resides, what happens to the data if a decision is made to change services, and how the service provider guards customer privacy. Contracts must outline the service provider responsibility in case of a breach. The cloud is still evolving and as a result, processes do not yet have a standard format. Quality-of-service terms, mechanisms for security and privacy are developing, business continuity issues around failed providers are not well established and regulatory issues raise many questions. 

Infrastructure Security – As the cloud’s infrastructure and resource pool are shared among multiple users, unified monitoring and control has become almost impossible. Relying on the host’s security controls might compromise data, especially as the service provider cannot separate data. The data and the service provider’s hosting process are executed and managed in shared environments. This requires extending trust to external services and permitting secure data residing on company servers to be moved into a less-secure environment. With a heterogeneous infrastructure, the more individual technologies and processes in play, the harder it gets to ensure control and consistency. If the service is hosted on a heterogeneous cloud-based platform, managing security or even changing vendors becomes difficult.

Communication Security – As the cloud inherently provides an elastic platform for providing services, there is a need for these services to communicate with each other to perform various tasks. SOA is moving us from User-to-Business communication to Business-to-Business communication. This new way of communicating brings in many decoupled software components to interact with each other in a standard format. The lack of trusted authorities and lack of security in communication protocols could create havoc for the services.

Software Security – Most of the services today are enabled as stateless machines providing optimized solutions for B2B interactions. This has inherent security issues that have to be addressed through the entire software life cycle, starting from specification through to the release stage.

Service Integration – In an SOA, services integration is often overlooked. “Silo” services have to interact with each other to provide end user solutions. Hence there is high need for security in the SOA integration stage. 

Summary

Contrary to the popular notion that cloud computing will make SOA redundant, they actually complement each other. In fact, having a strong SOA can make the transfer to cloud-based services easier, less complicated and more secure. Cloud-based SOA is all about delivering services with increased agility and efficiency keeping companies competitive and contemporary. To keep up with the new technology, improved security measures, a strong understanding of the cloud plus selection of the right vendor are critical.

January 11, 2011 Posted by | Cloud Security, Service oriented architecture | , , , , | Leave a comment