
Security rules in SOA management

by Keith Rodgers
November 24th, 2004

Which comes first in an SOA strategy — security or management?

Early adopters who deploy web services monitoring and management want to see it closely integrated with effective identity management and perimeter security:
  • Recent vendor takeovers and alliances are a response to this market reality
  • Customers must bridge the organizational divide between security and management
  • A more holistic approach impacts how security is implemented and managed
  • It becomes easier to implement more flexible policy management
  • Demand for monitoring and management capabilities will grow as a result


Whichever you choose to prioritize, there's no getting away from what SOA management vendors have been finding in their early engagements with customers: the delivery of web services monitoring and management is closely knitted to effective identity management and perimeter security.

That realization has fueled much of the merger and acquisition activity among SOA management vendors in recent months, most notably the acquisition of Confluent Software by identity management provider Oblix, and last month's merger of leading management supplier Actional with XML firewall vendor Westbridge Technology. Others have scrambled to seal partnerships between management and security specialists.

Inevitably, these new alliances have spawned conflicting assessments of how customers should move forward, dictated in part by vendors' own development heritages, and in part by customers' organizational structures and perceived needs. Customers need to understand what the issues really are, and which responses by the IT vendor community to heed.

It's somewhat discouraging — if not surprising — that many organizations continue to treat security and management as separate, if loosely connected, issues. In part, that's because security and systems management have traditionally been the responsibility of separate IT functions. John Lilly, co-founder and CTO of security vendor Reactivity, points out that web services management tends to be the domain of application developers and enterprise architects, while operational staff — such as the VP operations or VP network operations — take responsibility for security.

That divide between application development and operational security has worked so long as security could be embedded in a network hardware appliance, but when it runs across both hardware and software solutions, the implications aren't confined to the operational domain.

Across the divide
Some organizations are beginning to think across the divide. Ian Goldsmith, VP product marketing at SOA management and security vendor Digital Evolution, argues that customers are increasingly taking a broader perspective in the procurement and planning processes. Rick Caccia, senior director of product management at Oblix, sees similar evidence that customers are beginning to look at the different components of their project holistically. And among early adopters, there's hard evidence of this broader approach: Thomson Prometric, one of the first adopters of web services management capability, tested its prospective management suite alongside a new security system prior to purchase.

This holistic approach signals several significant shifts in the market. There are important implications for how customers deploy security-specific elements such as authentication (who is the sender of the message?) and authorization (what are the sender's access rights?). Broader architectural aspects of identity management and policy enforcement are also affected, such as how identity information and security policies get passed between domains.

The final impact of taking a more holistic approach is that it becomes possible to enforce other identity-specific characteristics such as quality of service alongside the essential security permissions.

Digital Evolution, for example, sketches an architecture with a common policy definition point containing policy manager, registry, alert manager and a console. The policy management process is separated from multiple enforcement points at the web server, application server and elsewhere. This is part of a richer services framework that it describes as the SOA Fabric, incorporating security (based on integration with Netegrity and IBM Tivoli), registry, development, workflow and orchestration, and management, built on top of a transportation and governance platform.

This converged approach — also targeted by Actional after its merger with Westbridge — makes it possible, for example, to define different service levels for different categories of user, and change these from a single policy control point, rather than having to manually configure each individual combination of application and user.
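To make the separation between a single policy definition point and its many enforcement points concrete, here is an added illustration that is not code from the article or from any of the vendors it names: one central policy object holds per-category permissions and quality-of-service terms, and two enforcement points consult it on every call. The category names, subjects, secrets and operations are constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class CategoryPolicy:
    """Security permissions and QoS terms defined once per user category."""
    allowed_ops: set    # operations this category is authorized to invoke
    rate_limit: int     # calls allowed per enforcement point (a QoS term)
    priority: str       # service level label attached to allowed calls


class PolicyDefinitionPoint:
    """Single control point: category policies plus identity-to-category mapping."""

    def __init__(self):
        self.categories = {}   # category name -> CategoryPolicy
        self.identities = {}   # authenticated subject -> category name
        self.credentials = {}  # subject -> shared secret (constructed stand-in for an identity store)

    def set_category(self, name, policy):
        self.categories[name] = policy   # changing this here changes every enforcement point

    def register(self, subject, secret, category):
        self.credentials[subject] = secret
        self.identities[subject] = category

    def authenticate(self, subject, secret):
        return self.credentials.get(subject) == secret   # who is the sender?

    def lookup(self, subject):
        return self.categories.get(self.identities.get(subject))   # what may they do?


class EnforcementPoint:
    """One of many PEPs (web server, app server); holds no policy, only local counters."""

    def __init__(self, name, pdp):
        self.name, self.pdp, self.calls = name, pdp, {}

    def handle(self, subject, secret, op):
        if not self.pdp.authenticate(subject, secret):
            return "deny: authentication failed"
        policy = self.pdp.lookup(subject)
        if policy is None or op not in policy.allowed_ops:
            return "deny: not authorized"
        self.calls[subject] = self.calls.get(subject, 0) + 1
        if self.calls[subject] > policy.rate_limit:     # QoS enforced alongside permissions
            return "throttle: over rate limit"
        return f"allow: {op} at priority {policy.priority}"
```

Tightening the "gold" category at the definition point is immediately visible at both enforcement points, which is the single-control-point effect the paragraph describes.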

Such fine-grained control of operational policy across the enterprise may for now seem a somewhat remote prospect, but it's one that, if it comes to fruition, will bring in its wake a new justification for the services management and monitoring capabilities that SOA management specialists started out by developing.

This is an abridged extract from a four-page feature article published in this month's Loosely Coupled monthly digest. To read specific recommendations from early adopters and gain insights into the web services management and security strategies of the vendors who work with them, subscribe here today.


