From: Layer7

Identity Enabled SOA Governance 

This presentation looks at why SOA governance is important, the benefits of policy-centric SOA governance, and how Sun and Layer7 have combined their class-leading products to deliver a robust solution for Identity Enabled SOA.

 

 
 
Tags:  SOA  Cloud  Standards  Governance  Sun  XML  Gateway  Layer 7 Technologies 
Published:  November 17, 2010
 
 
 
 
 
 
Notes:
 
Slide 1: Identity-Enabled SOA Governance Ross Altman - CTO, SOA and BI, Sun Microsystems Adam Vincent – Federal Technical Director, Layer7 Technologies Page 1
Slide 2: What is SOA Governance? • Corporate governance is the set of processes, customs, policies, laws and institutions affecting the way in which a corporation is directed, administered or controlled. • IT Governance, a subset of corporate governance, focuses on the control, performance and risk of IT systems. • SOA Governance is a structured approach to managing the development and delivery of services throughout their lifecycle in order to provide high levels of control and visibility. • Anne Thomas Manes (Burton Group) defines governance as “. . . the processes that an enterprise puts in place to ensure that things are done . . . in accordance with best practices, architectural principles, government regulations, laws, and other determining factors. SOA governance refers to the processes used to govern adoption and implementation of SOA.” Page 2
Slide 3: What’s included in SOA Governance? • SOA Governance is an overlay on general IT Governance • Both forms of Governance must address: > Investment Management – What applications are we going to build? Who will pay the costs of building, deploying, managing and maintaining those applications? > System Development Lifecycle Management – Who defines the specific functionality that is to be delivered by the application? Who approves changes to those requirements? > Runtime Management – How will we deliver and manage runtime “technical services” like Security, Logging, Versioning, Throttling, Metering and Billing? – How will we deliver and manage runtime business decisions like “if this purchase is from a Platinum Subscriber, provide it with priority service”? Page 3
Slide 4: Why is SOA Governance important? • Strong IT Governance is necessitated by the new regulatory environment that requires much more stringent oversight, monitoring and enforcement of corporate governance policies – SOX, HIPAA, Basel II > This applies across industries: financial, health, etc. > Non-compliance is expensive; non-compliance can also involve personal responsibility for executives. • The very nature of many SOA links – fostering connections to third parties – increases the need for SOA Governance. > Message privacy and integrity > Non-repudiation of both sender and receiver Page 4
Slide 5: Why is SOA Governance important? • The combination of reuse, loose coupling and distributed resources – all fundamental SOA tenets – is a double-edged sword. > Along with the potential for greater IT flexibility and business agility, they bring the potential for more difficult oversight. • Reuse compounds the challenge of Governance > If the same service is used in different applications: – Who pays for it? – How do you manage variations in required functionality? – How do you deliver varying Qualities of Service? • With hundreds of services, each potentially reused dozens of times, manual compliance monitoring is not sustainable. > Automation of policy enforcement and compliance monitoring is key. > Business performance impact requires end-to-end business process monitoring and analysis. Page 5
Slide 6: An SOA Governance Scenario • An organization needs to secure services. > To begin, they decorate the WSDL service facade with WS-Security. > Next, they realize the service needs logging and alerting. • Soon scalability is a problem... > So, they define a set of shared technical services, connect them to the ESB and allow the business services to leverage these technical services. > Once a few dozen business services begin talking to a few dozen governance services over the ESB, any required changes to these services create a state of chaos. • The need for a well designed SOA Governance solution to successfully implement SOA quickly becomes clear. Page 6
Slide 7: Benefits of SOA Governance (Business Benefits and IT Benefits) • Manage legal exposure and ensure compliance • Align technology with business requirements while maintaining separation of concerns • Manage liabilities and dependencies • Ensure continuity of business operations • Reduce cost of operations • Control service proliferation within the enterprise • Manage service lifecycle, dependencies and interdependencies • Facilitate incorporation of evolving standards • Simplify infrastructure • Promote interoperability Page 7
Slide 8: Policy-Centric Governance • Reduce Complexity via Separation of Concerns > A Policy-centric approach to governance allows policy to be managed independently of the service runtime – reducing cost and disruption while increasing control and flexibility. • Promotes Responsible Reuse > The ability to govern service usage is essential for promoting re-use of business assets in a way that protects the interests of the service provider and the service consumer. • Ensures Regulatory Compliance > Dynamic, conditional, multi-jurisdictional regulations for privacy and accountability pose additional challenges for architects of complex, heterogeneous multi-domain service networks. Page 8
Slide 9: Run Time SOA Governance Enforces Governance Service Rules - Policies • Enforce operational service contracts SLAs • Support the separation of functional and non-functional characteristics of a service • Enforce policies: Security, Throttling, SLA control, Monitoring, charge back, etc. • Consistent service deployment and runtime policy enforcement • Enforce Interoperable Standards • Support service lifecycle - the evolution of policy enforcement capabilities -- e.g. Throttling or Charge back Page 9
Slide 10: Runtime Policy Framework Corporate Policy Drivers (Inputs) -Governance -Compliance -Security Security -WS-Security -X509TokenProfile -SAMLTokenProfile -XML Encryption -XML Signatures Message X -Form -Versioning -Localization -DS (ACORD, FIX) Corporate Architectural Drivers (Inputs) -Flexibility and Reuse -Platform Independence -Integration with existing infrastructure -Security, Scalability, Availability, Performance SLA -Response Time -Availability -IP Range, ToD -Throughput Limits -Non-repudiation Transport -HTTP -TLS -JMS Reliability -WS-RM Platform -Load Balancing -WS-Addressing Threat Protection -Schema Validation -Virus Scanning -Attachments Registry/Repository (metadata) Runtime Policy Framework Page 10
Slide 11: Policy Central to SOA Governance Deploy and configure services according to policies: Physical endpoints Routing, load balancing, transport Service Level Agreements Identity stores, Access decision points Deploy Enforce Enforce policies at the edge and in the core: Alerts, Reports, Audit trails Policy Lifecycle Author Monitor Define and author corporate policies: Privacy, Integrity, Non-repudiation Identity, Access control, Credentials Reliability, performance, scalability Reusability/Discoverability Compliance to industry and corporate standards Monitor compliance with policies: Manage alerts Generate reports Forensics and Audit trails Conformance to technical standards – WS-I, SOAP, WSDL, WS-S, WSRM etc. Page 11
Slide 12: Identity Crucial to SOA Governance • Identity: Who? > can access information; > has accessed information; > owns information; > is subject of information; > has performed action. • Policy: > Framework of identity centric corporate security, privacy, reliability and service level agreements and rules. • Audit: > Monitoring - identity-based audit trail; > Ongoing process - automated. Page 12
Slide 13: Policy-centric SOA Governance Architectural View Policy Enforcement Consumer XML VPN (client policy coordination) XML Gateway (policy enforcement) Last Mile Extender (endpoint agent) Service Reg / Rep Policy Definition Identity / Trust Layer7 Sun Page 13
Slide 14: Scenario: Richer Credential Options (L7 + Sun FAM) Benefits: • Flexibility in requiring different credentials from different consumers • Leveraging existing Access Management solution • Centralized Access Management and auditing across platforms Diagram labels: Web Service; SecureSpan Gateways; Sun FAM; Basic-Auth; Username Token; Payload Credentials; Service Consumers Page 14
Slide 15: Scenario: Advanced SAML Processing Federation ID Provider & Security Token Service Federation Policy Enforcement Point Federation ID Provider & Security Token Service Green’s Identity Server STS Token Orchestration & Caching Layer Trust Blue’s Identity Server Authentication Responsibility SAML Organization Blue Michelle Dimitri Program X Organization Green Federation Policy Application Point Page 15
Slide 16: Secure SOA Solution Page 16
Slide 17: Summary • Identity Enabled SOA is critical to achieve “Responsible Reuse” • Embedding Policy in service implementation is contrary to the principles of SOA • Sun Microsystems and Layer7 Technologies have combined their class-leading products to deliver a robust solution for Identity Enabled SOA • More info at: http://sun.com/layer7 Page 17
Slide 18: Q&A

   