Consider this: a staff portal calls Weather.com's web service for local weather conditions. The portal's web service requests could include host location, so a Boston employee gets Boston weather, for example. This may seem low-risk, but what if the calls are made to the employer's 401(k) provider? The request and underlying security must be identity-centric – coarse-grained, all-or-nothing security will not suffice.
In simple point-to-point web services, scale is manageable because the tight coupling between partners restricts the number of authorized identities. But as companies expose more web services, bulk identities are not sufficient. Companies will require better visibility into who is accessing web services. Coarse- or bulk-level identity is not sufficient.
This is why industry pundits and the press stress the importance of identity management in web services. Initially, people tend to visualize web services as app-to-app, making identity straightforward. But as the point-to-point model expands, identities become more fine-grained and harder to manage.
To reap the full benefits of Service Oriented Architectures while mitigating the security risks, enterprises should couple identity management with web services and adopt these four points:
- Ensure consistency in security policy – abstract security policy from the web service container to a third-party security solution;
- Extend existing investment protection – for those who have invested in ID management (IDM) solutions to protect web apps, it is a natural evolution to extend that same infrastructure to web services;
- Consider scalability – managing a growing number of user identities can become a nightmare;
- Monitor compliance and segregation of duties – developers creating security run the risk of creating risks or gaps by coding security directly into the web services container. IDM can mitigate this risk, as well as easing compliance by providing centralized audit.
Companies that adopt identity-centric web services will realize stronger security, better scalability and greater flexibility. Enterprises that rely on coarse-grained security risk potential security breaches.
Merritt Maxim is director of XML technologies for Netegrity, a division of Computer Associates, Inc.