Marriage of components called key to security

Regulatory and security pressures are fueling a rush to turn directory, identity and other network infrastructure services into components that provide a reusable security layer as part of a service-oriented architecture.

That reality – its benefits, risks and challenges – will be the major theme at this week’s annual Burton Group Catalyst Conference in San Diego.

The idea is that general-purpose infrastructure pieces such as directory and identity services, which companies have been building for the past few years, can be made available as components that exist alongside application components within an SOA. The infrastructure components would make it easier for developers to link application components to security services on a network.

“Infrastructure architects say, ‘we built it and they did not come,’ ” says Jamie Lewis, president of Burton Group. “Application developers say the infrastructure is too hard to use. They say their [integrated development environment] does not allow them to use it. The SOA represents a juncture, an opportunity to change the way we do things and get better security.”

Lewis says the emergence of SOA design principles, namely the loose coupling of components, in combination with standard Web services protocols and interfaces, will let infrastructure services, such as access management, provisioning and federated identity management, be available to applications consistently.

“The concept of SOA is providing something that has been desperately needed for a long time, which is a way to have a consistent framework for exposing and using general-purpose infrastructure-level services,” Lewis says.

Burton Group calls the concept its Infrastructure Services Model.

“We have seen a lot of progress with the [Security Assertion Markup Language], basic Web services standards and interest in SOA,” Lewis says. “But this is far from a done deal.”

Still needed is a standard application development framework that infrastructure components can plug into. Also lacking is a more mature lineup of Web services security standards beyond WS-Security.

Another key will be convergence among current efforts to create federated identity standards, namely Liberty Alliance, SAML and WS-Federation, which Microsoft and IBM are developing.

The Catalyst Conference will be the site of a Liberty Alliance interoperability demonstration including implementations from various vendors, but the test won’t include WS-Federation implementations.

Lewis also says there will have to be standards for federated trust models and a standard policy language that dictates how users interact with application and infrastructure components.

“This is a policy-driven model,” Lewis says. “When you look at SOA, what drives the interaction of components is a well understood, standardized policy framework.”

Lewis says it will take time to work out all the issues.

“There is room for cautious optimism about our ability to tackle these problems,” he says. “It will be the end of this decade before many of these things are part of the way we do things day to day. But the trends are pretty clear because business needs are forcing the solutions in a way that only strong market demand can.”