Compliance in an SOA environment



Facilitating compliance management in an SOA environment
July 2008

Contents
Introduction
The SOA factor
Security encompasses all aspects of the SOA life cycle
Conclusion
For more information

Introduction

From industry regulations to data privacy laws and government mandates, meeting compliance has become a permanent criterion for doing business. As each year passes, the resources needed to comply with ever-multiplying, disconnected regulatory and industry requirements continue to escalate. The challenge is even greater with the recognition that there is no finish line when it comes to compliance. Instead, it is a cyclical process that requires continual diligence and focus.

The necessity of conforming to regulations and mandates has wide-ranging implications for the way organizations manage and run their businesses, particularly in the area of security. The majority of regulatory compliance requirements and internal control objectives include major IT security components, in part designed to protect public assets and interest. In short, compliance has become the new driver for IT security.

The SOA factor

Data privacy regulations and compliance-reporting mandates require that you define consistent security policies, monitor compliance with these policies and with government or industry regulations, and provide a complete audit trail as proof of policy enforcement. In an SOA environment, an organization has more flexibility in how it implements and manages services, which improves the speed with which it can implement and enforce policies. An organization can separate policy information from the service itself, which makes policies easier to manage and update than when policy information is built directly into the applications.

However, Service Oriented Architecture (SOA) can make it challenging to ensure that information remains secure and auditable as it moves across systems, and difficult to reconcile who is doing what, where and when between applications and processes. Security policies for services include the rules that govern which callers may access which services. In moving to SOA, a key initial activity is to establish the SOA governance framework that serves as the basis for creating and controlling policies, including security policies.

A user or service might require specific privileges to access a service. However, when services are combined, such as when they are choreographed into a higher-level business process, the combination can require another examination of the security policy. For example, a user might be allowed to access Service A and Service B independently, yet when these services are choreographed together, perhaps with other service invocations, the user might no longer be allowed to access them. The security policy for choreographed services therefore needs to take into account the mixing and matching of services in the different combinations required as business processes change. Each new sequence of steps can require re-examination of the security policy to ensure it remains valid for that combination.

Protection of data from unauthorized modification and disclosure is a key requirement within SOA. Data needs to be protected because it is business sensitive, privacy sensitive or both. For this reason, a policy should be in place to ensure that data is protected in transit and at rest, with consistent security measures applied. Data protection is especially important when data moves outside the organizational boundary, which can happen without the knowledge of the consumer: an internal service might be replaced with an outsourced service, with data now flowing to the external organization. The service provider might then need to ensure that protection satisfying the policy requirements of the calling organization is in place whenever the data is business sensitive or privacy sensitive.

Auditing of transactions is required to provide the data needed for assessing compliance, because it measures the performance of the IT environment against the measurements established by the business policies.
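The two points made above about choreographed services, that a subject allowed to call Service A and Service B separately may still be denied the combination, and that a step re-bound to an outsourced provider may carry sensitive data across the organizational boundary unprotected, can be evaluated in code. The following is an added example written for this page, not code from the paper or from any IBM product; the service names, roles, endpoints and the separation-of-duties rule are constructed, and "protected" stands for transport protection only (protection at rest is out of scope here).

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class ServiceCall:
    """One step of a choreographed business process (constructed model)."""
    service: str        # logical service name
    endpoint: str       # where the service is bound today; may change without the caller's knowledge
    external: bool      # provider sits outside the organizational boundary
    protected: bool     # data is protected in transit to this endpoint (e.g. TLS)


@dataclass
class Policy:
    # Which roles may invoke each service when it is called on its own.
    service_roles: Dict[str, Set[str]]
    # Separation-of-duties rules: a single subject must not exercise all of
    # these services inside one choreographed process, even if each one is
    # individually permitted.
    forbidden_together: List[FrozenSet[str]]
    # Services that handle business- or privacy-sensitive data.
    sensitive_services: Set[str]


def step_allowed(policy: Policy, roles: Set[str], service: str) -> bool:
    """Per-service check: does the subject hold a role permitted for this service?"""
    return bool(policy.service_roles.get(service, set()) & roles)


def evaluate_choreography(policy: Policy, roles: Set[str],
                          steps: List[ServiceCall]) -> Tuple[bool, List[str]]:
    """Re-examine the policy for one specific combination of steps.

    Returns (permitted, reasons). Reasons are collected rather than
    short-circuited so an auditor sees every rule the combination violates.
    """
    reasons: List[str] = []
    for step in steps:
        if not step_allowed(policy, roles, step.service):
            reasons.append(f"{step.service}: subject holds no permitted role")
        if (step.external and step.service in policy.sensitive_services
                and not step.protected):
            reasons.append(f"{step.service}: sensitive data would leave the "
                           f"boundary to {step.endpoint} without transit protection")
    invoked = {step.service for step in steps}
    for combination in policy.forbidden_together:
        if combination <= invoked:
            reasons.append("separation of duties: "
                           + " + ".join(sorted(combination)) + " in one process")
    return (not reasons, reasons)


# Constructed sample policy and process steps (hypothetical names).
POLICY = Policy(
    service_roles={
        "PaymentCreate": {"clerk", "manager"},
        "PaymentApprove": {"clerk", "manager"},
        "AddressLookup": {"clerk"},
    },
    forbidden_together=[frozenset({"PaymentCreate", "PaymentApprove"})],
    sensitive_services={"PaymentCreate", "PaymentApprove"},
)

CREATE = ServiceCall("PaymentCreate", "https://pay.internal.example/create",
                     external=False, protected=True)
APPROVE = ServiceCall("PaymentApprove", "https://pay.internal.example/approve",
                      external=False, protected=True)
# The same approval service after being replaced by an outsourced provider over plain HTTP.
OUTSOURCED_APPROVE = ServiceCall("PaymentApprove",
                                 "http://approvals.partner.example/approve",
                                 external=True, protected=False)

if __name__ == "__main__":
    clerk = {"clerk"}
    print(step_allowed(POLICY, clerk, "PaymentCreate"),     # True
          step_allowed(POLICY, clerk, "PaymentApprove"))    # True
    print(evaluate_choreography(POLICY, clerk, [CREATE, APPROVE]))      # denied: separation of duties
    print(evaluate_choreography(POLICY, clerk, [OUTSOURCED_APPROVE]))   # denied: unprotected boundary crossing
```

For the composition rule to be enforceable at run time, the enforcement point evaluating a single step needs to know which process instance it belongs to and which steps that instance has already exercised, which is why a correlation identifier propagated with every service call is a prerequisite for this kind of policy.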
Compliance assessment can include verifying the working system against a set of internally created policies, and also against external regulatory acts. Complexity is increased in an SOA where different applications from dissimilar sources or vendors are subject to different levels of compliance. This is especially true when accessing services provided by an external organization, and the complexity increases further when the regulatory and compliance regime of that organization differs from that of the requesting organization. Ideally, the audit data produced by the various policy enforcement points should be integrated into a single repository or federated into a single logical view. This facilitates production of the required audit reports, verification of compliance against policy and investigation of security-related events.

Security encompasses all aspects of the SOA life cycle

Certain roles in an organization contribute to the creation, definition, refinement, monitoring, verification and management of security policies throughout the SOA life cycle. Corporate security officers and equivalent executives define corporate security policies and outline the regulations with which the business must comply. Business analysts work with security policy officers to translate corporate security policies into the terms of a business vocabulary and process. These security-related decisions are then applied at the various phases of the SOA life cycle (see Figure 1). To help you address compliance requirements, IBM provides solutions that are especially useful during the assemble, deploy and manage phases.

Figure 1. Model of the SOA life cycle
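The single logical view of audit data described in the previous section is mostly a normalization and correlation problem: each enforcement point logs in its own format and under its own local account names, and only once the records share a schema and a transaction identifier can you reconcile who did what, where and when. The following is an added example written for this page, not code from the paper or from any IBM product; the three log formats, the identity-mapping table, the transaction identifiers and the sample lines are all constructed.

```python
import json
from collections import defaultdict
from typing import Dict, List

# Constructed identity-mapping table: the local account name each
# enforcement point records -> the federated identity used for reporting
# (stands in for the identity mapping a federation service would perform).
IDENTITY_MAP = {
    "alice": "alice@corp.example", "ALICE01": "alice@corp.example",
    "bob": "bob@corp.example", "BOB02": "bob@corp.example",
    "carol": "carol@corp.example",
}

# Constructed sample audit lines, one hypothetical native format per
# enforcement point: key=value (XML gateway), pipe-separated (application
# server) and JSON lines (enterprise service bus).
GATEWAY_LOG = [
    "2008-07-14T10:15:02Z txid=T1001 subject=alice@corp.example service=PaymentCreate result=permit",
    "2008-07-14T10:16:40Z txid=T1002 subject=bob@corp.example service=PaymentApprove result=permit",
]
APPSERVER_LOG = [
    "2008-07-14T10:15:03Z|T1001|alice|PaymentCreate|ALLOWED",
    "2008-07-14T10:20:11Z|T1003|carol|AddressLookup|ALLOWED",
]
ESB_LOG = [
    '{"time": "2008-07-14T10:16:41Z", "tx": "T1002", "principal": "BOB02", '
    '"service": "PaymentApprove", "decision": "deny"}',
]

Record = Dict[str, str]


def _record(ts, pep, txid, subject, service, permitted) -> Record:
    """Common schema: who (subject), what (service, outcome), where (pep), when (ts)."""
    return {"ts": ts, "pep": pep, "txid": txid,
            "subject": IDENTITY_MAP.get(subject, subject),
            "service": service, "outcome": "permit" if permitted else "deny"}


def parse_gateway(line: str) -> Record:
    ts, rest = line.split(" ", 1)
    kv = dict(field.split("=", 1) for field in rest.split())
    return _record(ts, "xml-gateway", kv["txid"], kv["subject"], kv["service"],
                   kv["result"] == "permit")


def parse_appserver(line: str) -> Record:
    ts, txid, user, service, verdict = line.split("|")
    return _record(ts, "app-server", txid, user, service, verdict == "ALLOWED")


def parse_esb(line: str) -> Record:
    d = json.loads(line)
    return _record(d["time"], "esb", d["tx"], d["principal"], d["service"],
                   d["decision"] == "permit")


def federate(gateway: List[str], appserver: List[str], esb: List[str]) -> Dict[str, List[Record]]:
    """Single logical view: every record grouped by transaction id, in time order."""
    records = ([parse_gateway(l) for l in gateway]
               + [parse_appserver(l) for l in appserver]
               + [parse_esb(l) for l in esb])
    trail: Dict[str, List[Record]] = defaultdict(list)
    for r in records:
        trail[r["txid"]].append(r)
    for events in trail.values():
        events.sort(key=lambda r: r["ts"])  # ISO-8601 UTC strings sort chronologically
    return dict(trail)


def find_anomalies(trail: Dict[str, List[Record]]) -> Dict[str, str]:
    """Transactions whose enforcement points disagree, or that never passed the perimeter."""
    findings = {}
    for txid, events in trail.items():
        peps = {e["pep"] for e in events}
        outcomes = {e["outcome"] for e in events}
        if "xml-gateway" not in peps:
            findings[txid] = ("no gateway record: request reached a backend "
                              "without passing the perimeter enforcement point")
        elif len(outcomes) > 1:
            findings[txid] = ("inconsistent decisions: "
                              + ", ".join(f"{e['pep']}={e['outcome']}" for e in events))
    return findings


if __name__ == "__main__":
    trail = federate(GATEWAY_LOG, APPSERVER_LOG, ESB_LOG)
    for txid, events in sorted(trail.items()):
        for e in events:
            print(txid, e["ts"], e["pep"], e["subject"], e["service"], e["outcome"])
    print(find_anomalies(trail))
```

The two anomaly classes are the ones a single-source view cannot show: a request the gateway permitted but the bus denied (policies have drifted apart between enforcement points), and a backend request with no gateway record at all (the enforcement point was bypassed). Both depend on the transaction id and the canonical subject being present in every record, which is what the identity-propagation and token-mediation discussed in the Deploy phase below provides.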
Assemble

Application and security architects model the security policies based on the choices provided by the business analyst. Application programmers and administrators factor in these security policies by declaring the requirements for the infrastructure to enforce. Where infrastructure support is not sufficient, the security policy can be implemented in the applications themselves.

Getting to the definition stage of security policies requires assessment and planning. An assessment can help identify and prioritize audit deficiencies, as well as vulnerabilities at the system, network and application levels. In addition, organizations should inventory enterprise assets, both systems and information assets, to better understand what needs to be protected and to what degree.

IBM offers a number of solutions to help assess and evaluate your compliance posture, including IBM Audit and Compliance Gap Analysis, security assessments and risk assessments. Other solutions include IBM Rational® AppScan, which can help assess security compliance for Web applications through more than 40 ready-to-use security compliance reports, such as PCI Data Security Standard, ISO 17799, ISO 27001, HIPAA, Gramm-Leach-Bliley Act (GLBA) and Basel II, and IBM Rational Policy Tester, which can help audit Web sites for compliance with regulations for consumer data privacy, e-government, banking and accessibility. IBM solutions such as IBM Information Security Policy and Process Definition can help organizations investigate the requirements for information security and the associated priorities, and create a custom security policy. Other solutions such as IBM Rational Method Composer provide a flexible process management platform, with tooling and an extensive process library, to help organizations implement effective processes for successful software and IT projects.
Deploy

Application administrators install the applications and work with security developers and security administrators to configure the applications and their associated security policies. Tivoli® Federated Identity Manager offers an efficient and effective way to manage and validate user identities across the SOA environment and provides an identity-assurance and trust-management solution. Tivoli Federated Identity Manager can enforce consistent identity propagation and token mediation across diverse, heterogeneous enforcement points, such as XML firewalls, application servers and the enterprise service bus. IBM Tivoli Federated Identity Manager for z/OS® provides a security bridge between distributed applications and mainframe applications by integrating with IBM RACF® software to enable end-to-end identity propagation and secure access to mainframe applications. As part of this support, the federated audit functions delivered by Tivoli Federated Identity Manager for z/OS audit the identity-mapping function that creates the bridge between RACF and distributed identity management.

Manage

IT and security administrators manage the security policies across a set of applications and infrastructure to meet requirements that might continue to change over time. Operators monitor system behavior for compliance; they detect situations that are potential security threats and feed them back to administrators, who make changes as required. Business analysts view business dashboards to assess the effect of particular system security events on the business. Security auditors assess the system's compliance with regulatory and corporate policies.

Note that security policies are specified and refined throughout the SOA life cycle, undergoing transformation from one phase to the next. In many cases, these tasks rely on manual processes that drain considerable time and money from organizations and prevent compliance staff from focusing on higher-value activities. For example, IT still uses human eyes to review, and human hands to generate reports on, security-relevant events in the environment. To maximize efficiency and flexibility, these tasks should be automated wherever possible.

With IBM Tivoli Security Policy Manager, you can centrally manage security policies for multiple business applications across your enterprise. It provides unified policy life-cycle management and enforces policies at run time, strengthening your organization's security posture. Security Policy Manager also offers centralized change and control, making it easier to meet tightening or new compliance requirements.

IBM Tivoli Security Information and Event Manager, designed to support security compliance and audit management, allows you to monitor, correlate and report on security audit data and user activity across your enterprise. It can help automate key components of the IT organization that affect compliance, such as:
● Generating sufficient audit trails in the form of logs of network, system and application events.
● Monitoring user activities for misuse or noncompliance.
● Leveraging automated policy-enforcement mechanisms.
● Managing incidents using standardized, trackable procedures.
● Leveraging standardized compliance reporting.
Tivoli Security Information and Event Manager captures relevant security audit data from a broad set of systems, including applications, databases, operating systems, mainframes, security devices and network devices. A log continuity mechanism helps ensure that internal controls over log collection are properly carried out. It reports on the status of user activity within IT systems, which enables executives to see the ongoing status of security operations, including attempts to gain unauthorized access, how those attempts were stopped and recommendations on how to prevent similar attacks (see Figure 2).

Figure 2. Tivoli Security Information and Event Manager provides numerous audit and compliance report templates. This example shows more than 30 report templates specific to helping manage Payment Card Industry (PCI) compliance efforts.
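The paper does not say how its log continuity mechanism works, so the following is an added illustration of one common way to implement the control it describes, written for this page and not taken from any IBM product: each source numbers its records and chains each one to the digest of its predecessor, and the collector verifies contiguity and integrity per source. The source name and the sample events are constructed.

```python
import hashlib
import json
from collections import defaultdict
from typing import Dict, List

GENESIS = "0" * 64  # digest that precedes the first record of every source


def record_digest(prev: str, source: str, seq: int, event: str) -> str:
    """Digest over the record's own content plus the digest of its predecessor."""
    payload = json.dumps({"source": source, "seq": seq, "event": event},
                         sort_keys=True).encode()
    return hashlib.sha256(bytes.fromhex(prev) + payload).hexdigest()


class ChainedSource:
    """A log source that numbers its records and links each one to the previous."""

    def __init__(self, name: str):
        self.name = name
        self.seq = 0
        self.last = GENESIS

    def emit(self, event: str) -> Dict:
        self.seq += 1
        digest = record_digest(self.last, self.name, self.seq, event)
        record = {"source": self.name, "seq": self.seq, "event": event,
                  "prev": self.last, "digest": digest}
        self.last = digest
        return record


def check_continuity(records: List[Dict]) -> List[str]:
    """Collector-side control: report gaps, chain breaks and altered records per source.

    An empty result means every source's sequence is contiguous and intact.
    """
    findings: List[str] = []
    by_source: Dict[str, List[Dict]] = defaultdict(list)
    for r in records:
        by_source[r["source"]].append(r)
    for source, recs in by_source.items():
        recs.sort(key=lambda r: r["seq"])
        expected_seq, expected_prev = 1, GENESIS
        for r in recs:
            if r["seq"] != expected_seq:
                findings.append(f"{source}: gap, expected seq {expected_seq}, got {r['seq']}")
                expected_seq = r["seq"]      # resynchronise after reporting the gap
            elif r["prev"] != expected_prev:
                findings.append(f"{source}: chain break at seq {r['seq']}")
            if record_digest(r["prev"], source, r["seq"], r["event"]) != r["digest"]:
                findings.append(f"{source}: record {r['seq']} altered after emission")
            expected_prev = r["digest"]
            expected_seq += 1
    return findings


def sample_records() -> List[Dict]:
    """Constructed sample: four records from one application server."""
    src = ChainedSource("app-server-1")
    return [src.emit(f"login user={u}") for u in ("alice", "bob", "carol", "dave")]


if __name__ == "__main__":
    print(check_continuity(sample_records()))      # []
    missing = sample_records()
    del missing[2]                                 # seq 3 never reached the collector
    print(check_continuity(missing))               # one gap finding
    altered = sample_records()
    altered[1]["event"] = "login user=mallory"     # content edited, digest left as it was
    print(check_continuity(altered))               # one 'altered' finding
```

Two caveats apply to this kind of control. A source that stops sending altogether produces no gap, because there is no later record to expose the missing sequence numbers; the collector needs a heartbeat or expected-rate check for that case. And the chain only proves integrity back to whatever the collector has already received: an attacker with write access to the source host can rewrite the whole tail and re-hash it, so records should be forwarded promptly and the last digest seen per source retained on the collector side.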
Other solutions, such as Rational AppScan, can automatically scan and test Web applications for common vulnerabilities, with fix recommendations and remediation capabilities. IBM Tivoli zSecure Audit can automatically analyze and report on mainframe-related security events and feed that information directly into Tivoli Security Information and Event Manager for a more complete view of the organization's security posture. Because critical and sensitive information is often stored on mainframes, the ability to audit events on these systems and correlate that activity with activity in the distributed environment is critical to maintaining security and demonstrating due diligence in protecting sensitive data. In addition, the IBM WebSphere® DataPower® XML Security Gateway XS40 appliance provides a centralized means of controlling and viewing services within an SOA to meet compliance requirements. Its policy enforcement blocks threats to XML Web services, helps ensure secured access and helps enforce service levels. The appliance can manage and secure multiple Web services and helps enforce policy compliance within your IT infrastructure.

Conclusion

The complexity of an SOA environment increases the challenge of meeting compliance requirements. IBM offers a comprehensive range of solutions to help you address your compliance needs as you move through the stages of the SOA life cycle.
For more information

To learn more about compliance in SOA environments, please contact your IBM marketing representative or IBM Business Partner, or visit the following Web sites:
● soa/mgmtsec/security.html
● governance/security/compliance.html

© Copyright IBM Corporation 2008
IBM Corporation, Software Group, Route 100, Somers, NY 10589 U.S.A.
Produced in the United States of America, July 2008. All Rights Reserved.

IBM, the IBM logo, DataPower, RACF, Rational, Tivoli, WebSphere and z/OS are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at "Copyright and trademark information". UNIX is a registered trademark of The Open Group in the United States and other countries.

WSW14030-USEN-00