
SOA policy in a box

By Rich Seeley, News Writer
28 Jul 2008 | SearchSOA.com


Can you get service-oriented architecture (SOA) policy management out-of-the-box from a box?


Yes, according to Michael Richardson, CTO of Sterling InfoSystems Inc., a provider of pre-employment screening and background-checking information to more than 6,000 clients. He estimates that his implementation of the ServiceNet appliance from Sonoa Systems, Inc. will save the hundreds of programming hours it would otherwise take to apply security policies to RESTful services containing highly sensitive personal data in the next-generation Web 2.0 applications currently being developed at Sterling.

"For example, one of the things our market cares a lot about are Social Security numbers," Richardson said. "We can secure where those go and which services are doing what with that kind of personal identity information through ServiceNet as the gateway for Web service level requests and for HTTPS requests, both inside the firewall and outside the firewall."

Before finding the appliance from Sonoa, a privately held company in Santa Clara, Calif., Richardson had been looking at developing policy enforcement in-house for Sterling's internal-facing RESTful services. The policy enforcement also had to extend to the data and business services Sterling provides in a Software as a Service (SaaS) delivery model to corporate human resources departments as well as business partners that integrate Sterling information into applications for their own customers.

"We were moving down the path of leveraging the ESB layer of our stack and looking to enforce the usual layered-security model that includes all of the certificates and authentication," Richardson said. "So we were moving down the path of having to individually secure, authenticate and test a host of those services, and trying to create a Web services governance model internally. That was proving to be potentially rather costly, rather burdensome across a distributed developer base."

He estimates that developing its own policy management system would have taken hundreds and perhaps thousands of programming hours for his New York City-based company, which has developers working in both U.S. and international locations.

Making policy work with best of breed
The developers are working with what Richardson describes as "a typical hybrid environment" that has grown up with the company.

"We historically come from a Microsoft VB SQL Web 1.0 world," he said. "Now, we're migrating very rapidly to a Web 2.0 world with an open source SOA environment that features JBoss app server, BPM from Lombardi [Software Inc.]. For a rules engine we like JRules from ILOG [Inc.]. We're implementing our user interface in [Laszlo Systems Inc.] OpenLaszlo using DHTML as a presentation layer. We connect that layer to the backend through a set of RESTful Web services that will pass through the ServiceNet gateway and have pretty fine-grained security policy applied."

The legacy Microsoft SQL database on the backend is being incorporated into the Web 2.0 infrastructure using a combination of the Hibernate and Spring frameworks, he explained. It's a complex environment, which is what made the policy enforcement project so daunting.

"In that environment, you've got centrally evaluated rules, you've got orchestrated business processes, and you've got a UI layer that's very dynamic and driven by that orchestrated business process," Richardson said. "We're talking about hundreds or thousands of Web services communicating in a RESTful state between the front and back end. We see a tremendous advantage in being able to funnel those through ServiceNet in terms of very uniformly, very predictably applying fine-grained security policies."

Chet Kapoor, CEO of Sonoa, said his company's appliance, which is also available in a SaaS model to a customer base that includes Warner Music Inc., Pfizer Inc. and JP Morgan Chase Corp., takes middleware functionality and applies traditional networking principles to it.

"That gives you two things," Kapoor said. "One, it gives you the performance and scale the way networking devices do. The other thing is the policy model is all declarative, so you can have operations folks go out and make changes to the policy while a system is running. If Sterling's business folks want to go out and change a policy, they don't have to go back to the developers to reprogram it and re-compile it. It happens on the fly. Both the performance as well as the policy model are a direct result of applying networking principles to the middleware concept."


Another advantage for the developers working on the Web 2.0 products for Sterling is that they do not have to become policy experts, Richardson said.

"Plugging in the ServiceNet capability relieved our developers from spending dramatic amounts of time on the Web service security modeling side," the Sterling CTO said. "We were able to just focus on proper security modeling using the graphical tools from the ServiceNet Suite. So we can reduce the number of people who have to deal with it. We can increase the depth and sophistication of the policy embodiment, and we can enforce that automatically across any number of Web services without requiring our developers to become skilled in managing the security aspects of their Web services.

"That's a cost saving that we calculate in hundreds to thousands of man-hours in the platform project in which we're engaged right now," he added.
