Recently, in the context of a client request, I had a chance to look at the IBM SOA Security Reference Architecture,
described in this redbook. I found some critical gaps in the Reference Architecture, which I will highlight in this and subsequent blog entries. The first gap is that the SOA Security Reference Architecture does not consider an Independent Chain of Command for managing security policy. The second gap is that it does not explore the use of the right architectural building blocks to enable externalization of security policy outside of applications, portals, databases, data services, service components and business processes. The third gap is that it does not recommend the right set of tools with which enterprise-grade SOA security, based on the two principles mentioned above, can be implemented. With these gaps in place, demonstrating and maintaining compliance with regulations and laws will be difficult. In this entry I will describe the concept of Independent Chain of Command in detail; I will describe the other gaps in the next two entries.
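To make the second principle concrete, here is an added example of my own (it is not code from the redbook, from IBM, or from the original post) showing what "externalizing security policy" out of a service component looks like in practice. The hard-coded `approve_invoice_hardcoded` function stands in for the usual situation; the `PolicyDecisionPoint` / `InvoiceService` pair separates the rules from the business code so that a different chain of command can own and change them, and logs every decision as compliance evidence. The JSON policy format, the rule set, and all names are my assumptions for illustration, not any standard or product format.

```python
"""Added example (not from the redbook or the blog post): moving authorization
policy out of a service component into a separate policy decision point, so the
policy can be owned by an independent chain of command and every decision is
recorded for compliance evidence."""
import json
from dataclasses import dataclass, field


# --- "Before": policy hard-coded in the business component -----------------
def approve_invoice_hardcoded(user_roles, amount):
    """The rule is buried in application code; changing it, or proving what it
    is, means reading and redeploying the application."""
    return "finance_manager" in user_roles and amount <= 10000


# --- "After": policy lives outside the application ------------------------
# Constructed sample policy (assumed format). Assume it is stored and versioned
# under the security organisation's control, not in the application repository.
POLICY_JSON = """
{
  "rules": [
    {"action": "invoice:approve", "roles": ["finance_manager"], "max_amount": 10000},
    {"action": "invoice:approve", "roles": ["cfo"]},
    {"action": "invoice:view",    "roles": ["finance_manager", "cfo", "auditor"]}
  ]
}
"""


@dataclass
class Request:
    subject_roles: set
    action: str
    resource: dict = field(default_factory=dict)


class PolicyDecisionPoint:
    """Evaluates requests against externally managed rules. Denies by default
    and logs every decision so compliance can be demonstrated afterwards."""

    def __init__(self, policy_text):
        self.rules = json.loads(policy_text)["rules"]
        self.decision_log = []

    def decide(self, req):
        for idx, rule in enumerate(self.rules):
            if rule["action"] != req.action:
                continue
            if not req.subject_roles & set(rule["roles"]):
                continue
            limit = rule.get("max_amount")
            if limit is not None and req.resource.get("amount", 0) > limit:
                continue
            self._record(req, "Permit", idx)
            return True
        self._record(req, "Deny", None)  # no rule matched: deny by default
        return False

    def _record(self, req, decision, rule_index):
        self.decision_log.append({
            "roles": sorted(req.subject_roles),
            "action": req.action,
            "resource": dict(req.resource),
            "decision": decision,
            "rule": rule_index,
        })


class InvoiceService:
    """Policy enforcement point: asks the PDP and enforces the answer, but
    carries no authorization rules of its own."""

    def __init__(self, pdp):
        self.pdp = pdp

    def approve(self, user_roles, amount):
        req = Request(set(user_roles), "invoice:approve", {"amount": amount})
        if not self.pdp.decide(req):
            raise PermissionError("invoice:approve denied by policy")
        return "approved"


def run_demo():
    """Exercise the PEP/PDP pair on constructed requests; returns the outcomes
    and the decision log an auditor would review."""
    pdp = PolicyDecisionPoint(POLICY_JSON)
    svc = InvoiceService(pdp)
    outcomes = {}
    for label, roles, amount in [
        ("manager_within_limit", ["finance_manager"], 5000),
        ("manager_over_limit", ["finance_manager"], 25000),
        ("cfo_over_limit", ["cfo"], 250000),
        ("auditor", ["auditor"], 100),
    ]:
        try:
            outcomes[label] = svc.approve(roles, amount)
        except PermissionError:
            outcomes[label] = "denied"
    return outcomes, pdp.decision_log


if __name__ == "__main__":
    results, log = run_demo()
    print(results)
    for entry in log:
        print(entry)
```

The point of the split is that `InvoiceService` never needs to change when the approval limit or the permitted roles change: the policy document and the decision log are the artifacts a security organisation controls and an auditor reviews, while the application team owns only the enforcement call.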
Continue reading "Gaps in the IBM SOA Security Reference Architecture- Part I" »