One of the biggest challenges to widespread SOA adoption remains security. Service-enablement of existing applications provides a universal SOAP or REST tunnel for function calls or data access. The increased flexibility and interoperability of service oriented architecture comes at the expensive of new security requirements such as SOAP or REST message level security, service virtualization, delegated AAA functions and threat prevention.
Moreover, XML based message level security such as WS-Security or XML security are highly intensive and difficult to scale with off-the-shelf software, further inhibiting widespread adoption. Also, connecting heterogeneous applications requires proper federation of identities, or credential mapping between systems that expect identities in different formats such as SAML, X.509 or username and password.
Typical solutions for managing SOA security involve the use of an intermediary in the DMZ to provide service virtualization, trust and threat functions. This model moves security policy deployment to a central place and reduces last-mile security configuration at each service endpoint in the internal network. Until now intermediaries of this type required an expensive, purpose-built hardware appliance for security functions. While hardware appliances are appealing due to their perceived security benefits, they lack true integrated SOA governance, virtualization for data-center efficiency and extensibility. Hardware appliances often use custom operating systems that rely on a “security by obscurity” model, even in cases where some aspects of the appliance (such as crypto) have undergone FIPS certification. SOA Expressway provides the same benefits as a hardware security gateway including trust enablement, threat prevention, security offload, central security policy deployment and credential mapping but without the traditional drawbacks of a hardware appliance, such as high costs, poor upgrade path, and lack of governance.
