Section 19.8. How will security between companies function and evolve in an ESA environment?

It is absolutely critical that intercorporate security function well at every level, from trust relationships down to message-level encryption; otherwise companies run the risk of disaster. It is especially important to understand that security cannot be implemented at the service level alone. Gaps or blind spots in business process logic make it imperative to build checks that cover the entire process. For instance, say an office supply buyer at an airline is allowed to buy pencils from an online supplier and is channeled to that supplier's web services, which also link to Boeing's order system. If the services in this chain only check that someone from an airline is doing the ordering, that buyer may inadvertently have permission to buy a 747 in addition to pencils. Once a composite application is accessed, whether by a human user or by a service call, it may find itself in the midst of process orchestration distributed across a variety of other composites, or in an environment in which one service is executed in an entirely different security domain (another company, for example). A lot is at stake in ensuring that entire processes are protected, not just individual enterprise services.

It is also important to note that when processes cross company borders or security domains, issues of trust cannot be resolved by software alone. The willingness of one company to accept an order or fulfillment request from another ultimately comes down to whether that company trusts the request to be legitimate. Before building a federated identity and access management model, the partners need to sit down together and define what is and is not acceptable for granting each other's users authorized access, and the gaps may be surprisingly large. One side might register employees against their passport and never check IDs again afterward, while the other, which works with a far-flung network of distributors, merely asks for an email address; and email is particularly vulnerable to interception. Once identities are federated, the stronger partner effectively inherits the weaker partner's registration practice unless its policies take the difference into account.
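The pencils-versus-747 scenario above, and the mismatch in partner registration practices, can both be shown in code. The following is an added example written for this page, not code from the book: it models an order that passes through a supplier's web service and on to a manufacturer's order system, and contrasts the per-service check ("is the caller an airline customer?") with a process-level check that evaluates the originating buyer's entitlements, including the assurance level under which the buyer was registered, at every hop. The company names, attribute names, limits and the `email-only`/`passport-verified` labels are constructed for the illustration and are not from the book.

```python
"""Process-level authorization for a cross-company order flow (added example).

Constructed scenario: an airline buyer orders from an office-supply vendor
whose web service also forwards orders to an aircraft manufacturer's order
system. Names, limits and assurance labels below are assumptions.
"""
from dataclasses import dataclass

# Assumed: the partners mapped their registration practices to these levels
# (an email-only sign-up versus an in-person passport check).
ASSURANCE_RANK = {"email-only": 1, "passport-verified": 3}

# Assumed policy: orders above this amount need the stronger assurance level.
HIGH_VALUE_THRESHOLD = 50_000.0


@dataclass(frozen=True)
class Principal:
    user: str
    org: str
    categories: frozenset   # purchasing categories this buyer may order
    spend_limit: float      # per-order limit
    assurance: str          # how the buyer's identity was established


@dataclass(frozen=True)
class Order:
    sku: str
    category: str
    amount: float
    fulfilled_by: str       # company whose order system finally fulfils it


# Constructed sample data.
AIRLINE_CUSTOMERS = frozenset({"Acme Air", "Northwind Airways"})
BUYER = Principal("j.doe", "Acme Air", frozenset({"office-supplies"}),
                  spend_limit=5_000.0, assurance="email-only")
PENCIL_ORDER = Order("PENCIL-HB-12", "office-supplies", 45.0, fulfilled_by="OfficeCo")
AIRCRAFT_ORDER = Order("747-8", "aircraft", 200_000_000.0, fulfilled_by="Boeing")


def service_level_authorize(caller_org: str, order: Order) -> bool:
    """The check the text warns about: each service only asks whether the
    caller belongs to a known airline customer and never looks at the order
    or at the human who started the process."""
    return caller_org in AIRLINE_CUSTOMERS


def process_level_authorize(principal: Principal, order: Order) -> tuple[bool, list[str]]:
    """Evaluate the order against the originating principal's entitlements.
    Returns (allowed, reasons); reasons is empty when allowed."""
    reasons = []
    if order.category not in principal.categories:
        reasons.append(f"category {order.category!r} not in {sorted(principal.categories)}")
    if order.amount > principal.spend_limit:
        reasons.append(f"amount {order.amount:,.2f} exceeds limit {principal.spend_limit:,.2f}")
    if (order.amount > HIGH_VALUE_THRESHOLD
            and ASSURANCE_RANK[principal.assurance] < ASSURANCE_RANK["passport-verified"]):
        reasons.append(f"assurance {principal.assurance!r} too weak for a high-value order")
    return (not reasons, reasons)


def fulfil(principal: Principal, order: Order) -> dict:
    """Simulate the orchestration: the supplier service receives the order and,
    for items it does not stock, forwards it to the manufacturer. Each hop
    re-evaluates the originating principal instead of trusting that the
    previous hop ('an airline is calling') already vouched for the request."""
    hops = ["OfficeCo"]
    if order.fulfilled_by != "OfficeCo":
        hops.append(order.fulfilled_by)
    # Naive view: every hop sees an airline behind the request and lets it through.
    naive = all(service_level_authorize(principal.org, order) for _ in hops)
    # Process view: the same policy, on the same originating principal, at every hop.
    decisions = {hop: process_level_authorize(principal, order) for hop in hops}
    denied_at = next((hop for hop, (ok, _) in decisions.items() if not ok), None)
    return {
        "hops": hops,
        "service_level_allows": naive,
        "process_level_allows": denied_at is None,
        "denied_at": denied_at,
        "reasons": decisions[denied_at][1] if denied_at else [],
    }


if __name__ == "__main__":
    for order in (PENCIL_ORDER, AIRCRAFT_ORDER):
        print(order.sku, fulfil(BUYER, order))
```

The aircraft order is denied at the very first hop: the supplier's own service, not Boeing's, is the right place to stop it, because it is the first to see both the originating buyer and the order. The naive check passes both orders, which is exactly the gap the text describes.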

Before one can build a secure, cross-company process, both sides must first agree on an answer to a critical question: what does it mean to be secure?




Enterprise SOA: Designing IT for Business Innovation
ISBN: 0596102380
Year: 2004
Pages: 265
