Extending XML-based Services Beyond the Perimeter

Across leading enterprises, architects have discovered that convincing a business owner to invest in Service Oriented Architectures and XML is most efficient when the architect identifies a clear revenue-producing or cost-reducing project that would be demonstrably accelerated by these technologies. The most compelling are often those projects that entail integration between the enterprise and its business partners, suppliers or even customers. The most significant challenge to those projects is assuring security. The vast majority of IT professionals and business people agree that security is the leading concern for SOA and XML messages and most quickly realize that SSL is limited by not providing content security, auditability or reliability.
Thought leaders from leading analyst firms and enterprises assert that addressing security concerns is both pragmatic and possible. In fact, many enterprises can and are extending their XML-based services beyond the perimeter with a more pragmatic and graduated approach than is required for comprehensive internal SOA.
This paper will discuss how to extend SOA beyond the perimeter through high performance:
1. Service access controls
2. Deep content inspection
3. Alignment of people and processes for sustainable growth

XML services (XML, REST, Web Services, ebXML) continue to gain momentum as the most efficient and flexible architecture for real-time system to system integration. The largest auto-manufacturers are finding that XML based services are a more flexible and cost effective mechanism to connect dealer networks. Financial services institutions are expanding their market reach by reducing the costs of integrating their services with employers' portals ? growing total revenues while improving their margins. Loyalty companies are enabling real-time "points-based" ecommerce to increase the value of loyalty programs and increase revenues. These are a few of the many examples of pragmatic enterprises realizing significant business gains by extending XML-based services across the perimeter ? often as their first foray into XML and standards-based SOA.
The virtually instantaneous, open application integration promised by XML services offers organizations the potential to respond rapidly to new business opportunities. The business benefits of connecting and automating mutual processes are clear. XML services technology advances make that goal easier to achieve than ever before. Direct connections to mission-critical functions improve business responsiveness and results, however, they also expose the enterprise to a new class of problems.
To extend XML-based services beyond the enterprise, the services architect must:
1. Control service access
2. Deeply inspect content
3. Align people and processes for sustainable protection

Expanding XML-based Services Beyond the Perimeter
At the beginning of an SOA initiative, many architects make a design assumption that all services will be "within the firewall" and consequently have limited to no protection requirements. These projects often demonstrate integration benefits, but often have trouble getting the enthusiastic support of business teams. The exception is those services built for external consumption to drive a business goal.
By focusing on services that extend outside the enterprise and generate benefits visible and quantifiable, services architects can develop a comprehensive SOA that is deployed gradually with continuous business support. To generate continuous support, the projects delivered through SOA must be faster, cheaper and as reliable as projects delivered through traditional integration technologies. With minimal initial infrastructure, services architects can deliver these benefits and be prepared for the growth that follows initial success.

Protecting the Enterprise when Exposing Services
Every services architect faces choices and trade-offs about where and how to protect the enterprise. Use of XML-based Web services removes the network safety-net because those messages will transit ports that are open for internet access (Port 80 and Port 443). Existing network defenses are mostly oblivious to XML and cannot deliver perimeter protection that has the necessary application understanding to be useful. Consequently, service architects must choose between the following alternatives to protect their multiple services perimeters:

- SSL-only protection
- Hard coded protection
- Platform protection
- Agent protection
- Gateway protection

SSL-Only Protection
The logical first response to securing XML traffic crossing the Internet is to use SSL to secure the transport. This is a viable first step and is often a core element of a protection program for XML-based SOA. SSL is well-understood and broadly supported, making it an attractive alternative. But reliance on existing SSL technologies will expose the enterprise to significant deployment delays and considerable risks.