Facilitating compliance management in an SOA environment

July 2008

Compliance in an SOA environment

Contents

● Introduction
● The SOA factor
● Security encompasses all aspects of the SOA life cycle
● Conclusion
● For more information

Introduction

From industry regulations to data privacy laws and government mandates, meeting compliance has become a permanent criterion for doing business. As each year passes, the resources needed to comply with ever-multiplying, disconnected regulatory and industry requirements continue to escalate. The challenge is even greater with the recognition that there is no finish line when it comes to compliance. Instead, it is a cyclical process that requires continual diligence and focus.

The necessity of conforming to regulations and mandates has wide-ranging implications in the way organizations manage and run their businesses, particularly in the area of security. The majority of regulatory compliance requirements and internal control objectives include major IT security components, in part designed to protect public assets and interest. In short, compliance has become the new driver for IT security.

The SOA factor

Data privacy regulations and compliance-reporting mandates require that you define consistent security policies, monitor compliance with these policies and with government or industry regulations, and provide a complete audit trail as proof of policy enforcement. In an SOA environment, an organization has more flexibility in how it implements and manages services, which improves the speed with which it can implement and enforce policies. An organization can decouple policy information from the actual service, which makes policies easier to manage and update than if policy information were built directly into the applications themselves. However, Service Oriented Architecture (SOA) can make it challenging to ensure that information remains secure and auditable as it moves across systems, and difficult to reconcile who is doing what, where and when between applications and processes.

Security policies for services include the rules established for allowing services to be accessed. In moving to SOA, a key initial activity is to establish the SOA governance framework that can be used as the basis for creating and controlling policies, including security policies. A user or service might require specific privileges to access a service. However, when services are combined, such as when they are choreographed into a higher-level business process, the combination of these services can require another examination of the security policy. For example, a user might be allowed to access Service A and Service B independently. Yet, when these services are choreographed together, perhaps with other service invocations, the user might no longer be allowed to access these services. The complexity in an SOA environment means that the security policy for the choreographed services needs to take into account the mixing and matching of services in different combinations as required to reflect changes in business processes. Each new sequence of steps can require examination of the security policy to ensure it remains valid for this new combination.
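The composition problem just described, as an added worked example that is not from the paper: a small policy evaluator that keeps a per-service rule set and a separate composition rule set, so that a role allowed to call Service A and Service B on their own can still be refused the process that chains them. All role, service and process names, and the segregation-of-duties rule, are constructed for illustration.

```python
"""Added example (not from the IBM paper): re-evaluating access policy when
services are choreographed into a business process.

A user may be allowed to call Service A and Service B independently, yet not
be allowed to run a process that chains them. This toy policy engine keeps two
rule sets, one per service and one per composition, and consults both. All
names (roles, services, processes) and the rule itself are constructed.
"""
from dataclasses import dataclass, field

# Per-service policy: which roles may invoke each service on its own.
SERVICE_POLICY = {
    "ServiceA": {"clerk", "manager"},   # e.g. look up a customer record
    "ServiceB": {"clerk", "manager"},   # e.g. issue a refund
}


@dataclass
class CompositionRule:
    sequence: tuple        # ordered service names this rule matches
    allowed_roles: set     # roles permitted to run that sequence
    reason: str            # text reported when the rule denies


# Composition policy: constraints that apply only when services are chained.
# Constructed scenario: lookup followed by refund in one flow is a pattern the
# business restricts to managers (segregation of duties).
COMPOSITION_POLICY = [
    CompositionRule(("ServiceA", "ServiceB"), {"manager"},
                    "lookup-then-refund in one process requires manager"),
]


@dataclass
class Decision:
    permitted: bool
    reasons: list = field(default_factory=list)


def check_service(role, service):
    """Individual-service check, independent of any process context."""
    return role in SERVICE_POLICY.get(service, set())


def _contains_subsequence(seq, sub):
    """True if `sub` occurs as a contiguous run inside `seq`."""
    n = len(sub)
    return any(tuple(seq[i:i + n]) == tuple(sub) for i in range(len(seq) - n + 1))


def check_process(role, process_steps):
    """Evaluate a choreographed process: every step must pass the per-service
    policy AND every matching composition rule must permit the role."""
    decision = Decision(permitted=True)
    for step in process_steps:
        if not check_service(role, step):
            decision.permitted = False
            decision.reasons.append(f"{role} may not invoke {step}")
    for rule in COMPOSITION_POLICY:
        if _contains_subsequence(process_steps, rule.sequence) and role not in rule.allowed_roles:
            decision.permitted = False
            decision.reasons.append(rule.reason)
    return decision


if __name__ == "__main__":
    print(check_service("clerk", "ServiceA"), check_service("clerk", "ServiceB"))
    print(check_process("clerk", ["ServiceA", "ServiceB"]))    # denied by composition rule
    print(check_process("manager", ["ServiceA", "ServiceB"]))  # permitted
    print(check_process("clerk", ["ServiceB", "ServiceA"]))    # permitted: different order
```

The point to take from it is that the composition decision is a separate check from the per-service decisions, so a new sequence of steps is evaluated against its own rules rather than inheriting the union of the individual permissions. Composition rules here match contiguous subsequences; a governance framework would more likely key them to a registered process definition.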

Protection of data from unauthorized modification and disclosure is a key requirement within SOA. Data needs to be protected because it is business sensitive, privacy sensitive or both. For this reason, a policy should be in place to ensure that data is protected in transit and at rest, with consistent security measures applied. Data protection is especially important when data moves outside the organizational boundary, which can happen without the knowledge of the consumer. For example, an internal service might be replaced with an outsourced service with data now flowing to the external organization. The service provider might need to ensure appropriate protection is in place to satisfy the policy requirements of the calling organization if the data is business sensitive or privacy sensitive.

Auditing of transactions is required to provide the data needed for assessing compliance, as it measures the performance of the IT environment relative to measurements established by the business policies. This can include verifying the working system against a set of internally created policies, and also against external regulatory acts. Complexity is increased in an SOA where different applications from dissimilar sources or vendors are targeted for different levels of compliance. This is especially true when accessing services provided by an external organization, and the complexity increases when the regulatory and compliance regime for that organization is different from that in the requesting organization. Ideally, the audit data produced by the various policy enforcement points should be integrated into a single repository or federated into a single logical view of the data. This facilitates the production of the required audit reports, verification of compliance against policy and investigation of security-related events.

Figure 1. Model of the SOA life cycle
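One way to build the single logical view the paragraph calls for, as an added example that is neither from the paper nor any product's output: three constructed record formats from three hypothetical enforcement points (an XML gateway, an application server and an ESB) are normalised into one event schema, so that a subject's activity can be reconciled across all of them and denials can be listed from one place. The formats, host names, subjects and timestamps are invented.

```python
"""Added example (not from the IBM paper): federating audit records from
several policy enforcement points into one logical view.

Three constructed record formats (an XML-gateway syslog line, an
application-server JSON event, an ESB CSV row) are parsed into one schema so
"who did what, where and when" can be answered over the merged set.
"""
import csv
import io
import json
import re
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class AuditEvent:
    when: datetime   # UTC
    who: str         # authenticated subject (user or service identity)
    what: str        # action, e.g. invoke
    where: str       # service or resource name
    source: str      # enforcement point that produced the record
    outcome: str     # "allow" or "deny"


# Constructed sample records, one format per hypothetical enforcement point.
GATEWAY_SYSLOG = [
    '2008-07-01T09:15:02Z xmlgw01 policy=svc-access subject="alice" op=invoke target=/services/ServiceA result=PERMIT',
    '2008-07-01T09:15:07Z xmlgw01 policy=svc-access subject="bob" op=invoke target=/services/ServiceB result=DENY',
]
APPSERVER_JSON = [
    '{"ts": "2008-07-01T09:15:03Z", "principal": "alice", "action": "invoke", "service": "ServiceA", "decision": "granted"}',
]
ESB_CSV = "time,caller,operation,endpoint,status\n2008-07-01T09:15:05Z,alice,invoke,ServiceB,ok\n"

_GW_RE = re.compile(
    r'(?P<ts>\S+) (?P<host>\S+) policy=\S+ subject="(?P<subj>[^"]*)" op=(?P<op>\S+) '
    r'target=(?P<target>\S+) result=(?P<res>\S+)'
)


def _utc(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_gateway(lines):
    for line in lines:
        m = _GW_RE.match(line)
        if not m:
            continue  # a real collector would flag unparseable lines rather than drop them
        yield AuditEvent(_utc(m["ts"]), m["subj"], m["op"],
                         m["target"].rsplit("/", 1)[-1], "xml-gateway",
                         "allow" if m["res"] == "PERMIT" else "deny")


def parse_appserver(lines):
    for line in lines:
        rec = json.loads(line)
        yield AuditEvent(_utc(rec["ts"]), rec["principal"], rec["action"], rec["service"],
                         "app-server", "allow" if rec["decision"] == "granted" else "deny")


def parse_esb(text):
    for row in csv.DictReader(io.StringIO(text)):
        yield AuditEvent(_utc(row["time"]), row["caller"], row["operation"], row["endpoint"],
                         "esb", "allow" if row["status"] == "ok" else "deny")


def federated_view():
    """Merge every source into one time-ordered list: the single logical view."""
    events = [*parse_gateway(GATEWAY_SYSLOG), *parse_appserver(APPSERVER_JSON), *parse_esb(ESB_CSV)]
    return sorted(events, key=lambda e: e.when)


def activity_of(subject, events=None):
    """Answer 'who did what, where and when' for one subject across all points."""
    events = federated_view() if events is None else events
    return [(e.when.isoformat(), e.what, e.where, e.source, e.outcome)
            for e in events if e.who == subject]


def denied(events=None):
    """All policy denials, regardless of which enforcement point recorded them."""
    events = federated_view() if events is None else events
    return [e for e in events if e.outcome == "deny"]


if __name__ == "__main__":
    for row in activity_of("alice"):
        print(row)
    print(len(denied()), "denied event(s)")
```

The normalisation step is where the value lies: once timestamps are in one zone and subjects, resources and outcomes share one vocabulary, the report and investigation queries no longer need to know which enforcement point produced a record.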

Security encompasses all aspects of the SOA life cycle

Certain roles in an organization contribute to the creation, definition, refinement, monitoring, verification and management of security policies throughout the SOA life cycle. Corporate security officers and equivalent executives define corporate security policies and outline regulations with which the business must comply. Business analysts work with security policy officers to translate corporate security policies into terms of a business vocabulary and process. These security-related decisions are then applied at various phases of the SOA life cycle. (See Figure 1.) To help you address compliance requirements, IBM provides solutions that are especially useful during the assemble, deploy and manage phases.

Assemble

Application and security architects model the security policies based on choices provided by the business analyst. Application programmers and administrators factor in these security policies by declaring the requirements for the infrastructure to enforce. The security policy can be implemented in the applications when the infrastructure support is not sufficient.

Getting to the definition stage of security policies requires assessments and planning. An assessment can help identify and prioritize audit deficiencies, as well as vulnerabilities at the system, network and application levels. In addition, organizations should inventory enterprise assets—both systems and information assets—to better understand what needs to be protected and to what degree.

IBM offers a number of solutions to help assess and evaluate your compliance posture, including IBM Audit and Compliance Gap Analysis, security assessments and risk assessments. Other solutions include IBM Rational® AppScan, which can help assess security compliance reporting for Web applications through more than 40 ready-to-use security compliance reports such as PCI Data Security Standard, ISO 17799, ISO 27001, HIPAA, Gramm-Leach-Bliley Act (GLBA) and Basel II, and IBM Rational Policy Tester, which can help audit Web sites for compliance with regulations for consumer data privacy, e-government, banking and accessibility.

IBM solutions such as IBM Information Security Policy and Process Definition can help organizations investigate the requirements for information security and the associated priorities, and create a custom security policy. Other solutions such as IBM Rational Method Composer can provide a flexible process management platform, with tooling and an extensive process library to help organizations implement effective processes for successful software and IT projects.

Deploy

Application administrators install the applications and work with security developers and security administrators to configure the applications and associated security policies.

Tivoli® Federated Identity Manager offers an efficient and effective way to manage and validate user identities across the SOA environment and provide a robust identity-assurance and trust-management solution. Tivoli Federated Identity Manager can enforce consistent identity propagation and token mediation across diverse, heterogeneous enforcement points, such as XML firewalls, application servers and the enterprise service bus.

IBM Tivoli Federated Identity Manager for z/OS® provides a strong security bridge for distributed applications and mainframe applications by integrating with IBM RACF® software to enable end-to-end identity propagation and secure access to mainframe applications. As part of this support, the federated audit solutions delivered by Tivoli Federated Identity Manager for z/OS support the auditing of the identity-mapping function that is used to create the bridge between RACF and distributed identity management.

Manage

IT and security administrators manage the security policies across a set of applications and infrastructure to meet requirements, which might continue to change over time. Operators monitor the system behavior for compliance. They detect situations that are potential security threats and feed them back to administrators to make changes as required. Business analysts view business dashboards to assess the effect of certain system security events on the business. Security auditors assess the system's compliance with regulatory and corporate policies. It is worth noting that security policies are specified and refined throughout the SOA life cycle, undergoing transformation from one phase to the next.

In many cases, these tasks rely on manual processes that drain considerable time and money from organizations and prevent compliance staff from focusing on higher-value activities. For example, IT still uses human eyes to review and human hands to generate reports on security-relevant events in the environment. To maximize efficiency and flexibility, these tasks should be automated wherever possible.

With IBM Tivoli Security Policy Manager, you can centrally manage security policies for multiple business applications across your enterprise. It provides unified policy life-cycle management and enforces policies at run time, strengthening your organization's security posture. Security Policy Manager also offers centralized change and control, making it easier to meet tightening or new compliance requirements.

IBM Tivoli Security Information and Event Manager—designed to support security compliance and audit management—is a powerful solution that allows you to monitor, correlate and report on security audit data and user activity across your enterprise. IBM Tivoli Security Information and Event Manager can help automate key components of the IT organization that affect compliance, such as:

● Generating sufficient audit trails in the form of logs of network, system and application events.
● Monitoring user activities for misuse or noncompliance.
● Leveraging automated policy-enforcement mechanisms.
● Managing incidents using standardized, trackable procedures.
● Leveraging standardized compliance reporting.

It captures relevant security audit data from a broad set of systems, including applications, databases, operating systems, mainframes, security devices and network devices. A log continuity mechanism helps ensure that internal controls over log collection are properly carried out. It communicates through effective reporting on the status of user activity within IT systems. This capability enables executives to see the ongoing status of security operations, including attempts to gain unauthorized access, how those attempts were stopped and recommendations about how to prevent similar attacks. (See Figure 2.)

Figure 2. Tivoli Security Information and Event Manager provides numerous audit and compliance report templates. This example shows more than 30 report templates specific to helping manage Payment Card Industry (PCI) compliance efforts.
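The paragraph above mentions a log continuity mechanism as a control over log collection without saying how one works. As an added example (a generic technique, not a description of the product's mechanism and not code from the paper), the block below has each source number its records and chain a hash from one record to the next, so that a collector can detect both records that never arrived (sequence gaps) and records that were altered or substituted after they were sealed (chain breaks). The source names and messages are constructed.

```python
"""Added example (not from the IBM paper): a log-continuity check.

Each source numbers its records from 1 and seals each one with a SHA-256
digest over the record and the previous record's digest. The collector groups
records by source and reports sequence gaps and chain breaks. This is a
generic technique; it is not a description of any product's mechanism.
"""
import hashlib
from dataclasses import dataclass

GENESIS = "0" * 64   # previous-hash value for the first record of a source


@dataclass(frozen=True)
class LogRecord:
    source: str
    seq: int
    message: str
    prev_hash: str
    digest: str


def _digest(source, seq, message, prev_hash):
    return hashlib.sha256(f"{source}|{seq}|{message}|{prev_hash}".encode()).hexdigest()


def make_record(source, seq, message, prev_hash):
    """Producer side: seal one record onto the source's chain."""
    return LogRecord(source, seq, message, prev_hash, _digest(source, seq, message, prev_hash))


def make_chain(source, messages):
    """Build a well-formed chain for one source, numbered from 1."""
    records, prev = [], GENESIS
    for seq, msg in enumerate(messages, start=1):
        rec = make_record(source, seq, msg, prev)
        records.append(rec)
        prev = rec.digest
    return records


def verify_continuity(records):
    """Collector side: group by source, then report gaps and breaks.
    Returns {source: {"gaps": [missing seq numbers], "breaks": [seq numbers]}}.
    A record that follows a gap is also reported as a break, because it cannot
    chain to the last record the collector actually holds."""
    by_source = {}
    for rec in records:
        by_source.setdefault(rec.source, []).append(rec)
    report = {}
    for source, recs in by_source.items():
        recs.sort(key=lambda r: r.seq)
        gaps, breaks = [], []
        expected_prev, last_seq = GENESIS, 0
        for rec in recs:
            gaps.extend(range(last_seq + 1, rec.seq))        # numbers never received
            content_ok = _digest(rec.source, rec.seq, rec.message, rec.prev_hash) == rec.digest
            if not content_ok or rec.prev_hash != expected_prev:
                breaks.append(rec.seq)                        # altered, or does not chain
            expected_prev, last_seq = rec.digest, rec.seq
        report[source] = {"gaps": gaps, "breaks": breaks}
    return report


def sample_records():
    """Constructed input: an intact app chain, a database chain missing seq 3,
    and a security-device chain whose record 2 was altered after sealing."""
    app = make_chain("app01", ["login alice", "invoke ServiceA", "logout alice"])
    db = make_chain("db01", ["connect", "select customers", "update customers", "commit"])
    db_with_gap = [r for r in db if r.seq != 3]
    dev = make_chain("fw01", ["allow 10.0.0.5", "deny 10.0.0.9"])
    tampered = LogRecord(dev[1].source, dev[1].seq, "allow 10.0.0.9", dev[1].prev_hash, dev[1].digest)
    return app + db_with_gap + [dev[0], tampered]


if __name__ == "__main__":
    for source, result in verify_continuity(sample_records()).items():
        print(source, result)
```

For the check to mean anything the producer's sealing step must run where the collector's adversary cannot rewrite history, for example on the source host before the record leaves it; the collector then only needs the per-source digest of the last record it accepted to resume verification.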

Other solutions, such as Rational AppScan, can help automatically scan and test Web applications for common vulnerabilities, using intelligent fix recommendations and advanced remediation capabilities.

And IBM Tivoli zSecure Audit can help you automatically analyze and report on mainframe-related security events and incorporate that information directly into Tivoli Security Information and Event Manager for a more holistic view of the organization's security posture. Because critical and sensitive information is often stored on mainframes, the ability to audit events on these systems and correlate that activity with activity in the distributed environment is critical to maintaining security and demonstrating due diligence when it comes to protecting sensitive data.

In addition, the IBM WebSphere® DataPower® XML Security Gateway XS40 appliance provides a centralized means of controlling and viewing services within an SOA to meet compliance requirements. Its policy enforcement blocks threats to XML Web services, helps ensure secured access and helps enforce service levels. This SOA appliance can easily manage and secure multiple Web services and helps ensure full policy compliance within your IT infrastructure.

Conclusion

The complexity of an SOA environment increases the challenge of meeting compliance requirements. IBM offers a comprehensive range of solutions to help you address your compliance needs as you move through the stages of the SOA life cycle.


For more information

To learn more about compliance in SOA environments, please contact your IBM marketing representative or IBM Business Partner, or visit the following Web sites:

● ibm.com/software/solutions/soa/mgmtsec/security.html
● ibm.com/software/tivoli/governance/security/compliance.html

© Copyright IBM Corporation 2008

IBM Corporation
Software Group
Route 100
Somers, NY 10589
U.S.A.

Produced in the United States of America
July 2008
All Rights Reserved

IBM, the IBM logo, ibm.com, DataPower, RACF, Rational, Tivoli, WebSphere and z/OS are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at ibm.com/legal/copytrade.shtml.

UNIX is a registered trademark of The Open Group in the United States and other countries.

WSW14030-USEN-00
