The challenge with securing an SOA is that most services and applications aren’t stand-alone; they are already connected, with or without security. The challenge is to introduce SOA or service-enable such resources without having to write extensive code, incur additional maintenance costs, or leave loopholes that compromise sensitive data.
Some services and applications already provide their own preferred security protocol. Leveraging these in an SOA is a challenge. For example, one application’s security protocol may differ from the security protocol of the application with which it is communicating.
BEA’s interoperable, easy-to-use, configuration-based products help address security concerns, starting from a business perspective and extending all the way to fine-grained code. BEA AquaLogic Service Bus drives policy-based SOA, while BEA WebLogic Integration helps create service-enabled processes for enterprise integration.
Policy-based enforcement allows access to services through BEA AquaLogic Service Bus, which acts as an intermediary and a single point of enforcement for policies that can be centrally governed. Maintaining these security policies becomes much more manageable as a result. For intermediary layers as well as service-enabled processes and back-end systems, standards-based security can smooth interoperability between consumers and providers.
BEA AquaLogic Service Bus provides a configuration-driven alternative that bridges multiple security protocols with minimal coding. It also provides flexible authentication for transports, including username/password basic authentication in transport headers and certificate-based authentication. Message-level encryption can also be added, including the use of security credentials in SOAP headers. SSL or HTTPS can provide encryption for confidentiality.
These options—to create secure service-enabled processes for integration using BEA WebLogic Integration and to use BEA AquaLogic Service Bus as a central security bridge—make it far easier both to secure new and existing services, and to manage those services on an ongoing basis.
