When deciding which type of security monitoring Web service to use, start with a plan that covers the support, operations, and administrative practices for providing Web services that monitor security in your organization. Make sure that security is balanced between the assessed risks and the costs of countermeasures. Even if your enterprise has achieved balanced security through periodic risk assessments, return-on-investment (ROI) analysis of countermeasures, and security policies, you still need to ensure that Web services perform at the uptime levels guaranteed by the service level agreement (SLA).
Here are some items you should have in your plan:
- Administrative delegation: Specify the geographical locations, the level of delegation of administrative rights, and the administrative roles for monitoring security (dedicated and distributed). Do this at the local, regional, and global levels.
- Security infrastructure: Determine whether one central group manages the security of the entire enterprise or whether each department manages its own infrastructure independently and cooperates with the others on securing data sharing and transfer. Identify all possible administrator roles in the enterprise, and then determine how many of those roles are assigned within one enterprise.
- Web services interaction: Consider whether Web services in your enterprise need to interact with Web services of other enterprises via a grid or point-to-point connection. Consider whether the grid, if used, is at the local, regional, or global levels—or all three—and how unused resources are being harnessed at multiple workstations at each grid level.
- Risk, training, and culture: Conduct a risk assessment, including the physical security of the facility that houses the computer and network infrastructure. Provide training classes to update developers' skills in building security monitoring Web services. Consider the cultural and organizational aspects of your enterprise and, where known, of the other enterprises you interact with.
Dedicated security monitoring Web services
If you decide on a dedicated security monitoring Web service as the host, keep in mind that this is not the same thing as a centralized security monitoring Web service. Unlike the centralized approach, you can have more than one dedicated monitoring Web service grouped together as a virtual host within an enterprise, each complete with security tools, policies, and standards in the Service-Oriented Architecture (SOA). An enterprise can't have more than one centralized security monitoring Web service.
A dedicated security monitoring Web service for one enterprise may communicate with the dedicated security monitoring Web service of another enterprise at one of three levels: local, regional, or global. To justify the dedicated model, it must provide more benefit at lower cost than a distributed monitoring Web service would.
One benefit of the dedicated model is that the Web services being monitored can transport sensitive data on an intranet or in a closed network within an enterprise, skipping the grid. Secure communication is needed to transfer or access data from one intranet to another, from one intranet to a closed network, or from one closed network to another.
Distributed security monitoring Web services
The distributed model describes how security monitoring Web services are spread across the enterprises in a grid. At the top is the global monitoring host; below it is a second level of regional hosts, and below those a third level of local hosts grouped under their regional host.
Let's take a look at some reasons for transitioning to or building distributed monitoring Web services as the host.
Security, firewalls, and risks
Security monitoring Web services in different enterprises require a distributed model of security. Security responsibilities are split among the enterprises. Each enterprise manages its end of the security infrastructure independently.
Web service interactions in the grid must be able to traverse corporate firewalls across the enterprises. The exceptions are corporate and governmental intranets behind firewalls and the closed networks with no connection to the intranets or the Internet.
If a dedicated monitoring host detects that risks within an enterprise have increased over a period of time, it can become burdensome for that single Web service to hold central security control over mitigating those risks to more tolerable levels.
Some enterprises place their Web services in a grid so that they can interact with other grids. An enterprise can interact with multiple grids that offer different services, ranging from supplier services to payroll services. The enterprise uses these service grids to interact with the systems of partners, service-provider customers, and suppliers. A service grid lets participating companies act as a loose federation, each with its own internal computer, network, and security infrastructure and policies.
Heterogeneous technology and semantics
Web services from different enterprises may be built on heterogeneous technology stacks, because each enterprise decides on its computing infrastructure independently. Web services in different enterprises or grids, including security monitoring Web services, are also likely to use different semantics: each enterprise interprets the data communicated among the enterprises differently. There is not yet a universal data model that serves as an enterprise-wide standard.
The problem is that Web services, which are normally loosely coupled, run whether or not the resources they need are scarce. There needs to be a way to ensure that the resources for distributed security monitoring Web services aren't wasted when those services are in the grid.
In a nongrid environment, resource volumes can change from low to high and vice versa in the background: a resource is either scarce or not while Web services wait to send or receive a message. If such changes in scale aren't adequately controlled across thousands of workstations, they can affect the single system image of the grid, resulting in resource overloads and possibly denial of service.
One solution is to develop a grid monitor that tracks how the unused resources of each workstation are harnessed and shared by other workstations. If the monitor finds that the unused resources on any workstation aren't properly harnessed, the distributed security monitoring Web service should send an alert to the grid and system administrators so they can look up the details in the logs and resolve the problem.
My article, "Tight-coupling Web services in the SOA" (developerWorks, Jan 2008), discusses another solution: a Web service with a coupling switch mechanism at the workstation level. This switch flips to tight coupling from loose coupling when the Web service receives an alert that its corresponding resources have reached certain levels. When the Web service makes the switch, certain standards must be switched (for example, WS-Context for loose coupling to WS-Addressing for tight coupling).
Distributed security monitoring Web services should include the coupling switch mechanism plus WS-Resource Transfer from the WS-Resource Framework. Combined with the WS-Notification and WS-Security specifications, this Web service at the grid level can send an alert to specified workstations to switch some Web services from loose coupling to tight coupling when the resources at the grid level reach certain levels.
In the reverse direction, a Web service on a specified workstation should be able to send an alert to the distributed security monitoring Web service in the grid when the resources of the other Web services on the same machine that were switched to tight coupling have reached certain levels.
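The resource checks described above (the grid monitor that flags unharnessed workstation resources, and the coupling switch alerts in both directions between the grid and a workstation) can be sketched as a small simulation. This is an added example, not code from the article or from any IBM product; the threshold values, the alert tuples, and the sample workstation figures are assumptions, and the WS-Notification and WS-Security message plumbing is left out.

```python
from dataclasses import dataclass

LOOSE, TIGHT = "loose", "tight"   # the two coupling modes the article describes

@dataclass
class Workstation:
    name: str
    capacity: float      # total resource units (constructed sample values)
    used: float          # units consumed by the host's own Web services
    shared: float        # units harnessed by other workstations in the grid
    coupling: str = LOOSE

    def load(self) -> float:
        return (self.used + self.shared) / self.capacity

    def unused(self) -> float:
        return self.capacity - self.used - self.shared

@dataclass
class GridMonitor:
    # The article says only "certain levels"; these thresholds are assumptions.
    grid_tighten_at: float = 0.80   # grid-wide load that triggers loose->tight alerts
    tight_report_at: float = 0.90   # load at which a tightly coupled host alerts the grid
    waste_at: float = 0.35          # unused fraction that counts as "not harnessed"

    def scan(self, stations: list) -> list:
        """Run one monitoring pass over the grid and return the alerts raised."""
        raised = []
        grid_load = sum(w.used + w.shared for w in stations) / sum(w.capacity for w in stations)
        for w in stations:
            # Grid-level alert: resources across the grid reached the threshold, so
            # loosely coupled services on this host are told to switch to tight.
            if w.coupling == LOOSE and grid_load >= self.grid_tighten_at:
                w.coupling = TIGHT
                raised.append(("grid->workstation", w.name, "switch to tight coupling"))
            # Reverse alert: a host whose tightly coupled services hit their level
            # notifies the distributed security monitoring Web service in the grid.
            elif w.coupling == TIGHT and w.load() >= self.tight_report_at:
                raised.append(("workstation->grid", w.name, f"tight services at {w.load():.0%}"))
            # Harnessing check: idle capacity that no other workstation is using.
            if w.shared == 0 and w.unused() / w.capacity >= self.waste_at:
                raised.append(("monitor->admins", w.name, f"{w.unused():.0f} units unharnessed; see logs"))
        return raised

def demo() -> list:
    # Constructed sample grid: two busy hosts and one idle host that shares nothing.
    stations = [Workstation("ws-a", 100, 95, 5), Workstation("ws-b", 100, 90, 5, TIGHT),
                Workstation("ws-c", 100, 60, 0)]
    return GridMonitor().scan(stations)
```

In the sample grid the grid-wide load is 85%, so both loosely coupled hosts are told to tighten, the already-tight host reports back to the grid, and the idle host that shares nothing is reported to the administrators.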
A distributed monitoring Web services host in one enterprise accessing a like host in different enterprises requires collaboration among the enterprises. Why?
- To ensure that the policies, standards, and tools provided by the distributed security monitoring Web services host are interoperable and compatible.
- To operate and defend the enterprises' grids by determining what is to be standardized and what needs to be compatible and interoperable.
- To agree on which security policies, standards, and tools apply to the enterprises participating in the collaborative effort.
You need a team of developers, testers, and system and grid administrators to choose between dedicated or distributed security monitoring services as a host. You must plan ahead for developing, migrating, testing, and deploying either host type within and across the enterprises. Resolving these issues makes your job of monitoring the security of Web services a lot easier. You can use IBM® Rational® ClearQuest®, IBM Rational Tester for SOA Quality, and IBM Rational Functional Tester to increase productivity by reducing testing and defect-tracking time.
Learn
- Explore the OASIS consortium.
- See all the articles in Judith M. Myerson's series Work with Web services in enterprise-wide SOAs.
- Check out Judith M. Myerson's developerWorks series, Use SLAs in a Web services context.
- Read "Tight-coupling Web services in the SOA" (developerWorks, Jan 2008).
- Learn more about WS-Resource Transfer.
- Get details about the following books:
  - Judith M. Myerson's The Complete Book of Middleware, which focuses on the essential principles and priorities of system design and emphasizes the new requirements brought forward by the rise of e-commerce and distributed integrated systems.
  - Enterprise Systems Integration, Second Edition, which provides the business insight and the technical know-how to ensure successful systems integration.
  - RFID in the Supply Chain, which explains business processes, operational and implementation problems, risks, vulnerabilities, and security and privacy.
- The SOA and Web services zone on IBM developerWorks hosts hundreds of informative articles and introductory, intermediate, and advanced tutorials on how to develop Web services applications.
- Play in the IBM SOA Sandbox! Increase your SOA skills through practical, hands-on experience with the IBM SOA entry points.
- The IBM SOA Web site offers an overview of SOA and how IBM can help you get there.
- Stay current with developerWorks technical events and webcasts.
- Browse for books on these and other technical topics at the Safari bookstore.
- Check out a quick Web services on demand demo.
Get products and technologies
- Download a trial version of Rational ClearQuest.
- Download a trial version of Rational Functional Tester.
- Download a trial version of Rational Tester for SOA Quality.
- Download IBM product evaluation versions and get your hands on application development tools and middleware products from DB2®, Lotus®, Rational®, Tivoli®, and WebSphere®.