SOA Security and Compliance

Organizations must ensure SOA security and compliance to protect their reputation and bottom line. Yet many companies tightly couple policies to the services to which they apply, putting the various IT teams responsible for the different services in charge of the related policies. This can lead to inconsistencies in policies and gaps in coverage, as well as high IT costs resulting from re-coding policies as services change and vice versa.

Centralized Management, Distributed Enforcement of SOA Security and Compliance

In contrast, Progress® Actional® for Active Policy Enforcement separates the policy lifecycle and service lifecycle. It provides centralized creation and management of policies for SOA security and compliance, while ensuring distributed policy enforcement. This allows companies to put policy in the hands of security and compliance experts and empowers the experts to author policies once and apply them across the SOA, ensuring consistent policy enforcement while reducing risk and cost. While alternative approaches can only apply policies to services and operations, Actional applies policies to end-to-end processes wherever they flow. Once policies are applied, they dynamically adapt to changes in services, processes, and schema and are seamlessly enforced without the time and cost of being re-coded or re-applied.

SOA Security and Compliance Features: At a Glance

Actional for Active Policy Enforcement is designed to handle the variety of SOA security and compliance requirements present in the extended enterprise. It provides flexible, standards-based support for authentication and authorization and integrates with a broad range of identity management and single sign-on (SSO) technologies. For compliance, it records audit data to a relational database, where it is available to any audit tools.

Actional also applies policy to abstract information types, such as "personal identity" or "credit card details," providing consistent control over sensitive information, wherever it appears in messages. And with Actional, organizations can enforce last-mile security by creating "trust zones" that prevent message traffic from reaching a service endpoint if it hasn't passed through a designated security enforcement point.

SOA Security: Alignment with PCI Compliance Requirements

Actional can help merchants and other companies that deal with credit card information comply with the Payment Card Industry Data Security Standard (PCI DSS) for providing a secure, traceable, and audit-ready environment. Specifically:

  • To protect stored cardholder data, Actional can selectively audit only specific message fields, so that the entire credit card number isn't stored. This provides control over the persistence of sensitive data, mitigating risk, while keeping required, comprehensive audit trails.
  • To restrict access to cardholder data by business need-to-know, Actional enables control of who has access (via the user interface or programmatic APIs) to what data. This capability can be tied to existing user roles in the organization, allowing administrators to restrict access to audit logs, message fields, and other critical information.
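The following Python sketch is an added illustration of the two PCI-related capabilities listed above (auditing only selected message fields so the full card number is never persisted, and restricting who can see which audit fields). It is not Actional's code and does not reflect its policy format; the policy table, role map, field names, HMAC key and sample message are all constructed for the example. The one detail it adds beyond the text is a keyed, non-reversible card token so that audit entries for the same card can still be correlated without storing the number.

```python
import hashlib
import hmac
import re

# Constructed policy (not Actional's schema): how each sensitive field may be audited.
#   "pan"  -> store a masked form plus a keyed token, never the full number
#   "drop" -> never write this field to the audit store, even if requested
SENSITIVE_FIELDS = {
    "payment.card_number": "pan",
    "payment.cvv": "drop",
    "customer.ssn": "drop",
}

# Constructed list of fields an operator asked to audit; the policy above overrides it.
AUDIT_FIELDS = ["order_id", "amount", "payment.card_number", "payment.cvv", "customer.name"]

# Constructed key for the correlation token; a real deployment would keep this in a
# secret store and rotate it.
TOKEN_KEY = b"constructed-demo-key-not-for-production"

# Constructed role map: which audit fields each role may view.
ROLES = {
    "auditor": {"order_id", "amount", "payment.card_number"},
    "support": {"order_id", "customer.name"},
}


def _get(msg, dotted_path):
    """Fetch a nested value from a dict-shaped message using a dotted path."""
    cur = msg
    for part in dotted_path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def redact_pan(pan):
    """Keep only the last four digits plus a keyed HMAC token; the PAN itself is not stored."""
    digits = re.sub(r"\D", "", str(pan))
    if len(digits) < 13:
        return {"masked": "INVALID", "token": None}
    masked = "*" * (len(digits) - 4) + digits[-4:]
    token = hmac.new(TOKEN_KEY, digits.encode(), hashlib.sha256).hexdigest()[:16]
    return {"masked": masked, "token": token}


def build_audit_record(msg, policy=SENSITIVE_FIELDS, fields=AUDIT_FIELDS):
    """Build the record that would be written to the audit database.

    Only requested fields are copied, and the policy decides whether a sensitive
    field is dropped or reduced to a masked form before it is persisted.
    """
    record = {}
    for path in fields:
        value = _get(msg, path)
        if value is None:
            continue
        action = policy.get(path)
        if action == "drop":
            continue
        if action == "pan":
            record[path] = redact_pan(value)
        else:
            record[path] = value
    return record


def view_audit_record(record, role):
    """Return only the audit fields the given role is permitted to see."""
    allowed = ROLES.get(role, set())
    return {k: v for k, v in record.items() if k in allowed}


if __name__ == "__main__":
    # Constructed sample message; the card number is a well-known test value.
    sample = {
        "order_id": "A-1001",
        "amount": 42.5,
        "payment": {"card_number": "4111 1111 1111 1111", "cvv": "123"},
        "customer": {"name": "Constructed Name", "ssn": "000-00-0000"},
    }
    rec = build_audit_record(sample)
    print("stored audit record:", rec)
    print("auditor view:", view_audit_record(rec, "auditor"))
    print("support view:", view_audit_record(rec, "support"))
```

The policy check happens when the record is built, not when it is viewed, so a misconfigured audit request cannot cause the full number or CVV to reach the database; the role filter is a second, independent control applied on read.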

For additional questions on Actional solutions for SOA security, please contact us.
