Today’s guest blog post by Francois Lascelles tackles why RESTful web services matter in the enterprise, and why they’re going to matter even more in the near future. Francois is the technical director of Europe for Layer 7 Technologies, and he also blogs at SYS-CON. -Michael
As the ‘old SOA’ post-mortem reality settles, many enterprise architects are turning their attention to WOA (Web Oriented Architecture) and more lightweight REST-style Web services. REST lowers the bar of complexity for exposing Web service-type APIs. What started off as a grassroots movement is now maturing fast: RESTful Web services support is growing, standards are emerging, and the debates on the comparative merits of REST vs. WS-* have given way to inclusion and rapprochement.
Cloud-based deployments are especially well-suited for RESTful Web services. Enterprises already use SaaS (Software as a Service) applications, which expose their own REST-style APIs. PaaS (Platform as a Service) offerings enable enterprises to expose their own cloud-side services. These, along with on-premise deployed services, partner services and others, constitute the new distributed SOA upon which enterprises are increasingly relying.
What can the enterprise do to leverage such deployment patterns and address security concerns? The security considerations about enterprise services being exposed, whether on or off premise, are equally important for RESTful Web services as for their WS-* counterparts.
A crucial factor in enabling the management of security is standards. This is especially true in the context of a distributed SOA, where an ecosystem of service zones interacts under varying authority. A case in point: two dominant cloud-based application platforms today—AWS and Azure. Both platforms define an HMAC-based authentication scheme, but both versions are home-baked and incompatible with each other. Emerging standards will be essential to ensure consistency and richer security management. The so-called Enterprise vs. Open Source identity ‘camps’ are not mutually exclusive. Standards like OAuth and OpenID should be considered by the enterprise; their application is broader than just social media. Along the same lines, it would be useful to define a new SAML binding specification tailored to RESTful Web services.
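To make the incompatibility concrete, here is an added example (not code from the post, and not the actual AWS or Azure signing rules) of two hypothetical HMAC request-signing schemes that share a secret and an algorithm but canonicalize the request differently. Scheme A covers the verb, path, Date header and a hash of the body; Scheme B covers the verb, path and the sorted `x-api-*` headers but not the body. A signature produced under one scheme is rejected by a verifier built for the other, and, just as importantly for the defender, what the scheme leaves out of the canonical string is simply not protected. The `Request` type, both canonicalization functions and the shared secret are all constructed for the illustration.

```python
"""HMAC request signing under two hypothetical, mutually incompatible canonicalization rules."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Dict


@dataclass(frozen=True)
class Request:
    method: str
    path: str
    headers: Dict[str, str]  # header names are stored lower-cased
    body: bytes = b""


def canonical_a(req: Request) -> bytes:
    """Scheme A (hypothetical): upper-cased verb, path, Date header and SHA-256 of the body."""
    body_hash = hashlib.sha256(req.body).hexdigest()
    parts = [req.method.upper(), req.path, req.headers.get("date", ""), body_hash]
    return "\n".join(parts).encode()


def canonical_b(req: Request) -> bytes:
    """Scheme B (hypothetical): lower-cased verb, path, then every x-api-* header sorted by name.

    Note that the body is NOT part of this string, so it is not integrity-protected."""
    api_headers = sorted((k, v) for k, v in req.headers.items() if k.startswith("x-api-"))
    lines = [req.method.lower(), req.path] + [f"{k}:{v}" for k, v in api_headers]
    return "\n".join(lines).encode()


def sign(secret: bytes, canonical: bytes) -> str:
    """HMAC-SHA256 over the canonical string, hex-encoded."""
    return hmac.new(secret, canonical, hashlib.sha256).hexdigest()


def verify(secret: bytes, req: Request, presented: str,
           canonicalize: Callable[[Request], bytes]) -> bool:
    """Recompute the signature server-side and compare in constant time."""
    expected = sign(secret, canonicalize(req))
    return hmac.compare_digest(expected, presented)


# Constructed shared secret for the demonstration only.
SECRET = b"constructed-shared-secret-not-a-real-key"


def demo() -> Dict[str, bool]:
    """Sign one request under both schemes and show what each verifier accepts."""
    req = Request(
        "PUT", "/orders/42",
        {"date": "Tue, 03 Mar 2009 10:00:00 GMT", "x-api-client": "acme"},
        b'{"qty": 1}',
    )
    # Same request with the body altered in transit.
    tampered = Request(req.method, req.path, req.headers, b'{"qty": 100}')

    sig_a = sign(SECRET, canonical_a(req))
    sig_b = sign(SECRET, canonical_b(req))
    return {
        # A verifier for scheme A accepts a scheme-A signature.
        "a_accepts_a": verify(SECRET, req, sig_a, canonical_a),
        # The same signature is meaningless to a scheme-B verifier: incompatible schemes.
        "b_rejects_a": not verify(SECRET, req, sig_a, canonical_b),
        # Scheme A binds the body, so the altered body fails verification.
        "a_detects_body_change": not verify(SECRET, tampered, sig_a, canonical_a),
        # Scheme B never covered the body, so the altered body still verifies.
        "b_misses_body_change": verify(SECRET, tampered, sig_b, canonical_b),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The design point for an enterprise consuming several such APIs is that an HMAC verifier is only as good as its canonical string: the verifier must reconstruct exactly what the client signed, and every element left out of that string (here, the body under Scheme B) is an element an intermediary can change without detection. A standard canonicalization would let one gateway policy cover every provider.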
Because RESTful Web services have a strong transport-level orientation, they tend to be network infrastructure-friendly. Yet, just as with WS-* services, RESTful Web services receive payloads, and with them potential message-level threats such as injections and parser attacks. Network-focused infrastructure does not provide the content-level inspection these threats require. Consider SOA-specialized perimeter gateways that detect message-level threats, validate compliance of XML structures, implement emerging standards such as JSON Schema validation, and enforce rules that take identity, URIs, HTTP verbs, etc. into account: the ability to virtualize service endpoints at the edge is an important aspect of securing and managing their use.
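The kind of content-level policy such a gateway applies, as an added example that is neither code from the post nor Layer 7's product: the `inspect` function below decides whether a request should be forwarded to the backend, checking in order the caller's identity against the HTTP verb and URI, the body size and content type, the JSON nesting depth (checked on the raw bytes before anything is parsed, which is where a parser attack would otherwise land), and finally a minimal field-level schema of the kind a JSON Schema validator would enforce. The role names, URI patterns, limits and the order schema are all constructed for the illustration.

```python
"""A minimal perimeter-gateway policy for a RESTful endpoint (illustrative, not a product)."""
import json
import re
from typing import Any, Dict, List, Optional, Tuple

MAX_BODY_BYTES = 64 * 1024   # constructed limit
MAX_JSON_DEPTH = 16          # constructed limit; deep nesting is a classic parser attack

# Constructed identity rules: (verb, URI pattern, roles allowed to call it).
RULES = [
    ("GET", re.compile(r"^/orders/\d+$"), {"customer", "clerk"}),
    ("POST", re.compile(r"^/orders$"), {"clerk"}),
    ("DELETE", re.compile(r"^/orders/\d+$"), {"admin"}),
]

# Constructed schema for POST /orders: field name -> (expected type, required?).
ORDER_SCHEMA = {"sku": (str, True), "qty": (int, True), "note": (str, False)}


def nesting_depth(raw: bytes) -> int:
    """Maximum bracket nesting depth of a JSON document, computed without parsing it.

    Brackets inside string literals are ignored so that '{"a": "[[[["}' has depth 1."""
    depth = max_depth = 0
    in_string = escaped = False
    for ch in raw.decode("utf-8", errors="replace"):
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
            continue
        if ch == '"':
            in_string = True
        elif ch in "[{":
            depth += 1
            max_depth = max(max_depth, depth)
        elif ch in "]}":
            depth -= 1
    return max_depth


def validate_schema(doc: Any, schema: Dict[str, Tuple[type, bool]]) -> List[str]:
    """Return a list of schema violations (empty list means the document conforms)."""
    if not isinstance(doc, dict):
        return ["top-level value must be an object"]
    problems = []
    for name, (typ, required) in schema.items():
        if name not in doc:
            if required:
                problems.append(f"missing field {name}")
            continue
        value = doc[name]
        # bool is a subclass of int in Python; reject it explicitly where an int is expected.
        if (typ is int and isinstance(value, bool)) or not isinstance(value, typ):
            problems.append(f"field {name} must be {typ.__name__}")
    for extra in sorted(set(doc) - set(schema)):
        problems.append(f"unexpected field {extra}")
    return problems


def inspect(method: str, path: str, role: str, content_type: str,
            body: bytes) -> Tuple[str, Optional[str]]:
    """Gateway decision: ("allow", None) or ("deny", reason)."""
    # 1. Identity + verb + URI: is this caller allowed to invoke this operation at all?
    if not any(m == method and pat.match(path) and role in roles for m, pat, roles in RULES):
        return "deny", f"role {role} may not {method} {path}"
    if method in ("GET", "DELETE"):
        return "allow", None          # no payload to inspect for these operations
    # 2. Cheap transport-level sanity checks before touching the content.
    if len(body) > MAX_BODY_BYTES:
        return "deny", "body exceeds size limit"
    if content_type.split(";")[0].strip().lower() != "application/json":
        return "deny", "unexpected content type"
    # 3. Structural check on raw bytes: protects the parser itself.
    if nesting_depth(body) > MAX_JSON_DEPTH:
        return "deny", "nesting depth exceeds limit (possible parser attack)"
    # 4. Only now parse, then validate against the schema.
    try:
        doc = json.loads(body)
    except ValueError:
        return "deny", "malformed JSON"
    problems = validate_schema(doc, ORDER_SCHEMA)
    if problems:
        return "deny", "; ".join(problems)
    return "allow", None


if __name__ == "__main__":
    print(inspect("POST", "/orders", "clerk", "application/json", b'{"sku": "A1", "qty": 2}'))
    print(inspect("POST", "/orders", "clerk", "application/json", b"[" * 40 + b"]" * 40))
```

The ordering is deliberate: identity and routing rules are evaluated first because they reject the most with the least work, the raw-byte depth scan runs before `json.loads` so that a hostile document never reaches the parser, and schema validation comes last because it is the most expensive check and only meaningful on a document that has already passed the others.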
As standards continue to mature and infrastructure increasingly focuses on addressing RESTful Web service use cases, expect REST to increase its footprint in the enterprise landscape in the near future.
Francois Lascelles works for Layer 7 Technologies, an enterprise SOA and cloud infrastructure provider. As Technical Director, Europe for Layer 7, Francois advises global corporations and governments on designing and implementing secure SOA and cloud-based solutions. Francois joined Layer 7 in its first days back in 2002 and has been contributing ever since to the evolution of the SecureSpan SOA infrastructure product line. Francois is co-author of Prentice Hall’s upcoming SOA Security book.
Interested in guest blogging for the IT Watch Blog? Contact Michael Morisy at Michael@ITKnowledgeExchange.com.