What follows is a transcript of my podcast with Adam Vincent, the Federal Technical Director of Layer 7 Technologies. Adam has extensive experience building secure service oriented architecture as well as sharing information across security boundaries, and in this podcast we discuss the challenges of SOA security, the similarity between SOA and Web 2.0, Layer 7's solution, SOA governance, and finally, the SOA security challenges of the upcoming U.S. Presidential election.
Could you give me a quick overview of SOA security?
Sure. So SOA security is very similar to what we've seen in typical application security. The big difference in SOA vs. 'what we're used to' is that SOA is somewhat of a concept vs. a technology, so the concept itself allows for more interoperable information sharing and it's often seen as being an enabler of more business-to-business communications, and so with that comes the complexity of crossing organizational, departmental and community boundaries. So not only do you have to deal with integrity, confidentiality, and non-repudiation like you do with any other application, but now you have the challenge of trying to federate and govern those security policies between different organizational partners.
That pretty much leads to my next question. Why is SOA security considered such a challenge?
I would say, based on my experience, especially around working within the government, that any time you want to try to define security policy that crosses multiple organizations, there's a challenge just politically in making sure that the policy defined actually allows all of the participants of the information sharing system to actually possess the capabilities that they desire. So an example would be that if you're sharing information that might be Privacy Act and FISMA control oriented, there might be policies that govern how you do that from an enterprise perspective, so, you know, from organization to organization, but there may be different policies that each of those organizations also adds to that, and specifically you end up with a hierarchy of policy as related to a particular information sharing opportunity.
Interesting. Now are there a lot of similarities between securing SOA and Web 2.0?
I see Web 2.0 as being an extension of SOA. It's basically taking what SOA has created as an opportunity for more advanced information sharing, quicker time to market, you know, all of the overloaded terms that are used to say that the SOA is great. I see Web 2.0 as being an extension of that and allowing those same kinds of premises to now be pushed out to the user. So SOA on its own is generally seen as an application to application distributed model that allows those applications to be more interoperable and more reusable across a single enterprise but also multiple enterprises, where Web 2.0 has been seen as a very quick to market technology or set of technologies and concepts that allows now that SOA paradigm to be fully realized in a user-oriented capacity.
Tell me about Layer 7's solution for SOA security.
So, Layer 7 is basically founded on the concept of SOA security, so we specialize in web services, AJAX and REST based applications security. We have come to be focused on the policy that I mentioned earlier, so, you know, I don't want to go too far down in the weeds here, but the hierarchical policy and governance relating to those policies is, in my opinion, the challenge in information sharing, and it is the challenge that SOA has in front of it. And so Layer 7 is based on a technical approach of using something called web services policy as an underlying policy configuration that allows, in a technology form, us to collapse all of those organizational and departmental and enterprise policies into a single policy engine that then can enforce and rapidly adjust based on those policies.
One of my readers wanted me to ask about SOA governance and also the level of automation provided by your solution.
That's, again, a very complicated topic. What I can say, you know, quickly about SOA governance is that there's two different forms of SOA governance that are required to fully realize what we see as being the vision of SOA enablement, and I typically refer to them as "design time" and "run time" governance. A lot of people have differing definitions but that's mine. Design time governance is the process that you would go through to collaborate within the human sense with all of the participants of an information sharing approach, and design time is what we're used to today and generally takes quite a bit of time. Now run time is the expectation of making sure that all of the requirements that we came to when we discussed what we were going to use our SOA for, run time would be where the actual processing logic would exist to make sure that those things are actually happening. So, security is by far, in my opinion, the biggest run time governance challenge that's faced by the enterprise that's adopting SOA.
Interesting. Now with the upcoming US election, presidential candidates are using their websites for donations and to increase voter participation. Last year, there was a breach in security of several campaign websites. What advice do you have for people who are looking to make donations or to submit their information online?
There's basically a list, and the list is growing, unfortunately, of issues that relate to consumer security, and with the political election approaching, the biggest thing that we need to look at is the sheer number of users that will be using these websites. So most of these websites will leverage some kind of registration so that they can track user information, so all of that user information is going to be captured somewhere. Generally this is one level removed from what the user interacts with, so an example would be a user interacts with their browser, which is, in fact, interacting with the web application, but that web application is actually communicating with a database, and that database has all of the information about all of the users that have gone to that website. It may include credit card information, it may include, in some very limited cases (this is not seen much anymore), it may even include their social security number. This information is paramount for that website owner for doing their business process and doing the things they need to do. What is not paramount for is a single place of attack and so hackers will look to high interest and high use websites, especially as we get closer to the presidential election and the number of users of those websites grows.
Now what do you see as the other challenges for security, especially in the area of SOA?
So, in regard to the presidential election, I think that there are multiple challenges that exist for the service provider. So, a second ago I talked a little bit about the consumer of a website, and there are certain things that they care about, and so they, basically, you can put it in the form of different buckets. They care about the information they're looking at, is it correct, that they're looking at the right website, and that their information is kept private and that there's no risk of identity theft in their information being, you know, let out into any public forums. But there's another risk that we haven't talked about and there's a lot of threat, and that's with the provider of that website, and so, you know, as the provider threat is realized, that's also going to impact the customer, the user of that website. So, in that, I would say that, you know, the provider has to worry about things like the ability for their information to be correct on that website, so more and more people are hacking websites, logging in as, you know, administrative users and then actually changing content on a page to actually harm the reputation of the website owner, in this case it would be a presidential campaign member, or in some cases, it's basically to get their name out. In either case, that's detrimental to the political party. Another risk would be denial of service. Denial of service is probably the easiest exploit for an attacker to use and specifically allows the attacker to bring down a website through some kind of overflow of traffic or, you know, some kind of crafty message that they send to the web application. That harms the political party again, because now the website is unavailable for anyone to use.
Another one that's probably not as prevalent but is still a threat is that these websites are used, there's hundreds of thousands of hits per day, and one form of attack that we need to be aware of is the ability to upload malicious code to that website and then use that as a distribution point, so, you know, that would be something that impacts the service provider, in this case the political party, because they would then be used as an attack vector on all of the browsers that are interacting with that website.