
Twenty-Four Seven Security

Peter Schooff

Why is SOA Security So Difficult?


Haven't posted anything about SOA Security in a bit, even though SOA Security is becoming one of the determining factors when a company chooses its SOA solution. Also, next month ebizQ has a round table coming up that's going to be all about SOA security, which you can read about and sign up for right here.

I came across this fairly old blog posting from back on November 12, 2007, which, in tech time, equals about a year, but the info was all about the difficulty of SOA security, which I thought was still quite relevant, and which is below.

1. SOA is all about opening up and reusing information, which often exposes monolithic and hidden applications. But the more integration points an application has, the more attack points there are.

2. SOA often relies on unsecured technologies, and, as implied above and as Alex Maclinovsky puts it, there is no more security through obscurity.

3. By its very nature, SOA must operate between multiple applications with many different security mechanisms and vulnerabilities in real time, which is sorta like having more than one wife/husband at the same time. Need I say more?

4. SOA and ROI: the most secure way to do things would be to do the least important things first and then continually ramp up, but most companies demand some ROI for their SOA investment, which essentially means tackling the most difficult parts first.

5. SOA is all about service architecture, which means automation, which means removing human oversight and security controls.

6. A deployed SOA solution expands the number of consumers and the number of access points, adding untold complexity to an often already overwhelmed security perimeter.

7. IAM: SOA makes identity and access management truly earn its money, as SOA makes it so-a very difficult to figure out who to authenticate and who to authorize, i.e. the doctor for the medical records, the patient, the doctor's assistant, the nurse, the patient's kid, or the insurance company.
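To make point 7 concrete, here is an added example (not from the original post or the 2007 posting it quotes) of attribute-based authorization for a medical-records service. Every caller in the list above can be authenticated, yet each gets a different answer on what they may see, based on their relationship to the patient rather than their role alone. The roles, record fields and relationships are constructed sample data; a real deployment would pull them from the IAM system and the patient index.

```python
"""Attribute/relationship-based authorization for medical records.

Added example, not code from the original post.  All principals, records
and field names below are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Principal:
    id: str
    role: str          # doctor, assistant, nurse, patient, guardian, insurer
    attrs: dict = field(default_factory=dict)   # e.g. ward, delegated_by


@dataclass(frozen=True)
class Record:
    patient_id: str
    treating_doctor: str
    ward: str
    is_minor: bool
    guardians: frozenset
    insurer: str


ALL_FIELDS = frozenset({"demographics", "diagnosis", "medications", "billing_codes"})
NURSE_FIELDS = frozenset({"demographics", "medications"})
INSURER_FIELDS = frozenset({"demographics", "billing_codes"})


@dataclass(frozen=True)
class Decision:
    allowed: bool
    fields: frozenset   # subset of the record the caller may see
    reason: str


def authorize(p: Principal, rec: Record, action: str) -> Decision:
    """Default-deny policy: being authenticated never grants access by itself.

    Each branch checks a *relationship* between the principal and the record,
    not just the principal's role.  Only the treating doctor may write.
    """
    if action not in ("read", "write"):
        return Decision(False, frozenset(), "unknown action")

    if p.role == "doctor" and p.id == rec.treating_doctor:
        return Decision(True, ALL_FIELDS, "treating doctor")

    if action == "write":   # every remaining principal is read-only
        return Decision(False, frozenset(), "write restricted to treating doctor")

    if p.role == "assistant" and p.attrs.get("delegated_by") == rec.treating_doctor:
        return Decision(True, ALL_FIELDS, "delegated by treating doctor")

    if p.role == "nurse" and p.attrs.get("ward") == rec.ward:
        return Decision(True, NURSE_FIELDS, "nurse on patient's ward")

    if p.role == "patient" and p.id == rec.patient_id:
        return Decision(True, ALL_FIELDS, "own record")

    if p.role == "guardian" and rec.is_minor and p.id in rec.guardians:
        return Decision(True, ALL_FIELDS, "guardian of minor patient")

    if p.role == "insurer" and p.id == rec.insurer:
        return Decision(True, INSURER_FIELDS, "insurer: billing view only")

    return Decision(False, frozenset(), "no qualifying relationship")


# Constructed sample record used by the demonstration below.
SAMPLE = Record(patient_id="pat-42", treating_doctor="dr-lee", ward="W3",
                is_minor=True, guardians=frozenset({"parent-7"}), insurer="ins-acme")


def demo():
    """Run the policy for the callers named in point 7 and return the outcomes."""
    callers = [
        (Principal("dr-lee", "doctor"), "write"),
        (Principal("dr-other", "doctor"), "read"),            # authenticated, unrelated
        (Principal("asst-1", "assistant", {"delegated_by": "dr-lee"}), "read"),
        (Principal("nurse-9", "nurse", {"ward": "W3"}), "read"),
        (Principal("pat-42", "patient"), "read"),
        (Principal("parent-7", "guardian"), "read"),
        (Principal("ins-acme", "insurer"), "read"),
    ]
    return {p.id: authorize(p, SAMPLE, a) for p, a in callers}


if __name__ == "__main__":
    for who, d in demo().items():
        print(f"{who:10} allowed={d.allowed!s:5} fields={sorted(d.fields)} ({d.reason})")
```

The point of the example is the second caller: `dr-other` authenticates perfectly well and holds the doctor role, yet is denied because the policy is keyed on the treating relationship. That relationship data is exactly what a service exposed through SOA often does not have locally, which is why IAM in this setting is harder than a login check.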

A pretty easy analogy would be a car, where, in the old days a car was just a car, a car that drove up and down the highways and byways, but then the SOA car comes which is a car that can splash through water and soar up into the skies, which clearly changes the safety and security profile of said car, and by the way, exactly where are our flying cars?

3 Comments


That's why use of an XML gateway is very important, as you can leave the security outside of the actual service code. So depending on the client you can have different security policies.
There are some cost-effective options available for XML security. Just research it.
Don't buy an appliance. Buying software firewalls has much better ROI.
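The commenter's design, a gateway that enforces a per-client security policy before the service ever sees the request, can be shown in a few dozen lines. This is an added example, not the commenter's or any vendor's code: the client identifiers, shared secrets, the `tls_client_subject` field (standing in for the subject of a verified client certificate) and the backend function are all constructed assumptions.

```python
"""Policy-enforcing gateway in front of a security-unaware service.

Added example, not from the original page.  Client ids, secrets, the
request field names and the backend are constructed for illustration.
"""
import hashlib
import hmac
import ipaddress

# Constructed per-client policies.  Each client gets its own list of checks;
# the service below never looks at any of this.
CLIENT_POLICIES = {
    "partner-a": {
        "checks": ["mtls", "hmac"],
        "mtls_subject": "CN=partner-a",
        "secret": b"partner-a-shared-secret",       # constructed, not a real key
    },
    "internal-batch": {
        "checks": ["source_ip"],
        "allowed_nets": ["10.0.0.0/8"],
    },
}


def check_mtls(req, policy):
    # Assumes the TLS layer already verified the client certificate and
    # exposed its subject as req["tls_client_subject"].
    return req.get("tls_client_subject") == policy["mtls_subject"]


def check_hmac(req, policy):
    expected = hmac.new(policy["secret"], req["body"], hashlib.sha256).hexdigest()
    # Constant-time comparison so signature checking does not leak timing.
    return hmac.compare_digest(expected, req.get("signature", ""))


def check_source_ip(req, policy):
    addr = ipaddress.ip_address(req["source_ip"])
    return any(addr in ipaddress.ip_network(n) for n in policy["allowed_nets"])


CHECKS = {"mtls": check_mtls, "hmac": check_hmac, "source_ip": check_source_ip}


def record_service(body: bytes) -> str:
    """Constructed backend: contains no security logic at all."""
    return "stored %d bytes" % len(body)


def gateway(req: dict, service=record_service):
    """Return (status, message).  Every configured check must pass."""
    policy = CLIENT_POLICIES.get(req.get("client_id"))
    if policy is None:
        return 401, "unknown client"
    for name in policy["checks"]:
        if not CHECKS[name](req, policy):
            return 403, "policy check failed: " + name
    return 200, service(req["body"])


def sign(client_id: str, body: bytes) -> str:
    """Client-side helper producing the signature partner-a's policy expects."""
    return hmac.new(CLIENT_POLICIES[client_id]["secret"], body, hashlib.sha256).hexdigest()


if __name__ == "__main__":
    body = b"<record><patient>pat-42</patient></record>"
    print(gateway({"client_id": "partner-a", "body": body,
                   "tls_client_subject": "CN=partner-a",
                   "signature": sign("partner-a", body)}))
    print(gateway({"client_id": "internal-batch", "body": body, "source_ip": "10.1.2.3"}))
```

Changing what a client must present (adding a check, rotating a secret, tightening the allowed network) is an edit to `CLIENT_POLICIES`, not to `record_service`, which is the separation the comment argues for.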


Peter,

An interesting post.

On a related topic, would you mind sharing with your readers some specific details of technology / vendor products that have allowed you to successfully implement SOA Governance - and what level of automation was provided by the selected tools? Or what you were left to implement via manual procedures?

Thanks,

Kelvin Meeks

Excellent idea, Kelvin...stay tuned and I'll try to get to it next week.


Peter Schooff's blog is a daily look at what's going on in the world of computer security with an emphasis on how it affects businesses.

Peter Schooff

Peter Schooff is Contributing Editor at ebizQ, and manager of the ebizQ Forum. Contact him at pschooff@techtarget.com
