SOA in Action Blog

Joe McKendrick

SOA Insecurity -- Easy to Fix, Tough to Govern

In his latest post, ebizQ analyst Peter Schooff spoke with Anne Thomas Manes about the insecurity that continues to nag at SOA. (Transcript and podcast link here.)

This is an issue that's not getting near enough attention, Anne points out. Ironically, securing SOA is not a big deal, as it employs the same mechanisms used to secure Web services and Websites. Actually, Anne pointed out, "at this point, I think it's really easy to secure your environment. You just have to use different practices than what you would probably do just for your Websites... Any platform that supports Web services has the ability to support WS-Security."

And, as with Web services and Websites, applications or systems may be vulnerable to outside intrusions. "With services, you're exposing business processes within your organization," Anne says. "If you don't properly secure those interfaces to those business processes, you're now letting anybody in the world come in and access them." Too many companies think that having those services contained within a well-protected firewall will do the trick. But, as she points out, firewalls are intended to protect only point-to-point connections.

"If there is a URL that provides access to a service, chances are somebody's going to be able to connect into it," Anne cautioned. "And the idea that your perimeter is actually going to protect your internal systems is pretty dangerous at this point."

What to do? The best practice for SOA security is to enable security to be applied uniformly and automatically across all services deployed or run within the SOA, rather than trying to build security into each separate service.

Anne said that a layered defense will better protect SOA-based transactions and underlying data. "Use a combination of security protections when you're dealing with a service-oriented system," she said. "You use the traditional periphery type of security measures, you also use identity-based security measures at the endpoints, and then potentially you use additional intermediaries to perform additional security capabilities like auditing, or cross domain, credential mapping and things like that."

Plus, she said, look into technologies from XML gateway vendors or from Web services management vendors "which will automatically protect your services for you, and automatically configure the kind of management and security protections that you want, such that you don't have to do a whole bunch of effort every single time you deploy a service."

Emerging approaches also include new OASIS specifications such as WS-Federation, and WS-SecureConversation, which "gives you an additional layer of security by enabling two communicating service endpoints to establish a secure connection... a more efficient way of establishing a secure conversation so that you don't have to authenticate on each interaction."
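As an added illustration (not from the post, and not the specification's own code), here is a toy Python model of the WS-SecureConversation idea Anne describes: the client authenticates once to establish a security context, and every later message carries a MAC under a key derived from that context, so credentials are not re-sent on each interaction and a stale or replayed message is refused. The class and function names, the 300-second TTL, the HMAC-SHA256 derivation and the sample user store are my constructions; the real specification uses an XML wire format and its own derived-key algorithm.

```python
import hashlib
import hmac
import secrets
import time

CONTEXT_TTL = 300  # seconds a security context stays valid (constructed value)


def derive_key(secret: bytes, seq: int) -> bytes:
    """Per-message key derived from the context secret (HMAC-based here;
    WS-SecureConversation defines its own DerivedKeyToken algorithm)."""
    return hmac.new(secret, f"derived-key:{seq}".encode(), hashlib.sha256).digest()


def message_tag(secret: bytes, seq: int, body: bytes) -> str:
    """MAC a client attaches to message number `seq` instead of credentials."""
    return hmac.new(derive_key(secret, seq), body, hashlib.sha256).hexdigest()


class SecureConversationServer:
    """Toy service endpoint: full authentication happens once in establish();
    verify() then checks only context id, freshness, replay and the MAC."""

    def __init__(self, users: dict, clock=time.time):
        self.users = users        # username -> password (constructed sample store)
        self.contexts = {}        # context id -> [secret, expiry, seen sequence numbers]
        self.clock = clock        # injectable clock so expiry can be exercised

    def establish(self, user: str, password: str):
        # The only step that touches credentials (the token-request exchange in WS-SC).
        if not hmac.compare_digest(self.users.get(user, ""), password):
            raise PermissionError("authentication failed")
        ctx_id, secret = secrets.token_hex(8), secrets.token_bytes(32)
        self.contexts[ctx_id] = [secret, self.clock() + CONTEXT_TTL, set()]
        return ctx_id, secret

    def verify(self, ctx_id: str, seq: int, body: bytes, tag: str) -> bool:
        entry = self.contexts.get(ctx_id)
        if entry is None:
            return False                    # unknown context
        secret, expiry, seen = entry
        if self.clock() > expiry:
            del self.contexts[ctx_id]       # stale context: client must re-establish
            return False
        if seq in seen:
            return False                    # replayed message number
        if not hmac.compare_digest(message_tag(secret, seq, body), tag):
            return False                    # tampered body or wrong key
        seen.add(seq)
        return True
```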

In a Webinar I moderated last fall, Anne also raised another important point that enterprises need to address better: all too often, the burden of security is left on the shoulders of IT or integration teams, which therefore do not get the holistic view required to be effective. SOA brings this issue even more to the fore, since the goal is to provide service-enablement across the enterprise, well beyond the walls of IT.

You can get answers to your specific SOA security questions from four of the top experts in distributed-computing security at this Webinar. Join Fred Etemadieh, co-chair of The Open Group's SOA and Security Project, Gunnar Peterson of Arctec, Andrew Brown of AmberPoint and moderator Mike Rothman of Security Incite on Wednesday, February 27, 12:00 p.m. ET for a special Roundtable that will discuss the most effective initial precautions (including the use of existing identity and access management systems) and long-term strategies to keep your SOAs safe.

Find out more, submit a question or register here.

Check out submitted questions that will be covered here.

Joe McKendrick is an author and independent analyst who tracks the impact of information technology on management and markets.
