SOA in Action Blog

Joe McKendrick

Let's Have a Safe and Secure Summer for our SOAs


It seems there's a lot more attention being paid to the matter of SOA security as of late, and it's understandable to see why it's all happening at this stage of the game.

SOA methodologies have become a mainstream part of enterprises just over the past one to two years. ebizQ's latest surveys find that at least half of companies have serious SOA-based efforts underway, and at least 20 percent have a functioning SOA-based infrastructure in some part of their business.

As ebizQ colleague Peter Schooff found in a recent interview with Fred Etemadieh, Chairman of the SOA Security Working Group for the Open Group, "Good SOA" and "Good Security" do not have to be mutually exclusive terms, though it often seems as if they are. "SOA is a distributed environment, and more importantly, the information that traditionally had been part of an internal IT organization, an internal corporate framework is now being scattered all over the Internet," Etemadieh said. "Therefore, the nature of information needs to be maintained as far as the confidentiality is concerned, and indemnity is concerned, and a bunch of other features, which in the past were not necessarily at the forefront of security definition and design."

This brings the need for robust identity management into the forefront, and as Etemadieh put it, "the nature of identity can be very convoluted if we leave it the old traditional way of identifying either one as an individual, or a feature, or a process." In the new world of SOA, he said, identity "needs to be more uniformly defined across the net in that it makes it more -- simplifies the process of exchanging information, recognizing where the information is coming from, authenticating where the information is coming from." Federated identity is becoming key to effective SOA security.

I also just had the opportunity to explore these topics with Dr. Raj Nagaratnam, IBM distinguished engineer and chief architect for Identity and SOA Security. Nagaratnam talked about the importance of identity management in loosely coupled SOA environments, noting that services themselves need identities as well.

"In an SOA environment, identities are not limited to users alone but services themselves. Services start to have or need to take on identities themselves because, in a composite application environment, one service may invoke another service. A shipping service may be invoked by an order processing system. So in this context, services take on identities, so the life cycle of services as well as users needs to be taken into account when considering identity."

We also just got a reminder that SOA-based systems are not immune from many of the vulnerabilities that are seen with Web-based networks in general. Dan Kaminsky, a well-known IT security researcher, recently disclosed his findings around the Domain Name Server flaw (the DNS cache poisoning vulnerability), which could enable attackers to quickly find the transaction IDs of address queries and re-route users to other domains.

Tim Wilson of Dark Reading reported on Kaminsky's presentation at Black Hat, in which Kaminsky warned that enterprise systems are just as susceptible to DNS exploits as Web and email servers, because "internal environments also work with external DNS servers, and even if they didn't, most internal environments are also connected to DNS servers used by customers or suppliers."

Thus, as Kaminsky put it: "Back-end IT systems such as Telnet, SNMP, authentication servers (such as Radius), backup and restoral systems, and even service-oriented architecture (SOA) environments all use DNS, and could be subject to attack via the newly discovered flaw."

Over at CIO, Nicholas Petreley also warned that "there is more to SOA security than authorization and authentication." He advises an additional layer of security -- called a "port knocking-protected firewall" -- to keep hackers and crackers from scanning for open ports across servers. After an open port is discovered, "the cracker only needs to figure out how to break your authentication mechanism. Depending on the service, the SOA component could give away everything else the cracker needs to know to access sensitive data."

As Petreley so eloquently put it: "One of the greatest things about SOA services is that they are discoverable. And one of the worst things about SOA—from a security perspective—is that services are discoverable."

Joe McKendrick is an author and independent analyst who tracks the impact of information technology on management and markets. View more