Joe McKendrick, ebizQ's SOA in Action Blogger, is a nationally published author and consultant
with deep knowledge and insights regarding trends and developments in
the technology industry. He is a contributing editor to a number of
national and international publications and Websites including
Database Trends & Applications, ZDNet, and Webservices.Org. He also
serves as analyst for Evans Data Corp., and is lead analyst for Evans'
Web services and enterprise development management issues surveys.
SOA in Action Blog
February 15, 2008

Secure Oriented Architecture? We Still Have a Lot of Work to Do

How secure is SOA? Security has long been considered the Achilles' heel of both Web services and SOA, since both mission-critical applications and data are being opened up to the cloud. Surveys I have worked on for Evans Data over the past several years find that Web services and SOA developers overwhelmingly rely on Secure Sockets Layer (SSL) for their security needs. This is not enough, of course -- a holistic approach is required, one that encompasses not only service and application security but also a layered approach involving network security, OS security, and physical security of the facilities where apps are run and data is stored.

In a couple of weeks, Mike Rothman, President and Principal Analyst, Security Incite, will be joining Gunnar Peterson, Managing Principal, Arctec Group, for a discussion on the state of security in SOA. The session promises to be an eye-opener, with a frank discussion of new attack vectors introduced by SOA, the best places to implement SOA security, and identity and access management options.

In the meantime, ebizQ's Peter Schooff provides some good pointers for better securing SOA in his latest post:

- Don't assume that your vendor "is taking care of" security. It's up to you to protect your own company's assets -- your vendor is not going to care.
- Security is not one-dimensional. Just because "your firewall is up and functioning doesn't mean you're secure," Peter cautions. "With SOA, security is much more than just perimeter and means working security in during the design and implementation phase."
- Don't rely on a cursory risk assessment. Resources are limited, and a company is likely to let some things lapse while attending to more "pressing" issues. Peter gives the example of a company that rationalizes that an unpatched router is a greater threat than flaws in its SOA framework.
- Don't rely too much on security standards or security features. Standards such as SSL, S/MIME, and WS-Security are helpful, but they don't fully secure the system, Peter cautions.
Posted by joemckendrick in Management • SOA • SOA Events • SOA Research and Analyst Reports