How secure is SOA? Security has long been considered the Achilles Heel of both Web services and SOA, since both mission-critical applications and data are being opened up to the cloud.
Surveys I have worked on for Evans Data over the past several years find Web services and SOA developers overwhelmingly rely on Secure Sockets Layer (SSL) for their security needs. This is not enough, of course -- a holistic approach is required, that not only encompasses service and application security, but also a layered approach involving network security, OS security, and physical security of the facilities where apps are run and data is stored.
In a couple of weeks, Mike Rothman, President and Principal Analyst, Security Incite will be joining Gunnar Peterson, Managing Principal, Arctec Group for a discussion on the state of security in SOA. The session promises to be an eye-opener, with a frank discussion on new attack vectors introduced by SOA, the best places to implement SOA security, and identity and access management options.
In the meantime, ebizQ's Peter Schooff provides some good pointers for better securing SOA in his latest post.
Don't assume that your vendor "is taking care of" security. It's up to you to protect you're own company's assets -- your vendor's not going to care.
Security is not one-dimensional. Don't assume that "because your firewall is up and functioning doesn't mean your secure," Peter cautions. "With SOA, security is much more than just perimeter and means working security in during the design and implementation phase."
Don't rely on a cursory risk assessment. Resources are limited, and a company is likely to let some things lapse while attending to more "pressing" issues. Peter gives the example of a company that rationalizes that an unpatched router is a greater threat than flaws in its SOA framework.
Don't rely too much on security standards or security features. Standards such as SSL, S/MIME, and WS-Security are helpful, but don't fully secure the system, Peter cautions.
Leave a comment