Why Security Professionals Hate SOA
Posted by Anna Mar, February 16, 2011
At first sight there is nothing special about SOA security. After all, it involves the same basic themes of authentication, authorization, identity, trust, confidentiality, integrity and policy management.
However, SOA architecture is more difficult to secure — keeping security analysts as busy as bees.
1. Security Can't Violate SOA Design Principles
SOA services are reusable, loosely coupled, discoverable and interoperable — security can't screw this up. In other words, the security solution must also be loosely coupled, discoverable and interoperable.
There are 9 SOA design principles that security cannot impede.
2. Legacy Security Models
SOA is often used to wrap legacy applications. SOA is a great way to open up data and processes locked in legacy applications. The problem is — legacy applications were never designed to be open and flexible.
This leads to plenty of SOA security headaches. Legacy applications often have proprietary, hard-coded security models — not exactly compatible with the SOA approach. Wrapping legacy applications in a new security model is dangerous and costly.
3. Open Services
Traditional applications relied heavily on firewalls for security. SOA does not have this luxury.
SOA services are often available across organizational and network boundaries. In many cases, SOA may be exposed to partners and customers.
4. High Value Target
Attackers can get a lot more accomplished by attacking a SOA than a typical old-school application.
SOA services have the power to implement high level functionality — interfacing with multiple data sources and triggering events, tasks and processes.
5. Easy to Find
SOA's standardized and discoverable services are a dream come true for hackers. SOA services are designed to be easy to locate and invoke.
6. Open to Consumers
Legacy applications often had hard-coded point-to-point interfaces with predetermined connection points.
SOA services are decoupled from service consumers. Security tasks such as authentication must be dynamic and flexible.