
Why Security Professionals Hate SOA

        posted February 16, 2011

At first sight there is nothing special about SOA security. After all, it involves the same basic themes of authentication, authorization, identity, trust, confidentiality, integrity and policy management.

However, SOA architecture is more difficult to secure — keeping security analysts as busy as bees.

1. Security Can't Violate SOA Design Principles

SOA services are reusable, loosely coupled, discoverable and interoperable — security can't screw this up. In other words, the security solution must also be loosely coupled, discoverable and interoperable.

There are 9 SOA design principles that security cannot impede.


2. Legacy Security Models

SOA is often used to wrap legacy applications. SOA is a great way to open up data and processes locked in legacy applications. The problem is — legacy applications were never designed to be open and flexible.

This leads to plenty of SOA security headaches. Legacy applications often have proprietary, hard-coded security models — not exactly compatible with the SOA approach. Wrapping legacy applications in a new security model is dangerous and costly.

3. Open Services

Traditional applications relied heavily on firewalls for security. SOA does not have this luxury.

SOA services are often available across organizational and network boundaries. In many cases, SOA may be exposed to partners and customers.

4. High Value Target

Attackers can get a lot more accomplished by attacking a SOA than a typical old-school application.

SOA services have the power to implement high level functionality — interfacing with multiple data sources and triggering events, tasks and processes.

5. Easy to Find

SOA's standardized and discoverable services are a dream come true for hackers. SOA services are designed to be easy to locate and invoke.

6. Open to Consumers

Legacy applications often had hard-coded point-to-point interfaces with predetermined connection points.

SOA services are decoupled from service consumers. Security tasks such as authentication must be dynamic and flexible.
