Why Security Professionals Hate SOA
posted by Anna Mar, February 16, 2011

At first sight there is nothing special about SOA security. After all, it involves the same basic themes of authentication, authorization, identity, trust, confidentiality, integrity and policy management.
However, a service-oriented architecture is harder to secure, and it keeps security analysts as busy as bees.
1. Security Can't Violate SOA Design Principles
SOA services are reusable, loosely coupled, discoverable and interoperable, and security can't break any of that. In other words, the security solution must itself be loosely coupled, discoverable and interoperable: a service that can only be called by consumers hard-wired into its authentication code is no longer reusable or discoverable. There are 9 SOA design principles that security must not impede.
2. Legacy Security Models
SOA is often used to wrap legacy applications. SOA is a great way to open up data and processes locked in legacy applications. The problem is that legacy applications were never designed to be open and flexible.
This leads to plenty of SOA security headaches. Legacy applications often have proprietary, hard-coded security models, not exactly compatible with the SOA approach. Wrapping legacy applications in a new security model is dangerous and costly: the wrapper has to translate between two identity models, and a mapping mistake (the usual shortcut being one privileged service account for every caller) silently hands the legacy application's full privileges to any consumer that can reach the service.
3. Open Services
Traditional applications relied heavily on perimeter firewalls for security. SOA does not have this luxury.
SOA services are often available across organizational and network boundaries. In many cases, SOA may be exposed to partners and customers, so the service endpoint itself, not the network around it, has to enforce authentication and authorization.
4. High Value Target
Attackers can get a lot more accomplished by attacking a SOA than a typical old-school application.
SOA services have the power to implement high level functionality, interfacing with multiple data sources and triggering events, tasks and processes. A single compromised service can therefore reach data and actions that previously required breaking into several separate applications.
5. Easy to Find
SOA's standardized and discoverable services are a dream come true for hackers. SOA services are designed to be easy to locate and invoke: service registries and published interface descriptions tell an attacker exactly which operations exist and what messages they accept, so there is no need to guess at hidden entry points.
6. Open to Consumers
Legacy applications often had hard-coded point to point interfaces with predetermined connection points.
SOA services are decoupled from service consumers. A service cannot know in advance who will call it, so security tasks such as authentication must be dynamic and flexible: the caller's identity has to be established from what it presents with each request rather than from where the connection comes from.
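To make the contrast concrete, here is an added example (not code from the original article) that puts the two authentication styles side by side. The first function is the point-to-point model: identity is a fixed property of the connection, so admitting a new consumer means a code change. The second is the decoupled model: the service trusts a token issuer and accepts any consumer that presents a valid, unexpired, correctly scoped token. The shared HMAC key, the peer table, the consumer names and the scope names are all constructed for the example; a real deployment would use a signed token standard such as SAML or a WS-Security token, not this home-grown format.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key shared between the token issuer and the service.
# Stands in for the issuer's signing key in a real identity infrastructure.
ISSUER_KEY = b"constructed-demo-key-do-not-reuse"

# Legacy, point-to-point model: a hard-coded table of known peers (constructed).
LEGACY_PEERS = {"10.0.0.5": "billing-app"}


def legacy_authenticate(peer_ip):
    """Point-to-point style: identity is derived from the connection itself.

    Returns the caller name for a known peer, otherwise None. Onboarding a
    new consumer means editing LEGACY_PEERS and redeploying the service.
    """
    return LEGACY_PEERS.get(peer_ip)


def _sign(body):
    """HMAC-SHA256 over the encoded claims, hex encoded."""
    return hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).hexdigest()


def issue_token(subject, scopes, ttl=300, now=None):
    """Issuer side: bind a subject, its scopes and an expiry into a signed token.

    The service never sees this function; it only needs the issuer's key.
    """
    now = int(time.time()) if now is None else now
    claims = {"sub": subject, "scp": list(scopes), "exp": now + ttl}
    body = base64.urlsafe_b64encode(
        json.dumps(claims, sort_keys=True).encode()
    ).decode()
    return body + "." + _sign(body)


def service_authenticate(token, required_scope, now=None):
    """Decoupled SOA style: accept any caller with a valid issuer token.

    Returns the authenticated subject, or None if the token is malformed,
    tampered with, expired, or lacks the scope this operation requires.
    The service does not need to know the consumer ahead of time.
    """
    try:
        body, mac = token.split(".", 1)
    except ValueError:
        return None
    # Constant-time comparison so a tampered MAC cannot be guessed byte by byte.
    if not hmac.compare_digest(mac, _sign(body)):
        return None
    try:
        claims = json.loads(base64.urlsafe_b64decode(body))
    except (ValueError, TypeError):
        return None
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:
        return None
    if required_scope not in claims.get("scp", []):
        return None
    return claims.get("sub")


if __name__ == "__main__":
    # A partner that was never in LEGACY_PEERS is still accepted once it holds a token.
    token = issue_token("partner-portal", ["orders:read"])
    print("legacy:", legacy_authenticate("192.0.2.10"))            # None
    print("soa:   ", service_authenticate(token, "orders:read"))  # partner-portal
```

The point of the second path is that the service's trust decision moves from "which machine is this" to "does this caller hold a verifiable assertion from an issuer I trust, and does it cover this operation". That is what lets new consumers be added without touching the service, while still rejecting tampered, expired and under-scoped requests.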