Enterprise Initiatives

This blog focuses on Enterprise IT topics such as Enterprise Architecture, Portfolio Management, Change Management, Business Process Management, and recaps various technology events and news.


My last day at my job for the past 13 years is coming up this Thursday (7/3). I have spent the last couple of weeks writing a document describing everything I have learned about SOA over the past two years so that I can leave some knowledge behind. When I got to the chapter on security, I was surprised to find how little information there was on the web as compared to most SOA topics. As I dug deeper I realized that what was missing was blog posts from practitioners. Nearly the entire Google result set for SOA security was links to vendor information, industry analysts, or authors. Where are all of the bloggers on this topic?

This concerns me. I wonder if IT in general is underestimating the need for more security when it comes to SOA. Security in SOA is much more complex than what we were used to in the world of client server. An improperly secured SOA is a hacker's dream!

Check out this quick whiteboard video on ZDNet.




SOA Security risks
  • SOA exposes your legacy applications to the outside world
  • SOA uses WSDL, XML, and SOAP to allow services to be discoverable and self-describing. These are human readable in ASCII and can give away the keys to the kingdom if the proper security is not in place.
  • Integration presents numerous challenges including single sign-on, privacy, encryption, etc. at the message level.
This last point is important. In the traditional client server world we are concerned with network security (point to point communications) and application security, which deals with user roles. But services exposed to customers, partners, and suppliers require another level of security that I will call message level security: the message itself carries its own authentication, integrity, and confidentiality, so it stays protected across intermediaries rather than only on one network hop. This requires us to embrace a whole new level of standards in the WS-* family (WS-Security, WS-Trust, etc.). Read blogger Eric Roch's post from last year called SOA Security Architecture.
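To make "message level security" concrete, here is an added example (not code from the original post or from any product it mentions) that builds and verifies a WS-Security UsernameToken with the PasswordDigest form defined in the OASIS UsernameToken Profile 1.0: the digest is Base64(SHA-1(nonce + created + password)), so the password never travels in the clear and the nonce plus Created timestamp give the service a way to reject replays and stale messages. The user name, password, account identifier and body element are constructed sample values; the service-side credential store and the in-memory nonce cache are assumptions made for the demo, and a real deployment would keep the nonce cache bounded by the same freshness window.

```python
import base64
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Set, Tuple

# Namespace URIs from the OASIS WS-Security 1.0 core spec and the UsernameToken profile.
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
DIGEST_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
               "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """PasswordDigest = Base64(SHA-1(nonce + created + password)) per the profile."""
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def build_envelope(username: str, password: str, body_xml: str,
                   created: Optional[datetime] = None,
                   nonce: Optional[bytes] = None) -> str:
    """Client side: wrap a SOAP body in an envelope carrying a UsernameToken header."""
    created = created or datetime.now(timezone.utc)
    nonce = nonce or secrets.token_bytes(16)          # fresh random nonce per message
    created_str = created.strftime(TIME_FMT)
    return (
        f'<soap:Envelope xmlns:soap="{SOAP}">'
        f'<soap:Header><wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">'
        f"<wsse:UsernameToken>"
        f"<wsse:Username>{username}</wsse:Username>"
        f'<wsse:Password Type="{DIGEST_TYPE}">'
        f"{password_digest(nonce, created_str, password)}</wsse:Password>"
        f'<wsse:Nonce>{base64.b64encode(nonce).decode("ascii")}</wsse:Nonce>'
        f"<wsu:Created>{created_str}</wsu:Created>"
        f"</wsse:UsernameToken></wsse:Security></soap:Header>"
        f"<soap:Body>{body_xml}</soap:Body></soap:Envelope>"
    )


def verify_envelope(xml_text: str, password_for: Dict[str, str], seen_nonces: Set[bytes],
                    now: Optional[datetime] = None, max_age_s: int = 300) -> Tuple[bool, str]:
    """Service side: authenticate the message itself, independent of the transport hop."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    token = root.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security/{{{WSSE}}}UsernameToken")
    if token is None:
        return False, "no UsernameToken"
    username = token.findtext(f"{{{WSSE}}}Username")
    pw_el = token.find(f"{{{WSSE}}}Password")
    nonce_b64 = token.findtext(f"{{{WSSE}}}Nonce")
    created = token.findtext(f"{{{WSU}}}Created")
    if None in (username, pw_el, nonce_b64, created):
        return False, "incomplete token"
    if pw_el.get("Type") != DIGEST_TYPE:             # refuse the cleartext PasswordText form
        return False, "cleartext password not accepted"
    try:
        created_dt = datetime.strptime(created, TIME_FMT).replace(tzinfo=timezone.utc)
    except ValueError:
        return False, "malformed Created"
    if abs((now - created_dt).total_seconds()) > max_age_s:   # freshness window
        return False, "stale timestamp"
    nonce = base64.b64decode(nonce_b64)
    if nonce in seen_nonces:                         # same token presented twice
        return False, "replayed nonce"
    expected_pw = password_for.get(username)
    if expected_pw is None:
        return False, "unknown user"
    expected = password_digest(nonce, created, expected_pw)
    if not hmac.compare_digest(pw_el.text or "", expected):   # constant-time compare
        return False, "bad digest"
    seen_nonces.add(nonce)                           # remember only accepted nonces
    return True, "ok"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Run the four cases a service must handle: valid, replayed, forged, and stale."""
    users = {"alice": "correct horse battery staple"}   # constructed credential store
    seen: Set[bytes] = set()
    body = '<GetBalance xmlns="urn:example:bank">acct-1</GetBalance>'   # constructed body
    msg = build_envelope("alice", users["alice"], body)
    results = {"first": verify_envelope(msg, users, seen),
               "replay": verify_envelope(msg, users, seen)}
    forged = build_envelope("alice", "wrong-guess", body)
    results["forged"] = verify_envelope(forged, users, seen)
    old = build_envelope("alice", users["alice"], body,
                         created=datetime.now(timezone.utc) - timedelta(hours=1))
    results["stale"] = verify_envelope(old, users, seen)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:7s} -> {outcome}")
```

The point the example makes is that every check happens on the SOAP message itself: the same envelope could arrive over HTTP, a queue, or through an intermediary, and the service still has enough in the header to authenticate it, detect a second presentation of the same nonce, and discard anything outside its freshness window. That is what transport security (a TLS tunnel between two endpoints) cannot give you once a message is forwarded.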

Of all the research that I have done recently, I recommend two sources. First is the book SOA Security by Ramarao Kanneganti and Prasad A. Chodavarapu. This is an outstanding book that uses simple examples to get key points across. You don't have to be a security guru to read this book. Second, spend some time at the OWASP website and make sure you design for the Top Ten threats.

To all you EA and SOA bloggers out there, let's start a conversation about SOA security. There seemed to be discussions in the previous years, but for whatever reason it has become very quiet in 2008. Security should be built in up front and not an afterthought that you take care of later.
