SOA security more than authentication
Many years ago, I admired my sister's deadbolt. I made a silly comment as to how it looked like it would be impossible to break into the New York City apartment. My brother-in-law corrected me. "It's not impossible. It doesn't have to be," he said. "It just has to be harder to break into this apartment than into the other apartments." Think of it as a variation on the joke, "I don't have to outrun the bear. I just have to outrun you."
Now consider this facet of SOA. One of the greatest things about SOA services is that they are discoverable. And one of the worst things about SOA--from a security perspective--is that services are discoverable. In many cases, a cracker simply needs to scan for open ports on your servers to find out that you have a service on a given port. After that, the cracker only needs to figure out how to break your authentication mechanism. Depending on the service, the SOA component could give away everything else the cracker needs to know to access sensitive data.
Obviously, you can choose a superb authentication process to shore up your security. That may be enough. But why not add another layer of protection so that your services are harder to crack than the ones next door?
One especially useful technique, especially if you are responsible for building custom client software to access your SOA components, is to hide your services behind a port knocking-protected firewall.
Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world
On Twitter now
firewall
Powered by Twitter
jfruh
Apple syncing patent can't come soon enough
pasmith
New Twitter features borrow from 3rd party clients
Esther Schindler
Open Source Changes the Software Acquisition Process
mikelgan
How to set up continuous podcast play on the new iTunes
David Strom
Five important Windows 7 mobility features
sjvn
Guard your Wi-Fi for your own sake
Sandra Henry-Stocker
Grepping on Whole Words
Sidekick: The Good News & the Bad News
Either way you look at it Microsoft Data Center management did not follow standards or best practices in this failure. In which case it makes me wonder more about the outsourcing of corporate data much less personal data.
- mburton325
Join the conversation here
Quick, practical advice for IT pros. Made fresh daily.
Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.
I forget the authintication
I forget the authintication securety caode for my lap top (dell visitor 4000).PLEASE I NEED HELP.