SOA-based system compels security overhaul at hotel chain
Building a central reservation system based on cutting-edge Service-Oriented
Architecture technology has meant a decisive overhaul in underlying IT security
at hotel group Starwood Hotels & Resorts International.
Patrick Foley, director of global technology compliance at Starwood, whose
hotel chains include St. Regis, Sheraton and Westin, this week described how
the move to XML-enabled SOA for a new central reservation system has impacted
the underlying corporate security in sometimes unexpected ways. SOA, in defining
systems as flexible services, has meant existing perimeter security is no longer
as effective, encryption is more difficult, and logging requirements are intensified
for audit and regulatory compliance. Foley, who spoke about Starwood's shift
to SOA at the Infosec World Conference in Orlando, provided insight on security
consequences of SOA.
"Service-oriented architecture defines systems as a series of services,"
said Foley. "It's the ability to link services together in a way that they
can be used in many different processes, including credit-card authorization.
The good thing is, you can go global, no longer limited by your data center
or network."
However, the transformation must also be on the security level, Foley emphasized,
acknowledging that Starwood's first SOA project, launched a few years back by
an enthusiastic IT department eager to use the latest software development techniques,
suffered a few setbacks that slowed it down.
The chief problem early on was failing to understand how necessary it was to
bring in a security architect to advise developers on how to build SOA according
to security standards, such as those promulgated by OASIS and the W3C.
"You will need a security architect," advised Foley, noting that
Starwood ended up turning to a data architect to be the security architect for
the SOA-based central reservation system. Some of the security impact that Starwood
has seen in the evolution of the new reservation system, now undergoing beta
testing, is that SOA engenders far more logging and auditing, which must be
done for regulatory compliance.
As a consequence, Starwood acquired a security information management system
-- this one being the RSA envision product from EMC -- to handle the logging
needed to satisfy regulatory compliance, including the Payment Card Industry
guidelines. "With Web services, your logs are everywhere the services are,"
Foley noted, adding this logging adds to corporate network traffic.
Another challenge associated with SOA's Web services is determining how to
encrypt and otherwise secure data traffic when it's not as centralized.
Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world
Esther Schindler
If the comments are ugly, the code is ugly
claird
SVG a graphics format for 21st century
pasmith
Take Chrome OS for a test spin
Sandra Henry-Stocker
Solaris Tip: Have Your Files Changed Since Installation?
jfruh
Android fragments vs. the iPhone monolith
mikelgan
What Gizmodo missed about the Pro WX Wireless USB disk drive
Sidekick: The Good News & the Bad News
Either way you look at it Microsoft Data Center management did not follow standards or best practices in this failure. In which case it makes me wonder more about the outsourcing of corporate data much less personal data.
- mburton325
Join the conversation here
Quick, practical advice for IT pros. Made fresh daily.
Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.
