SOA Security: How Irish Luck Went a Long Way
From a security perspective, service oriented architecture (SOA) is a tricky thing. It's not hard for bad guys to compromise it with SQL injection, capture-replay and XML denial-of-service attacks, which they can ultimately use to bust through walls around a company database.
As Acumen Solutions' Igor Khurgin, SOA practice manager, and Saurabh Verma, director global services, explained in a recent CSOonline column: "Adopting services oriented architecture (SOA) in your enterprise without thinking through IT governance can cause something like the Gold Rush in the 1800s; extreme rates of growth and minimal law and order which produce unexpected outcomes." Mark O'Neill, CTO at XML network management company Vordel, also spells out the risks in SOA Security: The Basics.
The EBS Building Society, one of Ireland's largest financial services companies, wanted SOA for its ability to quickly model (and change) business processes. And it's IT Head David Yeates' responsibility to secure the resulting architecture. Below, he explains the process his company took to achieve secure SOA.
[Listen to audio of the Yeates interview: How to Secure Your SOA, which covers items not included in this story, including the affect SOA security has had on EBS compliance initiatives.]
CSO: Why did SOA make sense despite the security concerns?
Yeates: SOA has the potential to be an extremely important strategic business tool. The future IT emphasis will be on process-driven development and component-based solutions like Siebel component assembly, Oracle fusion, IBM's component business models, and so on. Future complex financial IT applications, meanwhile, may span multiple organizations in real time with organizations acting as both suppliers and consumers in such an environment and exposing applications to B2B customers as Web services. This has major implications for an IT organization which must now seriously consider the following areas: governance and service management, and an integrated security infrastructure to address Web Services and XML security.
With those security issues in mind, describe the implementation process EBS followed.
Yeates: In implementing an application infrastructure based on SOA principles, we had four distinct phases:
Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world
On Twitter now
soa
Powered by Twitter
jfruh
Apple syncing patent can't come soon enough
pasmith
New Twitter features borrow from 3rd party clients
Esther Schindler
Open Source Changes the Software Acquisition Process
mikelgan
How to set up continuous podcast play on the new iTunes
David Strom
Five important Windows 7 mobility features
sjvn
Guard your Wi-Fi for your own sake
Sandra Henry-Stocker
Grepping on Whole Words
Sidekick: The Good News & the Bad News
Either way you look at it Microsoft Data Center management did not follow standards or best practices in this failure. In which case it makes me wonder more about the outsourcing of corporate data much less personal data.
- mburton325
Join the conversation here
Quick, practical advice for IT pros. Made fresh daily.
Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.
