SOA Security: How Irish Luck Went a Long Way

CSO — From a security perspective, service oriented architecture (SOA) is a tricky thing. It's not hard for bad guys to compromise it with SQL injection, capture-replay and XML denial-of-service attacks, which they can ultimately use to bust through walls around a company database.

As Acumen Solutions' Igor Khurgin, SOA practice manager, and Saurabh Verma, director global services, explained in a recent CSOonline column: "Adopting services oriented architecture (SOA) in your enterprise without thinking through IT governance can cause something like the Gold Rush in the 1800s; extreme rates of growth and minimal law and order which produce unexpected outcomes." Mark O'Neill, CTO at XML network management company Vordel, also spells out the risks in SOA Security: The Basics.

The EBS Building Society, one of Ireland's largest financial services companies, wanted SOA for its ability to quickly model (and change) business processes. And it's IT Head David Yeates' responsibility to secure the resulting architecture. Below, he explains the process his company took to achieve secure SOA.

[Listen to audio of the Yeates interview: How to Secure Your SOA, which covers items not included in this story, including the affect SOA security has had on EBS compliance initiatives.]

CSO: Why did SOA make sense despite the security concerns?Yeates: SOA has the potential to be an extremely important strategic business tool. The future IT emphasis will be on process-driven development and component-based solutions like Siebel component assembly, Oracle fusion, IBM's component business models, and so on. Future complex financial IT applications, meanwhile, may span multiple organizations in real time with organizations acting as both suppliers and consumers in such an environment and exposing applications to B2B customers as Web services. This has major implications for an IT organization which must now seriously consider the following areas: governance and service management, and an integrated security infrastructure to address Web Services and XML security.

With those security issues in mind, describe the implementation process EBS followed.Yeates: In implementing an application infrastructure based on SOA principles, we had four distinct phases:

• Simple Internal Integration (tactical -- technology driven): This focused on application and platform level peer-to-peer communication; elements of coarse and fine-grained services.
• Rich Internal Integration (technology driven): Addressed the complexity and cost of distributed applications, the application spaghetti environment, rudimentary service business technologies, elements of routing and transformation and multi-channel applications.
• External Partner Integration (business driven): Extending an SOA-based application infrastructure to consume (and) or provide B2B services.
• Core Business Functionality (strategic -- business driven):Process driven development -- Web services integration and orchestration; business process modelling and monitoring.

Continue Reading