
How SOA Increases Your Security Risk

Combating malware -- whether it is associated with SOA or someone downloading "free" music from a file-sharing site -- requires a strategy combining technology with education.

Service-oriented architecture changes the security equation by introducing a greater reliance on third parties for application development and operation. But according to Ray Wagner, managing vice president of information security and privacy at Gartner Inc., this is a matter of degree rather than an introduction of a totally new security exposure.

For instance, an SOA application may depend on a Web-based third-party service to provide vital functionality, with obvious security implications. But thousands of users already do this when they activate Microsoft's automatic updates.

"Ultimately, it's a matter of trust," he says.

"You decide whether you trust Microsoft to send you good code. Then the computer checks that it has received what Microsoft sent, using cryptographic operations like hashes and digital signatures."

SOA may increase the number of these exchanges hugely.

"Doing this hundreds of times an hour may have implications for computing loads, but it really is just a change of degree," not a qualitative change, Wagner says.
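The trust check Wagner describes, recomputing a hash of what arrived and verifying the provider's signature under a key you decided to trust in advance, is easy to show in a few dozen lines. The following Go program is an added example, not code from the article or from any vendor it mentions: `Provider`, `Delivery` and `Verify` are names chosen here, the payload is a constructed string, and Ed25519 over a SHA-256 digest stands in for whatever signing scheme a real update or SOA channel uses. The consumer pins the public key once (the trust decision) and then every delivery, however many per hour, goes through the same two mechanical checks.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Delivery is what the consumer receives from the remote service: the code or
// data itself, the SHA-256 digest the provider computed over it, and the
// provider's Ed25519 signature over that digest. (Constructed structure for the
// example; real update and SOA protocols wrap this in their own formats.)
type Delivery struct {
	Payload   []byte
	Digest    [sha256.Size]byte
	Signature []byte
}

// Provider holds the sender's signing key. In practice this key stays on the
// provider's signing infrastructure and never reaches the consumer.
type Provider struct {
	priv ed25519.PrivateKey
}

// NewProvider generates a fresh Ed25519 key pair and returns the provider plus
// the public key a consumer would pin ahead of time (the "trust decision").
func NewProvider() (*Provider, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Provider{priv: priv}, pub, nil
}

// Publish hashes the payload and signs the digest.
func (p *Provider) Publish(payload []byte) Delivery {
	digest := sha256.Sum256(payload)
	return Delivery{
		Payload:   append([]byte(nil), payload...),
		Digest:    digest,
		Signature: ed25519.Sign(p.priv, digest[:]),
	}
}

var (
	ErrDigestMismatch = errors.New("payload does not match the delivered digest")
	ErrBadSignature   = errors.New("signature does not verify under the trusted key")
)

// Verify is the consumer-side check: recompute the hash of what actually
// arrived, compare it with the delivered digest, then verify the signature over
// the recomputed digest with the key the consumer chose to trust. Only a
// delivery that passes both checks is handed back to the caller.
func Verify(trusted ed25519.PublicKey, d Delivery) ([]byte, error) {
	got := sha256.Sum256(d.Payload)
	if !bytes.Equal(got[:], d.Digest[:]) {
		return nil, ErrDigestMismatch
	}
	if !ed25519.Verify(trusted, got[:], d.Signature) {
		return nil, ErrBadSignature
	}
	return d.Payload, nil
}

func main() {
	prov, trustedKey, err := NewProvider()
	if err != nil {
		panic(err)
	}
	// 1. Genuine delivery from the trusted provider.
	good := prov.Publish([]byte("service-component v1"))
	_, err = Verify(trustedKey, good)
	fmt.Println("genuine delivery:", err)

	// 2. Same delivery with the payload altered in transit.
	tampered := good
	tampered.Payload = []byte("service-component v1 plus something extra")
	_, err = Verify(trustedKey, tampered)
	fmt.Println("tampered payload:", err)

	// 3. A different party offering the "same" functionality under its own key:
	//    this is the wrong-site case, and the pinned key catches it.
	impostor, _, _ := NewProvider()
	_, err = Verify(trustedKey, impostor.Publish([]byte("service-component v1")))
	fmt.Println("unknown signer:  ", err)
}
```

The digest comparison and the signature check are deliberately separate steps so a log line can say which one failed: a digest mismatch points at corruption or tampering in transit, a bad signature at an unexpected signer.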

He acknowledges that normally trustworthy partners may occasionally accidentally send bad code or a bad identity assertion. But, Wagner says, overall, "it is much more likely that someone will decide to trust the wrong site because it promises to provide the functionality he needs."

Already malware commonly masquerades as useful code and sometimes does provide the function it promises while doing other, less desirable things in secret.

Technology and education

That's one of the three main exposures Wagner sees with SOA, and organizations are already experiencing problems when employees access the wrong sites from their work desktops and accidentally import malware into the enterprise. Combating malware -- whether it is associated with SOA or someone downloading "free" music from a file-sharing site -- requires a strategy combining technology with education.

The security technology needs to be able to stop malware before it can infect the network. But the best solution is to educate users about the dangers of unknown sites to minimize the exposure in the first place.

The second major exposure is more technical and harder to intercept.

"XML basically can contain any kind of executable or data, including things designed to do damage," Wagner warns.

Again, every organization accepting XML-encoded files, which is the vast majority of organizations today, is exposed already.
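Because XML can carry declarations and instructions as well as data, the usual defence is to screen every inbound document at the boundary before the application parser sees it, the job an XML gateway does in an SOA deployment. The Go program below is an added example, not code from the article or from any product it mentions: `Screen`, `Limits` and the sample documents are constructed here, and the limit values are illustrative. It tokenizes the document with Go's standard decoder and rejects DTD directives (where entity declarations live), processing instructions other than the XML declaration, oversized input, and excessive nesting or element counts; undeclared entity references are rejected by the decoder's strict mode.

```go
package main

import (
	"bytes"
	"encoding/xml"
	"errors"
	"fmt"
	"io"
	"strings"
)

// Limits a boundary gateway applies to every inbound XML document before the
// application behind it sees the bytes. Values are constructed for this
// example; a real deployment sizes them to its own message formats.
type Limits struct {
	MaxBytes    int64 // hard cap on document size
	MaxDepth    int   // maximum element nesting depth
	MaxElements int   // maximum number of start tags in one document
}

var (
	ErrTooLarge  = errors.New("document exceeds size limit")
	ErrTooDeep   = errors.New("element nesting exceeds depth limit")
	ErrTooMany   = errors.New("element count exceeds limit")
	ErrDirective = errors.New("DOCTYPE/DTD directives are not accepted")
	ErrProcInst  = errors.New("processing instructions other than the XML declaration are not accepted")
)

// Screen reads at most MaxBytes+1 bytes (so an oversized document is detected
// rather than silently truncated), then walks the token stream and enforces the
// limits. Malformed XML, including references to entities the document never
// declared, is reported by the decoder itself. On success the validated bytes
// are returned for the application to parse.
func Screen(r io.Reader, lim Limits) ([]byte, error) {
	raw, err := io.ReadAll(io.LimitReader(r, lim.MaxBytes+1))
	if err != nil {
		return nil, err
	}
	if int64(len(raw)) > lim.MaxBytes {
		return nil, ErrTooLarge
	}
	dec := xml.NewDecoder(bytes.NewReader(raw)) // Strict mode is the default
	depth, elements := 0, 0
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			break
		}
		if err != nil {
			return nil, fmt.Errorf("malformed XML: %w", err)
		}
		switch t := tok.(type) {
		case xml.Directive: // <!DOCTYPE ...>, <!ENTITY ...> and friends
			return nil, ErrDirective
		case xml.ProcInst: // allow only the <?xml ...?> declaration
			if t.Target != "xml" {
				return nil, ErrProcInst
			}
		case xml.StartElement:
			elements++
			if elements > lim.MaxElements {
				return nil, ErrTooMany
			}
			depth++
			if depth > lim.MaxDepth {
				return nil, ErrTooDeep
			}
		case xml.EndElement:
			depth--
		}
	}
	return raw, nil
}

func main() {
	lim := Limits{MaxBytes: 4096, MaxDepth: 8, MaxElements: 100}
	// Constructed sample documents: one plain message and several that a
	// gateway should refuse.
	samples := []struct{ name, doc string }{
		{"plain order", `<?xml version="1.0"?><order><id>42</id><qty>3</qty></order>`},
		{"with DOCTYPE", `<!DOCTYPE order [<!ENTITY x "x">]><order>&x;</order>`},
		{"with stylesheet", `<?xml-stylesheet href="sheet.xsl" type="text/xsl"?><order/>`},
		{"deeply nested", strings.Repeat("<a>", 20) + strings.Repeat("</a>", 20)},
		{"undeclared entity", `<order>&nothere;</order>`},
	}
	for _, s := range samples {
		_, err := Screen(strings.NewReader(s.doc), lim)
		fmt.Printf("%-18s -> %v\n", s.name, err)
	}
}
```

Screening is done on the raw bytes and the token stream only; nothing is resolved or executed. Anything the gate refuses is logged with the specific error so a single misbehaving partner shows up as a pattern rather than as scattered parser failures downstream.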
