Blog: Are you Insecure about SOA Security?

Service-oriented architecture (SOA) creates tremendous opportunities for companies to integrate across departments, across systems and across enterprises. Integration can help simplify business processes, improve speed to market, allow companies to react more quickly to changes in the business, and share data and services. For example, an SOA architected correctly can allow an e-commerce site to integrate seamlessly with its suppliers, distributors, credit card companies and consumers. After a customer places an order, a flurry of messages is orchestrated by the system without requiring any of the users or systems to log in each time.

SOA also allows companies to rejuvenate their legacy systems by abstracting certain business processes, services, or data points without having to rip out and replace these systems. Companies can leverage their existing investments in their legacy systems while building new systems that seamlessly integrate with them.

To the end users this is nirvana. To the folks in the security department, this is their worst nightmare!

Integration Side Effects

The benefits I mentioned above come with great risks in the areas of security, privacy and compliance. For services to integrate easily with other services both behind and outside of the firewall, they must be discoverable and easy to interpret. Many SOA implementations use Web services. Web services use WSDL (Web Service Description Language), which describes how to invoke the service. UDDI (Universal Description, Discovery, and Integration) is a standard commonly used with Web services that allows services to be discovered and retrieved. Two other important standards frequently used in an SOA are XML (eXtensible Markup Language) and SOAP (Simple Object Access Protocol). XML is a self-describing format that carries information about the messages in clear text, while SOAP is a protocol for exchanging XML-based messages and likewise provides important information in the clear. While these standards make it easier for companies to integrate services, they could also hand the keys to the kingdom to hackers if the proper security is not in place.
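To make the "in the clear" point concrete, here is an added example (not code from the original post) that scans a SOAP envelope for sensitive fields carried as plain text. The sample order message, its element names and the list of sensitive field names are constructed for illustration; a real deployment would run a check like this at the gateway or in message logging to catch credentials and card data that should never be sent unprotected.

```python
"""Added example (not from the original post): scan a SOAP envelope for
sensitive fields carried in clear text. The sample envelope, element names
and the list of sensitive field names are constructed for illustration."""
import re
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"  # SOAP 1.1 envelope namespace

# Constructed list of field names that should never travel in the clear.
SENSITIVE = re.compile(r"(password|passwd|secret|creditcard|cardnumber|cvv|ssn)", re.I)


def local_name(tag):
    """Strip the {namespace} prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def find_cleartext_fields(envelope_xml):
    """Return [(path, value)] for every element in the envelope whose local
    name looks sensitive and that carries a non-empty text value in clear."""
    root = ET.fromstring(envelope_xml)
    if local_name(root.tag) != "Envelope":
        raise ValueError("not a SOAP envelope")
    hits = []

    def walk(elem, path):
        here = path + "/" + local_name(elem.tag)
        if SENSITIVE.search(local_name(elem.tag)) and (elem.text or "").strip():
            hits.append((here, elem.text.strip()))
        for child in elem:
            walk(child, here)

    walk(root, "")
    return hits


# Constructed sample order message, modelled on the e-commerce flow above.
SAMPLE = f"""<soap:Envelope xmlns:soap="{SOAP_ENV}" xmlns:o="urn:example:orders">
  <soap:Header><o:Auth><o:User>alice</o:User><o:Password>hunter2</o:Password></o:Auth></soap:Header>
  <soap:Body><o:PlaceOrder><o:Sku>ABC-123</o:Sku>
    <o:CardNumber>4111111111111111</o:CardNumber></o:PlaceOrder></soap:Body>
</soap:Envelope>"""

if __name__ == "__main__":
    for path, value in find_cleartext_fields(SAMPLE):
        print(f"clear-text sensitive field at {path}: {value}")
```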

Many legacy systems were never architected to be exposed to other systems, especially systems outside of the firewall. Now with SOA, hackers can get access to systems and data that they couldn't get to before, thanks to the discovery and self-describing nature of SOA.
