
Debate: Is SOA still too immature to secure?

'If you can’t define it, you cannot secure it'
Written by Joe McKendrick, Contributing Writer

Two recent posts by leading SOA thinkers have different takes on the state of SOA security. Is it a monstrosity that is almost impossible to secure end to end, or is it something that can be started relatively simply and grown with proper attention and management?

Will SOA outgrow its insecurity?

Forrester's Randy Heffner says we have reached a point where SOA is secure enough for prime time. However, he cautions, while WS-Security has helped standard Web services using SOAP, some careful navigation is required for full-blown SOA. But it's doable. "Advanced SOA security - involving federation among partners, nonrepudiation, and propagation of user identities across multiple layers of service implementations - is in its early days," Randy points out. Still, the need for robust SOA security will be inevitable. "Many user organizations will find that advanced SOA security becomes mandatory - especially with increasing data privacy and other regulations."

JP Morgenthal takes a dimmer view on SOA security, pointing out the world really hasn't agreed on a consistent definition of SOA, and, therefore, there may be issues with attempting to provide security. As he points out: "If you can’t define it, you cannot secure it!"

JP adds that while there is plenty of research and literature on the topic of cybersecurity, there's very little that connects SOA and cybersecurity. The problem is that SOA touches so many parts of the technology stack, and each has its own security solutions and protocols.

"If you’re tasked with focusing on cybersecurity for your SOA, you could focus on locking down access to your Web services, stopping SQL injection attacks, addressing DDoS attacks against the service, etc. Each of these areas requires considerable knowledge of the entire computing stack from telecom through the hardware through the operating system and into the application. Holy rotten fish Batman! That’s a tall order for even the most adept team, but it’s made even more difficult by the fact that there aren’t that many cybersecurity experts available that understand this entire domain."

Still, Randy Heffner takes a stab at designing SOA security, starting at the simplest level with virtual private networks and two-way (mutually authenticated) Secure Sockets Layer (SSL), in which the service consumer must present its own certificate, not just the service. "Hackers cannot even connect to an SOA-based service unless they steal a certificate and key from a service consumer," he says. Move up a step or two, and the next option is to leverage "existing SOA security features in Java or .NET application platforms and concentrating SOA security within an SOA specialty product such as an enterprise service bus, SOA and Web services management solution, SOA security server, or SOA appliance," Randy says.
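Randy's simplest tier, two-way SSL, is concrete enough to show in code. The following Go program is an added example written for this post, not code from Forrester or from either author: it spins up a loopback TLS service that requires a client certificate chained to a demo CA, then dials it three ways, with a CA-issued consumer certificate, with no certificate at all, and with a self-signed certificate the CA never issued (an attacker's own key rather than one stolen from a real consumer). All names (demo-ca, soa-service, consumer-app, attacker-app), lifetimes and the helper functions are made up for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var serial int64 // demo-only serial counter; a real CA tracks serials persistently

// issue generates a P-256 key and a certificate for cn, signed by parent (self-signed when nil).
// Hypothetical helper for this demo; every name and lifetime here is made up.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, tls.Certificate{}, err
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true, IsCA: isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, tls.Certificate{}, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, err
}

// Setup builds a demo CA, a server cert, a CA-issued consumer cert ("consumer-app")
// and a self-signed cert ("attacker-app") that the CA never issued.
func Setup() (ca *x509.Certificate, server, trusted, rogue tls.Certificate, err error) {
	var caTLS tls.Certificate
	if ca, caTLS, err = issue("demo-ca", true, nil, nil); err != nil {
		return
	}
	caKey := caTLS.PrivateKey.(*ecdsa.PrivateKey)
	if _, server, err = issue("soa-service", false, ca, caKey); err != nil {
		return
	}
	if _, trusted, err = issue("consumer-app", false, ca, caKey); err != nil {
		return
	}
	_, rogue, err = issue("attacker-app", false, nil, nil)
	return
}

// TryConnect starts a loopback TLS listener that REQUIRES a client certificate chained to ca,
// dials it with clientCert (nil = present no certificate), and returns the first handshake
// error seen on either side, or nil when the mutual handshake completed.
func TryConnect(ca *x509.Certificate, server tls.Certificate, clientCert *tls.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{server},
		ClientAuth:   tls.RequireAndVerifyClientCert, // this line is the "two-way" in two-way SSL
		ClientCAs:    pool,
		MinVersion:   tls.VersionTLS12,
	})
	if err != nil {
		return err
	}
	defer ln.Close()
	srvErr := make(chan error, 1)
	go func() {
		c, err := ln.Accept()
		if err != nil {
			srvErr <- err
			return
		}
		defer c.Close()
		srvErr <- c.(*tls.Conn).Handshake() // Accept does not handshake; force it to get the verdict
	}()
	cfg := &tls.Config{RootCAs: pool, ServerName: "soa-service", MinVersion: tls.VersionTLS12}
	if clientCert != nil {
		cfg.Certificates = []tls.Certificate{*clientCert}
	}
	conn, err := tls.Dial("tcp", ln.Addr().String(), cfg)
	if err != nil {
		return err // TLS 1.2: the server's rejection alert reaches the client inside Dial
	}
	defer conn.Close()
	return <-srvErr // TLS 1.3: the client can finish before the server rejects it, so ask the server
}

func main() {
	ca, server, trusted, rogue, err := Setup()
	if err != nil {
		panic(err)
	}
	fmt.Println("CA-issued client cert:", TryConnect(ca, server, &trusted))
	fmt.Println("no client cert:       ", TryConnect(ca, server, nil))
	fmt.Println("self-signed cert:     ", TryConnect(ca, server, &rogue))
}
```

Only the first connection succeeds; the other two fail in the handshake, before a single SOAP byte is exchanged, which is exactly Randy's point. Two caveats a practitioner would add: the check is only as strong as the consumer's private-key handling (a stolen consumer key passes), and it authenticates the transport peer, not the end user or the individual operation, so the identity-propagation and authorization layers he places higher up are still needed.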

Ultimately, even when starting with simple SOA security measures such as VPNs or SSL, SOA proponents need to recognize that the process will develop into something more intricate. The key is "to anticipate the need for and leave paths open to build additional, deeper security functionality as business requirements demand and SOA security maturity allows," Randy says. We'll grow and learn as we go along, he believes:

"Typically not all applications need all of your security requirements; initial applications may be able to do with a lighter-weight pass on building your SOA security solution, while later applications require you to fill in your solution with additional features....  Each time you make a pass through, you will learn more about how to build the most effective SOA security solution with the pieces that you have."

Still, JP says the current crop of tools and protocols are too immature for top-to-bottom SOA. Things will only get more complicated as SOA-enabled services become part of cloud offerings. "What I have experience in with regard to the WS-* security mechanisms, security tools and technologies for securing Web-based and non-Web-based applications, still do not begin to address the real hard issues regarding cybersecurity in an SOA; especially as we expand the notion of service."

SOA raises issues that never arose in the days of siloed applications and point-to-point Web services. Both Randy and JP recognize that securing a complex network that touches many parts of the stack is going to take work. Where they disagree is whether current approaches are at least a place to get started. JP adds that SOA is too much of an amorphous, changing entity on which to base solid security decisions.
