Notebook: SOA as a security opportunity
TD Ameritrade Chief Security Officer Bill Edwards figures that he's going to be pulled onto the service oriented architecture (SOA) bandwagon soon. He might as well use it to enhance security.
Among all the drivers for SOA adoption security rarely comes up as one of them. Edwards begs to differ. As companies increasingly use SOA to build Web services and connect various business functions, there's a security opportunity.
"When the architects approached me about SOA my first reaction was 'no you can't do that,'" said Edwards, who spoke at a financial services online fraud panel at Wharton Technology Conference in Philadelphia on Friday. "But then I realized I'm going to be dragged along with SOA anyway so I should use it to rebuild security from the ground up. I know it's coming so my team got friendly with the architecture group."
The specific benefit: With SOA Edwards can focus his security efforts on the module in question. Say one module requires a patch. Instead of patching--and breaking--multiple applications Edwards can take advantage of SOA to zero in on one Web service. Even better, Edwards could rearchitect the module to make it more secure without a patch.
"SOA is going to be embraced by security. I don't know if the industry is ready for security on SOA, but I'm looking forward to it as it will make my job easier," he said. "SOA allows you to get granular on security and focus on specific modules."
For more reading on SOA see Joe McKendrick's blog.
Other odds and ends:
Want to see folks squirm? Ask about browser security. At the online fraud panel at the conference I asked three questions (provided by Ryan Naraine).
- Why does browser security (where online fraud is perpetuated) rely on certificate warnings that nobody can understand?
- Do we have a browser architecture crisis on our hands?
- Is anyone switching away from IE as an official policy?
Then the tap dancing began. Secure Computing CTO Dr. Paul Judge said before the question that hackers were obviously moving up the application layer to focus attacks. After the question, he said it's not really a browser issue. "It's not like you can shut down the Internet on a Wednesday and retrofit browsers," said Judge.
He did acknowledge that browser architecture was built in an era where attacks weren't as prevalent.
Capital One CIO Gregor Bailar said browsers have a security issue with their plug-in architecture, but said efforts are better focused on users. If you told users not to click on an email and don't run strange programs you'd be much more productive than picking browser sides. He suggested "mandatory Internet ethics training at age 5."
Panelists also noted that they have to support all browsers. Bottom line: No one was going to pick a browser side security be damned.
Has anyone looked at the costs of Patch Tuesday? I haven't seen any hard stats, but it has to be substantial.
Edwards notes that when Patch Tuesday hits TD Ameritrade "stops everything to patch the environment." His team has the drill down, but it does take time.
Capital One's Bailar added that "It's a cost. X plus 5 hours."
Will virtualization lead to new security threats?
Edwards acknowledges that "virtualization scares me from a security perspective."
Say you have 3 operating systems standardized on one virtualization infrastructure. Say that virtualization software gets hacked. Suddenly all of the OS diversity you have goes kaput.
Scary huh?
Bailar says companies may ultimately need virtualization software diversity to lower risks.
ROI and finding that magic security fix. Edwards said there are no security magic bullets. A more vexing question is how much security is enough?
"That goes back to the ROI question. What's the end game here. There may not be a solution today. How do we solve the browser issue?"
Given the lack of security fixes, Edwards asked whether financial services firms need to invest in security startups that can meet the company's needs. Investing in security startups may not be a bad idea and a natural extension for TD Ameritrade considering it already gives customers anti-malware software.