Monthly Archives: August 2009

SOA & Cybersecurity

I recently started my research into cybersecurity and I am working to become more prolific in this area. Naturally, given my inclination to Service Oriented Architecture (SOA), I am really interested in issues related to both SOA and cybersecurity.

One thing I noticed immediately regarding cybersecurity is that, in general, there are relatively few experts in this area given the total number of IT professionals in the world. This is a known fact. The US Government estimates that we will need on the order of a hundred times more cybersecurity experts in coming years than we currently have. Moreover, due to the nature of work of cybersecurity experts, they don’t readily publish what they know and, thus, it’s even more difficult to expand the pool of cybersecurity experts.

Seek long and hard and you can find some excellent research and literature on the topic of cybersecurity. However, attempting to locate research that covers cybersecurity and SOA was a fruitless endeavor. Sure, we can start with basic concepts like digital signatures, encryption, policy management and access control, however, the literature and examples in these areas often focus on corporate enterprises being operated on secure networks. But, I delve too deeply, too quickly.

In the past, I have been a harsh critic on the lack of consistency of definition and agreement of SOA. Up till now, this has been an academic discussion that isn’t going to greatly impact the universe. If a company wants to build JBOWS (just a bunch of web services), call it their SOA strategy and believe think their acting strategically, so be it. However, lack of agreement on SOA has significant real-world implications with regard to cybersecurity.

If you can’t define it, you cannot secure it!

SOA has become a catch-all for multiple application development and enterprise architecture initiatives. So, if you’re tasked with focusing on cybersecurity for your SOA, you could focus on locking down access to your Web Services, stopping SQL injection attacks, addressing DDoS attacks against the service, etc? Each of these areas requires considerable knowledge of the entire computing stack from telecom through the hardware through the operating system and into the application. Holy rotten fish Batman! That’s a tall order for even the most adept team, but it’s made even more difficult by the fact that there aren’t that many cybersecurity experts available that understands this entire domain.

Additionally, if SOA is the architecture, then shouldn’t security be a primary consideration across the entire architecture? That is, shouldn’t the resulting artifacts of an SOA deliverable address security top-to-bottom? I believe it should, but if you’re in the camp that believes SOA is driven by identifying your service boundaries by your business processes versus business function, then it’s going to be much more difficult to manage appropriate access since processes cross boundaries so often. Nothing screams louder for ensuring proper granularity in an SOA like cybersecurity. A black box is easier to protect than a set of discrete, interconnected nodes.

I’m clearly at the beginning of this exploration. However, what I have experience in with regard to the WS-* security mechanisms, security tools and technologies for securing Web-based and non-Web-based applications, still do not begin to address the real hard issues regarding cybersecurity in an SOA; especially as we expand the notion of service. For example, Twitter, for all intensive purposes, is a service that, according to Twitter staff, was recently unavailable for a considerable amount of time due to directed denial of service attacks.

What if this service was germane to you running your business? Do you still believe WS-* is going to help you protect your SOA-based services? Furthermore, if you take your services into the Cloud, what impact is that going to have on securing your critical business services? The Internet is a darker and grimmer place that the pleasant face we see in Google everyday.

Of note, if you’re a cybersecurity expert looking to mentor someone on the real esoteric issues of how systems are compromised, let me know!