SOA Security: How Irish Luck Went a Long Way

From a security perspective, service oriented architecture (SOA) is a tricky thing. It's not hard for bad guys to compromise it with SQL injection, capture-replay and XML denial-of-service attacks, which they can ultimately use to bust through walls around a company database.

Slideshow: 10 of the Worst Moments in Network Security History

As Acumen Solutions' Igor Khurgin, SOA practice manager, and Saurabh Verma, director global services, explained in a recent CSOonline column: "Adopting services oriented architecture (SOA) in your enterprise without thinking through IT governance can cause something like the Gold Rush in the 1800s; extreme rates of growth and minimal law and order which produce unexpected outcomes." Mark O'Neill, CTO at XML network management company Vordel, also spells out the risks in SOA Security: The Basics.

To continue reading, register here to become an Insider. You'll get free access to premium content from CIO, Computerworld, CSO, InfoWorld, and Network World. See more Insider content or sign in.

From a security perspective, service oriented architecture (SOA) is a tricky thing. It's not hard for bad guys to compromise it with SQL injection, capture-replay and XML denial-of-service attacks, which they can ultimately use to bust through walls around a company database.

Slideshow: 10 of the Worst Moments in Network Security History

As Acumen Solutions' Igor Khurgin, SOA practice manager, and Saurabh Verma, director global services, explained in a recent CSOonline column: "Adopting services oriented architecture (SOA) in your enterprise without thinking through IT governance can cause something like the Gold Rush in the 1800s; extreme rates of growth and minimal law and order which produce unexpected outcomes." Mark O'Neill, CTO at XML network management company Vordel, also spells out the risks in SOA Security: The Basics.

The EBS Building Society, one of Ireland's largest financial services companies, wanted SOA for its ability to quickly model (and change) business processes. And it's IT Head David Yeates' responsibility to secure the resulting architecture. Below, he explains the process his company took to achieve secure SOA.

[Listen to audio of the Yeates interview: How to Secure Your SOA, which covers items not included in this story, including the affect SOA security has had on EBS compliance initiatives.]

Why did SOA make sense despite the security concerns?

SOA has the potential to be an extremely important strategic business tool. The future IT emphasis will be on process-driven development and component-based solutions like Siebel component assembly, Oracle fusion, IBM's component business models, and so on. Future complex financial IT applications, meanwhile, may span multiple organizations in real time with organizations acting as both suppliers and consumers in such an environment and exposing applications to B2B customers as Web services. This has major implications for an IT organization which must now seriously consider the following areas: governance and service management, and an integrated security infrastructure to address Web Services and XML security.

With those security issues in mind, describe the implementation process EBS followed.

In implementing an application infrastructure based on SOA principles, we had four distinct phases:

• Simple Internal Integration (tactical -- technology driven): This focused on application and platform level peer-to-peer communication; elements of coarse and fine-grained services.
• Rich Internal Integration (technology driven): Addressed the complexity and cost of distributed applications, the application spaghetti environment, rudimentary service business technologies, elements of routing and transformation and multi-channel applications.
• External Partner Integration (business driven): Extending an SOA-based application infrastructure to consume (and) or provide B2B services.
• Core Business Functionality (strategic -- business driven):Process driven development -- Web services integration and orchestration; business process modelling and monitoring.

We recognized we needed a loosely coupled SOA which addressed areas such as the reality of long-running transactions with complex routing and transformation; the notion of compensating transactions for transaction integrity; service choreography; the need to integrate with human workflows systems; and the potential for process-driven development. We also needed to address data semantics, data modelling and operational data stores and needed a comprehensive security architecture to underpin the future operational environment.