The traditional approach of getting security right in an environment from the beginning does not apply to the service-oriented architecture (SOA) environment.
This is according to Mark Lowe, security lead at Accenture, speaking at ITWeb Security Summit 2008, this week.
He said the dynamic nature of an SOA environment should be supported by an equally dynamic security system.
"It is nice to get things right in the beginning; however, SOA is something that never ends. The architecture is built so you can combine, upgrade and include new services, so security should evolve with that."
However, he said securing the loosely coupled environment inherent to SOA is challenging. SOA exists to allow organisations to reuse components in different configurations, creating a dynamic and flexible environment.
"Security must now be added over and above that and it places a large burden on developers to create custom code."
To remove that burden, Lowe suggested companies consider a modular approach to securing the environment. Instead of end-to-end security, organisations can look at individual processes and manage those in terms of access and security.
Another challenging aspect of SOA is the introduction of Web services to the environment. The Hypertext Transfer Protocol (HTTP) was never really designed to wrap other business services, nor to ensure that transactions performed through Web services are secure.
For Web services, it is important to ensure the point-to-point services are secured, with something like secure sockets, and again approach the rest as modular, he noted.
If companies use third-party services, there is little to no control over where information is passed. "Managers must define if users can or can't use services outside organisation boundaries. Information flow must be physically controlled and requirements for data should be really specific."