Computerworld - Service-oriented architecture changes the security equation by introducing a greater reliance on third parties for application development and operation. But according to Ray Wagner, managing vice president of information security and privacy at Gartner Inc., this is a matter of degree rather than an introduction of a totally new security exposure.
For instance, an SOA application may depend on a Web-based third-party service to provide vital functionality, with obvious security implications. But thousands of users already do this when they activate Microsoft's automatic updates.
"Ultimately, it's a matter of trust," he says. "You decide whether you trust Microsoft to send you good code. Then the computer checks that it has received what Microsoft sent, using cryptographic operations like hashes and digital signatures."
SOA may increase the number of these exchanges hugely. "Doing this hundreds of times an hour may have implications for computing loads, but it really is just a change of degree," not a qualitative change, Wagner says.
He acknowledges that normally trustworthy partners may occasionally accidentally send bad code or a bad identity assertion. But, Wagner says, overall, "it is much more likely that someone will decide to trust the wrong site because it promises to provide the functionality he needs." Already malware commonly masquerades as useful code and sometimes does provide the function it promises while doing other, less desirable things in secret.
Technology and education
That's one of the three main exposures Wagner sees with SOA, and organizations are already experiencing problems when employees access the wrong sites from their work desktops and accidentally import malware into the enterprise. Combating malware -- whether it is associated with SOA or someone downloading "free" music from a file-sharing site -- requires a strategy combining technology with education.
The security technology needs to be able to stop malware before it can infect the network. But the best solution is to educate users about the dangers of unknown sites to minimize the exposure in the first place.
The second major exposure is more technical and harder to intercept. "XML basically can contain any kind of executable or data, including things designed to do damage," Wagner warns. Again, every organization accepting XML-encoded files, which is the vast majority of organizations today, is exposed already.
But SOA promises to increase the number of XML transfers -- and, therefore, the exposure -- by orders of magnitude, while the huge volume of these transmissions in the SOA architecture also complicates the problem of intercepting the occasional piece of malware in that flow, even as it attracts increasing attention from criminals. And the increasing technical sophistication of malware clearly demonstrates that those crooks are able to pervert the technology to their uses.
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
