SOA Security
What exactly is Service Oriented Architecture?
A beautifully concise definition can be found on WS-SOA:

What are the security risks attached to SOA deployment?
Modern SOA infrastructures feature an application-to-application network that simplifies the sharing of normally compartmentalized data across all sorts of boundaries. Messages exchanged between services carry critical information such as privacy-related, intellectual property or financial data and operate at a higher application level. Traditional security tools bypass the message content and are therefore not suited to protecting and monitoring data generated by Web services.

How can unprotected SOA affect business?
XML traffic is prone to cyberattacks and hacktivism in much the same way as Web applications that are subject to XSS, SQL injection, etc. To complicate matters, Web Services have their own set of threats: new protocols such as WS-Security, WS-Addressing, SAML and WS-Trust take part in describing the traffic and hence require adapted processing. Inadequately secured SOA deployments expose the enterprise to XML-specific threats and to the resulting risks, such as uncontrolled access, service downtime and data compromise.

What solution for SOA security?
Web Services security is similar to standard Web application security, except for message-building, which is standards-based, and information exchanges, which require accurate description. The effective protection of XML data exchanges requires the use of a Web Services firewall. Specially equipped for processing Web Services, the Web Services firewall combines knowledge of the standards with the capacity for deep inspection of the various components within a message. A best-of-breed Web Services firewall should include message transformation and event logging features and provide performance optimization and ROI business benefits.
© Bee Ware 2011 - All rights reserved






