SOA Security: How Irish Luck Went a Long Way

From a security perspective, service oriented architecture (SOA) is a tricky thing. It's not hard for bad guys to compromise it with SQL injection, capture-replay and XML denial-of-service attacks, which they can ultimately use to bust through walls around a company database.

By Bill Brenner
Wed, May 06, 2009
. What's this?

CSO — From a security perspective, service oriented architecture (SOA) is a tricky thing. It's not hard for bad guys to compromise it with SQL injection, capture-replay and XML denial-of-service attacks, which they can ultimately use to bust through walls around a company database.

As Acumen Solutions' Igor Khurgin, SOA practice manager, and Saurabh Verma, director global services, explained in a recent CSOonline column: "Adopting services oriented architecture (SOA) in your enterprise without thinking through IT governance can cause something like the Gold Rush in the 1800s; extreme rates of growth and minimal law and order which produce unexpected outcomes." Mark O'Neill, CTO at XML network management company Vordel, also spells out the risks in SOA Security: The Basics.

The EBS Building Society, one of Ireland's largest financial services companies, wanted SOA for its ability to quickly model (and change) business processes. And it's IT Head David Yeates' responsibility to secure the resulting architecture. Below, he explains the process his company took to achieve secure SOA.

[Listen to audio of the Yeates interview: How to Secure Your SOA, which covers items not included in this story, including the affect SOA security has had on EBS compliance initiatives.]

CSO: Why did SOA make sense despite the security concerns?Yeates: SOA has the potential to be an extremely important strategic business tool. The future IT emphasis will be on process-driven development and component-based solutions like Siebel component assembly, Oracle fusion, IBM's component business models, and so on. Future complex financial IT applications, meanwhile, may span multiple organizations in real time with organizations acting as both suppliers and consumers in such an environment and exposing applications to B2B customers as Web services. This has major implications for an IT organization which must now seriously consider the following areas: governance and service management, and an integrated security infrastructure to address Web Services and XML security.

With those security issues in mind, describe the implementation process EBS followed.Yeates: In implementing an application infrastructure based on SOA principles, we had four distinct phases:

  • Simple Internal Integration (tactical -- technology driven): This focused on application and platform level peer-to-peer communication; elements of coarse and fine-grained services.
  • Rich Internal Integration (technology driven): Addressed the complexity and cost of distributed applications, the application spaghetti environment, rudimentary service business technologies, elements of routing and transformation and multi-channel applications.
  • External Partner Integration (business driven): Extending an SOA-based application infrastructure to consume (and) or provide B2B services.
  • Core Business Functionality (strategic -- business driven):Process driven development -- Web services integration and orchestration; business process modelling and monitoring.

Continue Reading

What is Tech Briefcase?
TechBriefcase is a new, free service where IT Professionals can Search, Store and Share IT white papers and content like this. Learn more
Bookmark content
Speed up your research efforts with content across the web.
Search and Store
Find the white papers you need. Create folders for any topic.
View Anywhere
Open your briefcase on your iPhone, tablet or desktop. Share with colleagues.
Don't have an account yet?
White Papers »
Finding the right cloud solutions for your organization
HP is driving the evolution of what we call the Instant-On Enterprise. It is an enterprise that embeds technology into everything it does to better serve citizens, partners, employees, and clients. We believe that today's Instant-On Enterprises need to think differently about how they source and deliver services that are enabled by technology. They need to take advantage of a hybrid delivery model-one that truly optimizes the mix between traditional IT, private cloud, and public cloud.

Intel and the Intel logo are trademarks of Intel Corporation in the U.S. and/or other countries.
Converged Infrastructure for Dummies
As you know, everything is mobile, connected, interactive, and immediate. This is exactly why organizations need a highly agile IT infrastructure in order to keep pace with extreme fluctuations in business demand. This book will help you understand why infrastructure convergence has been widely accepted as the optimal approach for simplifying and accelerating your IT to deliver services at the speed of business while also shifting significantly more IT resources from operations to innovation.

Intel and the Intel logo are trademarks of Intel Corporation in the U.S. and/or other countries.
Seven Priorities for Integrated Network Management - How HP Intelligent Management Center Delivers an Enterprise-class Solution
This white paper describes the major requirements for network management solutions to help the organizations become more profitable, efficient and reliable.

Intel and the Intel logo are trademarks of Intel Corporation in the U.S. and/or other countries.
Measuring the Business Value of CI in the Data Center
One of the key strategies that IT teams are pursuing to reduce capital costs while boosting asset utilization and employee productivity is the transition to highly virtualized data centers. However, IDC finds that expectations for further boosts in IT asset use and operational efficiency often surpass the actual results for a variety of reasons. These problems can quickly overwhelm any hoped-for benefits as the scope of virtual server deployment expands.

Intel and the Intel logo are trademarks of Intel Corporation in the U.S. and/or other countries.
Building Cloud-Optimized Data Center Networks white paper
Enterprises are turning to the Cloud to improve business agility, reduce expenses and accelerate business innovation. Cloud computing redefines the way IT assets are deployed and consumed and dramatically affects the way data center networks are architected and managed. Conventional hierarchical data center networks built to support traditional IT architectures can't meet the security, agility and price/performance requirements of virtualized cloud computing environments. This white paper reviews the impact of cloud computing on data center networks and describes HP's approach to building simpler, more secure and automated networks that fully meet the stringent performance, security, reliability and agility demands of the new data center in the Cloud.

Intel and the Intel logo are trademarks of Intel Corporation in the U.S. and/or other countries.
The Forrester Wave: Activities Streams, Q2 2012
The enterprise social software market is exploding thanks to converging trends of consumerization, cloud, and mobile. In this must-read report, "The Forrester Wave: Activities Streams, Q2 2012", Forrester Research Inc. evaluated five social software vendors with core strengths in the stream based on the overall strength of vendors' current offerings, a clear product strategy, and vendor market presence. In a detailed look at the space, Forrester named Yammer as a leader.
Webcasts »
Virtualization Success is a Team Effort
As greater numbers of datacenter servers transition from the physical to the virtual world, the components of virtualization success come to the fore. What scores of organizations have discovered is that success is derived from an optimal pairing of the right software platform with the right hardware platform.
Oracle Database Appliance Best Practices
Business users increasingly demand 24x7 availability of their data while IT departments face the challenge of ensuring maximum availability while operating with limited budgets.
Unlock the Value of Cloud Computing with Workload Automation
Learn how to get the most from your cloud investment in our on-demand webinar from BMC and InformationWeek. You'll hear how integrating the cloud into your production workload brings critical business benefits.
Best Practices to Optimize Your Data Center at Every Layer of the Stack
Date: May 31, 2012
Time: 1 PM EST

Organizations are reaping the benefits of simplifying IT, lowering costs and dramatically improving transactional throughput by deploying optimized application-to-disk solutions. These pre-tuned, tested solutions encompass a wide variety of applications and use cases. Hear from industry experts, and IT executives, how these full-stack solutions can achieve three times faster deployment times and up to 75% reductions in acquisition and operational costs.
Workload Automation Trends and Best Practices in 2012
Find out when you join EMA Senior Analyst, Torsten Volk, for a discussion on the 2012 trends in workload automation and how these trends contribute to better connecting workload automation to business processes. These trends are derived from EMA's empirical research work conducted for the 2012 Workload Automation Radar Report.
Analytics at the Speed of Thought
What if you could run financial and operational planning cycles 10 times faster? Or monitor and adjust marketing campaigns in real time? What if you could instantly visualize how a price change would impact the profitability of thousands of products?
Newsletter Sign-Up »

Receive the latest news test, reviews and trends on your favorite technology topics

Choose a newsletter
  11. View all Newsletters | Privacy Policy
White Papers » All White Papers

Finding the right cloud solutions for your organization

Converged Infrastructure for Dummies

Seven Priorities for Integrated Network Management - How HP Intelligent Management Center Delivers an Enterprise-class Solution

Measuring the Business Value of CI in the Data Center

Building Cloud-Optimized Data Center Networks white paper

The Forrester Wave: Activities Streams, Q2 2012

SMBs Get Virtualization, Plus the Benefits of High Core Count Processors

Virtualized for Agility

The Accelerated SMB: Moving at the Speed of Virtualization

Make Virtual Desktops a Valuable Reality with AMD

Has Your Server Infrastructure Kept Pace with End User Demands?

Real Fabrics for a Virtual World

Enabling Remote Employees with High Quality Video

From Systems to Service Management: Running Your IT Department Like a Business

Generation Gmail: How are you dealing with "work-around email" workers?

5 steps from Scheduler to Enterprise Workload Automation

Optimizing Business Processes in Today's Enterprises

Analyst WP: ESG-Proven value with the Oracle Database Appliance

Effective Data Leak Prevention Programs: Start by Protecting Data at the Source - Your Databases

Forrester: Formulate A Database Security Strategy to Ensure Investments Will Actually Prevent Data Breaches and Satisfy Regulatory Requirements
Sponsored Links

Master the cloud with the power of convergence from HP

Connect with IT leaders redefining mobility at the Enterprise Mobile Hub

Choose New and manage one device instead of 170

Choose New for 8x the firewall and NAT performance

Check out a smart way of mobilizing your business with enterprise-ready Samsung Mobile.

Redefine your data center with HP servers.

Enhance your business with Windstream IT Solutions. Speak to someone local.

BlackBerry® Mobile Fusion. Different mobile devices. One platform.

Click to see how Accenture has delivered high performance to clients

CYBERMARYLAND | Learn Why Maryland is the Epicenter for Cybersecurity

Get Ethernet speeds from 1 Mbps to 10 Gbps - Comcast Business Class

Cognizant. Leading in Business, Application & Technology Services

Collaboration: driving better business outcomes

Gain cutting-edge insights at MIT in 2-5 day executive programs.

Complimentary Gartner Report on BYOD: Media Tablets & Beyond. View Now

Elevate storage agility and efficiency with HP 3PAR storage.

Choose New and slash the number of devices you manage

Customized information views & Twitter events at New Fulcrum Point

Splunk translates machine data into "aha" moments for IT and the business.

ManageEngine Desktop Central - Automate and Audit Your Desktop Management! Learn More...

Cloud Readiness Starts with Intel® Technology

High performance. Delivered. Click to see Accenture's client successes

Visit the Virtually There Learning Page to learn how to use virtualization to your competitive advantage.

Free: Hunter Muller's "The Transformational CIO."

Join us for an upcoming Microsoft 365 live online demo event.

Discover your easiest path to unified communications

Virtualizing Your Infrastructure Just Got Easier

Connect with global CIOs now at Enterprise CIO Forum

Resource Center
buy a link »
Ads by TechWords