Security is NOT the Primary Limiting Factor Inhibiting SOA’s Growth
Peter Schoof over at eBizQ's Twenty-Four Seven Security makes a couple of very interesting assertions regarding the lack of growth of Service Oriented Architecture (SOA).
I haven't seen much discussion in the blogosphere about the security challenges that arise from loosely coupled service-oriented systems, but that will soon change. As more and more companies move towards open applications à la SOA, data is also opened up to a whole new series of exploits and vulnerabilities.
I will agree that SOA presents some very interesting security challenges which, as with many emerging technologies, people try to solve by bolting security on instead of baking it in. I'd also agree that SOA will expose new attack surfaces and potential vulnerabilities; it already has.
Interestingly, the market for SOA security solutions came out of the gate strong, looked hot in the midst of consolidation and M&A madness, but then stumbled as the adoption of SOA (or specifically SOA security) did not support this nascent market kindly. It has, in fact, become a feature, not a market.
As to there not being much discussion in the blogosphere surrounding SOA security, perhaps Peter missed Gunnar Peterson, Lori MacVittie, Arnon Rotem-Gal-Oz, or even me. Obviously Joe McKendrick has been blogging about SOA and security for some time as well, since he's the person moderating the webinar that Peter refers to in his full post.
At this point, security is the primary limiting factor inhibiting SOA's growth. In order to counteract that, "Enterprises need to apply non-invasive, externalized security policy enforcement mechanisms consistently throughout their SOA ecosystems, while also centrally managing security policy."
<Cough!> Um, no. Firstly, please shoot the marketing drone that wrote that.
Secondly, and most important, the primary limiting factor inhibiting SOA's growth is the sum of: the definition of SOA, the state (mess) of Enterprise Architecture, operationalizing SOA and message buses, the business case, business value, complexity, and the cost center. Security's in there somewhere, but it's far from being THE primary limiting factor, Peter.
I’m all for trying to raise the flag regarding SOA and the need for security, but please don’t play pin the tail on the donkey with security as the Ass…you’re only going to look like one.
/Hoff
Over in this corner…I hear "security is holding us back!"
And over in the other corner… I hear "Insecurity is holding us back!"
Sysadmin/Network guys and gals should all be thankful that the new punching bag of this decade is the security team…
What's even more sad is that there's only one combatant in the ring.
I have seen the enemy and it is us…
/Hoff
Should security in SOA be improved? Sure. Did this ever stop any previous technology from being widely deployed? Nope. The dotcom boom was built on far weaker security architecture than what SOA has. The real problem with SOA security is that the security people need to learn more about how apps are built and the software people need to learn more about security.
As you say, this is an integration challenge not an inherent security technology gap.
'zactly, Gunnar.
In fact, if we use virtualization as an example (don't moan) we see just this behavior. We'll play catch up and cyclically when the market's ready, we'll see a demand for more secure virtual environments…at around Web 4.0 😉
I think we're getting incrementally closer to security folks getting better about communicating with the developers. The difficulty most "security" folks have is that generally they come from operational networking roles, not programming backgrounds.
That's why the folks who make the big news (the security vulnerability researchers, etc.) all code…they straddle both sides of the fence.
I think it's much easier to come from the programming side and learn about security than it is the other way around.
At any rate, I think it was an odd bit of trolling to suggest that security was to blame here…I don't think McKendrick who's moderating the discussion would say that.
/Hoff
I wrote the offending blog, and yes, you are right, I got sucked into the marketing hyperbole and used the word 'primary.' But that's more a matter of semantics, wouldn't you say, as security IS definitely an issue with SOA.
I do dig your blog, Hoff, keep it up.
Thanks, Peter.
I think we're on the same page.
Thanks for the ping.
/Hoff
Lack of security is usually not the prime reason for halting growth; lack of creativity or added value is. However, when you want to use an SOA component to establish an adequate level of trust, the traditional security approach doesn't work. Given the many security issues on the web, traditional security approaches are also becoming less effective for non-SOA components anyway. Looking at services from a business perspective and not a technical perspective would be the first step towards mobilizing the brains to solve the trust issues.