Service-oriented architecture changes the security equation by introducing a greater reliance on third parties for application development and operation. But according to Ray Wagner, managing vice president of information security and privacy at Gartner Inc., this is a matter of degree rather than an introduction of a totally new security exposure.
For instance, an SOA application may depend on a Web-based third-party service to provide vital functionality, with obvious security implications. But thousands of users already do this when they activate Microsoft's automatic updates.
"Ultimately, it's a matter of trust," he says.
"You decide whether you trust Microsoft to send you good code. Then the computer checks that it has received what Microsoft sent, using cryptographic operations like hashes and digital signatures."
SOA may increase the number of these exchanges hugely.
"Doing this hundreds of times an hour may have implications for computing loads, but it really is just a change of degree," not a qualitative change, Wagner says.
He acknowledges that normally trustworthy partners may occasionally accidentally send bad code or a bad identity assertion. But, Wagner says, overall, "it is much more likely that someone will decide to trust the wrong site because it promises to provide the functionality he needs."
Already malware commonly masquerades as useful code and sometimes does provide the function it promises while doing other, less desirable things in secret.
Technology and education
That's one of the three main exposures Wagner sees with SOA, and organizations are already experiencing problems when employees access the wrong sites from their work desktops and accidentally import malware into the enterprise. Combating malware -- whether it is associated with SOA or someone downloading "free" music from a file-sharing site -- requires a strategy combining technology with education.
The security technology needs to be able to stop malware before it can infect the network. But the best solution is to educate users about the dangers of unknown sites to minimize the exposure in the first place.
The second major exposure is more technical and harder to intercept.
"XML basically can contain any kind of executable or data, including things designed to do damage," Wagner warns.
Again, every organization accepting XML-encoded files, which is the vast majority of organizations today, is exposed already.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.