While we are on the topic of SOA, or “modular distributed computing” as many friends are calling SOA these days, let us take a moment to visit SOA security.
Many of the security issues associated with SOA come from the fact that security, SOA-style, attempts to replace traditional security controls with new, open standards. Most of these new SOA security standards are relatively immature and unproven. In addition, the SOA standards that have emerged, like XML, SOAP, WSDL, and UDDI, have done little, if anything to address IT security.
XML, SOAP, WSDL, and UDDI are open standards that enable the transmission and description of data and interprocess communications between systems. These standards do not address SOA security and, by themselves, are simple a security breach that easily circumvent firewalls and put organizations at higher risk.
Therefore, as we move to “modular distributed computing” the architecture of loose coupling has the second order effect of decreasing SOA adoption when we get past the market hype and move into the details of how to actually secure this loosely coupled monster we are building.
In this series, wearing my CISSP hat, we will visit many of the key issues in SOA security and talk about why event processing is critical to securing modular distributed architectures.