News

SOA drives need for XML security

• By Jason Turcotte
• September 1, 2006

Deliberate attacks on Web services is one obvious risk enterprises take when building such apps, and sloppy data can wreak just as much havoc. But one expert says XML security is where it’s at for adopters of service-oriented architectures (SOA).

“There’s always a risk that your investment in Web services could be brought down by poor programming,” said Dimitri Sirota, vice president of marketing and alliance, Layer 7 Technologies.

Sirota says that while developers do their best to build code that limits the number of exploits within an app, security ultimately lies in the hands of IT managers and the solutions, or products they invest in.

“A lot of programmers don’t have a deep knowledge of security on the firsthand,” Sirota said. “And, as much as possible, our customers don’t want programmers implementing these standards or processes.”

Sirota co-founded Layer 7, emphasizing products and services that focus on secure business integration for XML and Web services–a focus that continues to become more relevant as enterprises embark on SOA-based projects. The biggest challenge enterprises face today, he says, is the challenge of expanding existing identity-based security solutions to SOA.

Sirota cites other security challenges for SOA as well–access control (identifying Web services calls, defining code), message-level security (meaning as XML data flows through multiple sources, enterprises need to encrypt the appropriate parts of the messages) and service mediation (or routing).

Earlier this month Layer 7 released version 3.5 of its XML firewall, which automates policy replication and manages through multi-gateway monitoring. The firewall–built for the company’s SecureSpan XML Gateway–also enables cluster deployments. SecureSpan is a security and networking appliance designed specifically for SOA and Web services, meshing firewall technology with XML VPN technology.

Before exposing a Web service outside the enterprise, Layer 7 cautions security architects and IT managers to closely consider the following questions: How do you identify differing security policies from a calling app’s identity? How do you prevent physical addresses from being displayed to users outside the enterprise? How do you adapt to changes in data formats and protocols? How do you prevent replay attacks? And how do you protect app interface access from developers with ulterior motives?

Sirota says the solutions are out there. And while he recognizes that some start-ups are slow to maximize revenue from legacy apps, there are many products today that leverage and integrate existing legacy security technologies.

Thanks to legacy mainframe reliance, financial services and banks have been at the forefront of SOA adoption. But other industries are jumping on the bandwagon. Sirota says government, healthcare, oil and gas companies are beginning to deploy these technologies. And as they do so, the SOA security market gradually grows.

“It’s no longer a case of early adopters; it’s more mainstream now,” Sirota said. “But adoption is going slowly.”