Meeting SOA and Web Services Security Challenges, Part 1
Software designers and developers are being challenged to build efficient security measures into their project work as computing is increasingly distributed via Web application services and service-oriented architecture (SOA).
Among the findings analyzed in the Ponemon and CipherOptics report "Network Security 2.0," the practice of sending data in clear text over third-party networks, the increasing presence of organized crime, the growing complexity of networks, devices and applications, and the desire to enforce and easily manage network encryption were cited as prevalent threats to network security.
Further illustrating the point, researchers at Dartmouth College's Glassmeyer/McNamee Center for Digital Strategies found significant risks to organizations -- banks and financial services companies specifically -- due to inadequate security and employees' use of peer-to-peer (P2P) network services.
"Users are unknowingly complicit. ... Some P2P applications allow you to set up a particular folder to share documents or music or other files, and it might be the case that there are some interfaces to the P2P systems that will enable you to share your entire hard drive -- then you'll share everything. ... There was a lawyer seen to share her entire work folder -- not a good thing to do," Scott Dynes, senior research fellow at the Center, part of Dartmouth's Amos Tuck School of Business, told TechNewsWorld.
A Rich Vein for Cybercrime
Ponemon and CipherOptics were surprised to find that just 35 percent of respondents said "no" when asked if their network environments permit sensitive or confidential information to pass over third-party networks in clear, readable text -- clearly an incentive for organizations to make use of Layer 2 data encryption technologies such as those offered by CipherOptics and others.
Using Tiversa technology, Dynes and his colleagues collected and categorized tens of thousands of P2P files and searches related to the top 30 U.S. banks.
"For one bank, we found a spreadsheet with 23,000 business accounts including their contact names and addresses, account numbers, company positions, and relationship managers at the bank," the authors noted in the report.
"We set out to see what kind of documents were out there that might result in economic damage to banks. ... We were able to look at both the documents and at the searches people were doing and we found there are people out there searching for things that other people would not want them to see, like credit card numbers, bank statements, Experian reports -- and there are documents out there that banks would not want others to see," Dynes recounted.
Private and confidential information is being exposed by banks, their law firms and other service suppliers, right on through to and including the landscaping companies they use, according to Dynes.
"We came across documents such as how to put a computer on a network at the bank. We saw one document at a law firm that talked about the merger between two financial institutions; we saw one, a proposal to banks for various services. Some of these could be quite damaging and they would be found by searches that folks are using."
Higher Performance or More Security?
Security threats are an ever-present risk regardless of IT infrastructure -- client-server, SaaS or SOA, noted Sandy Carter, vice president of SOA and WebSphere strategy, channels and marketing at IBM.
"The most prevalent security challenges today are those presented by malware, including computer hacking, consumer identity theft crimes, viruses, or other security vulnerabilities motivated by illegal profits. The emergence of organized cyber crime, coupled with the necessity for organizations to comply with myriad government regulations that ensure security and privacy of client data has made securing IT infrastructures through industry standard technologies critical for organizations of all sizes and in all industries," Carter told TechNewsWorld.
Management and IT staff face the vexing problem of striking the right balance between realizing the intended benefits of SOA and Web application services while at the same time securing information and their IT infrastructures.
"As a company establishes its SOA strategy it must carefully take into account its security requirements to ensure there aren't any trade-offs while gaining flexibility, reuse, cost reductions and productivity gains. Today, there are many SOA-specific products designed to address the security concerns associated with extending an SOA to different parts of the organization, the Web and to customers and partners alike," Carter continued.
"Products such as the IBM DataPower SOA were created to bolster the security in an SOA. These SOA appliances offer a unique way to simplify deployments, improve performance and enhance the security of SOA implementations. WebSphere DataPower SOA appliances feature critical transformation, acceleration, security and routing functions to help ease the deployment of SOA implementations," Carter explained.
Most IT organizations have standardized on Ethernet as their LAN technology and the WAN vendors are moving to managed Ethernet services, such as metro Ethernet and MPLS/VPLS offerings, said Scott Palmquist, CipherOptics' senior vice president of product management.
"So, the underpinnings of an SOA or Web 2.0 world are on Ethernet, which CipherEngine secures," he said.
Complexity is the biggest difference, and challenge, to developers when it comes to building adequate security measures into Web services and an SOA, according to BEA Systems' Hal Lockhart, who co-chairs the OASIS (Organization for the Advancement of Structured Information Standards) technical advisory board and security services technical committees.
"I believe SOA and SaaS 2.0 will usher in a more complex business environment. Instead of just one organization being the customer and the other organization the vendor, there will be a number of relationships around each interaction. For example, there might be a customer, a broker, a service provider and a data provider. The security systems will have to enforce the rules specified by the business contracts," Lockhart told TechNewsWorld.
"Building applications composed of many services means that each service is called in many different ways by many other services as well as directly by users. Each service will need to consider the entire context when it is called in order to decide what should be permitted," he added.
The Importance of Open Security Standards
The development and adoption of open security standards plays a big role in enabling organizations and IT professionals to deal with the increasing complexity of SOA and distributed Web application services and protect their systems and data from criminally motivated threats.
Identification and authentication in mash-ups, which draw from a number of Web services, often from different providers, is one example of the problems that increasing complexity creates for existing security measures, and the development of SAML (Security Assertion Markup Language) illustrates how open standards are addressing them, Lockhart pointed out.
"Every time you involve a new site in the mash-up, there's another username/password to deal with. A federated identity system, such as SAML, can greatly simplify matters," he said.
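The two points Lockhart makes above, that a federated identity standard such as SAML replaces one username/password per site with a single signed assertion, and that each service in a chain must look at the whole context of a call before permitting anything, can be shown together in a small script. The following is an added example; it is not code from the article, from OASIS, IBM, BEA or any other organisation named here, and it is deliberately simplified: it signs JSON assertions with HMAC-SHA256 under a shared key (real SAML uses XML assertions with XML-DSig public-key signatures, but the structure of the checks is the same), and all names, keys, roles and policy rules (`idp.example`, `broker.example`, `data-provider.example`, `IDP_KEY`, `POLICY`) are constructed for the illustration.

```python
"""
Added example, not code from the article or from IBM, BEA, OASIS or any
other organisation named in it: a minimal federated-identity flow in the
spirit of SAML's signed assertions, plus the context check that each
downstream service in a service chain must make before it permits an action.

Everything here is constructed for the illustration:
  * assertions are JSON signed with HMAC-SHA256 under a key shared between the
    identity provider and the services (real SAML uses XML with XML-DSig
    public-key signatures; the shape of the checks is the same);
  * the call path is passed as a plain list of hop names, so the data provider
    can see that a request came through an approved broker.
"""
import hashlib
import hmac
import json
import time

IDP_KEY = b"constructed-demo-key-do-not-reuse"   # placeholder shared secret
NOW = 1_700_000_000                               # fixed clock for repeatable runs


def _canonical(payload):
    """Deterministic byte encoding so signer and verifier hash the same bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def issue_assertion(subject, roles, audiences, key=IDP_KEY, ttl=300, now=None):
    """Identity provider side: one login yields one signed assertion that every
    listed service accepts, instead of one username/password per service."""
    now = time.time() if now is None else now
    payload = {
        "iss": "idp.example",          # constructed issuer name
        "sub": subject,
        "roles": sorted(roles),
        "aud": sorted(audiences),      # services allowed to accept this assertion
        "iat": now,
        "exp": now + ttl,
    }
    sig = hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}


def verify_assertion(assertion, service, key=IDP_KEY, now=None):
    """Service side: reject anything not signed by the IdP, not meant for this
    service, or past its expiry. Returns the payload on success."""
    now = time.time() if now is None else now
    expected = hmac.new(key, _canonical(assertion["payload"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["sig"]):
        raise ValueError("bad signature")
    p = assertion["payload"]
    if service not in p["aud"]:
        raise ValueError("assertion not intended for this service")
    if now >= p["exp"]:
        raise ValueError("assertion expired")
    return p


# Constructed "business contract" rules for one service: which roles may perform
# which actions, and which intermediaries the request must have passed through.
POLICY = {
    "data-provider.example": {
        "read_account":    {"roles": {"customer"}, "via": ["broker.example", "service.example"]},
        "export_accounts": {"roles": {"auditor"},  "via": []},
    },
}


def authorize(service, action, assertion, call_chain, now=None):
    """Decide a request using the whole context: who the subject is (from the
    assertion), what they ask for, and which path the call took to get here.
    Returns (allowed, reason)."""
    try:
        p = verify_assertion(assertion, service, now=now)
    except ValueError as err:
        return False, str(err)
    rule = POLICY.get(service, {}).get(action)
    if rule is None:
        return False, "no rule for action"          # default deny
    if not rule["roles"] & set(p["roles"]):
        return False, "role not permitted"
    missing = [hop for hop in rule["via"] if hop not in call_chain]
    if missing:
        return False, "required intermediary missing: " + ", ".join(missing)
    return True, "ok"


if __name__ == "__main__":
    a = issue_assertion("alice", ["customer"], ["service.example", "data-provider.example"], now=NOW)
    print(authorize("data-provider.example", "read_account", a, ["broker.example", "service.example"], now=NOW))
    print(authorize("data-provider.example", "read_account", a, ["service.example"], now=NOW))
```

The first call is allowed; the second is refused because the request skipped the broker that the constructed contract requires, even though the user and the assertion are exactly the same. Note that in this toy the call chain itself is an unsigned list supplied by the caller; in a real deployment each hop would add its own signed statement to the context, which is the kind of thing the SAML and WS-Security profiles exist to standardise.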
Increased security will be a "key enabler" to access high-value information and services and those with personal privacy or confidentiality implications, according to Lockhart.
"Introducing new technologies is a kind of trade-off in the sense that people, time and money will be required. However, I don't think it will be necessary to trade off in favor of insecurity. In fact, many of these standards will increase security."
Organizations need to make sure their employees are well aware of the security risks involved as they move to more distributed computing architectures such as SOA, Dynes emphasized.
"Assuring that there are policies in place prohibiting the use of P2P on company machines is an important thing; and they can go out and use services, such as those provided by our research partner, to go out and search for such documents themselves -- be proactive, go out and look into P2P networks for things that they don't want to share," he added.