Tim Bass
Sat, 06 Oct 2007 20:45:12 +0000
In SOA Security (Part 2), after dropping a bookshelf on my head preparing for a move to Asia, I promised to tell a "war story" and discuss how one of my past experiences in IT security applies to SOA security. The theme of this post is
Don’t Let Technology Get in the Way of a Good Solution, often known by another old saying,
The Enemy of Good is Great.
So, we embark on this story, nearly 8 years ago, with about 120 Air Force bases world-wide and a quasi-public Air Force Internet that connected the bases together with defense mega-centers and other critical sites. Like other large organizations, they had network management traffic, email, web traffic, and myriad other network traffic running across the net.
As the most senior trusted network advisor / consultant to the USAF at the time, we thought it was time to build a fully-meshed virtual private network (VPN) connecting all the sites together, one that would provide confidentiality, integrity and authentication for the network traffic using IPsec.
Although the solution architecture is not classified, I am not comfortable discussing the technical details of our solution. However, I can say that my architectural design was the foundation for the largest fully-meshed operational VPN in the world.
At the time, many of the technologies associated with automatically keying the VPN were immature and expensive. I rejected all of the "immature complexity" and used an approach we called "Defense-in-Depth". In this methodology, we architect a solution based on risk and the appropriate compensating controls to manage that risk.
To secure an SOA, we need a similar approach. You will need to look at your requirements for authentication, authorization, integrity and confidentiality based on the risk profile of your business. One size does not fit all.
Don't get trapped (or wrapped) in the blind alleyway of immature, confusing and less-than-proven security "standards" like SAML, XACML, WSS, WS-Federation, WS-Security, WS-SecureConversation, WS-SecurityPolicy, WS-Trust, XML-Encryption, or XML-Signature (to name a few). Take a step back (or maybe two) and look at your risk and exposure and the available compensating controls (i.e. your VPN) for the AIC (authentication, integrity, and confidentiality) triad.
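The two points above, that a fully-meshed VPN is the compensating control for the AIC triad and that keying a full mesh is the expensive part, can be made concrete with a small model. The following is an added example written for this page; it is not the author's design, not IPsec, and not code from any USAF deployment. It uses a toy HMAC-based keystream as a stand-in for ESP's cipher (illustration only, never for real traffic), derives one key per site pair from a master secret as a stand-in for manually provisioned keys, and uses a constructed list of 120 hypothetical site names. It shows what the per-pair security association gives you (ciphertext, tamper rejection, rejection by the wrong peer) and how many pairs a 120-site mesh produces.

```python
import hashlib
import hmac
import itertools
import os

# Constructed site list standing in for the ~120 bases in the post; the
# names are hypothetical and carry no real topology.
SITES = ["base-%03d" % i for i in range(120)]


def mesh_pairs(sites):
    """Every unordered site pair. In a full mesh each pair needs its own
    security association and therefore its own key material, which is what
    makes keying the dominant cost at this scale."""
    return list(itertools.combinations(sorted(sites), 2))


def pair_key(master, site_a, site_b):
    """Derive the per-pair key from a master secret (a stand-in for manually
    provisioned keys; a real deployment would use IKE or an out-of-band KDC)."""
    first, second = sorted((site_a, site_b))
    return hmac.new(master, f"{first}|{second}".encode(), hashlib.sha256).digest()


def _subkeys(key):
    """Split one pair key into an encryption key and a MAC key."""
    return (hashlib.sha256(b"enc" + key).digest(),
            hashlib.sha256(b"mac" + key).digest())


def _keystream(k_enc, nonce, length):
    """Toy counter-mode keystream built from HMAC (illustration only, not a
    real cipher). Provides the confidentiality part of the demo."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(k_enc, nonce + counter.to_bytes(4, "big"),
                        hashlib.sha256).digest()
        counter += 1
    return out[:length]


def protect(key, plaintext, nonce=None):
    """Encrypt-then-MAC: confidentiality from the keystream, integrity and
    peer authentication from the HMAC tag keyed to this site pair."""
    nonce = nonce if nonce is not None else os.urandom(12)
    k_enc, k_mac = _subkeys(key)
    stream = _keystream(k_enc, nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(k_mac, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unprotect(key, packet):
    """Verify the tag before touching the ciphertext; return None on any
    failure so a forged or tampered packet is dropped, never half-decrypted."""
    if len(packet) < 12 + 32:
        return None
    nonce, ciphertext, tag = packet[:12], packet[12:-32], packet[-32:]
    k_enc, k_mac = _subkeys(key)
    expected = hmac.new(k_mac, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    stream = _keystream(k_enc, nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))


def demo(master=b"constructed-master-secret-for-demo"):
    """Exercise the three properties between two sites, then show a tampered
    packet and a packet presented to the wrong peer both being rejected."""
    a, b, c = SITES[0], SITES[1], SITES[2]
    k_ab = pair_key(master, a, b)
    k_ac = pair_key(master, a, c)
    msg = b"GET /inventory HTTP/1.0 from site A to site B"
    packet = protect(k_ab, msg)
    # Flip one ciphertext bit: the integrity check must reject it.
    tampered = bytearray(packet)
    tampered[12] ^= 0x01
    return {
        "sa_count": len(mesh_pairs(SITES)),           # 120 * 119 / 2 = 7140
        "roundtrip": unprotect(k_ab, packet),          # == msg
        "tampered": unprotect(k_ab, bytes(tampered)),  # None
        "wrong_peer": unprotect(k_ac, packet),         # None: not A<->B's key
    }


if __name__ == "__main__":
    print(demo())
```

Two things worth noticing when you run it. First, 120 sites in a full mesh is 7,140 pairwise associations, which is why the cost of keying, not the cipher, drives the design decision the post describes. Second, the packet carries no notion of which user or service sent it, only which site pair's key protected it: a network-layer control of this kind covers confidentiality, integrity and site-to-site authentication, and the authorization requirement mentioned above has to be met by a different control, which is exactly the kind of gap a risk-based review should surface.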
In Part 4, I will begin to discuss how to use a Defense-in-Depth approach to SOA security.