Home > De-Perimeterization, General Rants & Raves, Information Security > Good News! SOA Will Make Your Life Easier…and Easier to Secure!

Good News! SOA Will Make Your Life Easier…and Easier to Secure!

February 28th, 2007 Leave a comment Go to comments

Soafortune
I read ZDNet’s coverage of the Wharton Technology Conference in Philadelphia by Larry Dignan and was astounded by what Larry reported was said in regards to comments made by TD Ameritrade’s Chief Security Officer, Bill Edwards.

I’m not trying to pick on Mr. Edwards as I have never met the man, but his comments regarding SOA left me disillusioned about how security and emerging technologies are approached in what continues to be a purely reactive, naive and disconnected manner.

Specifically, SOA is not exactly "new."  The evolution of technology, maturing of standards, proliferation of Web 2.0 and massive deployments of SOA’s in some of the world’s largest companies shouldn’t come as a surprise to anyone…even in the risk averse financial services sector.  That being said, SOA is disruptive and innovative and needs to be approached both strategically as well as tactically.

As a former CISO of a $25 Billion financial services firm, I was embroiled in our first SOA deployments 2.5 years ago.  It’s blood and guts.  It involves dealing with the business, business partners, IT and development staffs in ways you never have.  It takes communication, education, expertise and business acumen.  It’s not something you wait to be dragged into.

The notion that a security team would be "dragged" into SOA rather than embrace and approach it proactively and from the perspective of a thought leader and collaborative contributor astounds me.

That said, here’s what I had a problem with:

TD Ameritrade Chief Security Officer Bill Edwards figures that he’s
going to be pulled onto the service oriented architecture (SOA)
bandwagon soon. He might as well use it to enhance security.

"When the architects approached me about SOA my first reaction was ‘no
you can’t do that,’" said Edwards, who spoke at a financial services
online fraud panel at Wharton Technology Conference in Philadelphia on
Friday. "But then I realized I’m going to be dragged along with SOA
anyway so I should use it to rebuild security from the ground up. I
know it’s coming so my team got friendly with the architecture group."

What disturbs me is that SOA represents potentially monumental impact to business, technology and security and instead of embracing (see below) this in a proactive manner, the ad hoc formation of a "strategic" response is "…if you can’t beat ’em, join ’em" and perhaps leverage this to fix problems that weren’t fixed prior.

Paying for sins of the past with currency of the future and confusion in the present isn’t exactly showing alignment to the business as an enabler.  But that’s just me.

It’s clear that the first reaction of saying "no, you can’t do that" is so incredibly typical and representative of the security industry in general; fear what you don’t understand and can it. I can’t imagine how making decisions on risk without an effective model is doing the business justice.

Realizing that this is a train on the tracks that can’t be ducked and that he’s going to be "dragged along with SOA" and that something must be done to head off disaster at the pass (or at least get more budget,) I’m having trouble reconciling this:

"SOA is going to be embraced by security. I don’t know if the industry
is ready for security on SOA, but I’m looking forward to it as it will
make my job easier," he said. "SOA allows you to get granular on
security and focus on specific modules."

I am really having trouble understanding whether this is a statement or a question, but I just cannot comprehend how much sense that last sentence fails to make. 

You’re not embracing SOA when you describe being "dragged into it" and your first reaction is "no." Further, if you’re deploying SOA and you’re not baking in security, you should be fired.

Secondly, Explain to me how SOA is going to make security (his job) easier?  Because you can get "granular on security?"  Huh?  SOA is complex.  If you don’t have your "stuff" together in the first place, it’s only going to make your life more difficult.

I’m sorry for this reading like I’m a grumpy bastard (I am) and that I’m singling out Mr. Edwards (he chose to be on a panel) but this just doesn’t jive.

My advice to Mr. Edwards and anyone else looking for the right approach to take with SOA and security is to read Gunnar Peterson’s blog or some more of his work.
 

/Hoff

  1. No comments yet.
  1. No trackbacks yet.