I want to have Gunnar Peterson’s Baby (His SOA posts are the schizzle!)
I really look forward to reading Gunnar Peterson’s blog. He’s got a fantastic writing style and communicates in an extremely effective form about one of my favorite topics SOA and security. His insightful posts really get to the point in a witty and meaningful way. I’m going to try to make one of the OWASP meetings he is presenting at soon.
Gunnar made a fantastic post commenting on Arnon Rotem-Gal-Oz’s writings on Service Firewall Patterns, but within the context of this discussion, his comments regarding the misalignment of developers, network folks, security practitioners and enterprise architects are well said:
One of my issues with common practice of enterprise architecture is that they frequently do not deep dive into security issues, instead focusing on scalability, detailed software design, and so on. But here is the thing – the security people don’t know enough about software design, and the software people don’t know enough about security to really help out.
Sadly, this is very true. It goes back to the same line of commentary I’ve also made in this regard. The complexity of security is rising unchecked and all the policy in the world isn’t going to help when the infrastructure is not capable of solving the problem and neither are the people who administer it.
Add to this the reality that many security mechanisms cannot make a business case as a one off project, but need to be part of core infrastructure to be economic, and wel[l], you get the situation we have today.
Exactly. While this may not have been Gunnar’s intention, this describes why embedding security functionality into the "network" and expecting packet jockeys to apply a level of expertise they don’t have to solve security problems "in the network", as a result of economic cram-down, is going to fail.
The architects define the "what", and unless security is one of those whats, it is not feasible to make the case for many specialized security services at a project by project level. This is why enterprise architects that enable increased integration within and across enterprises must also invest time and resources in revamping security services that enable this to be done in a reliable fashion.
…but sadly, to Gunnar’s point above, just as security people don’t know enough about software design and software people don’t know enough about security, enterprise architects often don’t know what they don’t know about networking or security. The problem is systemic, and even with the best intentions in mind, an architect rarely gets the opportunity to ensure that, after the blueprints are handed down, the "goals" for security are realized in an operational model consistent with the desired outcome.
I’m going to post separately on Rotem-Gal-Oz’s Service Firewall Pattern shortly as there are tremendous synergies between what he suggests we should do and, strangely, the exact model we use to provide a security service layer (in virtualized gateway form) to provide this very thing.