SOA rollouts create security headaches for organisations

11 Nov 2008

Almost half of senior IT executives perceive security threats as the most critical issue in the implementation of service-oriented architecture (SOA) and web services-based applications.

While SOA and web services offer organisations innovative ways to meet the IT application and integration needs of their employees, customers and partners, they also introduce significant security challenges that must be addressed, according to an independent global survey sponsored by CA.

The survey revealed that 44pc of senior IT executives found security threats when implementing SOA and web services.

This perception and concern about security is justified, as the executives surveyed also reported experiencing an average of seven XML-targeted attacks against externally facing SOA or web services applications in the past year.

“The state of SOA and web services security is similar to what we saw with websites and portals about 10 years ago,” said Lina Liberti, vice-president for CA Security Management.

“As organisations rolled out web applications, best-practice security management approaches had not yet been resolved and security became a significant challenge.

“Web services and SOA applications have experienced those same security issues, but we believe the best-practice approaches implemented for web applications apply to these application architectures as well,” Liberti said.

The survey also revealed that as organisations deploy SOA and web services security systems, the vast majority of respondents (93pc) believe integrating them with their identity and access management (IAM) solution is critical. However, just 43pc of IT executives have done this integration to date.

Despite the security concerns, organisations surveyed have a surprisingly high percentage of externally facing SOA/web services implementations.

For example, respondents said that 75pc of their web services are externally facing, while 68pc are external SOA-based applications. At the same time, more than half of the respondents (57pc) reported they have deferred or slowed adoption of some SOA and web services due to security-related issues.

“The fact that respondents are deferring SOA and web services applications for security reasons indicates a strong collaboration between business and IT security teams. They are truly evaluating risk versus benefit to the business,” Liberti said.

“Further evidence of the need for such collaboration is that 93pc of the IT executives surveyed believe SOA and web services security should be integrated with identity and access management systems, which directly support critical business concerns such as compliance,” Liberti added.

By John Kennedy

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years