SOA is one of those buzzword acronyms that mean so many things to so many people, it's hard to pin down what it is. Nevertheless, many large enterprises are integrating applications and building applications using XML, Web services and rudimentary service-oriented architectures. But what about security?
An SOA is meant to provide enterprises with the means to develop applications rapidly by mixing together small, self-contained application services. What used to be "internal" communication inside an application becomes an external network transaction. Because large enterprises are using these technologies and architectures already, we sought to learn to what degree enterprises have begun thinking about securing their SOA-based applications. The answer -- very little. Just one-third are planning to implement SOA security within the next year.
Why the relatively low level of interest in SOA security? Quite frankly, companies still are getting their arms around how SOA-based applications will affect their overall architectures, not just security. SOA security is an issue on the horizon, but it's one of several.
"I'm worried about bots and botnets," says the head of security for a large university. "It seems to me that we're on the cusp of a new generation of attack tools that are precisely going to find vulnerability in these applications, much more so than they do now. Apps don't do a good job separating application from presentation layer. I'm imagining a scenario where agents look for and exploit very subtle vulnerabilities."
That said, SOA security is one area where companies at least are planning to put their money where their mouths are: 50 percent say they expect their SOA security budgets to increase during the next 12 to 18 months. That's not too difficult, given the low levels most folks are starting from: US$78,000 was the mean spending of the handful of companies reporting they had an SOA security budget. Of course, there's also the question of precisely what companies are going to spend their money on. Leading-edge enterprises complain there's a lack of standardized products: "The mechanisms to date have not resulted in products that people are using. We have an initiative to look at message-brokering facilities. We have deployed XML gateways for security purposes. With the Web Services Security protocol, we are not seeing much vendor standards agreement in that space," says an IT executive at a financial-services firm.
And, unsurprisingly, just a quarter of IT executives say they're using SOA-enabled devices in their security infrastructures.
The take-away? Mixed, but intriguingly so. Unlike the case with other communications-security issues (in particular, mobility and VOIP), IT executives seem to have aligned their SOA-security investment strategies with their priorities. As SOA activities in the enterprise continue to increase, we expect security budgets to follow. As I embark on further research in enterprise applications, I surely will be returning to this topic!