Service-oriented architectures raise security issues, says Jean-Noël Ezingeard
When describing service-oriented architectures (SOAs), some talk of a "paradigm shift". The idea that everything can be modular, be it business process activities or software components, is very appealing.
Specifically for information systems, many argue that modular components, called up when needed as "services", are not only cheaper to run but also more robust because they are self-standing and do not rely on complex and bloated software.
Another claimed advantage is that services can be benchmarked against each other from both a performance and cost point of view. The paradigm shift that some technical experts refer to is not about the concept of service orientation itself, but more about the management of such services - and the dearth of IT professionals who possess SOA skills.
There is another critical aspect to consider: security. This can be particularly acute because of the outsourcing element that often accompanies SOA. It is almost impossible to disentangle the idea of service orientation (SO) from that of outsourcing, since application components can be called from outside the company's boundaries. Is this something that should worry security experts? One of the advantages of SO is that it relies on standards and incorporates clear service level agreements to ensure adequate protection against known threats.
Security is not the only area of concern. Governance and privacy, for instance, may become more important than service levels and threat protection.
Who is in charge?
These two issues are often discussed when talking about outsourcing. Governance in federal environments can be problematic. A high level of outsourcing can make it impossible to pin down responsibility in a crisis.
When a company's firewall is outsourced to one business partner because of their technical skills, desktops to another because of their low cost and data warehousing to a third because of the robustness of their business continuity programmes, who is in charge when a penetration test reveals a flaw in the protection of sensitive data? Who, for instance, should have the authority to request the closure of a firewall port that has been opened to test a new application that is now not being used? There are worrying situations that can easily be exacerbated when software components are called in from different vendors in different locations.
The second issue worthy of management interest is privacy. Often outsourcing involves not only information technology services and support, but also complete business processes such as payroll, customer call centres and physical asset maintenance.
As outsourcing has gathered momentum there has been growing disquiet, particularly among financial services customers, about the adequacy of data protection. In some instances this has led to petitioning of the Information Commissioner and the subsequent insourcing of outsourced customer services.
Data protection concerns
In the case of business process outsourcing, developing the appropriate service level agreements and company data protection standards between the client organisation and outsourcing partners can help to allay customer fears and prevent leakage of sensitive information and subsequent damage to brand and reputation. Similar issues exist with SO, since sensitive customer data may be passed around various web services, sometimes without the customer's full knowledge or explicit agreement. The PR implications of data getting corrupted, misappropriated or lost are just as great with software components as with offshore call centres.
In many organisations, information security management is still based on procedures and governance that rely on three pillars: centralisation, clear boundaries and a clear definition of roles and responsibilities. With the increasingly fast move towards SO we can only be certain of one of these - clear roles. Our work with CIOs and CSOs suggests that it is no longer possible to rely on the other pillars, and that new ways of thinking about security need to acknowledge the balkanisation of information systems in organisations. This trend calls for stronger information security governance and tighter control mechanisms.
Jean-Noël Ezingeard is professor of systems and processes management at Henley Management College
This was first published in September 2005