
Another passenger for your bus?

Tuesday, April 17, 2007 at 9:06am by Schalk Cronjé

Here I am, back in the office and still recovering from a four-day technical conference. I just got back from ACCU 2007. This is a software development conference renowned for its high quality technical content and impressive collection of international speakers. In some previous years it also hosted a track specifically on security. This little posting is not about why I was there talking about paradigms such as Generative Programming. Neither is it about answering the question a fellow attendee asked: How come you get to do all of this kewl stuff at McAfee? Actually it is about sharing a concern of mine …

I was sitting in a session about SOA presented by Nico Josuttis, and it just dawned on me how big the scope for exploitation of the Enterprise Service Bus (ESB) is. The moment loose coupling is introduced to allow for interoperability between heterogeneous systems, a security threat is also introduced. This obviously does not mean that a vulnerability or two has been introduced; it simply means that additional security is mandatory as part of the design and testing of any newly introduced service or system. The ESB is an asset that needs to be secured and protected. As it is so pervasive, not being a couple of networking cables or some centralised hardware, there are many attack vectors. With anyone in an enterprise being able to tap into this ESB in one way or another, the possibility of stealing data from within is a serious risk as well. With companies sharing their ESBs this risk is elevated.
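To make the point concrete, here is an added illustration that is not part of the original post and not code from any real ESB product: two toy publish/subscribe buses. The naive one delivers every message to every subscriber, which is what "anyone can tap into the bus" looks like in code; the guarded one makes each delivery a per-topic authorization decision and records every refused delivery so that an audit trail exists. The topic names, consumer names, entitlements and sample messages are all constructed for the example.

```python
"""Added illustration (not part of the original post): why every service
attached to a loosely coupled bus needs its own access decision.

Both buses are toy models constructed for this example. Topic names,
consumer names, entitlements and the sample traffic are made up."""


class NaiveBus:
    """Loose coupling with no access control: any subscriber sees everything."""

    def __init__(self):
        self._subscribers = []   # list of (consumer, inbox)

    def subscribe(self, consumer):
        inbox = []
        self._subscribers.append((consumer, inbox))
        return inbox

    def publish(self, topic, payload):
        # Every message goes to every inbox, whatever the topic.
        for _consumer, inbox in self._subscribers:
            inbox.append((topic, payload))


class GuardedBus:
    """Same bus, but delivery is an authorization decision per topic,
    and every refused delivery is logged so it can be detected."""

    def __init__(self, entitlements):
        # entitlements: {consumer: set of topics that consumer may read}
        self._entitlements = {c: set(t) for c, t in entitlements.items()}
        self._subscribers = []
        self.audit_log = []

    def subscribe(self, consumer):
        # A consumer with no entitlements at all is refused at attach time.
        if consumer not in self._entitlements:
            raise PermissionError(f"{consumer} has no entitlements on this bus")
        inbox = []
        self._subscribers.append((consumer, inbox))
        return inbox

    def publish(self, topic, payload):
        for consumer, inbox in self._subscribers:
            if topic in self._entitlements[consumer]:
                inbox.append((topic, payload))
            else:
                self.audit_log.append(f"DENIED {consumer} topic={topic}")


def demo():
    """Publish the same constructed traffic on both buses and report what a
    low-privilege consumer ends up holding. Returns a dict for inspection."""
    messages = [  # constructed sample traffic
        ("orders.placed", "order 1001 for customer C-42"),
        ("payroll.run", "salary batch March (sensitive)"),
        ("orders.placed", "order 1002 for customer C-17"),
    ]

    naive = NaiveBus()
    naive_reporting = naive.subscribe("reporting-service")
    for topic, payload in messages:
        naive.publish(topic, payload)

    guarded = GuardedBus({"reporting-service": {"orders.placed"},
                          "hr-service": {"payroll.run"}})
    guarded_reporting = guarded.subscribe("reporting-service")
    guarded_hr = guarded.subscribe("hr-service")
    for topic, payload in messages:
        guarded.publish(topic, payload)

    return {
        "naive_reporting_sees_payroll":
            any(t == "payroll.run" for t, _ in naive_reporting),
        "guarded_reporting_sees_payroll":
            any(t == "payroll.run" for t, _ in guarded_reporting),
        "guarded_hr_messages": len(guarded_hr),
        "denied_events": len(guarded.audit_log),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The denied-delivery log is the part worth keeping in a real design: a consumer that repeatedly asks for topics it is not entitled to is exactly the "unwanted passenger" the post is concerned about, and without that record nobody notices the attempt.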

Coincidentally, Sage 2 – The Future of Security also went out last week. It contains an excellent article on risk management. Dan Molina, the author, explains why every company should have a comprehensive and integrated plan of defense. In the same publication, John Viega, has a good write-up on data leakage. I invite you to read both these articles as they provide very good insights that are relevant to ESBs.

I do not have a quick solution or answer; I simply have concerns. I am worried that people try to implement solutions with the very good intent of solving the fast-paced business needs of today, yet are opening themselves up to threats of a new malicious nature. To a great extent security is an intellectual challenge more than a technological solution. Simply throwing hardware and software at it will not solve the problem. The book Security Patterns – Integrating Security and Systems Engineering [1] is well worth a read as well. I would like to highlight two pragmatic little gems from it:

  • Paralysis by Analysis: “People spend so much time and money in analyzing threats and designing the security solution that there is no time or money to implement it” (p524). Be pragmatic; introduce security in a piecemeal approach. Some solution at any one time is better than no solution whilst everyone is waiting for the grand unified solution. Just imagine a military defence strategy that decides to have no army, because one day all-encompassing nukes will be available!
  • Enlist the Users: “Social engineering attacks are often the most damaging and can only be defended against with user education” (p522). The human observer is still one of the best forms of defense. The uneducated user is still one of the weakest links in the system.

Web services, which are widely found in SOA solutions, are just one conduit for attacking the ESB. Another might be internal eavesdropping via some form of spyware. As always, be vigilant in your security planning, but do not go overboard. Just keep an eye out for those unwanted passengers trying to get onto your bus.

[1] Schumacher et al., Security Patterns – Integrating Security and Systems Engineering. John Wiley & Sons, Chichester. ISBN 978-0-470-85884-4. [LINK TO WILEY]
