veryard projects - innovation for demanding change

Security in a Service-Oriented Economy


Security is a key element in a service-based economy, and creates demands in several directions:

towards service providers
towards service consumers
towards specialist security products and services
towards regulators capable of setting and enforcing security policies

Service-Based Security - Commentary



Recent developments in web services affect security in two key ways. First, by making services more easily accessible from a broader range of platforms and locations, they potentially create opportunities for people with hostile intentions. Second, by making the basic transport and connection layers easier for the application developer, and by opening up the availability and choice of third-party services, web services encourage the development of greater complexity at the application and business levels, among other things stimulating the growth of rule-based, differentiated or context-aware services. If business-level and application-level security does not keep up with the complexity and sophistication of the range of differentiated services available to and from customers and business partners, then we can expect many business vulnerabilities to emerge. This is illustrated by the case of Kodak, which found itself obliged to fulfil a large number of online customer orders for digital cameras at the wrong price. The consequence of poor business security may be significant financial losses or even corporate failure.

Security is often defined by the service provider, primarily to suit the interests of the service provider or to protect other service users. This is particularly evident in financial services, where the customer is generally required to supply enough information to demonstrate that he is not trying to commit fraud or money laundering. A similar attitude is creeping into air travel, as security staff confiscate nail clippers, umbrellas and other potential hijack weapons from unwitting passengers, and as check-in procedures become ever more tedious.

There is a huge contrast between services that are defined by the service user, and services that are defined by the service provider, and this permeates security as well. Most web services at present are provider-defined – the web service declares what it can do, or what options it offers, and the user can simply take it or leave it. Security provision can be added to this service description using SAML.

But the same languages for web service description and security description can be used by service users. In future, we expect service providers to be able to interpret and deliver user-described services, and this should of course include any security requirements declared by the user. (The service provider may of course impose security requirements on the user in return.)
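An added illustration of the two-directional declaration described above. This is example code, not from the original page or from Veryard Projects; the facet names, strength orderings and dictionary layout are constructed stand-ins rather than SAML or any real policy language. It gives the user's stated requirements the same weight as the provider's, so a "take it or leave it" provider-defined service and a user-defined one go through the same matching rule, and it reports which facet blocked agreement instead of silently falling back to the weakest common option.

```python
"""Mutual security-policy matching between a service provider and a service user.

Added illustration, not code from the original page or from Veryard Projects.
The facet names, strength orderings and dictionary layout are constructed
stand-ins for a real policy language; the point is the matching logic, which
treats the user's declared requirements with the same weight as the provider's.
"""
from dataclasses import dataclass, field

# Constructed strength orderings: later entries are stronger than earlier ones.
STRENGTH = {
    "transport": ["plain", "tls1.0", "tls1.2", "tls1.3"],
    "client_auth": ["none", "password", "token", "mutual_tls"],
    "integrity": ["none", "transport_only", "signed_message"],
}


def _rank(facet: str, level: str) -> int:
    """Position of `level` in the strength order for `facet` (higher is stronger)."""
    try:
        return STRENGTH[facet].index(level)
    except (KeyError, ValueError):
        raise ValueError(f"unknown level {level!r} for facet {facet!r}") from None


@dataclass(frozen=True)
class SecurityDeclaration:
    """One party's declaration: the weakest level it will accept per facet
    (`minimum`) and the strongest level it can actually deliver (`maximum`).
    A facet absent from `minimum` means "no requirement"; absent from
    `maximum` means "every level in the ordering is supported"."""
    minimum: dict = field(default_factory=dict)
    maximum: dict = field(default_factory=dict)

    def __post_init__(self):
        # A party that demands more than it can itself deliver is misconfigured.
        for facet, level in self.minimum.items():
            top = self.maximum.get(facet, STRENGTH[facet][-1])
            if _rank(facet, level) > _rank(facet, top):
                raise ValueError(
                    f"{facet}: declared minimum {level!r} exceeds own maximum {top!r}")


def negotiate(provider: SecurityDeclaration, consumer: SecurityDeclaration):
    """Return (binding, reasons).

    `binding` maps each facet to the strongest level both parties support,
    provided that level satisfies both parties' minima. It is None when any
    facet cannot be satisfied, and `reasons` then names the facet and the gap."""
    binding, reasons = {}, []
    for facet, order in STRENGTH.items():
        # Floor: the stricter of the two minima. Ceiling: the weaker of the two maxima.
        floor = max(_rank(facet, provider.minimum.get(facet, order[0])),
                    _rank(facet, consumer.minimum.get(facet, order[0])))
        ceiling = min(_rank(facet, provider.maximum.get(facet, order[-1])),
                      _rank(facet, consumer.maximum.get(facet, order[-1])))
        if floor > ceiling:
            reasons.append(f"{facet}: required at least {order[floor]!r} but only "
                           f"{order[ceiling]!r} is supported by both sides")
        else:
            # Choose the strongest mutually supported level, not merely the floor.
            binding[facet] = order[ceiling]
    return (None, reasons) if reasons else (binding, [])


# Constructed sample declarations.
PROVIDER = SecurityDeclaration(
    minimum={"transport": "tls1.2", "client_auth": "password"},
    maximum={"transport": "tls1.3", "client_auth": "mutual_tls", "integrity": "signed_message"},
)
# Provider-defined case: the user states no requirements and takes what is offered.
PASSIVE_USER = SecurityDeclaration(
    maximum={"transport": "tls1.2", "client_auth": "password", "integrity": "transport_only"},
)
# User-defined case: the user insists that responses be signed.
DEMANDING_USER = SecurityDeclaration(
    minimum={"integrity": "signed_message"},
    maximum={"transport": "tls1.3", "client_auth": "token", "integrity": "signed_message"},
)
# A provider that cannot meet the demanding user's integrity requirement.
LEGACY_PROVIDER = SecurityDeclaration(
    minimum={"transport": "tls1.0"},
    maximum={"transport": "tls1.2", "client_auth": "password", "integrity": "transport_only"},
)

if __name__ == "__main__":
    for label, p, c in [("provider-defined", PROVIDER, PASSIVE_USER),
                        ("user-defined", PROVIDER, DEMANDING_USER),
                        ("unsatisfiable", LEGACY_PROVIDER, DEMANDING_USER)]:
        print(label, negotiate(p, c))
```

The design choice worth noting is that the binding is the strongest level both sides can deliver, so a user who declares no requirements still gets whatever the provider can offer within the user's own capabilities, while a user who declares a requirement the provider cannot meet is told exactly which facet failed rather than being downgraded.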

In the current wave of accounting scandals it is worth learning the IT security lessons from another form of business security. Much of the comment has emphasised that accounting in the USA is "rules based", i.e. a rather mechanical process. Any mechanical process invites subversion by people who want to use the process for purposes other than its intended purpose. At the level of code, of course, this is precisely what viruses and worms do.

The official response to the scandals is focusing on a proper separation of interests and a proper balance of powers: typical concerns in corporate governance. These issues apply to IT security as well. For instance, we have heard rumours that experts involved in testing security systems have been implicated in breaches of that security by business competitors. What if service or solution providers are being paid large sums by people who have an interest in breaching our security? How would we know that our suppliers did not have internal conflicts of interest?

Nowadays, size and respectability are no guarantee of security. Recent scandals have touched companies that have won major US and international quality awards. The larger the company, the greater the likelihood of conflicts of interest, especially with professional service firms.

The opposite of a rules-based approach is an intelligent, dynamic approach which keeps track of developments in the threat and makes sure that detection and response are available and adequate. In the accountancy situation the developing threat was the collusion of companies with their auditors and the corruption of the official accounts. Clearly it is no use relying on existing accounting procedures to detect or respond to this threat. The huge investment in accounting is a positive hindrance until the new threat can be detected and responded to.

Web Services typically involve more stakeholders than previous service provision scenarios, presenting a multilateral security challenge. In principle any of the stakeholders can compromise the security of the overall system if their interests are not aligned or have been subverted.

In a detailed report, available from the CBDi Forum, we analyse Web Services security from this perspective of maintaining an intelligent and dynamic response.
Further reading: Richard Veryard & Aidan Ward, Web Service Security. CBDI Forum, 2002.


This page last updated on May 22nd, 2003
Copyright © 2003 Veryard Projects Ltd 
http://www.veryard.com/security/so-security.htm
in association with
antelope projects
CBDi Forum