Service Oriented Architectures (SOA) and Web services may offer organisations innovative ways to meet the IT application and integration needs of their employees, customers and partners, but many senior IT executives believe they also introduce significant security challenges.
According to an independent global survey of 555 IT directors sponsored by CA, 43% of senior IT executives perceive security threats as the most critical issue in the implementation of SOA and Web services-based applications.
This perception and concern about security is justified, as the executives surveyed also reported experiencing an average of seven XML-targeted attacks against externally facing SOA or Web services applications in the past year.
“The state of SOA and Web services security is similar to what we saw with Web sites and portals about 10 years ago,” says Lina Liberti, vice-president of CA Security Management. “As organisations rolled out Web applications, best practice security management approaches had not yet been resolved and security became a significant challenge. Web services and SOA applications have experienced those same security issues, but we believe the best practice approaches implemented for Web applications apply to these application architectures as well.”
The survey also revealed that as organisations deploy SOA and Web services security systems, the vast majority of respondents (93%) believe integrating them with their identity and access management (IAM) solution is critical. However, just 43% of IT executives have done this integration to date.
Despite the security concerns, organisations surveyed have a surprisingly high percentage of externally facing SOA/Web services implementations. For example, respondents said that 75% of their Web services are externally facing while 68% are external SOA-based applications. At the same time, more than half of the respondents (57%) reported they have deferred or slowed adoption of some SOA and Web services due to security-related issues.
“The fact that respondents are deferring SOA and Web services applications for security reasons indicates a strong collaboration between business and IT security teams,” says Liberti. “They are truly evaluating risk versus benefit to the business. Further evidence of the need for such collaboration is that 93% of the IT executives surveyed believe SOA and Web services security should be integrated with identity and access management systems, which directly support critical business concerns such as compliance.”