Sunday, November 20, 2016

Service Oriented Architecture and Security

So what do security, cyber crime, denial of service, and other security concerns have to do with a Service Oriented Architecture?

Does having a Service Oriented Architecture translate into having a more secure enterprise?  Maybe yes and maybe no.

Certainly having an Enterprise Architecture can translate into better security and I will explain why further down.  And since arguably a Service Oriented Architecture is a Strategic decision, then it might also mean your Strategic Plans that include a Service Oriented Architecture MAY translate directly into better security.  BUT just having a Service Oriented Architecture DOES NOT mean you have better security.

What do you need to consider?  For one, it should be obvious that not having an Enterprise Architecture that includes Standards, Practices, Policies and GOVERNANCE leaves gaps that could be exploited and reduce security.

Let me give an example.  Let's say you recognize a threat, maybe because of an attack or an attempt to penetrate your defenses.  You employ a security vendor, they do a scan and fix, and they give you a secure enterprise from the firewall into your internal systems.  OK, great: probably money well spent, and you can now sleep at night.  But without an Enterprise Architecture there is no governance to enforce the Standards, Practices and Policies that resulted from the scan and fix.  The same factors that were responsible for your previous gaps in security will still exist and, being ungoverned, can lead to the same vulnerability.  Perhaps simply adding a new service opens a small, seemingly insignificant hole in your defenses.

A Service Oriented Architecture, when part of an Enterprise Architecture, makes the task of implementing not only Standards, Practices and Policies but also Governance easier.  A security service domain that can interact with your integration layer and your OSS service domain will be far more agile and efficient in preventing, detecting and predicting attacks and in responding to unforeseen attacks.

Being able to modify in-flight processes automatically might just save your enterprise: when a trial-and-error attack is detected, your OSS and your Security Operations Center are notified, and the process vulnerability can be corrected rapidly.  If your systems are large monolithic applications (i.e. non-SOA), then such agility is NOT POSSIBLE.
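To make the last two paragraphs concrete, here is an added example (my own code, not from the original post): a tiny security service domain that subscribes to authentication events on an integration bus, detects a trial-and-error pattern (repeated failed logins from one source inside a time window), changes the policy an in-flight login process consults, and publishes the same alert to an OSS topic and a SOC topic.  The bus, topic names, thresholds, addresses and credentials are all hypothetical and constructed for the demonstration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class AuthEvent:
    """One authentication attempt as reported by an application to the bus."""
    ts: float       # seconds since an arbitrary epoch
    source: str     # hypothetical client identifier (a source address here)
    user: str
    success: bool


class IntegrationBus:
    """Minimal in-memory pub/sub standing in for the enterprise integration layer."""

    def __init__(self):
        self.subscribers = defaultdict(list)
        self.published = []   # (topic, message) log, kept for inspection

    def subscribe(self, topic, handler):
        self.subscribers[topic].append(handler)

    def publish(self, topic, message):
        self.published.append((topic, message))
        for handler in self.subscribers[topic]:
            handler(message)


class SecurityService:
    """Security service domain: watches auth events, maintains per-source policy,
    and notifies the OSS and the SOC when a trial-and-error pattern appears."""

    def __init__(self, bus, max_failures=5, window_seconds=60.0):
        self.bus = bus
        self.max_failures = max_failures
        self.window = window_seconds
        self.failures = defaultdict(deque)   # source -> timestamps of recent failures
        self.policy = {}                      # source -> "blocked"
        bus.subscribe("auth.events", self.on_auth_event)

    def on_auth_event(self, ev):
        if ev.success:
            return
        recent = self.failures[ev.source]
        recent.append(ev.ts)
        # Drop failures that fell out of the sliding window.
        while recent and ev.ts - recent[0] > self.window:
            recent.popleft()
        if len(recent) >= self.max_failures and ev.source not in self.policy:
            self.policy[ev.source] = "blocked"
            alert = {"source": ev.source, "failures": len(recent),
                     "window_seconds": self.window, "action": "blocked"}
            # Same fact to both domains: operations adjusts, the SOC investigates.
            self.bus.publish("oss.alerts", alert)
            self.bus.publish("soc.alerts", alert)

    def decision(self, source):
        return self.policy.get(source, "allow")


class LoginProcess:
    """An in-flight business process that consults the security service
    before doing the credential check, so policy changes take effect at once."""

    def __init__(self, bus, security, credentials):
        self.bus = bus
        self.security = security
        self.credentials = credentials   # hypothetical user -> password table

    def attempt(self, ts, source, user, password):
        if self.security.decision(source) == "blocked":
            return "rejected-by-policy"
        ok = self.credentials.get(user) == password
        self.bus.publish("auth.events", AuthEvent(ts, source, user, ok))
        return "ok" if ok else "bad-credentials"


def run_demo():
    """Constructed scenario: one source guesses seven times inside 30 seconds,
    another mistypes once and then logs in normally."""
    bus = IntegrationBus()
    security = SecurityService(bus, max_failures=5, window_seconds=60.0)
    login = LoginProcess(bus, security, {"alice": "correct-horse"})
    results = []
    for i in range(7):
        results.append(login.attempt(100.0 + 5 * i, "10.0.0.7", "alice", f"guess{i}"))
    results.append(login.attempt(200.0, "10.0.0.9", "alice", "wrong"))
    results.append(login.attempt(205.0, "10.0.0.9", "alice", "correct-horse"))
    return bus, security, results


if __name__ == "__main__":
    bus, security, results = run_demo()
    print(results)
    print([topic for topic, _ in bus.published if topic.endswith("alerts")])
```

The point of the structure is that the login process never hard-codes the response: it asks the security service, and the security service can change its answer while requests are still flowing.  In a monolith the same check would typically be compiled into the application and changed only with a redeploy.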

Be safe, be agile.
