James McGovern asks why we don't see enterprisey folks focusing on SOA *and* security. Well, there are a lot of reasons here, but let's look at some facts. Most enterprisey folks look at security in binary terms: inside the firewall or outside the firewall. When a transaction is "inside the firewall" they can do silly things like load all their transactions onto something like MQ Series with no authentication, send it to the mainframe which runs their entire book of business, and in essence run their transactional backbone on anonymous FTP. Because it's "inside the firewall".
Problem is, it's just a Visio drawing; it's not reality, it's historical baggage. We were trained to think about things in these terms in the 90s.
But the business and software worlds have changed a bit from the early 90s, even if security tooling hasn't.
If you sent an alien from outer space to observe what an enterprise looks like today, and asked that alien to file an objective report as to the actual connections and message exchanges, it wouldn't look like the idyllic, clear separation of good stuff from bad stuff; it would look like this:
There is no firewall in any meaningful sense, there are links, federations, communities of interest, business units, integration points, outsourcing arrangements, business processes. In short, there is information and commerce in all its messy vitality.
Inside the firewall and outside the firewall is not a security architecture; it's historical cruft, a Victorian, industrial-age artifact that snuck into your Visio, not something that protects your business's applications and data.
If you want to let the world access your mainframe, SAP, Siebel, or whatever so they can buy things from you, that is probably a really good idea. But don't assume that RACF or what have you came down on stone tablets from Moses. Just because your transaction is "inside the firewall" doesn't mean that your security model can only focus on resources and objects in isolation. It has to focus on how your business just broke everything apart and then re-connected everything. The subjects are different, the sessions are different, and the transactions are different. Just because the objects and resources are the same and are "inside the firewall" means little when all the context and all the relationships are different.
The world is not firewalled, it's federated. Just because it's convenient for enterprisey folks to buy into the same hallucination doesn't make it reality.
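To make the contrast concrete, here is an added example that is not code from the original post. It puts the two models side by side: a "Visio firewall" check that trusts any message arriving from an internal address, and a check that authorizes each transaction on the subject, session and transaction it actually carries, wherever it came from. The subject keys, the internal network range, the entitlement table and the messages are all constructed for illustration; the signed-message format is a simple HMAC scheme chosen for the example, not any particular product's protocol.

```python
"""Perimeter trust vs. per-transaction trust (added example, constructed data)."""
import hashlib
import hmac
import ipaddress
import json
import time
from typing import Optional, Tuple

# Constructed "inside the firewall" address range.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")


def perimeter_authorize(source_ip: str, message: dict) -> bool:
    """The Visio-firewall model: anything from an internal address is trusted.
    The message content is never consulted, so an anonymous, unauthenticated
    message on the internal queue is accepted as readily as a legitimate one."""
    return ipaddress.ip_address(source_ip) in INTERNAL_NET


# Per-subject signing keys, as a federation would provision them (constructed).
SUBJECT_KEYS = {
    "web-portal": b"portal-secret",
    "partner-acme": b"acme-secret",
}
# Which subject may invoke which backend transaction (constructed).
ENTITLEMENTS = {
    "web-portal": {"place_order", "check_balance"},
    "partner-acme": {"check_balance"},
}
MAX_SKEW_SECONDS = 300


def _canonical(body: dict) -> bytes:
    """Deterministic serialization so signer and verifier hash the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_message(subject: str, session: str, txn: str, payload: dict, ts: int) -> dict:
    """Build a message that states who is acting, in which session, and what they ask for."""
    body = {"subject": subject, "session": session, "txn": txn, "payload": payload, "ts": ts}
    body["mac"] = hmac.new(SUBJECT_KEYS[subject], _canonical(body), hashlib.sha256).hexdigest()
    return body


def federated_authorize(message: dict, now: Optional[int] = None) -> Tuple[bool, str]:
    """Authorize on the subject, session and transaction the message proves,
    independent of the network it arrived from."""
    now = int(time.time()) if now is None else now
    subject = message.get("subject")
    key = SUBJECT_KEYS.get(subject)
    if key is None:
        return False, "unknown subject"
    unsigned = {k: v for k, v in message.items() if k != "mac"}
    expected = hmac.new(key, _canonical(unsigned), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, message.get("mac", "")):
        return False, "bad signature"
    if abs(now - int(message.get("ts", 0))) > MAX_SKEW_SECONDS:
        return False, "stale message"
    if not message.get("session"):
        return False, "no session"
    if message.get("txn") not in ENTITLEMENTS.get(subject, set()):
        return False, "subject not entitled to transaction"
    return True, "ok"


if __name__ == "__main__":
    ts = 1_700_000_000
    anonymous = {"txn": "place_order", "payload": {"acct": "42", "qty": 9999}}
    print("perimeter, internal source:", perimeter_authorize("10.1.2.3", anonymous))
    ok = sign_message("partner-acme", "sess-1", "check_balance", {"acct": "42"}, ts)
    print("federated, entitled:", federated_authorize(ok, now=ts))
    bad = sign_message("partner-acme", "sess-1", "place_order", {"acct": "42"}, ts)
    print("federated, not entitled:", federated_authorize(bad, now=ts))
```

The perimeter check says yes to the anonymous order because it came from a 10.x address; the federated check says no to the same subject attempting a transaction it is not entitled to, rejects a message whose transaction field was altered after signing, and rejects a replay outside the time window. That is the difference between authorizing a network location and authorizing a subject in a session performing a transaction.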
Next week, I am speaking at Ping's SSO Summit on Web Services SSO: basically everything that happens after you press "SUBMIT" on a website. Your data has a journey as dangerous as Frodo Baggins' travels through Mordor. The talk traces the path from the website through the perils that lurk in the enterprise and legacy systems; we will look at ways to get Frodo and Sam home safely, and we won't rely on Visio firewalls where Mithril is required.
(Note: thanks for reminding me of the analogy, Jim.)
I dunno, I'm still not buying that a firewall is historical baggage (that is what you're saying, right?).
I accept that for a firewall to continue to be as effective as the Visio image on a diagram, it needs extremely deep inspection and knowledge of the protocols (good luck there).
I accept that once "inside the firewall" the hosts need to be hardened.
I even accept the loose idea that company networks are a federation, although I'm wary to say that. Just because 20 of my users can IM in and out doesn't mean they're making full connections with full pass-thru to and from those outside servers or users. But I'll accept that communication traverses our border all the time, and systems join in and disjoin the network.
I accept that while we collectively considered firewalls a very effective protection 15 years ago, they're not *as good* a protection now (see point #1).
But none of that really follows to say firewalls are antiquated or not necessary.
I guess it might depend on how you define a "firewall" and what sort of security you expect it to have (perfect versus partial value). An ACL on a router may be the same thing, so then we just play with semantics and Visio icons...
Posted by: LonerVamp | August 01, 2008 at 08:39 AM