Monday, October 5, 2009

Maverick Fed Gov Security Topic 05Oct09-01 > "SOA Security Is An Oxymoron"

SOA: Service-Oriented Architecture

I am sitting presently in a Mitre-sponsored SOA conference for the Federal Government. The 40 or so folks are supposed to represent the Fed Gov community when it comes to SOA and what it can do / is doing for the government. So far, I'm not feeling it.

We have a data issue in government. No one would dispute that. Terabytes or more of data, emails, images, files, all need to be categorized, linked, and accessible. At this conference there are lots of discussions about architecture, data structure, and even data standardization for platform independence. All important things, and necessary.

But what was missing, as usual, was any thought whatsoever to security: security of data, security at rest, security in transit, access controls, or encryption. Nothing. So of course I asked. I asked the same question in different ways for different presentations, just to see how different presenters would respond. This would give me a good sense of whether or not I was dealing with people who understood security, cared about security's role in their efforts, or even considered it at all.

It was the last, unfortunately. The last on that list: the last thing considered, if at all.

One presentation showed that 19 government agencies had agreed to SOA data standards for platform independence. A great feat, to be sure, getting 19 government agencies to agree on anything. ...but security was, as the presenter told me, "orthogonal". i.e., ignored. Someone else's problem.

The best statement that came out of the conference was the following quote: "There is a huge difference between building something and executing on it."

When we create a standards-driven architecture that makes data connectivity interactive, easy, and operable, we make it a HUGE target. We also make it way easier for the bad guys to suck the teat of our government until they are fat with data.

If we are to remain the number one power on the planet, we must drive security as part of the process. It is key, or we are toast.

We are told in the government that disparate bits of data, though unclassified, when put together can tell an enemy too much. Yet with SOA, that is exactly what we are building towards.
