Information River: A business technology blog

November 27, 2008

Security for Service Oriented Architecture (SOA)

The subject I am writing my network security research paper on is service oriented architecture (SOA) and how to secure it. I remember a few years ago when I first heard about the idea that software would simply discover and consume web services from remote objects and thus put the heavy-duty processing off to powerful servers out on the net, while the local machine would be mostly a host for a user interface, organizing the information for display. It has never really worked out that way. One of the concerns is the accuracy and security of the services delivered. Organizing a network that the application architect can trust to provide services turned out to be a more difficult task than the original concept imagined. Like everything, the devil was in the details.

What is driving the adoption of SOA is that it works well in a framework which requires fast development. SOA is the perfect extension of the object-oriented concept of reuse. One of the hopes of OOP has been that as objects are developed for one application they will be placed into libraries, so future application developers would not have to reinvent the wheel all the time. SOA moves that concept one step further by exposing the methods of the object to the internet in a discoverable way, so that remote developers just need to be aware of the web service and not of the library at all. But allowing this type of access requires a trust relationship on both sides. It also creates a situation where data is transported across the public internet, where it is susceptible to interception. This has created a need to develop means of securing individual messages. Strong encryption is used to provide message-level security, but authentication is also a dilemma. It is an interesting problem and I will be breaking my paper up over the next few weeks into manageable bites for the blog.
