Securing Data Beyond PCI in a SOA Environment: Best Practices for Advanced Data Protection

Abstract

New business models rely on open networks with multiple access points to conduct business in real time, driving down costs and speeding responses to revenue generating opportunities. That's the good news. The bad news is that this modern business architecture is often riddled with vulnerabilities that can easily be exploited to gain unauthorized access to sensitive information. To make life even more exciting, you can't rely on traditional best practices like establishing strong boundaries around critical applications to secure SOAs or you'll be defeating the features and flexibility that SOA brings to the enterprise. Another attractive feature of SOAs is the use of standardized contracts and contract retrieval methods, which make life much easier for developers, authorized users and malicious hackers. Using a collection of freely available contract descriptions a hacker can target weakly authenticated or high-value services, easily penetrate an improperly secured SOA, eavesdrop on SOAP message traffic and see information that may be private. In addition, it is relatively easy to intercept a SOAP message in an unsecured SOA and reroute it or transform its content for purposes of mischief or fraud. Layers of security - including integrated key management, identity management and policy-based inforcement as well as encryption are essential for a truly secure SOA. This article reviews a practical implementation of a transparent, risk-based management approach that can be used to lock down sensitive data utilizing policy driven encryption and key management for data-at-rest and in-transit across enterprise systems.