Friday, December 22, 2006

Application Security Monitoring

I found the following quote by Microsoft's Ray Ozzie, in The Web 2.0 World According to Ozzie, to be fascinating:

"In terms of managing trust boundaries, one of the huge challenges that enterprises are going to have is...managing trust between components of composite applications...

"We believe there should be significant auditing within service components—such that when you do expose a partner to certain enterprise data...you have a complete record of the kinds of things that their app did."
(emphasis added)

I think Mr. Ozzie is advocating application security monitoring, a cousin of network security monitoring. If Mr. Ozzie is being as clever as I think he might be, he's realizing that it's going to be nearly impossible to run Web services and the like "securely." We're going to have to rely on monitoring and response since prevention will be far too complex. Resistance will be tried, but will be -- you guessed -- futile.

1 comment:

John Ward said...

Rich,

Running web service based applications securely is really no more difficult than running traditional applications securely. Web service packets can be subject to the same encryption schemes, authentication and verification schemes as any other application. The problem is that the people who are far too eager to jump into a service oriented architecture are still at the mind set that services are the holy grail of computing. I've seen web service based applications that require authentication tokens and encrypted service messages to run, although not as often since web services have not been as widely adopted.

Just because its a Ajax Enabled front end with a SOAP backend following a Web 2.0 architecture scheme doesn't mean that its any more or less secure than anlready existing apps. They will have their own unique set of issues that won't exist in other application, but they will also have many issues that they share in common.

Just because it may be percieved as futile doesn't mean they shouldn't try...