[ISN] SOA-based system compels security overhaul at hotel chain

From: InfoSec News (alerts@private)
Date: Thu Mar 13 2008 - 00:09:49 PST


http://www.networkworld.com/news/2008/031208-soa-security-starwood.html

By Ellen Messmer
Network World
03/12/2008

ORLANDO -- Building a central reservation system based on cutting-edge 
Service-Oriented Architecture technology has meant a decisive overhaul 
in underlying IT security at hotel group Starwood Hotels & Resorts 
International.

Patrick Foley, director of global technology compliance at Starwood, 
whose hotel chains include St. Regis, Sheraton and Westin, this week 
described how the move to XML-enabled SOA for a new central reservation 
system has impacted the underlying corporate security in sometimes 
unexpected ways. SOA, in defining systems as flexible services, has 
meant existing perimeter security is no longer as effective, encryption 
is more difficult, and logging requirements are intensified for audit 
and regulatory compliance. Foley, who spoke about Starwood's shift to 
SOA at the Infosec World Conference in Orlando, provided insight on 
security consequences of SOA.

"Service-oriented architecture defines systems as a series of services," 
said Foley. "It's the ability to link services together in a way that 
they can be used in many different processes, including credit-card 
authorization. The good thing is, you can go global, no longer limited 
by your data center or network."

However, the transformation must also be on the security level, Foley 
emphasized, acknowledging that Starwood's first SOA project, launched a 
few years back by an enthusiastic IT department eager to use the latest 
software development techniques, suffered a few setbacks that slowed it 
down.

The chief problem early on was failing to understand how necessary it 
was to bring in a security architect to advise developers on how to 
build SOA according to security standards, such as those promulgated by 
OASIS and the W3C.

"You will need a security architect," advised Foley, noting that 
Starwood ended up turning to a data architect to be the security 
architect for the SOA-based central reservation system. Some of the 
security impact that Starwood has seen in the evolution of the new 
reservation system, now undergoing beta testing, is that SOA engenders 
far more logging and auditing, which must be done for regulatory 
compliance.

As a consequence, Starwood acquired a security information management 
system — this one being the RSA envision product from EMC — to handle 
the logging needed to satisfy regulatory compliance, including the 
Payment Card Industry guidelines. "With Web services, your logs are 
everywhere the services are," Foley noted, adding this logging adds to 
corporate network traffic.

Another challenge associated with SOA's Web services is determining how 
to encrypt and otherwise secure data traffic when it's not as 
centralized.

"The initial reaction was, 'Let's just encrypt everything,'" Foley said. 
But it quickly became apparent that encrypting all traffic put a huge 
load on the corporate infrastructure and also brought in issues of key 
management.

Adjustments had to be made to selectively encrypt the more sensitive 
data. Another hurdle was finding new approaches to security because with 
Web services, "the perimeter controls are less effective than with only 
an internally managed system,"  Foley said. He added that although a lot 
of the key data will still be stored behind a firewall, some will not. 
Hardening servers, and making sure hosting providers adhere to security 
guidelines as well, becomes more important than ever.

Intrusion-detection/prevention systems take on greater importance with 
SOA, Foley said, "because you may have to leave your firewall more 
open." One adjustment has been to segment off the network more 
internally to create more trusted areas that are harder to access.

All of these security questions that arise with Web services should be 
tackled before gung-ho software developers go about building critical 
SOA-based systems, Foley cautioned.

"Developers aren't going to stop developing while you're busy trying to 
determine how to encrypt someone's credit card," he pointed out. 
Appointing a security architect as chief guide on an SOA project is one 
of the best ways to "save your organization from going over the edge," 
Foley concluded.

All contents copyright 1995-2008 Network World, Inc.



___________________________________________________      
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn 



This archive was generated by hypermail 2.1.3 : Thu Mar 13 2008 - 00:24:20 PST