SOA's Hidden Danger

So when a press release from Progress Software with "rogue services" and "silent killer" at the top popped into my e-mail this week, I couldn't resist a look.

The basic idea is that SOA is great -- assuming a company's IT management is in full control of the SOA environment. But bad things can happen when SOA systems aren't centrally monitored and managed. Developers throughout a company can create unauthorized Web services that tap into an SOA system, and that can lead to all kinds of nasty surprises.

Granted, Progress Software has a vested interest here in that it's promoting its Actional Web services management and SOA runtime governance products. (Progress acquired Actional in January 2006 for $32 million.) But IT managers should listen when Dan Foody, Progress Actional products VP, sounds a warning.

"It's an issue if you don't know what you have in production in your IT environment," Foody argues.


Rogue Web services that circumvent IT approval processes to make it into production may not comply with a company's business policies or compliance mandates. Such a Web service embedded within a financial application, for example, could compromise a company's compliance with Sarbanes-Oxley regulations. Or it could create IT system havoc if it bypasses load-balancing technology to accomplish its task. Or an unauthorized service being tested could introduce fake data into the production system. Or data captured by an unsecured Web service could be vulnerable to hackers. You get the idea.

Foody says one customer site he visited had an SOA environment managing employee data with five authorized application services. But the system's performance was poor. After investigation, Foody discovered a total of 34 applications tapping into the employee data system. Overall, he says about 60 percent of the companies with SOA environments he visits have some kind of rogue application service in production.

Now understand we're not talking about malicious attempts by outside hackers or even insiders trying to sabotage an IT system. These are just employees, developers and other IT workers who, for whatever reason, opt to take a shortcut to get a Web service up and running.

Foody's argument is that relying on manual processes for monitoring what's running in an SOA is asking for trouble, and automated tools like Progress Actional are a critical element of any SOA system. Solution providers who work with SOA technology should take note.
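The reconciliation Foody describes, observed service consumers checked against the authorized registry, as an added Python example that is not the article's or Progress Actional's code; the access-log format, the application names and the authorized list are all constructed for the illustration:

```python
"""Reconcile the consumers seen in a service's access log against the
registry of authorized consumers. Added example; the log format, the
application names and the authorized set are constructed assumptions."""
import re
from collections import Counter

# Constructed access-log lines from a hypothetical employee-data service.
# Assumed format: <timestamp> client=<app> op=<operation> ms=<latency>
SAMPLE_LOG = """\
2024-05-01T09:00:01Z client=hr-portal op=GetEmployee ms=12
2024-05-01T09:00:02Z client=payroll-batch op=ListEmployees ms=840
2024-05-01T09:00:03Z client=hr-portal op=GetEmployee ms=11
2024-05-01T09:00:04Z client=dept-dashboard-test op=ListEmployees ms=1930
2024-05-01T09:00:05Z client=dept-dashboard-test op=ListEmployees ms=2105
2024-05-01T09:00:06Z client=badge-sync op=GetEmployee ms=9
2024-05-01T09:00:07Z client=bobs-report-script op=ListEmployees ms=1760
2024-05-01T09:00:08Z client=hr-portal op=UpdateEmployee ms=30
2024-05-01T09:00:09Z client=benefits-api op=GetEmployee ms=14
"""

# Authorized consumers as IT would record them in a service registry
# (constructed names; five services approved, as in Foody's anecdote).
AUTHORIZED = {"hr-portal", "payroll-batch", "badge-sync", "benefits-api", "recruiting"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) op=(?P<op>\S+) ms=(?P<ms>\d+)$"
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ms"] = int(rec["ms"])
    return rec


def inventory(log_text):
    """Per-consumer call count and total service time observed in the log."""
    calls, latency = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than fail the whole run
        calls[rec["client"]] += 1
        latency[rec["client"]] += rec["ms"]
    return calls, latency


def unauthorized_consumers(log_text, authorized=AUTHORIZED):
    """Consumers present in the log but absent from the registry, sorted."""
    calls, _ = inventory(log_text)
    return sorted(set(calls) - set(authorized))


def latency_share(log_text, authorized=AUTHORIZED):
    """Fraction of total service time spent serving unauthorized consumers;
    the figure that explains a 'performance was poor' complaint."""
    calls, latency = inventory(log_text)
    total = sum(latency.values())
    rogue = sum(latency[c] for c in calls if c not in authorized)
    return rogue / total if total else 0.0


if __name__ == "__main__":
    calls, latency = inventory(SAMPLE_LOG)
    print(f"observed consumers: {len(calls)}, authorized: {len(AUTHORIZED)}")
    for c in unauthorized_consumers(SAMPLE_LOG):
        print(f"  unauthorized: {c} calls={calls[c]} total_ms={latency[c]}")
    print(f"unauthorized share of service time: {latency_share(SAMPLE_LOG):.0%}")
```

Run against the constructed log, the check finds two consumers that are not in the registry (a developer's test dashboard and a personal report script) and shows they account for most of the service time. A governance tool does the same comparison continuously, from the service gateway's own traffic, so that the gap between "five authorized" and "34 actually calling" is reported the day the 34th appears rather than discovered during a performance investigation.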

What's your experience with implementing and managing service-oriented architecture technology? I plan to look at this issue in future articles, so drop me a note at [email protected].