Thursday, April 19, 2012

REAL WORLD SOA APPLICATION SECURITY -- PART ONE: gain and maintain, vendor control.

"...The stories you are about to hear are true, the names have been changed to protect the innocent..."

What do I mean by "...gain and maintain, vendor control?..."? It's a takeoff on the sales guy mantra, "...gain and maintain, customer control...". I once sold encyclopedias for a living (after watching "Glengarry Glen Ross", I just had to experience this mindset on my own). People who make their paycheck selling you stuff are a unique category of life form; we classify them as human, but this, in retrospect, may be a mistake. When we started down this path with our main "...two second advantage..." vendor, they put their hearts and souls into a valiant attempt to "...gain and maintain, customer control...". When they finally realized that WE had turned the tables and "...gained vendor control...", the look on their faces told me that we had crushed their very souls. Oh well. They aren't paying me; my current employer is paying me, to deliver.

The crying, hand wringing, and actual screaming by the vendor employees was impressive. At the end of a meeting on Information Security Planning, one of the lead vendor System Engineers stayed behind, closed the door and told me (while screaming), "...I hate you, I hate working with you, I hate every breath I have to take on this project...". He was quite animated and quite serious. He actually looked relieved when Security walked him off the property that day; the stress of having to actually deliver and NOT dictate to the customer was more than he could bear.

The primary vendor's issue was that, " one does security like that!...". Oh, well, we are going to do it that way. "...We do security for Banks for crying out loud and even they don't want this much security...". Oh, well, I came from two of the world's largest financial services institutions and, sadly for YOU, I refuse to recreate the mistakes I saw there! In the end, the CIO and CTO backed my play with the purse strings and off we went. After briefing the CIO and CTO this week on progress with the Global User Provisioning Project (based on Oracle's IDM stack, more on this later), they were ecstatic. INFOSEC that delivers key business functionality is a new dynamic in the Board Room; bundle that with zero tolerance for F.U.D. and people get kinda jiggy about INFOSEC. It warms the cockles of my cold dark heart.

Sadly for them [my vendor], our approach to SOA and Web Services Security (right out of the OWASP and OASIS-OPEN playbooks) slowly began to gain traction, and surprisingly, that tired old horse [the vendor, that is] actually waddled over to the trough and began to drink.

Over the last two years, we've made dramatic strides, to the point where we had a nice, relaxing lunch meeting with that vendor and a few other big dogs in the Identity Mgmt space, and our primary vendor offered, on their own dime, to code up an XACML PEP to live in their JAVA Message Bus. No doubt they have big plans for selling this to other customers, and no doubt they will forget all about that quiet, afternoon-long lunch, but in the end, it's all about business requirements and results.

I wonder where that screaming vendor System Engineer is now?...


"SOA Security" an outstanding reference by Mr. Ramarao Kanneganti, available on Amazon here:

"Total Vendor Management: getting what you pay for" by ICN Inc, is also another excellent reference:
