

Machiavelli's SOA: Toward a Theory of SOA Security

Published: December 07, 2010 • SOA Magazine Issue XLV
Abstract: Among the most perplexing issues facing the design of a SOA is that of security. In this paper, we reach back four centuries for guidance on how to build SOA security.


"Am I politic?" asks the host of the Garter Inn in Shakespeare's Merry Wives of Windsor. "Am I subtle? Am I Machiavel?" Over the last four centuries, Niccolò Machiavelli (1469-1527) has been called worse things than "subtle". Machiavelli's name has become a synonym for intrigue, and his most famous book, The Prince, has been regarded as a blueprint for amorality [REF-1]. Joseph Stalin kept a copy of this book on his bedstand, and Benito Mussolini incorporated Machiavelli's ideas into his fascist regime. On the other hand, progressives such as presidents Woodrow Wilson and Theodore Roosevelt praised the Italian diplomat for his republican ideals. But the challenge of his slender volume is that it may not be what it purports to be: a manual for newcomers to power and a plea to the Medici to drive foreigners from Italy. It could be satire or a practical joke, and more than one tyrant has dug his grave on Machiavelli's bum steers. But The Prince is also bestrewn with insights. Machiavelli's assessment of human nature in relation to security can also help us as we design our enterprise's SOA security.

Figure 1 – Santi di Tito's Machiavelli, 16th Century
Wikimedia Commons

  1. SOA-S presents unique challenges.
  2. Machiavelli's The Prince with an understanding of current SOA approaches can address those challenges.

Machiavelli and Truth

Machiavelli's foundational premise is the criticality of road-tested truth. In his preface to The Prince, first published in 1532, he addresses Lorenzo Di Piero De' Medici: "Desiring therefore to present myself to your Magnificence with some testimony of my devotion towards you, I have not found among my possessions anything which I hold more dear than, or value so much as, the knowledge of the actions of great men, acquired by long experience in contemporary affairs, and a continual study of antiquity; which, having reflected upon it with great and prolonged diligence, I now send, digested into a little volume, to your Magnificence."

Machiavelli was trying to transform experience and learning into rules of applied ethics. He differs from the great German philosopher of the 19th century, Immanuel Kant (1724-1804). Kant emphasizes the need to separate morality from empirical considerations. But, like Kant, Machiavelli is striving to universalize governance rules along the same lines as the categorical imperative: "Act only according to that maxim by which you can at the same time will that it should become a universal law." For Machiavelli, establishing what is real or true comes before ethics. And the drive for security remains for him a rule-governed activity, a moral world of permissions and prohibitions, at the center of which is a striving for truth, imperfectly as it may be apprehended.

Machiavelli's View of Man

Machiavelli writes that people "are ungrateful, fickle, false, cowardly, covetous, and as long as you succeed they are yours entirely; they will offer you their blood, property, life, and children, as is said above, when the need is far distant; but when it approaches they turn against you." He saw the interests of consultants, or what he called mercenaries, as a threat. "Mercenaries and auxiliaries are useless and dangerous; and if one holds his state based on these arms, he will stand neither firm nor safe."

What are we to make of this? Should we distrust everyone and fire our consultants? Machiavelli tries to look at humanity as realistically as possible. He saw that fear, greed, and credulousness are the constants through the ages and that all people are driven by passions, even though they may be blind to those passions.

Machiavelli's great contribution to security is that he teaches us not to trust in the altruism, virtue, and rationality of humanity, in our technology, or in ourselves. He challenges us to look past the sugarcoating of life's realities. And one of those realities is that security breaches always come from people rather than from systems. It surely is true that consultants are more than happy to fill a policy-making vacuum, that thieves will steal credit card numbers when there is the opportunity, and that the greatest threat to an enterprise is inertia and myopia.

Machiavelli and the Problem of Security

The Institute for Security and Open Methodologies (ISECOM) defines security as "a form of protection where a separation is created between the assets and the threat." Security exists only in the same sense that unicorns and Utah exist: as mental buckets that have no meaning in themselves but come to life as they are filled with meaning from use. It is a fluid term and it is also in part a psychological projection. That security has a subjective component means that companies tend to minimize threats and underfund their security.

While Machiavelli suggests many things that the Prince can do to keep himself safe, he concludes with a reduction to absurdity: "In fact, destroying cities is the only certain way of holding them." In modern terms, he might say that the only secure SOA is a nonexistent SOA. This only makes sense when we consider that Machiavelli was a conservative who despaired of his conservatism: "No government should ever believe that it is always possible to follow safe policies. Rather, it should be realized that all courses of action involve risks: for it is in the nature of things that when one tries to avoid one danger, another is always encountered. But prudence consists in knowing how to assess the dangers, and to choose the least bad course of action as being the right one to follow."

Thus, lasting security for Machiavelli is unattainable and threats are ceaseless. Machiavelli's tragic vision raises the question: if all is deceit, why should anyone trust a Prince? Companies now have it within their means to build a technocratic caste that will deploy the kind of systems that intrude into people's privacy as the desire for security overrides the need for freedom and accountability. And the irony is that such intrusions can be more destructive to the company's brand than any Trojan horse. Machiavelli recognizes this danger and repeatedly stresses that the best security a Prince can possess is the loyalty of his people, good laws, and good weapons. "Therefore the best fortress is to be found in the love of the people, for although you may have fortresses they will not save you from the hatred of the people." The loyalty of customers, shareholders, and employees is no less important to enterprise security than a robust SOA-S.

Machiavelli's Scaffolding for SOA-S

Here are the lessons of Machiavelli's thought as they apply to SOA-S.

  1. Good security rests on a clear assessment of human nature, threats, intentions, and capabilities.
  2. Good security must buttress technology, or what Machiavelli called fortresses, with universal values.
  3. Good security is transient and perfect security is an illusion.

Our Scaffolding for SOA-S

A SOA-S theory might consist of the following:

  1. SOA-S Objectives
  2. SOA-S Threats
  3. SOA-S Standards
  4. SOA-S Appliances
  5. SOA-S Trends
  6. What Shall I Do?
  7. We Must Learn

SOA-S Objectives

  1. SOA-S must promote confidentiality. Confidentiality protects the privacy of the message. It must prevent the unintentional exposure of information, sniffing, or keystroke monitoring.
  2. SOA-S must promote privacy. There must be no unwanted intercepts while transmitting a message. It should protect personally identifiable information (PII), digital identity, and credentials from disclosure.
  3. SOA-S must promote integrity to ensure that data and data access are consistent and that data has not been altered in transit.
  4. SOA-S must promote availability and availability history to ensure reliable and timely access to authorized data and resources. An example of a loss of availability is a denial of service (DoS) attack.
  5. SOA-S must promote federated authentication, the process of ensuring that users are who they say they are.
  6. SOA-S must enforce authorization. It defines roles such as "manager" and membership of groups.
  7. SOA-S must provision services based on group membership or specific attributes. Access management qualifies a consumer for access to an application or service.
  8. SOA-S must support legal mandates and compliance requirements.
  9. SOA-S must enforce enterprise audit policies. It must state business rules that govern execution.
  10. SOA-S must express identification. For a service request to access a secure service provider, it must first make a claim that expresses its origin and ownership.

Figure 2 – SOA-S Reference Model

SOA-S Threats

  1. Entities outside of the local trust domain consume services. Confidential data passes the domain's trust boundaries. Authentication and authorization data is communicated to external trust domains. Readable XML introduces new threats. XML flexibility is also its primary defect.
  2. Every new technology creates new security concerns. Threats are implicit in mobile devices, such as palmtops, and in hardware, such as the impact of the loss or theft of laptops. The greatest threat comes from people: weak passwords, sloppy administration, and insider sabotage.
  3. Web service threats include the following:
     Message alteration
     Loss of confidentiality
     Falsified messages
     Man in the middle
     Forged claims
     Capture-replay of message
     Replay of message parts
     Denial of services
     XML external entity attacks
     XPath, field, or SQL injection
     Harmful SOAP attachments
     XML dereference attacks
     XML recursion attacks
     XML document size attacks
     XML flooding
     Dictionary attack
     Cookie poisoning
     Data tampering
     Message snooping
     WSDL enumeration
     Routing detour
     Schema poisoning
     Malicious morphing
     Memory barrier breach
     XML virus
     Buffer overflows
     Recursive elements
     Resource hijacking
     Cross site scripting
     Malicious file execution
     IP spoofing
     Malicious programs
     Identity theft
     XML parser attacks
     Jumbo payloads
     ...and many more

Figure 3 – Attacks from the Global Village [REF-2]
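Several entries in the list above (XML external entity attacks, XML recursion attacks, XML document size attacks, jumbo payloads, XML parser attacks) can be turned away before a message ever reaches business logic. The following pre-parse gate is an added example written for this edition; it is not code from the article or from any product the article names, and the size and depth limits are assumptions to be tuned per deployment. It uses Python's built-in expat bindings as an event-based scanner: any DOCTYPE or entity declaration is refused, nesting depth and byte size are capped, and malformed XML is rejected with the same exception type so the caller has a single decision point.

```python
"""Pre-parse gate for inbound XML/SOAP messages (added example, not from the article).

Rejects, before any business logic runs, the message classes the article's threat
list names: oversized documents, deep nesting, and any DTD/entity declaration
(external entities or entity expansion).
"""
import xml.parsers.expat

MAX_BYTES = 1_000_000   # assumption: per-deployment size cap for one message
MAX_DEPTH = 32          # assumption: legitimate SOAP envelopes stay far shallower


class XmlRejected(Exception):
    """Raised when a message violates one of the gate's limits or is malformed."""


def check_xml_message(data: bytes, max_bytes: int = MAX_BYTES,
                      max_depth: int = MAX_DEPTH) -> dict:
    """Scan `data` with an event-based parser and enforce the limits.

    Returns a small summary (element count, maximum depth) on success and
    raises XmlRejected otherwise. No document object is built, so the cost is
    linear in message size and bounded by max_bytes.
    """
    if len(data) > max_bytes:
        raise XmlRejected(f"document size {len(data)} exceeds {max_bytes} bytes")

    parser = xml.parsers.expat.ParserCreate()
    state = {"depth": 0, "max_depth": 0, "elements": 0}

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # A DOCTYPE is the only place entities can be declared; SOAP has no
        # legitimate use for one, so refuse outright rather than inspect it.
        raise XmlRejected("DOCTYPE declarations are not accepted")

    def on_entity_decl(*args):
        raise XmlRejected("entity declarations are not accepted")

    def on_external_entity(context, base, system_id, public_id):
        raise XmlRejected("external entity references are not accepted")

    def on_start(name, attrs):
        state["depth"] += 1
        state["elements"] += 1
        if state["depth"] > max_depth:
            raise XmlRejected(f"nesting depth exceeds {max_depth}")
        state["max_depth"] = max(state["max_depth"], state["depth"])

    def on_end(name):
        state["depth"] -= 1

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_entity
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end

    try:
        parser.Parse(data, True)   # exceptions raised in handlers propagate here
    except xml.parsers.expat.ExpatError as exc:
        raise XmlRejected(f"malformed XML: {exc}") from exc
    return {"elements": state["elements"], "max_depth": state["max_depth"]}


def is_accepted(data: bytes, **limits) -> bool:
    """Convenience wrapper: True if the gate passes the message, False if it rejects it."""
    try:
        check_xml_message(data, **limits)
        return True
    except XmlRejected:
        return False


# Constructed sample messages (not captured traffic).
SAMPLE_SOAP = (b'<?xml version="1.0"?>'
               b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
               b'<soap:Body><GetQuote><Symbol>ACME</Symbol></GetQuote></soap:Body>'
               b'</soap:Envelope>')
SAMPLE_DOCTYPE = (b'<?xml version="1.0"?>'
                  b'<!DOCTYPE note [<!ENTITY big "aaaaaaaa">]><note>&big;&big;</note>')
SAMPLE_DEEP = b"<r>" + b"<n>" * 40 + b"</n>" * 40 + b"</r>"   # 41 levels deep
SAMPLE_MALFORMED = b"<a><b></a>"

if __name__ == "__main__":
    print("soap     :", check_xml_message(SAMPLE_SOAP))
    for label, sample in [("doctype", SAMPLE_DOCTYPE), ("deep", SAMPLE_DEEP),
                          ("malformed", SAMPLE_MALFORMED)]:
        print(f"{label:9}:", "accepted" if is_accepted(sample) else "rejected")
    print("jumbo    :", "accepted" if is_accepted(SAMPLE_SOAP, max_bytes=64) else "rejected")
```

The gate rejects every DOCTYPE rather than trying to tell harmful entity declarations from benign ones: a blanket rule is easier to audit than a list of exceptions, and it is the kind of filter an XML gateway of the sort described under SOA-S Appliances would apply in front of the service provider.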

SOA-S Standards

  1. SOA is generally realized through web services. Thus, SOA-S is generally about web services security. The WS-* security framework fulfills quality-of-service (QoS) requirements that enable enterprises to realize service-oriented solutions for the processing of data and to restrict service access as required. WS-* security extensions complement single sign-on and other forms of centralized security.
  2. We must consider what the standard does not do. Compliance with standards is not a provider responsibility.
  3. WS-Security, XML-Signature, and XML-Encryption are the three core WS-* specifications. Related SOA security specifications include WS-Privacy, WS-Federation, WS-Provisioning, XACML, XML Key Management, SAML, .NET Passport, Secure Sockets Layer, and the WS-I Basic Security Profile.

Figure 4 – The SOA-S Standards Stack

SOA-S Appliances

  1. An appliance is a closed, sealed, dedicated hardware device that supplies a specific function. SOA appliances simplify, accelerate, and improve security, scalability, performance, and integration. Appliances secure, transform, and route web service calls to the appropriate service providers, facilitate scaling and stability across multiple servers and JVMs, provide content-based load balancing, and filter and validate incoming XML traffic.
  2. Appliances capture events to facilitate web services management, enable business visibility, and support WS-Security standards. XML appliances include XML accelerators and gateways.
  3. Machiavelli would say that such security devices provide the illusion of security. As a thought experiment, consider a system with Director of Central Intelligence Directive (DCID) certified appliances, biometric identification, and no internet access. Would we have a secure network? Stuxnet, a computer malware worm that may have been designed to debilitate Iran's nuclear program, penetrated such environments. "There has been widespread fear about attacks that jam or damage large financial networks, the electronic power grid, power plants, transportation systems or any of the modern infrastructure underlying industrial economies. In many cases, the first step in securing these systems has been to ensure that they are entirely separated from the Internet. However, even if they are separated from the Internet, in many cases they use the internal networks based on the Internet protocol, as well as common computing equipment, like Microsoft and Intel-based computers. That means they remain potentially vulnerable to a 'sneaker-net' attack, in which a malicious program is physically carried into an isolated network either accidentally or by an intruder" [REF-3].

Figure 5 – SOA-S Deployment Scenario

SOA-S Trends

  1. SOA-S is moving to dedicated hardware, bolt-on identity appliances, and clouds.
  2. Well-funded ideologically-motivated state-sponsored cyber-terrorism and financially-motivated organized crime are the future.
  3. We are in an arms race between threat capabilities and trust capabilities.

What Shall I Do?

Figure 6 – The Execution of Lady Jane Grey, Paul Delaroche, 1833
Wikimedia Commons

The painting above shows the last moments of the doomed sixteen-year-old, who was beheaded for high treason in 1554. "What shall I do? Where is it?" were Lady Jane Grey's penultimate words as she groped for the executioner's block. The same pathetic words could apply to disoriented enterprises under security attack. "Only the Paranoid Survive" is the title of a book by Andrew Grove, former chairman and CEO of Intel. "When it comes to business, I believe in the value of paranoia. Business success contains the seeds of its own destruction," Grove writes in the preface. "The more successful you are, the more people want a chunk of your business and then another chunk and then another until there is nothing left. I believe that the prime responsibility of a manager is to guard constantly against other people's attacks and to inculcate this guardian attitude in the people under his or her management" [REF-4]. For Grove, companies are constantly teetering on the cusp of what he calls strategic inflection points that could either take profitability to new levels or down to zero. One such point is the kinds of threats that face SOAs.

While I get Grove's point, I cannot endorse paranoia as a viable business model. Paranoia is not realism. It's a psychological term reflecting a level of fear and anxiety that denotes delusion and irrationality. Stalin, for example, gave his countrymen the Great Purge and the Berlin Wall. Yet, he marginalized NKGB intelligence for Operation Barbarossa, the invasion of the Soviet Union in 1941. Analogously, decision makers sometimes respond in ways that are similarly disconnected from reality. Expanding staff and increasing funding won't always mean a better SOA-S.

Machiavelli's rejection of security as a static state teaches us that we must discern between what is and how we need to think when it comes to SOA-S. A SOA-versus-intruder game is a non-cooperative, asymmetric, non-dyadic, non-zero-sum, simultaneous, continuous game of imperfect information, analogous to the relationship between nations and terrorist entities. Games such as contract bridge and stud poker, where there is bluffing and uncertainty, are reflected in the conflict between businesses or nations. But what if we changed the premise of SOA-S so that it becomes a game of perfect information? Such a premise is not paranoia; it is a way of looking at security from a war-gaming perspective. For example, we might ask ourselves: what are the security implications if attackers knew all of our system passwords?

Games such as chess, where victory and defeat rest on the last move and all information is transparent, are not reality, but they are a more realistic security construct, as they assume that knowledge between opponents is equitable and that only forward strategic thought and counter-thought remain. For SOA-S, this means that we must assume that whatever tools and skills we have, they must be equal to the tools and skills of the attackers.

Machiavelli doesn't suggest we publish our passwords, schematics, or plans. To the contrary, much of the opprobrium The Prince has received over the centuries comes from Machiavelli's use of lies as a bodyguard for truth and subterfuge as a bulwark for security. But he does insist that we cannot be complacent by assuming that we are fortune's favorite, as ruin can turn on seemingly trivial events: "I hold it to be true that Fortune is the arbiter of one-half of our actions, but that she still leaves us to direct the other half, or perhaps a little less. I compare her to one of those raging rivers, which when in flood overflows the plains, sweeping away trees and buildings, bearing away the soil from place to place; everything flies before it, all yield to its violence, without being able in any way to withstand it; and yet, though its nature be such, it does not follow therefore that men, when the weather becomes fair, shall not make provision, both with defenses and barriers, in such a manner that, rising again, the waters may pass away by canal, and their force be neither so unrestrained nor so dangerous."

The Open Web Application Security Project (OWASP) suggests a manage, model, assemble, and deploy approach to SOA-S. A subject of this importance is a deep, ever-deepening current of concepts and technology. Like Machiavelli, I've tried to translate information and experience into an outline of a plan. But my paper "passes no judgments, and expresses no preferences. It merely tries to explain; and the explanations, all of them theories, are in the nature of suggestions even when they are stated in a categorical tone. I can do no better than quote Montaigne: 'All I say is by way of discourse, and nothing by way of advice. I should not speak so boldly if it were my due to be believed'" [REF-5].

Figure 7 – OWASP [REF-6]


  1. Leadership. On topics other than security, I might be tempted to advise the formation of yet one more committee. Here's a better idea. Let's not form a committee. This topic begs for intelligent top-down intentionality from a decision maker. The impetus for heightened security must come from someone who has the authority to make SOA-S happen.
  2. Governance. As SOA-S commences, put in place SOA-S governance (SOA-SG). A SOA-SG would establish decision rights, design services, manage assets, measure effectiveness, provide security and credential mapping to ensure proper use of services, decide cross-jurisdictional issues, apply security policies consistently, check for compliance across products and tools, and establish policies that relate to firewall filtering, access control, and privacy. Exact penalties for security non-compliance and litigate all security intrusions. Put fresh eyes on security by giving security consultants the freedom and the incentives to find enterprise vulnerabilities from both the intranet and the extranet. Enforce the penalty for non-performance or intrusion contractually, with an unlimited-liability clause for cloud providers.
  3. Psychological Set and the Myopia of Brilliance. Of particular importance is the need to break psychological set. This is the phenomenon in which we are inclined to believe what we expect to believe. The most catastrophic security failures that occur in an enterprise arise not from a lack of knowledge or from failures in software or hardware, but from a character flaw where people think they know but do not know. The myopia of brilliance is a condition where intelligent people make stupid mistakes. The problem is that these people are reluctant to re-examine their assumptions, considering that a sign of weakness. They may also be afraid to challenge group norms, an assumed consensus. Thus begins the mutual pressuring to conformity, as the illusion of invulnerability and the rationalizing away of doubts grip the organization. Machiavelli's solution: "With these councilors, separately and collectively, he ought to carry himself in such a way that each of them should know that, the more freely he shall speak, the more he shall be preferred; outside of these, he should listen to no one, pursue the thing resolved on, and be steadfast in his resolutions. He who does otherwise is either overthrown by flatterers, or is so often changed by varying opinions that he falls into contempt." These blinders persuade us that walls of titanium surround our systems while overlooking the worm holes formed by personal affiliation and a narrative of shared history and values. People don't join "syndicates", "cults", "gangs", and "terrorists". They hang out with family and friends. Love for self, clan, tribe, and country may indeed make the world go around, but it can also bring a SOA-S to its knees. For love, when reciprocated by trust and when it spans security domains, can be an enterprise's Achilles' heel. We are born to trust, but trust can be our death. It is this certitude that imperils our SOA-S as nothing else does.


  1. Risk Assessment. Conduct a risk assessment, including an inventory of applications or services. A risk assessment will help engage business process owners and inventory existing systems, and it may lead to the discovery of redundant efforts for authenticating access to services.
  2. Security Analysis. Write business-oriented SOA-S use and abuse cases. A successful identity infrastructure requires stepping outside of the departmental and divisional silos used for applications and thinking holistically about identities and the interdependencies that exist.
  3. Best Practices. Require in procurement requests for proposals that service providers be able to integrate with federated identity and authorization services. Avoid tight coupling to policy. Separate business logic and security logic, so that changes in security policy do not require client integration.


  1. Identity Management System. Commercial vendors can provide useful starting points for developing an IMS. Enable external access through federation to support authentication for remote requests for trust services by working to link providers with (for example) SAML and Shibboleth.
  2. Decouple and Reuse. Decouple security from business processes. Design reusable interceptors and security logic for all services and clients. Transform intents into concrete security configurations. Generate security configurations by model transformation.
  3. Performance. Plan for performance, scalability, and availability. Security services should be implemented without any compromise as to performance. The SOA-S must be able to scale as content and the user base grow. As network calls to confidentiality, integrity, authentication, and cryptography security services increase, performance and availability degrade. XML induces overhead. XML accelerators and firewalls try to solve those problems. Performance monitoring is a safeguard against denial of service, where an attacker causes the system to expend resources disproportionately such that valid requests cannot be met.


  1. Separate Concerns. Consider separating regulated and non-regulated environments. Mixing regulated and non-regulated concerns within the same technical architectural layer increases security complexity.
  2. Data Mining. Use data mining to predict attacks on SOA web services. Based on the time to parse a message, we can predict a message alteration attack. Based on message size, we can predict a message eavesdropping attack. Validate the federated identity management requirements, notional architecture, and service policies before deployment.
  3. Measure. Establish baseline metrics and retain a measurement history. It's a truism that we cannot manage what we cannot measure. The corollary, however, is that management of measures is not the measure of management. Just as SOA is not technology, security is much more than technology, as is SOA-S. To properly secure our SOA, we must look at our enterprise holistically, continuously, broadly, and deeply.

We Must Learn

Machiavelli warns us that attacks on our security are inevitable. If we regard such intrusions as one-offs, the band-aid we apply and the hand-wringing we do are no remedy for the cancer that will permit intrusions to happen again. The best approach is to regard every virus or denial of service incident as an opportunity to look anew at the security that rings our SOA. We must learn. We must find out all we can about the nature of the attack and the nature of the vulnerabilities that span our organization and then methodically address those vulnerabilities at the enterprise level. "Knowing is not enough," said Goethe. "We must apply. Willing is not enough. We must do." Sources for ongoing education and guidance on understanding and resolving security issues include the following:

Organization: How They Can Help

Security Education and Collaboration
  The SysAdmin, Audit, Network, Security Institute: SANS is a cooperative information and computer security research and education organization.
  The Open Web Application Security Project: OWASP is an open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted.
  The Center for Internet Security: CIS is a non-profit enterprise that helps organizations reduce the risk of business and e-commerce disruptions resulting from inadequate technical security controls.
  Project Higgins: Project Higgins is an open source identity framework designed to integrate identity, profile, and social relationship information across multiple sites, applications, and devices, working with all popular digital identity protocols, including WS-Trust, OpenID, SAML, XDI, LDAP, and so on.
  The Globus Alliance: The Globus Alliance is an international collaboration that conducts research and development to create fundamental grid technologies.

Standards Development
  PKIX Working Group: The PKIX Working Group was established with the goal of developing Internet standards to support X.509-based Public Key Infrastructures (PKIs).
  The Institute for Security and Open Methodologies: ISECOM is an open, non-profit collaborative community dedicated to providing practical security awareness, research, certification, and business integrity.
  World Wide Web Consortium: The W3C is an international community where member organizations, a full-time staff, and the public work together to develop Web standards.
  Organization for the Advancement of Structured Information Standards: OASIS is a consortium that drives the development, convergence, and adoption of open standards for the global information society.
  Object Management Group: OMG's mission is to develop enterprise integration standards that provide real-world value.

Industry Specific Standards Organizations
  Financial Information eXchange: The FIX protocol is a series of messaging specifications for the electronic communication of trade-related messages. It has been developed through the collaboration of banks, broker-dealers, exchanges, industry utilities and associations, institutional investors, and information technology providers from around the world.
  Health Level Seven: Health Level Seven International (HL7) is an ANSI-accredited standards developing organization dedicated to providing a comprehensive framework and related standards for electronic health information that supports health services.
  Association for Cooperative Operations Research and Development: ACORD is a standards development organization serving the insurance industry and related financial services industries.


Any theory of security has its limits, as suggested by this story about the greatest icon of security ever made, the 5,500-mile-long Great Wall of China. A great mathematician, the sage Sen Chu, believed that numbers could explain the pattern of human life. He compiled long columns of figures to prove China could never be invaded. His figures were right, but his answer was wrong. Sen Chu, his brilliant calculations before him, was choked to death by the hands of an invading Tartar, who could not add. Perhaps the most outstanding example of a technological security failure of the 20th century was France's Maginot Line, which melted in the blitzkrieg of panzers and Stukas of the Third Reich. As much as we would like to have a unified theory of SOA-S, it can never be. There will always be something crucial that eludes us, lemmas we miss, technologies that fail, and people that find yet new ways to break our SOA.

Machiavelli writes that "since it is necessary for the prince to use the ways of beasts, he should imitate the fox and the lion, because the lion cannot defend himself from snares and the fox cannot defend himself from wolves. Therefore, it is important to be a fox in order to understand the snares and a lion in order to terrify the wolves." Machiavelli asks us to look to both the lion and the fox: the lion for strength and the fox for cunning. In business terms, perhaps this can be SOA technical mastery combined with situational astuteness.

History has weighed Machiavelli's genius and has rendered a positive verdict. He reminds us that we can be fooled by our sentimentality and our simplicity. It is no small thing to see things as they really are. Fortresses, be they of bricks or of appliances, are no final answer to the problem of security, and the real answer must lie in our vigilance. Machiavelli gave the rules of modern statecraft and also rules for guiding us in our design of a SOA-S. And, as the father of political science and Italy's first patriot, it is fitting that these words are inscribed on his tomb in the Church of the Holy Cross, alongside those of Florence's most famous sons: "So great a name no praise can hallow."


[REF-1] The Prince, Niccolò Machiavelli, 1532. I used the Project Gutenberg e-book translation for this article, which is presented as a single long HTML page.

[REF-2] Thomas Friedman uses the flatness of the earth as the title of his best selling 2005 book and as a metaphor for viewing the world as a level playing field in terms of the challenges and opportunities of world commerce. The expression "global village" from Marshall McLuhan goes back to the mid 1960s, and is a metaphor of the interdependency and social immediacy that technology imposes. McLuhan predicts that the Global Village creates conditions for increasing conflict and crime.

[REF-3] John Markoff. "A Code for Chaos". The New York Times, October 3, 2010, 5.

[REF-4] Andrew Grove, Only the Paranoid Survive: How to Exploit the Crisis Points That Challenge Every Company, Crown Business, 1999.

[REF-5] Eric Hoffer, The True Believer: Thoughts on the Nature of Mass Movements, TIME, Inc., 1951, xxix.

[REF-6] Iris Levari, "SOA Security", OWASP, December, 2007.


I wish to thank the following individuals who reviewed and critiqued my paper: Steve Wisner, Director, IT, Genworth Financial; Robert Peters, Principal Systems Engineer, Choice Hotels International; Brian Mericle, Principal Systems Engineer, Choice Hotels International; and Stephen Gill, Chief Scientist, Team Cymru.