The Security Challenges of Web Services

May 20, 2002 (Computerworld) -- Security is the No. 1 factor keeping many IT managers from deploying Web services. But don't tell that to Matt Hird, director of IT at Superior Information Services LLC.

Hird relies on well-known, proven security protocols, such as virtual private networks (VPN) and Secure Sockets Layer (SSL), to protect bankruptcy, real estate and other public information Superior provides to its customers using Web services. Hird says the Trenton, N.J.-based information broker considered more elaborate security safeguards but decided "the business risk isn't there to justify the investment."

Many IT managers, afraid to expose their Web services to the outside world until new security standards are firmly in place, are deploying Web services only within their firewalls. But some IT managers are moving Web services beyond the firewall, especially to handle relatively low-risk transactions with trusted business partners. Other Web services pioneers are very large companies that need to provide secure access to critical systems and can afford the specialized tools and skills required to secure Web services before standards-based Web security tools emerge sometime next year.

Web services refers to the use of Web-based standards such as XML; Universal Description, Discovery and Integration (UDDI); and Simple Object Access Protocol (SOAP) to link applications running on different platforms.

Unlike previous approaches that required custom coding or expensive middleware to link individual applications, Web services aim to expose key functionality within applications (such as the ability to see the balance in your checking account or to place an order from a factory) to other applications as required when business needs change.

But this ease of integration also brings risks. When a Web service connects you to a business partner, you rely on that business partner to properly authenticate, or vouch for the identity of, users at their end of the transaction. That means an intruder who has gained access at a supplier, for example, could use that improper authentication to invade systems of the supplier's customers.

To prevent such break-ins, Web services architects must look beyond application-level security measures and create access control, authentication and encryption capabilities that can follow queries and responses as they cross system and corporate boundaries.

Web services security standards aim to do that by building security into key Web services standards such as XML. The XML Key Management Specification (XKMS) will define how to register and distribute XML-based public keys to encrypt and decrypt documents, even if the sender and recipient have never done business with each other before.

The Security Assertion Markup Language (SAML) will use XML to exchange information about which users have been authenticated and what data they are authorized to see.
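As an added illustration, not code from the article or from any vendor it names, the Python below models the message-level check that standards like SAML aim to make portable: the receiving service verifies a signed identity assertion from a partner itself, checking issuer, audience and expiry, instead of relying only on the partner's word and SSL on the wire. The element names, the partner key table and the use of an HMAC in place of an XML Signature are assumptions made so the example runs offline.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed for this example: signing keys of known partners, shared out of
# band. A real SAML assertion carries an XML Signature; an HMAC over the
# assertion's fields stands in for it so the block runs offline.
PARTNER_KEYS = {"supplier-example": b"constructed-demo-secret-not-for-production"}


def _signing_input(issuer, subject, audience, not_after):
    # Bind every field the receiver will act on into the signed data.
    return f"{issuer}|{subject}|{audience}|{not_after}".encode()


def sign_assertion(issuer, subject, audience, not_after_iso):
    """Build the assertion a partner attaches to a request after
    authenticating its own user (element names are assumptions)."""
    mac = hmac.new(PARTNER_KEYS[issuer],
                   _signing_input(issuer, subject, audience, not_after_iso),
                   hashlib.sha256).digest()
    root = ET.Element("Assertion", Issuer=issuer, NotOnOrAfter=not_after_iso)
    ET.SubElement(root, "Subject").text = subject
    ET.SubElement(root, "Audience").text = audience
    ET.SubElement(root, "Signature").text = base64.b64encode(mac).decode()
    return ET.tostring(root, encoding="unicode")


def validate_assertion(xml_text, expected_audience, now_iso=None):
    """Receiver-side check: return (True, subject) or (False, reason).
    Runs at the application boundary, independent of SSL on the wire."""
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    issuer = root.get("Issuer", "")
    key = PARTNER_KEYS.get(issuer)
    if key is None:
        return False, "unknown issuer"          # not a partner we trust
    subject = root.findtext("Subject", "")
    audience = root.findtext("Audience", "")
    not_after = root.get("NotOnOrAfter", "")
    presented = base64.b64decode(root.findtext("Signature", ""))
    expected = hmac.new(key, _signing_input(issuer, subject, audience, not_after),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(presented, expected):
        return False, "bad signature"           # tampered or forged claim
    if audience != expected_audience:
        return False, "wrong audience"          # replayed from another service
    if datetime.fromisoformat(not_after) <= now:
        return False, "expired"                 # stale assertion
    return True, subject
```

Note that a valid signature only proves the assertion came from the partner; as the article points out, it cannot tell you whether the partner's own authentication of that user was sound.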

Risks vs. Benefits
John Pescatore, an analyst at Stamford, Conn.-based Gartner Inc., argues that such standards, along with development tools and applications, "will be immature from a security perspective" until the second half of next year. For that reason, he recommends that all but the most aggressive firms run Web services only within the firewall until then.

Others take a more flexible view. Rather than use the inside-the-firewall rule, Pete Lindstrom, an analyst at Hurwitz Group Inc. in Framingham, Mass., recommends that companies deploy Web services wherever they or trusted business partners have provided enough security to the required networks, applications and databases that the business benefits outweigh the risks.

Consider Networkcar Inc., which uses a wireless transmitter in cars and trucks to send real-time location and performance information to customers such as fleet managers, dealerships and auto clubs. The San Diego-based company uses Web services based on San Jose-based BEA Systems Inc.'s WebLogic Server to share data with its customers.

It relies on the well-known SSL and HTTPS (HTTP over SSL) encryption protocols to protect content in transit, as well as a firewall around its database to handle authentication and authorization, says Wade Williams, a senior developer at Networkcar.

This is about the same level of security as on many conventional Web applications, which is fine, says Williams, because the data he's providing over Web services is the same the company used to provide over its intranet.

But if Networkcar were to share more sensitive data, such as customers' credit card numbers, it would have to revisit whether Web services are secure enough and what other security mechanisms, such as public- and private-key encryption, to add to the mix, he says.

Superior went through a similar process in deciding that SSL and VPNs were good enough to secure the Web services it's providing using BEA's WebLogic. While a central authentication server would do a better job of keeping out unauthorized users, "the worst that can be done is that someone else could imitate" one of Superior's customers, Hird says. Superior would learn of the fraud when it billed the actual customer for the transaction and the customer refused to pay.

Even then, according to Hird, Superior would have lost only potential revenue rather than actual cash. "It's an acceptable risk because of what we're doing," he says. "If we were the CIA, that probably wouldn't be acceptable."

Hird also weighed the risks against the benefits. By using Web services, he says, Superior can develop new applications 100% faster and expand into new business areas, such as syndicating its data to business partners.

E2open LLC, a global collaboration network formed by global electronics giants such as IBM, Matsushita Electric Corporation of America, Lucent Technologies Inc. and Nortel Networks Ltd., is one of the advanced companies that both needs and can afford secure Web services today.

E2open handles and even stores trade secrets such as new product designs for its customers, so "security is No. 1," says Greg Clark, chief technology officer at the Belmont, Calif.-based organization. But without Web services, he says, the cost to integrate applications for its founders "was way too high."

To keep those Web services secure, the consortium is using Austin, Texas-based Tivoli Systems Inc.'s Access Manager (formerly Tivoli Policy Director) to store the access control rules for users, Clark says. Access Manager also provides a single sign-on capability, which allows an E2open user to sign on once and access the appropriate information through different applications at multiple E2open companies.

Using the Right Tools
Clark acknowledges that a tool such as Tivoli Policy Director is appropriate today only for organizations where the need to integrate business partners justifies the current cost of securing Web services. Other leading players in the Web services security market include Netegrity Inc. in Waltham, Mass., Novell Inc., Entrust Inc. in Dallas, and Oblix Inc. in Cupertino, Calif.

Major vendors promoting Web services are also banding together to form Web services security standards. Last month, Microsoft Corp., IBM and Mountain View, Calif.-based VeriSign Inc. announced that they will create a new standard for Web services security called WS-Security. But a Microsoft spokesman says it will take 12 to 18 months to complete all the specifications called for by the standard.

Until more standards-based security tools hit the market, IT managers should weigh the risks of deploying Web services against the benefits. "To the extent you have a controlled environment across the firewall, then go for it," says Lindstrom, "as long as you're constantly evaluating and re-evaluating the risks."

Scheier is a freelance writer in Boylston, Mass. He can be reached at rscheier@charter.net.


Special Report

New Tools, New Choices