Overcoming Web Services Insecurities

Computerworld - British Columbia's Ministry of Attorney General has a database with secret witness information. DaimlerChrysler Services North America LLC runs business applications with sensitive dealer and partner data in them. Lydian Trust Co. holds private financial information about its wealthy clients in its data files.
All these organizations have something in common: They expose those systems to the wild and often dangerously insecure World Wide Web. And they confidently secure any access to or transactions on those systems through Web services.
But none of them stepped blithely into Web services development. That's because the state of Web services security standards remains in flux. Only one of the proposed standards, Web Services Security, has been completed, and it hasn't been officially adopted by a standards body. The other initiatives are still in development by various vendors, prompting concern that competing approaches will emerge.
Third-party products are filling the standards gap for now. Most suppliers claim that they will adopt the standards that do emerge. But any IT shop that's attracted to the power and flexibility of Web services must do its homework.
No Room for Compromise
"We spent several months trying to solve the problem of giving real-time access to our database without compromising the security of the information," says Robert McDonald, director of application management services at the Victoria-based Ministry of Attorney General.
Tony Lyons, a senior IT manager at DaimlerChrysler in Farmington Hills, Mich., echoes the concern for caution, saying he was "absolutely" nervous about Web services security at first. Lyons recalls that throughout his company's 10-month project, which concluded in late summer, security was "paramount because people outside the network were getting access." Developers had to submit their designs and code to multiple, rigorous security reviews by corporate standards committees.
These weren't rubber-stamp exercises. His team was more comfortable building security into client/server software, where they had loads of experience with middleware tools that used Common Object Request Broker Architecture, Component Object Model (COM) and other methods. Now they had to defend their use of XML, SOAP and other Web services standards. It was "a challenge," Lyons acknowledges.
John Studdard, chief technology officer at VirtualBank, a division of Lydian Trust in Palm Beach Gardens, Fla., also dismisses using technology "from the old days," despite the comfort level developers have with it. "DCOM, COM and such are complex to maintain and complex to secure," he says.
Luckily, the multitier model of Web services has matured fast enough to make it possible to implement secure software for a broad base of