Web Services Projects Pose Challenges for IT Managers - 2

... and cite potential security problems

Web services deployments can pose a potent security risk for companies that don't implement the technology correctly, according to analysts and experienced users.

IT managers who are building Web services "really need to look at what it is you're planning to do" from a security perspective, said Peter Osbourne, manager of the advanced technology group at Dollar Thrifty Automotive Group Inc.'s Dollar Rent A Car Systems Inc. subsidiary in Tulsa, Okla.

Dollar used Microsoft Corp.'s Simple Object Access Protocol (SOAP) tool kit to set up a link last May between its reservation system and Southwest Airlines Co.'s Web site, enabling users of the site to rent cars. But because Southwest was concerned about the safety of using SOAP to directly link applications between the two companies, a middle layer comprised of a so-called socket connection and listener was added, Osbourne said.

The middle tier translates requests from Southwest's site into SOAP messages, which call into a Dollar Web server and then go through firewalls and integrity checks before they reach the car-rental reservation system. Return messages go back the same way, Osbourne said, adding that more firewalls between Dollar's Web server and the rest of its network prevent unauthorized access.

The technical requirements for securing Web services aren't fundamentally different from what it takes to protect almost any other Internet-based application. But such services can still pose a serious security risk because they typically involve linking internal corporate applications with external ones, said John Pescatore, an analyst at Stamford, Conn.-based Gartner Inc.

That's especially true because many of the tools that support the development of Web services are based on largely untested technologies such as XML and SOAP, Pescatore said. For example, SOAP is designed to send Web services requests via HTTP. Pescatore said that lets it pass easily through firewalls, making it possible for intruders to use SOAP tunnels to launch attacks against networks.

Controlling the Process

Pete Lindstrom, an analyst at Hurwitz Group Inc. in Framingham, Mass., said security considerations shouldn't stop companies from using Web services to share services or application functionality. But extensive authentication, credentialing and access control technologies are needed to ensure that only valid users can access Web services, he said. Measures must also be taken to guarantee the confidentiality and integrity of the information that flows through Web services links.

Take New York-based i-Deal LLC, which has developed an XML-based Web service that lets loan originators such as auto companies and mortgage lenders get information on the availability of financing.

Basiru Samba, chief software architect at i-Deal, said the company uses two firewalls: one to separate its Web server from its back-end systems and one between the Web server and the Internet. Any data requested from the back-end system has to pass through both firewalls before users can access it. I-Deal also uses public-key infrastructure services and passwords, Samba said.

AT A GLANCE

Security Allowances

Requirements for securing Web services include the following:

- Authentication tools that let companies offering Web services verify the identities of users.

- Authorization and access control features for ensuring that only legitimate users can access services.

- Session-level confidentiality mechanisms to stop unauthorized users from viewing information.

- Session-level integrity capabilities that prevent service-request data from being modified.

Source: webMethods Inc., Fairfax, Va.
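The article describes the pattern twice without showing it: Dollar's middle tier runs SOAP messages through integrity checks before they reach the reservation system, and the sidebar lists authentication, authorization and integrity as requirements. Pescatore's point is that a firewall passes SOAP over HTTP as ordinary Web traffic, so these checks have to happen at the application layer. The following is an added illustration, not code from the article, Dollar, i-Deal or webMethods: a small gateway check in Python that parses an incoming SOAP 1.1 envelope, rejects anything that is not a single known operation, verifies an HMAC over the operation element with the caller's shared secret (which both authenticates the caller and detects a tampered body), and then applies a per-client authorization list. The partner registry, the `urn:example:rental` service namespace, the operation names and the secrets are all constructed for the example; a real deployment would use WS-Security signatures with XML canonicalization rather than this simplified re-serialization.

```python
# Added example (not from the article): application-level checks a SOAP-receiving
# middle tier can apply before a request is forwarded to a back-end system.
# CLIENTS, SVC_NS, the operation names and all secrets are constructed values.
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"   # SOAP 1.1 envelope namespace
SVC_NS = "urn:example:rental"                           # hypothetical service namespace
ALLOWED_OPS = {"CheckAvailability", "MakeReservation"}  # the only operations the service exposes

# Constructed partner registry: a shared HMAC secret (used for authentication and
# integrity) and the set of operations each partner is authorized to call.
CLIENTS = {
    "partner-a": {"secret": b"constructed-secret-for-partner-a", "ops": {"CheckAvailability"}},
}


def serialize_op(op: ET.Element) -> bytes:
    """Byte form of the operation element that both signer and verifier hash.
    Both sides re-serialize the parsed element, so surrounding whitespace is
    ignored; production systems use XML canonicalization (WS-Security) instead."""
    op_copy = copy.copy(op)
    op_copy.tail = None  # drop text that belongs to the enclosing Body, not the operation
    return ET.tostring(op_copy, encoding="utf-8")


def sign(secret: bytes, op: ET.Element) -> str:
    """HMAC-SHA256 over the operation element, hex-encoded for the SOAP header."""
    return hmac.new(secret, serialize_op(op), hashlib.sha256).hexdigest()


def build_request(client_id: str, secret: bytes, op_name: str, payload_xml: str) -> bytes:
    """Client side: wrap a service call in a SOAP envelope carrying a ClientId and Signature header."""
    op = ET.fromstring(f'<{op_name} xmlns="{SVC_NS}">{payload_xml}</{op_name}>')
    sig = sign(secret, op)
    return (
        f'<soap:Envelope xmlns:soap="{SOAP_NS}">'
        f"<soap:Header><ClientId>{client_id}</ClientId><Signature>{sig}</Signature></soap:Header>"
        f"<soap:Body>{ET.tostring(op, encoding='unicode')}</soap:Body>"
        f"</soap:Envelope>"
    ).encode()


def check_request(raw: bytes) -> dict:
    """Gateway side: shape, authentication, integrity, authorization, in that order.
    Returns a verdict dict; nothing is forwarded to the back end unless ok is True."""
    def reject(reason: str) -> dict:
        return {"ok": False, "reason": reason, "operation": None}

    try:
        env = ET.fromstring(raw)
    except ET.ParseError:
        return reject("malformed XML")
    header = env.find(f"{{{SOAP_NS}}}Header")
    body = env.find(f"{{{SOAP_NS}}}Body")
    if env.tag != f"{{{SOAP_NS}}}Envelope" or header is None or body is None:
        return reject("not a SOAP envelope with Header and Body")
    # Shape: exactly one operation element, and only one the service actually exposes.
    if len(body) != 1:
        return reject("Body must carry exactly one operation")
    op = body[0]
    ns, _, op_name = op.tag.rpartition("}")
    if ns != "{" + SVC_NS or op_name not in ALLOWED_OPS:
        return reject(f"unknown operation {op.tag}")
    # Authentication: the caller must name a registered partner ...
    client = CLIENTS.get(header.findtext("ClientId", ""))
    if client is None:
        return reject("unknown client")
    # ... and prove it with a valid HMAC over the operation element. The same
    # comparison is the integrity check: any change to the body invalidates it.
    presented = header.findtext("Signature", "").encode()
    expected = sign(client["secret"], op).encode()
    if not hmac.compare_digest(presented, expected):
        return reject("signature mismatch: bad credentials or tampered body")
    # Authorization: an authenticated partner may still be limited to certain operations.
    if op_name not in client["ops"]:
        return reject(f"{op_name} not permitted for this client")
    return {"ok": True, "reason": "accepted", "operation": op_name}


if __name__ == "__main__":
    secret = CLIENTS["partner-a"]["secret"]
    good = build_request("partner-a", secret, "CheckAvailability", "<Car>ECONOMY</Car>")
    tampered = good.replace(b"ECONOMY", b"LUXURY")  # body altered after signing
    forbidden = build_request("partner-a", secret, "MakeReservation", "<Car>ECONOMY</Car>")
    stranger = build_request("nobody", b"guessed-secret", "CheckAvailability", "<Car>ECONOMY</Car>")
    for label, msg in [("good", good), ("tampered", tampered), ("forbidden", forbidden),
                       ("stranger", stranger), ("junk", b"<not soap")]:
        print(f"{label:9s} -> {check_request(msg)}")
```

All five constructed messages arrive as ordinary HTTP POSTs and would pass a port-based firewall unchanged; only the first is forwarded, and the gateway's verdict on each of the others names the failing check, which is also what an operator would want logged.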

Copyright © 2002 IDG Communications, Inc.
