Top Web services worry: Security

By John Fontana
Network World, 01/21/02

SAN FRANCISCO - The absence of security and reliability is proving to be a major stumbling block in convincing companies that Web services can thrive outside of corporate firewalls.

IT executives are finding that Web services technology can ease internal application integration. But for business-to-business integration, the technology is lacking key standards for enterprise-class transactions, according to experts attending last week's Next Generation Web Services Conference, which drew about 700 participants. Informal polls showed security was the top issue among those considering Web services.

Work is under way to develop protocols and mechanisms to strengthen the security, reliability and workflow capabilities of Web services, but some experts argue that they might not be robust enough or may overlap, and cause interoperability or integration problems down the road.

"It is foolish now to build Web services that run outside the firewall," says John Studdard, CTO at VirtualBank in West Palm Beach, Fla. "We don't know what level of exposure that represents." VirtualBank developed a set of Web services interfaces to integrate data to produce fraud ratings for a credit fulfillment service.

"It's just like in the days of putting up Web sites, Studdard says. The complexity was not putting up the site but getting the data to the Web. With Web services, the complexity is getting the data behind the Web service."

Web services technology is being touted for its ability to transform application logic housed in disparate systems into components with XML-based interfaces. Those components can be integrated or aggregated into complex business applications or processes. The vision is that Web services from any number of sources could be dynamically combined over the Internet into hybrid applications for business-to-business commerce.

"The reality is way behind the vision at this point," says Bob Marcus, CTO of consulting firm Emerging Technology Strategies.

And to underscore the issue, Microsoft's Bill Gates declared last week that "trustworthy computing" would become the top priority for the software giant, in large part to ease fears over the viability of .Net, the company's Web services initiative.

"If you want to do real business processes, the keys are security, nonrepudiation and reliable messaging," says Tim Hilgenberg, chief technology strategist for Hewitt Associates, which has built its own security mechanisms for a Web services interface it uses to provide data on corporate benefits. "You need guaranteed delivery. You need exception handling. The more complex the business process, the more security and guarantees you need."

But with Web services, that scenario isn't enterprise-ready.

"The issues become exponential and you open a Pandora's box when you begin to connect Web services to multiple partners outside the firewall," says Dana Gardner, an analyst with Aberdeen Group.

When corporations execute business-to-business commerce, which often involves machine-to-machine communication, certain behaviors are required. There must be assurances as to the identity of the systems, that messages are delivered once and only once, and that all business processes are completed.

Web services specifications that begin to solve those problems are being developed now, including the Extensible Access Control Markup Language (XACML), Security Assertions Markup Language (SAML), XML Key Management (XKMS), XML Encryption, Web Services Flow Language, XML Digital Signature, Business Transaction Protocol and extensions to the Simple Object Access Protocol (SOAP).

Meanwhile, IBM has proposed HTTP-R for reliable transport of SOAP messages. And Microsoft is working on a Global XML Architecture, which includes proposed standards called WS-Security and WS-Routing. The Organization for the Advancement of Structured Information Standards is developing ebXML, which includes models for security and standardizing electronic business processes.

Others are proposing extensions to SOAP, which can carry directives in the header fields of its messages.

"By midyear you will see proposals for the next generation of SOAP that include a standard model for reliability and security," says Adam Bosworth, vice president of engineering for BEA Systems, which develops the WebLogic application server. Bosworth says BEA is working with several major vendors, which he declined to name, on a "correlation" extension to SOAP that uses unique IDs in SOAP headers to ensure one-time message delivery.

But doubts remain.

"There is not an acceptable complete security model for Web services," says Eduardo Fernandez, a professor in the Department of Computer Science and Engineering at Florida Atlantic University. "Right now, you have all these protocols for individual things, but how does it all come together."

Fernandez says XACML and SAML don't follow classic maps for security and might eventually produce errors, and XML Encryption and XKMS overlap in many places.

In the interim, a handful of vendors, including IBM, Microsoft, Kenamea, Sonic, Iona, Tibco, Flamenco Networks and Grand Central, are using a collection of standard and proprietary technology in middleware software or services that use security, reliable delivery of messages and transactional integrity of business processes exposed using Web services. However, most of that technology is still used between corporations that have already established a trusted relationship.