Top Web services worry: Security

SAN FRANCISCO - The absence of security and reliability is proving to be a major stumbling block in convincing companies that Web services can thrive outside of corporate firewalls.

IT executives are finding that Web services technology can ease internal application integration. But for business-to-business integration, the technology is lacking key standards for enterprise-class transactions, according to experts attending last week's Next Generation Web Services Conference, which drew about 700 participants. Informal polls showed security was the top issue among those considering Web services.

Work is under way to develop protocols and mechanisms to strengthen the security, reliability and workflow capabilities of Web services, but some experts argue that they might not be robust enough or may overlap, and cause interoperability or integration problems down the road.

"It is foolish now to build Web services that run outside the firewall," says John Studdard, CTO at VirtualBank in West Palm Beach, Fla. "We don't know what level of exposure that represents." VirtualBank developed a set of Web services interfaces to integrate data to produce fraud ratings for a credit fulfillment service.

"It's just like in the days of putting up Web sites," Studdard says. "The complexity was not putting up the site but getting the data to the Web. With Web services, the complexity is getting the data behind the Web service."

Web services technology is being touted for its ability to transform application logic housed in disparate systems into components with XML-based interfaces. Those components can be integrated or aggregated into complex business applications or processes. The vision is that Web services from any number of sources could be dynamically combined over the Internet into hybrid applications for business-to-business commerce.

"The reality is way behind the vision at this point," says Bob Marcus, CTO of consulting firm Emerging Technology Strategies.

And to underscore the issue, Microsoft's Bill Gates declared last week that "trustworthy computing" would become the top priority for the software giant, in large part to ease fears over the viability of .Net, the company's Web services initiative.

"If you want to do real business processes, the keys are security, nonrepudiation and reliable messaging," says Tim Hilgenberg, chief technology strategist for Hewitt Associates, which has built its own security mechanisms for a Web services interface it uses to provide data on corporate benefits. "You need guaranteed delivery. You need exception handling. The more complex the business process, the more security and guarantees you need."

But with Web services, that scenario isn't enterprise-ready.

"The issues become exponential and you open a Pandora's box when you begin to connect Web services to multiple partners outside the firewall," says Dana Gardner, an analyst with Aberdeen Group.

When corporations execute business-to-business commerce, which often involves machine-to-machine communication, certain behaviors are required. There must be assurances as to the identity of the systems, that messages are delivered once and only once, and that all business processes are completed.

Web services specifications that begin to solve those problems are being developed now, including the Extensible Access Control Markup Language (XACML), Security Assertions Markup Language (SAML), XML Key Management (XKMS), XML Encryption, Web Services Flow Language, XML Digital Signature, Business Transaction Protocol and extensions to the Simple Object Access Protocol (SOAP).

Meanwhile, IBM has proposed HTTP-R for reliable transport of SOAP messages. And Microsoft is working on a Global XML Architecture, which includes proposed standards called WS-Security and WS-Routing. The Organization for the Advancement of Structured Information Standards is developing ebXML, which includes models for security and standardizing electronic business processes.

Others are proposing extensions to SOAP, which can carry directives in the header fields of its messages.

"By midyear you will see proposals for the next generation of SOAP that include a standard model for reliability and security," says Adam Bosworth, vice president of engineering for BEA Systems, which develops the WebLogic application server. Bosworth says BEA is working with several major vendors, which he declined to name, on a "correlation" extension to SOAP that uses unique IDs in SOAP headers to ensure one-time message delivery.

But doubts remain.

"There is not an acceptable complete security model for Web services," says Eduardo Fernandez, a professor in the Department of Computer Science and Engineering at Florida Atlantic University. "Right now, you have all these protocols for individual things, but how does it all come together?"

Fernandez says XACML and SAML don't follow classic maps for security and might eventually produce errors, and XML Encryption and XKMS overlap in many places.

In the interim, a handful of vendors, including IBM, Microsoft, Kenamea, Sonic, Iona, Tibco, Flamenco Networks and Grand Central, are using a collection of standard and proprietary technology in middleware software or services that use security, reliable delivery of messages and transactional integrity of business processes exposed using Web services. However, most of that technology is still used between corporations that have already established a trusted relationship.
