
Top Web services worry: Security


SAN FRANCISCO - The absence of security and reliability is proving to be a major stumbling block in convincing companies that Web services can thrive outside of corporate firewalls.

IT executives are finding that Web services technology can ease internal application integration. But for business-to-business integration, the technology is lacking key standards for enterprise-class transactions, according to experts attending last week's Next Generation Web Services Conference, which drew about 700 participants. Informal polls showed security was the top issue among those considering Web services.

Work is under way to develop protocols and mechanisms to strengthen the security, reliability and workflow capabilities of Web services, but some experts argue that they might not be robust enough or may overlap, and cause interoperability or integration problems down the road.

"It is foolish now to build Web services that run outside the firewall," says John Studdard, CTO at VirtualBank in West Palm Beach, Fla. "We don't know what level of exposure that represents." VirtualBank developed a set of Web services interfaces to integrate data to produce fraud ratings for a credit fulfillment service.

"It's just like in the days of putting up Web sites," Studdard says. "The complexity was not putting up the site but getting the data to the Web. With Web services, the complexity is getting the data behind the Web service."

Web services technology is being touted for its ability to transform application logic housed in disparate systems into components with XML-based interfaces. Those components can be integrated or aggregated into complex business applications or processes. The vision is that Web services from any number of sources could be dynamically combined over the Internet into hybrid applications for business-to-business commerce.

"The reality is way behind the vision at this point," says Bob Marcus, CTO of consulting firm Emerging Technology Strategies.

And to underscore the issue, Microsoft's Bill Gates declared last week that "trustworthy computing" would become the top priority for the software giant, in large part to ease fears over the viability of .Net, the company's Web services initiative.

"If you want to do real business processes, the keys are security, nonrepudiation and reliable messaging," says Tim Hilgenberg, chief technology strategist for Hewitt Associates, which has built its own security mechanisms for a Web services interface it uses to provide data on corporate benefits. "You need guaranteed delivery. You need exception handling. The more complex the business process, the more security and guarantees you need."

But with Web services, that scenario isn't enterprise-ready.

"The issues become exponential and you open a Pandora's box when you begin to connect Web services to multiple partners outside the firewall," says Dana Gardner, an analyst with Aberdeen Group.

When corporations execute business-to-business commerce, which often involves machine-to-machine communication, certain behaviors are required. There must be assurances as to the identity of the systems, that messages are delivered once and only once, and that all business processes are completed.

Web services specifications that begin to solve those problems are being developed now, including the Extensible Access Control Markup Language (XACML), Security Assertions Markup Language (SAML), XML Key Management (XKMS), XML Encryption, Web Services Flow Language, XML Digital Signature, Business Transaction Protocol and extensions to the Simple Object Access Protocol (SOAP).

Meanwhile, IBM has proposed HTTP-R for reliable transport of SOAP messages. And Microsoft is working on a Global XML Architecture, which includes proposed standards called WS-Security and WS-Routing. The Organization for the Advancement of Structured Information Standards is developing ebXML, which includes models for security and standardizing electronic business processes.

Others are proposing extensions to SOAP, which can carry directives in the header fields of its messages.

"By midyear you will see proposals for the next generation of SOAP that include a standard model for reliability and security," says Adam Bosworth, vice president of engineering for BEA Systems, which develops the WebLogic application server. Bosworth says BEA is working with several major vendors, which he declined to name, on a "correlation" extension to SOAP that uses unique IDs in SOAP headers to ensure one-time message delivery.
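The one-time delivery idea described above, as an added example that is not from the article, BEA or any published SOAP extension: a receiver that reads a unique ID from the SOAP header, processes each ID once and answers retries with the stored reply. The `urn:example:correlation` namespace, the `MessageID` element and the `Transfer` body are hypothetical names, and the envelopes are constructed sample input.

```python
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"  # SOAP 1.1 envelope namespace
CORR_NS = "urn:example:correlation"  # hypothetical namespace, not a published extension

class OnceOnlyReceiver:
    """Processes each message ID at most once; retries get the stored reply."""

    def __init__(self, handler, max_ids=10000):
        self.handler = handler    # business logic, called once per unique ID
        self.replies = {}         # message ID -> reply from the first delivery
        self.max_ids = max_ids    # bound memory; oldest IDs are evicted first

    def receive(self, envelope_xml):
        root = ET.fromstring(envelope_xml)
        msg_id = root.findtext(f"{{{SOAP_NS}}}Header/{{{CORR_NS}}}MessageID")
        if not msg_id or not msg_id.strip():
            # Without an ID the receiver cannot tell a retry from a new request.
            raise ValueError("missing correlation MessageID header")
        msg_id = msg_id.strip()
        if msg_id in self.replies:
            return ("duplicate", self.replies[msg_id])  # do not run the handler again
        body = root.find(f"{{{SOAP_NS}}}Body")
        if body is None:
            raise ValueError("missing SOAP Body")
        reply = self.handler(body)
        if len(self.replies) >= self.max_ids:
            self.replies.pop(next(iter(self.replies)))  # dicts keep insertion order
        self.replies[msg_id] = reply
        return ("processed", reply)

def make_envelope(msg_id, amount):
    """Constructed sample message; the body element names are made up."""
    header = f'<c:MessageID xmlns:c="{CORR_NS}">{msg_id}</c:MessageID>' if msg_id else ""
    return (f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Header>{header}</s:Header>'
            f'<s:Body><Transfer><Amount>{amount}</Amount></Transfer></s:Body></s:Envelope>')

def demo():
    ledger = []
    def handler(body):
        ledger.append(int(body.findtext("Transfer/Amount")))
        return f"ok:{sum(ledger)}"
    rx = OnceOnlyReceiver(handler)
    first = rx.receive(make_envelope("id-001", 100))
    retry = rx.receive(make_envelope("id-001", 100))  # sender retried after a timeout
    second = rx.receive(make_envelope("id-002", 50))
    return first, retry, second, ledger
```

The ID only gives one-time delivery if it is covered by the message's integrity protection, such as the XML Digital Signature work the article lists, because an unsigned ID can be changed in transit.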

But doubts remain.

"There is not an acceptable complete security model for Web services," says Eduardo Fernandez, a professor in the Department of Computer Science and Engineering at Florida Atlantic University. "Right now, you have all these protocols for individual things, but how does it all come together?"

Fernandez says XACML and SAML don't follow classic maps for security and might eventually produce errors, and XML Encryption and XKMS overlap in many places.

In the interim, a handful of vendors, including IBM, Microsoft, Kenamea, Sonic, Iona, Tibco, Flamenco Networks and Grand Central, are using a collection of standard and proprietary technology in middleware software or services that use security, reliable delivery of messages and transactional integrity of business processes exposed using Web services. However, most of that technology is still used between corporations that have already established a trusted relationship.

