A dizzying array of specifications being produced this year by standards bodies and other groups will fill glaring security and reliability gaps in nascent Web services technology.
In rapid-fire succession over the next six to eight months, network executives could see up to 30 new protocols emerge designed to advance Web services as a way to support secure and reliable interconnection of transaction-based business applications.
The protocols will help mitigate risk, enforce access and use policies, ensure nonrepudiation and guarantee execution and exception handling by defining authentication, authorization, trust, reliable messaging, transactional integrity and workflow. Standards for XML-based digital signatures and encryption already exist.
Standards bodies focused on XML include the Organization for the Advancement of Structured Information Standards (OASIS) and the World Wide Web Consortium (W3C). Vendor alliances, such as the IBM, Microsoft and VeriSign trio, developed the recent WS-Security proposal.
The groups will be heavily active in the coming months on standardizing recommendations, introducing new specifications, hammering out guidelines for security requirements and focusing on creating consistency across a palette of security initiatives.
Getting the work done is imperative to providing the kind of security network executives need when they develop or deploy sophisticated Web services, which typically involve computers talking to one another without human intervention.
"This year is going to be pretty overwhelming in terms of standards," said Bob Sutor, director for e-business standards strategy at IBM at a meeting with Network World editors last week. "Standards will be coming at a fast and furious pace. Last year standards development was focused on connections. This year it will be focused on security, reliability, transactions and workflow. Soon it's going to be very difficult to keep track of what does what." He says there will be 20 to 30 specifications relatively soon. Currently there are six major security protocols either approved or in the draft stage. The WS-Security alliance has proposed seven others.
Network executives are bracing for the onslaught but say they hope it will not erode the simplicity of Web services.
"I would hate to see Web services get lost in the security forest," says John Studdard, senior vice president and CTO for the Virtual Bank in Palm Beach Gardens, Fla. "We are hoping for a simple security model as opposed to something that sounds good but has no chance of ever being implemented."
Studdard runs a dozen Web services internally to integrate banking systems, but says because of security concerns he has yet to run them outside his organization.
"Web services security is still the wild, wild West," Studdard says. "What we are seeing now is a reaction more than a well thought out security plan."
That may be true, according to a recent Hurwitz Group study, which among other issues showed that security was the No. 1 inhibitor to Web services adoption.
"We were surprised to see how quickly people were adopting the Web services development tools, but there is an immaturity level that is quickly being realized as people seek security, reliability and quality of service," says Tyler McDaniel, director of application strategies for Hurwitz. "As a result, there is a pressure on vendors and standards bodies to get security moving faster."
Existing security standards from the W3C - XML Signature (XML-Sig) and XML encryption, protocols for ensuring integrity and authorization - are creating the support for that movement. The W3C also is working on the XML Key Management Specification for distributing and registering public keys.
At OASIS, the Security Assertion Markup Language (SAML), Service Provisioning Markup Language (SPML) and the XML Access Control Markup Language (XACML) are all security proposals in line for approval.
"Security today is being done willy-nilly," says Terri Kouba, a systems developer at the University of California at Berkeley. "But as a whole under Web services it needs to be defined. Not just the transport but the whole authentication and reliability piece."
Work is under way to tie it all together for use in Web services development tools and other software.
Last week, OASIS created the Security Standards Joint Committee (SSJC), an oversight group to ensure consistency among its security working groups. Next month, OASIS will begin work on final approval of SAML and XACML. The SPML specification is set for standards review at year-end, and a fourth focused on digital rights management had its first committee meeting last week.
"If you can show me a PowerPoint slide that describes how security standards tie together, I'll give you a million bucks," says Darran Rolls, director of technology for Waveset and the co-chair of the SSJC. "We need common terms and a way to prevent overlap in the specs."
The W3C last month published the first draft of its Web Services Architecture Requirements, including a foundation for security based on accessibility, authentication, authorization, confidentiality, integrity and nonrepudiation. The final draft is due early next year, and the group is working on a proposal to create an umbrella security group that would work on security extensions to SOAP and examine new security proposals, says Philippe Le Hégaret, a member of the W3C technical staff.
One such effort to create new protocols is being led by IBM, Microsoft and VeriSign, which by year-end plan to introduce six specifications to extend the WS-Security specification they introduced last month (see graphic). The trio says it hopes to submit WS-Security, which is built on XML-Sig and XML encryption, to a yet-to-be determined standards body this fall.
IBM and Microsoft are at work independently on specifications - Web Services Flow Language and XLANG, respectively - for standardizing workflow, the process of managing the execution of Web services in business processes. IBM's Sutor says the company also is working on a specification for guaranteed delivery of messages, although he would not provide details.
But no matter how fast such efforts develop, securing Web services will be a complex undertaking for network executives.
"To think the complexity in the designing, developing, deployment and maintenance of secure distributed applications will go away with Web services is a cardinal sin," says Bernhard Borges, managing director of the advanced technology group at PricewaterhouseCoopers Consulting.
Others say Web services security is just a new set of protocols to address the tried-and-true security tenets of today: Secure data where it resides, and secure it as it moves between two or more endpoints.
"The scary part is that we are starting to talk about linking up the whole Internet," says Pete Lindstrom, director of security strategies for the Hurwitz Group. But Lindstrom says the basics for getting started are there today.
Senior Writer Ann Bednarz contributed to this report.