Security and Web Services

What is in essence a framework for designing, developing and building a new generation of applications around web standards and protocols, web services promises to make it far easier to integrate applications across disparate hardware and software platforms - a constant gripe with existing technology. Backed by all of the major IT vendors (Microsoft, IBM, Sun, Oracle, etc.), web services certainly will not suffer from a lack of effort or exposure, but will it take off and what are the issues?

In the wake of the dot-com meltdown, the global economy could be forgiven for slapping a "handle with care" sticker on the latest and greatest thing to emerge from the world of high-tech. The prevailing mood amongst many organizations is one of caution for all things Internet-related and there is little appetite for experimentation with new technologies in the current climate.

That is not to say that business people do not recognize the tremendous benefits to be gained from converting traditional paper-based, physical-contact processes (whether it's voting, banking, tax returns, order forms, etc.) into web-based electronic ones; clearly they do. The real question is not if, but how best, to use the web for business purposes.

The important thing to remember is that business, whether paper-or web-based, physical or electronic, is still business and the same rules apply.

Security is a fundamental cornerstone for enabling business to function effectively, whether public sector or commercial. Commonsense dictates that to generate the maximum levels of business activity, the appropriate levels of security must be in place to minimize risk.

Security has been and remains a central challenge for conducting business on the web. Exposing organizational networks and data to the Internet is necessary to allow employees, customers, partners and suppliers to interact more conveniently and productively with each other, but the risks of such exposure are obvious. Web-enablement means that more and more traditional 'outsiders' are becoming 'insiders.' Authentication and authorization, therefore, are two critical security issues to ensure that the bona fides and access/action rights of users (and indeed data and devices) can be enforced to the appropriate degree in line with organizational policy.

Web services both accentuates and helps to alleviate these security issues.

The web services framework, by its very nature, increases the ability of software to be exposed to the web, making it more important than ever to implement a sound security platform for online business. Authentication and authorization of users, data and devices will be critical to facilitate the seamless aggregation of applications from distinct re-usable components of logic distributed across servers that may or may not be within the organization's protected domain. A variety of authentication and authorization mechanisms for web services are being put forward by the major vendors, such as Microsoft (e.g., Passport) and Sun (e.g., Liberty).

The good news is that these mechanisms are building upon existing proven technologies such as public key digital signatures and certificates, Kerberos and web access control, so it's evolution rather than revolution. The area to watch out for is the degree of standardization of new web services security specifications. Most organizations will be forced to operate multiple authentication and authorization mechanisms to satisfy the full range of their business risks, but all will want to keep the number of different mechanisms to a minimum. It makes absolute sense therefore to deploy those mechanisms that have the broadest appeal through open standards.

The next 18 months will see major progress on firming up of standards such as the XML key management specification (XKMS), which will cover the registration and distribution of XML-based public keys to encrypt and decrypt documents, and the associated XBULK standard for bulk key registration (which is of particular importance in areas such as smartcards and mobile devices). Other emerging web services standards include the XML encryption standard, which will govern the encryption and decryption of digital content such as XML documents, the XML digital signature standard (XML-DSig), which will define how to digitally sign an XML document, and the security assertions markup language (SAML), which allows users to maintain their authentication and entitlement credentials over multiple web sites. You should insist on strong support for web services security standards from your vendors in their forthcoming product releases.

Concerns over security issues with SOAP (the web services transport layer) are also being addressed through an initiative called WS-Security, which has been jointly developed by Microsoft, IBM and Verisign, and describes how to protect SOAP messages using the underlying XML encryption and digital signature standards. In essence, it is assumed that the WS-Security layer will be able to connect seamlessly to a suite of web-based security services for the required level of protection and assurance.

Further good news lies in the fact that the web services framework helps to alleviate some of the challenges that have dogged the implementation of security for the web to date. Securing the Internet is not a trivial task and has necessitated the introduction of many complex processes into applications and systems in order to provision, manage and enforce security credentials. Building these capabilities into applications can greatly increase the cost and time of security deployments and has led to criticism of technologies such as PKI in the past. Web services means that new applications will be able to offload all the complexity and 'heavy lifting' of the security processes to backend servers which will deliver the required security services.

A server-centric model for your security infrastructure brings many benefits:

  • developers do not have to deal with programming complex security processes into their applications and can simply put 'pointers' to the appropriate sources of the required security functionality;
  • security officers can more easily manage and enforce security policies across multiple applications through a single server;
  • IT managers can significantly reduce the cost and administrative burden of supporting lots of functionality on each desktop;
  • end-users get a more transparent experience.

Web services is approaching. You may not subscribe to the hype around what it can do, but the capability is going to be built into the coming versions of standard platforms from Microsoft, IBM, Oracle, Sun and others, whether you want it or not. So at a pragmatic level, why not take advantage of the many benefits of web services in improving the efficiency and effectiveness of how you deploy your online business systems? Just remember to tackle the security issues seriously before you turn it on!

Peter Doyle is vice president of Baltimore Technologies (


Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.