Web services: Useful but dangerous?

Web services promise to change the way we build applications but, as Daniel Murton argues, security poses a huge challenge.

Realizing the promise of web services has become a holy grail for most large enterprises. The return-on-investment argument seems compelling - reductions in application integration costs, simplification of supply chains and automation of business processes. But security remains a significant hurdle to the successful roll-out of web services.

Research company Gartner recently suggested that companies may have to be prepared to spend half of their web services investment on security. Central to this security challenge is effective cryptography and key management.

In simple terms, web services are enterprise applications that use languages and protocols, based on a universally ­ accepted standard called XML, to describe themselves not only to other applications but also to the outside world. Web services simplify the task of communicating - with devices, with people, and, most importantly, with each other ­ - using XML to describe what functions they perform, how they can be accessed and what kinds of data they require.

Even in the most technology-aware companies it is not unusual to find a billing application that cannot ask a shipping application whether a delivery has been made. Integrating such applications is one of today's most important business problems - one that will typically involve significant investment of time and resources to resolve.

Web services are expected to reduce application integration costs significantly. Where application-to-application data exchange is essential, web services can reduce costly custom integration work and allow applications to be leveraged for multiple purposes, making cost justification more straightforward. Furthermore, web services are being designed to aggregate information and services from multiple back-end systems, simplifying routine tasks and giving greater economies of scale

With new development platforms - including Microsoft .Net, BEA Web Logic, Sun ONE and IBM WebSphere - web services mechanisms, such as XML formatting and simple object access protocol (SOAP) messaging, are becoming an ubiquitous part of the application development environment.

This makes it faster, easier and more cost-effective to integrate heterogeneous resources, both within enterprises and between trading partners. XML provides the building blocks of web services and SOAP, the XML-based messaging protocol, provides a uniform way to exchange XML-formatted information across the internet, for example, using HTTP as a transport mechanism.

But, the availability of these new tools is a double-edged sword, as it has become relatively simple to build and deploy web services that interface to sensitive data, unknowingly exposing companies to a host of security risks. The challenges mirror those of standard internet communications.

Security for web services centers on protecting a widening set of resources against increasing points of vulnerability, often without any human intervention. This creates new challenges, as the roll-out of web services involves scalable machine-to-machine interaction that will often bridge the firewall, increasing vulnerability to attack.

Security technologies, most notably cryptography and PKI, provide tried and tested mechanisms for protecting data as it crosses public and private networks. In addition to safeguarding confidentiality through encryption, these technologies enable recipients to authenticate the sender, via digital signatures, and verify the integrity of information. The World Wide Web Consortium (W3C) has approved the XML signature specification, defining the rules for digitally signing XML documents and processing signatures.

A complex challenge

Web services present a more complex security challenge, as they will often aggregate information from multiple sources. This might require digital signatures and encryption to be applied by multiple parties to different sorts of information within a particular service and at different points within a multi-tier system. Different applications will also require different levels of security.

Public key infrastructure (PKI) plays an essential role in web services security, enabling end users and web services alike to establish trusted digital identities which, in turn, facilitate trusted communications and transactions. The XML key management services (XKMS) standard specifies a method for XML-based clients to securely access public key-related services - key generation, registration and revocation, and the validation of certificates and signatures. However, as the analyst group Gartner recently stated "Enterprises and vendors must still create the infrastructure for effective long-term management of keys and certificates within the enterprise."

The confidentiality of public and private keys used to implement signing and encryption underpins the security of cryptographic processes. This is particularly important as the value to the business of any specific key tends to increase over time, as the amount of information it protects grows. A cryptographic key is a self-aggregator of risk, since it transfers risk from the data that it protects to the key itself.

Frequently cryptographic processes are performed in the demilitarized zone (DMZ) near public parts of the ­ network, where threats from hackers are greatest. To support this, more and more cryptographic keys are being pushed out to sites at the edge of the network, where they are at a much greater risk of exposure and compromise. Cryptography ­ relies upon the relevant key being available only to appropriate and authorized parties and processes. Therefore, the ­ security and management of encryption and signing keys themselves is critical to the security of any business deploying web services.

The banking and finance world has long recognized that cryptographic keys must be protected by specialist cryptographic devices or hardware security modules (HSMs). For example, Visa and MasterCard mandate such protection in their 'Verified by Visa' and 'Secure Code' initiatives, which are designed to combat internet credit card fraud.

KPMG has advised (Key Management Policy and Practice Framework, January 2002) that industry best practice dictates that a ­ secret key should never become ­ exposed outside a specialist cryptographic hardware device. This is a vital security mechanism for web services that are handling high volumes of sensitive information. XKMS and other XML standards help define the use of cryptographic keys, but do little directly to describe the life cycle management of encrypting and signing keys. High availability and scalability requirements compound the problem.

From a security perspective, robust key management requires independent validation, with HSMs meeting the Federal Information Processing Standard (FIPS) 140, recognized as the world standard for hardware-secured cryptographic key management.

Enterprises implementing XML security should also consider how their systems will have the capacity to cope with ever-growing business loads, as cryptographic security comes at a price. Encryption, decryption and signing operations are computationally intensive, and designers of web services must ensure systems that digitally sign and encrypt XML messages can handle the resulting cryptographic processing load.

The penalty of getting it wrong is an exponential increase in message response times. This may cripple business, and undermine the benefits of the web service itself. For example, SSL, which provides confidentiality for data passing over the internet, places such large computational loads on web servers that specialist cryptographic accelerator hardware is required to deliver sufficient capacity.

Security from the ground up

Web services are opening up networks as never before. They promise a revolution in communication and integration that will result in significant cost savings, efficiencies and new business opportunities. But they also depend completely on trust: trust in the identity of the application or machine at the end of the line, trust in the integrity of communicated data, and trust that privileges and access rights have not been subverted. Web services security can provide the building blocks of this trust.

The development of standards for XML encryption and signatures is underway but enterprises need to consider carefully how these are implemented.

Cryptography underpins many of these initiatives, and best practice key management is vital to delivering effective security. Increasingly this means hardware-based key management, delivering the strongest protection for the encryption and signing keys used to underpin the trust in web services.

Daniel Murton is international marketing director, for nCipher Corporation ( 

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.