Smart planning can eliminate security risks with Web services

Web services have great potential, but security concerns are preventing many organizations from taking advantage of the technology. Here are several suggested policies that CIOs can follow to develop a solid Web services plan.
IT executives spend a lot of time these days thinking about how to lower costs, improve security, and deliver IT as a business service. New development tools and infrastructure technologies that can help fulfill these goals are in high demand in spite of the current recession.

But what should IT do when a technology innovation helps improve some goals while it hinders others? CIOs are struggling with this paradox with a very visible new IT technology—Web services.

First, let’s examine the positives. Web services are flexible and reusable—attributes that help IT develop applications quickly while simultaneously reducing costs. In a software development project using Web services, Motorola Corporation reduced its development project cycle and costs by 30 percent. Those are metrics that every CIO wants to achieve.

Now let’s review the downside. Web services-specific security is nonexistent. Standards bodies like the W3C and OASIS are working diligently toward a solution, but Web services on the Internet today are completely defenseless against cyberterrorists and hackers. This level of exposure is far too risky for most IT executives.

Do the current risks of Web services outweigh the benefits? Should CIOs eschew Web services until hardened security technologies and standards arise? No! As the Motorola example illustrates, Web services offer benefits today regardless of their security profile. What’s more, IT shops that delay Web services development today will face skills deficits and steep learning curves as security matures.

A plan is needed
CIOs need a plan that promotes Web services benefits while minimizing security risks. Smart IT executives will take an aggressive but pragmatic approach to Web services by adhering to the following policies:

Policy #1
Start Web services efforts on corporate projects. The best place to begin Web services is within IT itself. Choose a project, such as integrating management tool data, that will result in an immediate payback and give the staff a chance to learn Web services technology in their own backyard.

Once IT gets the hang of Web services project subtleties, move on to business requirements, such as improving business processes or sharing data between groups. These internal Web services efforts provide a low-risk classroom for IT to enhance its proficiency, accelerate projects, and decrease costs.

Policy #2
Prepare internal systems. To ease future application development efforts, CIOs should look at their existing applications inventory and decide how to expose it to Web services development.

Packaged applications from vendors such as PeopleSoft, SAP, and Siebel already support Web services interfaces, while software infrastructure providers such as Iona, Tibco, and Vitria are adding new Web services features to ease application integration. Homegrown applications should also be added to the list. Once you understand how to extend applications with Web services, determine which ones should come first. This planning effort will help IT set priorities so it can get the highest return on Web services and also determine how much work to anticipate over the long term. The IT staff can also begin to explore creative ways to exploit Web services to drive new revenue, automate business processes, and cut costs.

Policy #3
Keep the security group involved. Rather than deal with Web services security in isolation, IT managers must keep the security team informed about Web services applications, security standards progress, known bugs, and future plans.

The security team can then assess whether Web services projects meet business requirements, government regulations, and its own technology agenda. Open communication and collaboration with the security team will ensure that Web services applications are included in the enterprise security plan and will minimize future surprises.

Policy #4
Get involved with Web services security standards. Security-conscious CIOs should have their developers and security managers review security standards proposals to see if they meet their business requirements.

Will the XML Key Management Specification (XKMS) scale to meet the volume needs of the financial services industry? How will XML encryption be implemented? What’s included in WS-Security? Make sure to receive regular reports from IT staff and technology vendors. If you’re not satisfied, push on partners such as IBM, Microsoft, and Sun to advance your cause. They, too, have a vested interest in getting Web services security right—as soon as possible.

Policy #5
Cooperate with outsiders. Just as developers should share their Web services plans with the security and business teams, make sure that your company is sharing its Web services plans with trusted business partners, suppliers, and large customers.

Be cautious and keep this group of partners small and select to minimize your own security risk. Find out what types of applications would be most beneficial to them. Which of their systems will they enable with Web services interfaces? What are their security requirements? Collaborative planning with external constituencies will help set budget requirements, project schedules, and overall goals, and will also reveal opportunities where Web services can accelerate business processes, improve customer service, or cut costs. Remember that you can always secure Web services to a partner through existing network security technologies such as VPNs, PKI, and digital certificates.

Policy #6
Anticipate management and operations needs. As development and security matures, Web services will become mission-critical applications with extensive management and operations requirements.

Will Web services require sophisticated management tools from vendors such as BMC, Dirig, or HP? (The answer is probably yes.) Will you need specific processes and procedures to deal with Web services that touch your business partners’ systems? (The answer here is probably also yes.) To anticipate these needs, add management and operations to your planning now.

The bottom line
IT executives need to ignore all the hype to get moving ahead on Web services. The Internet technology boom is dead and gone, and Web services won’t do a thing to change this fact. But don’t make the mistake of dismissing Web services outright because of immature security.

By taking a pragmatic approach, CIOs can benefit from Web services, lower costs, and minimize risk. Now, that ought to keep the CEO and CFO happy.