One of the keys to the success of Web services will be the ability to make them secure—and to convince people that they indeed are safe to use, said Anne Thomas Manes, research director for the Burton Group. So far, the adoption of Web services has been spotty. "My view is that one of the primary reasons Web services are not used more today is because most people think it is an insecure approach," said Manes, who appeared recently at the CeBIT America conference in New York City.
Amit Yoran, vice president of managed security services for Symantec and a co-panelist with Manes, thinks that those who feel that security is not as good as it should be have a good point. "I think that most Web services being deployed do not have a well thought out and defined security strategy," he said. "If you are relying on existing security deployments—meaning a traditional firewall and intrusion detection—and you are deploying a Web services infrastructure, you probably need to reevaluate your design."
Today vs. tomorrow
The difference between security to this point and what is necessary in the future can be summed up as the transition from scenarios in which the enterprise is secured from various points to one in which security permeates the enterprise, the data flowing through it, and the links between it and other networks. Yoran, who refers to this as "defense in depth," said that such an approach will not only secure Web services, but improve security for other applications and services. "A much more layered approach to security needs to be applied," he said. "It needs to be at the perimeter network-based controls, host-based controls and protections, and service-based controls. The appropriate solution depends on the right mix for the particular applications and network, he said.
Progress is being made, Manes said. In most cases, applications flowing over the Internet use secure socket layer (SSL) technology for protection. This is a well understood and useful protocol, but the demands of Web services mean that a more sophisticated, granular, and finely controlled security must be developed and implemented. "The problem is that Web services are likely to get more complex," she said. "There may be multiple intermediaries en route, or the Web services will actually be comprised of a number of other Web services. SSL cannot service those requirements."
WS-Security is in the works
Manes said that efforts are well underway to develop these approaches. The ultimate goal is the creation of a middleware layer that enables security to be handled in a manner that occurs "under the covers"—without intervention by users. One of the main Web services security initiatives is WS-Security. It's being developed by the Organization for the Advancement of Structured Information Standards (OASIS), which is made up of an industry consortium. WS-Security, according to Manes, is a means of using the extensible markup language (XML) to encrypt and digitally sign Simple Object Access Protocol (SOAP) messages. It also provides a mechanism for passing security tokens for authentication and authorization for the SOAP message. SOAP is a way to use XML and HTTP to communicate between operating systems, even if the two OSs are different. The WS-Security effort comes on the heels of a related endeavor at OASIS. The Security Assertions Markup Language (SAML), which became a standard last year, provides a way to create the tokens used in WS-Security.
WS-Security can also be implemented as an add-on to existing platforms, either through a management product or as an element of an XML firewall. This approach, which Manes calls the Web services management extension category, is supported by AmberPoint, Westbridge, Reactivity, Vordel, and others. "What they do is intercept messages and add support for WS-Security," Manes said.
Manes said five platform companies already are implementing WS-Security: BEA, Microsoft, IBM, Systinet, and The Mind Electric. She said that as many as 50 platform companies eventually may follow suit. She also expects WS-Security to become a standard by the end of the year.
Much work to be done
The bottom line of this confusing mix of organizations and committees—as well as others that are vying to secure Web services—is not just to provide security, but to do it in a way that can be adopted on a universal basis. This must demand, at best, limited involvement by end users. Now, Manes said, they still need to do quite a bit of programming to make it work. By the end of next year, it will be much more transparent.