Ask The SOA Expert: Questions & Answers

Addressing critics who cite Web services security concerns, part two

EXPERT RESPONSE FROM: Donald Flinn

QUESTION POSED ON: 03 June 2003
How do you respond to critics who say that Web services security hasn't yet reached the point where it's safe for organizations to implement Web services? I've been hearing that a lot lately.

Click to read part one of this answer.

An example of an extranet scenario would be a major company interacting with its suppliers using Web services. In the extranet situation, the overall risk generally increases since there are one or more disparate companies involved, even though the business relationship is firmly established. In this situation, digital signature and possibly encryption might also be a required component of the Web Service security. These are also available today in the aforementioned WS-Security SDKs. Therefore, extranet transactions can usually be carried out securely using today's implementations of Web Services security and traditional security.

In the internet scenario, the ability to establish and maintain security policy agreements and security data, such as user credentials, with potentially unknown customers is not firmly established. Consequently, I would say that, except for low value transactions, the infrastructure is not yet in place for secure, general internet transactions. I believe that we first need to get experience with secure intranet and extranet Web services transactions before we move to secure internet transactions. Note that I am not saying that the basic security tools and algorithms are not available - they are. What is not established is the higher-level constructs and experience with these constructs, although there is significant work being done in this sphere.

In summary, as you move from intranet, to extranet, to internet Web services, the capability of securing these transactions progresses from straightforward to difficult using today's security products and procedures. Rephrasing the thrust of the original question as, "*can* we safely implement Web services", the answer is yes, we know how. However, the final determination depends on a well thought out risk analysis and a tradeoff with the cost/effort that is required to implement the solution. This has been and will always be true since security, at its core, is risk management. My answer was predicated on the use of available middleware to make the problem relatively straightforward to implement for user companies. Please note that space precluded me from going into many of the nuances of the various situations and mention of additional security products that are available. (After all, my co-authors and myself took over 400 pages to describe Web services security in our book :-). On the positive side, note that some eleven plus vendors of Web services security will be participating in a Web Services Interoperability test on June 9 & 10, 2003.) We will dig into many of the detailed nuances of Web Services security in future answers to the great questions that I expect from all of you.

