The security standards within the Web Services Framework (WSF) have made significant progress, and a wide variety of products support Web Services Security (WS-S), the foundation of the WS-* security architecture.
Since security is frequently an afterthought, the fact that security standards are being hammered out early in the Web services and SOA deployment stage is promising, Kelley said, but she stressed that standards are only one part of a security strategy.
"It's encouraging to see security being thought about seriously and early in the process, but standards can only do so much," she said. "Companies have to go the extra mile to put in appropriate security. At the end of day I could buy a product with rich security and opt not to use any of it."
In her recent report, "Web Services Security Standards 2006: Where Are We Now?" Kelley traces the history and progress of the WSF security stack, which IBM and Microsoft first described in 2002. Today the specifications, which include WS-S, Web Services Secure Exchange (WS-SX) and WS-Policy, are in different stages with a variety of standards bodies, with WS-S the furthest along. Version 1.1 of WS-S was ratified by OASIS in February, WS-SX is with OASIS and WS-Policy was submitted to the World Wide Web Consortium (W3C) in April.
According to Kelley, WS-S provides end-to-end encryption and granular control of message security. However, she said many organizations have not implemented that level of security yet despite the availability of products that support WS-S. Instead, she said, organizations use HTTP authentication, Secure Sockets Layer (SSL) authentication and SSL encryption for protecting SOAP message traffic.
"For a lot of companies that were just testing or prototyping and planning, many went out with an easier approach, using pure SSL and point-to-point security," she said. "We haven't seen the complexity of WS-S being applied as universally as the simpler [solutions], but that trend seems to be changing" as deployments get more sophisticated.
The drive is "a combination of building out their service-oriented architecture, getting more comfortable with it, and then looking to increase the security of it. It's a fairly common trend in IT -- we put something out there and then we secure it later. It hasn't been quite that way with Web services, but as companies are deploying they're going from less sophisticated [security] to more sophisticated."
While WS-S looks to gain traction, the other specs are not as far along. The three WS-SX specifications, which extend the security functionality of WS-S, are WS-Trust, WS-SecureConversation and WS-SecurityPolicy. According to the Burton report, final specification revisions are not expected until June 2007.
WS-Policy, which is in the hands of the W3C, is more complicated and ambitious, according to Kelley. It provides a framework for describing and exchanging information about the rules and policies associated with using a Web service. However, Kelley stressed that organizations still need to determine their own policies.
"These standards do what they set out to do quite well, but we need to understand what they do. WS-Policy and WS-SecurityPolicy are not actually stating policy that has to be adhered to; they don't say this is the right thing, this is the wrong thing," Kelley said.
"When we think about policies inside organizations, we think granular controls around a piece of data, and we ask questions like how long does a cryptokey need to be? WS-Policy and WS-SecurityPolicy are meant as a way to express and share that kind of information. The final policy decisions are up to the organizations implementing the Web services themselves," she said.
Specs waiting to be published
Two other security specs, WS-Authorization and WS-Privacy, have not been published yet, and Kelley said they have "the potential of going stagnant." WS-Federation, meant to enable identity, attribute, authentication and authorization sharing across trust realms, is not on a standards track. However, she said, "Some feel Federation is critical and will be important moving forward; some feel it's dead. It is in the Microsoft Active Directory [Windows Server 2003 R2.], so I don't think it's going away."
In general, Kelley said significant progress has been made with the Web services security specifications, but she said she wants organizations to realize "this is still new, it's still being worked on, and don't expect to find everything done and baked."
The focus on SOA security is part of an overall increased focus on application security, Kelley said. "Be it a Web application or part of a SOA, application awareness and data protection and management are becoming more critical with higher visibility. Where SOA will come into mix is if there is an access layer to back-end data, you've got to make sure access to that is protected appropriately."
But just implementing WS-S and related security specs won't be enough, she said. Organizations will still need layered security. "It doesn't mean if you put security into the SOA itself that we can forget about things like perimeter firewalls -- and you still have host security to worry about. Just using standards or products to implement standards doesn't make all of your security decisions for you."