Double Your Pleasure, Double Your Fun
Double down all you who uttered "security is an enabler" with a straight face, it's time to see if you were bluffing. Do it now, for we are the lucky ones -- we win with Web Services, not once but twice. Not only can we make use of a Web Services infrastructure to further security, but we are the critical piece of that Web Services infrastructure. Say it with me, "There is no way Web Services can be deployed successfully without enhanced security."
The need for security in this new world of Web Services is obvious. Information and applications can come from multiple sources and be served to multiple destinations; data can be repackaged on the fly; never before has information been so ephemeral. It's enough to make "old school" security pros shudder.
Whereas this environment may seem full of complexity, security has never been simpler. No longer saddled with the burden of native operating systems, databases, and even applications, security can finally take on its own "infrastructure," which provides a common service of authentication in multiple forms, confidentiality and integrity of information, and verification or proof of receipt.
And what shall we make of Web Services for ourselves? We already have a head start in the OASIS -- SAML initiative begun by Securant, Netegrity, and others to share user account and profile information across sites, platforms, and companies. Verisign leads the way with its XML standards for key management (XKMS) and business partner trust assertions (XTASS).
THE HURWITZ TAKE: You may have guessed by now that the big winners in all this will be the never-say-dead public key infrastructure (PKI) vendors and their supporting cast with digital signatures and encryption at the heart of our "new world order." Finally, the promise of PKI will be realized.
Even more exciting are the opportunities for other security vendors to step on each other's toes and jockey for position in the Web Services world. Consider some of the possibilities:
Authentication requirements go through the roof with the need to authenticate sources in the form of people and devices.
Firewalls become fluent in the language of XML and encryption as they migrate toward user-aware access control gateways for legacy systems. Or will some other gateway device step in?
Intrusion detection sensors become OCSP responders to signal "intrusions" in the form of unauthorized certificates. Somewhere buried under the covers is also a better way to update signature databases.
Transaction security devices join the fray to specialize in Web Services and compete against the spaces above. With no legacy limitations, they can push far ahead technologically.
So, while the paranoid pundits tremble and the left-behind Luddites say Web Services is just too insecure, we at Hurwitz Group say to all security professionals, "Step up or be gone forever. Take this opportunity to demonstrate the true value of security. Be the first to dive in and express your support for the radical new business model that is Web Services. Design and define your security architecture in a way that anticipates and leverages the uses of Web Services."
It can't happen without us.
Copyright 2002 Hurwitz Group Inc. This article is excerpted from TrendWatch, a weekly publication of Hurwitz Group Inc. - an analyst, research, and consulting firm. To register for a free email subscription, click here.
For More Information:
- Looking for shortcuts and helpful tips? Visit our Tip Exchange for time-saving and informative tips.
- Visit our Best Web Links for Web Services for quality resources selected by our editors.
- Discuss this article, voice your opinion or talk with your peers in our Discussion Forums.
- Visit Ask the Experts for Web services, SOAP, WSDL, XML, .NET, Java and EAI answers.