The Web Services Advisor
What you need to know about Web services security
What's the biggest problem with Web services and the most likely reason that the technology won't become widely accepted?
In a word, security. Without adequate ways to protect privacy, verify identity, secure data and stop Web services from being used as a hacker platform, Web services will end up as nothing more than a technology footnote, along with other much-hyped but forgotten phenomena.
Security matters most when Web services are used outside a company firewall, for business-to-business or business-to-consumer transactions. Without basic assurances about the identity of the people and systems involved in a transaction, about whether messages are delivered and whether the business processes complete, and without guarantees that personal and financial information won't be stolen, Web services simply won't be used.
So it's no surprise that a survey of 400 enterprise development managers by the Evans Data Corporation found that the biggest obstacle to Web services, from the managers' point of view, was security. Over 45 percent said that security was their top concern - more than double the second-most cited worry.
Where the problems lie
The very thing that makes Web services so attractive is the thing that makes them so vulnerable. XML is simple and portable - its strength - which means that the data it carries is just as readable to anyone else who gets hold of the document; the format itself includes no built-in security mechanisms. And transactions done via Web services mean that documents are inspected and altered by intermediaries en route -- this constant inspection and alteration means that security needs to be built in at every point of the process, not just at the two ends of the connection.
The heart of the problem is that it's not good enough to secure data and information when it's being sent out across the Internet. A complete end-to-end solution needs to be built that takes into account securing data even after it's stored on a network or server. And since the data will be examined, altered and used by many people en route, it also must allow some parts of an XML document to be encrypted and signed -- but not others -- and must specify who has access to what parts of the document and who doesn't.
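As an added illustration of the selective signing this paragraph calls for (and of what the XML Signature standard mentioned later in this column provides), the following Python sketch signs one element of an order document and leaves the rest open to change. It is not code from the column or from any of the companies it names. It keeps the shape of XML Signature: a Signature element carrying a SignedInfo whose Reference URI="#id" points at the covered subtree and holds a digest of that subtree's canonical form, with the signature computed over SignedInfo. Because the Python standard library has no RSA or XML-DSig implementation, HMAC-SHA256 with a shared key stands in for the asymmetric signature, and Python's C14N 2.0 canonicalizer stands in for the C14N transform the standard names; the order document, the Id values, the element names and the key are all constructed for this example.

```python
"""Signing one part of an XML document and leaving the rest open to change.

Added example, not code from the column or from any product it mentions.
It follows the shape of XML Signature (a Signature element holding a
SignedInfo with a Reference URI="#id" to the covered subtree and a digest of
its canonical form), but uses HMAC-SHA256 with a shared key in place of an
asymmetric signature and Python's C14N 2.0 canonicalizer in place of the
C14N transforms the standard names, because the standard library has
neither RSA nor XML-DSig. Document, Ids and key are constructed for the demo.
"""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

DSIG = "http://www.w3.org/2000/09/xmldsig#"   # real XML-DSig namespace, used only to name elements
KEY = b"constructed-shared-demo-key"          # stand-in for the signer's private key

# Constructed sample: the payment block is signed; shipping details are left
# unsigned so that a carrier or partner system may rewrite them en route.
ORDER_XML = """<Order xmlns="urn:example:orders">
  <Shipping><Carrier>Acme Freight</Carrier><Address>1 Main St</Address></Shipping>
  <Payment Id="pay1"><Card>4111111111111111</Card><Amount currency="USD">120.00</Amount></Payment>
</Order>"""


def _c14n(el):
    # Canonical bytes of a subtree: prefix- and whitespace-independent, so the
    # digest survives re-serialization by intermediaries that leave content alone
    return ET.canonicalize(ET.tostring(el, encoding="unicode"),
                           strip_text=True, rewrite_prefixes=True).encode()


def _find_by_id(root, elem_id):
    for el in root.iter():
        if el.get("Id") == elem_id:
            return el
    return None


def sign_part(xml_text, elem_id, key=KEY):
    """Append a Signature covering only the element whose Id is elem_id."""
    root = ET.fromstring(xml_text)
    target = _find_by_id(root, elem_id)
    if target is None:
        raise ValueError(f"no element with Id={elem_id!r}")
    digest = hashlib.sha256(_c14n(target)).digest()

    sig = ET.SubElement(root, f"{{{DSIG}}}Signature")
    signed_info = ET.SubElement(sig, f"{{{DSIG}}}SignedInfo")
    ref = ET.SubElement(signed_info, f"{{{DSIG}}}Reference", URI=f"#{elem_id}")
    ET.SubElement(ref, f"{{{DSIG}}}DigestValue").text = base64.b64encode(digest).decode()
    # The MAC (an asymmetric signature in real XML-DSig) is over SignedInfo, so
    # the reference and the digest it carries are protected against substitution
    mac = hmac.new(key, _c14n(signed_info), hashlib.sha256).digest()
    ET.SubElement(sig, f"{{{DSIG}}}SignatureValue").text = base64.b64encode(mac).decode()
    return ET.tostring(root, encoding="unicode")


def verify_part(xml_text, key=KEY):
    """Return the verified element, or None if the signature does not check out.

    Callers should act only on the returned element: looking the element up
    again by Id after verification is what signature-wrapping attacks exploit.
    """
    root = ET.fromstring(xml_text)
    sig = root.find(f"{{{DSIG}}}Signature")
    signed_info = sig.find(f"{{{DSIG}}}SignedInfo") if sig is not None else None
    ref = signed_info.find(f"{{{DSIG}}}Reference") if signed_info is not None else None
    sig_value = sig.findtext(f"{{{DSIG}}}SignatureValue") if sig is not None else None
    if ref is None or sig_value is None or not ref.get("URI", "").startswith("#"):
        return None
    # 1. MAC over SignedInfo: a changed URI or DigestValue fails here
    expected = hmac.new(key, _c14n(signed_info), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, base64.b64decode(sig_value)):
        return None
    # 2. Digest of the referenced subtree: a changed Card or Amount fails here,
    #    while edits outside the subtree (Shipping) are deliberately not covered
    target = _find_by_id(root, ref.get("URI")[1:])
    if target is None:
        return None
    given = base64.b64decode(ref.findtext(f"{{{DSIG}}}DigestValue") or "")
    if not hmac.compare_digest(hashlib.sha256(_c14n(target)).digest(), given):
        return None
    return target


def demo():
    """Sign the payment block, then tamper with signed and unsigned parts."""
    signed = sign_part(ORDER_XML, "pay1")
    return {
        "intact": verify_part(signed) is not None,
        "shipping_changed": verify_part(signed.replace("1 Main St", "2 Side Rd")) is not None,
        "amount_changed": verify_part(signed.replace("120.00", "1.00")) is not None,
        "reference_changed": verify_part(signed.replace('URI="#pay1"', 'URI="#pay2"')) is not None,
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:18s} verified={ok}")
```

Edits to the unsigned Shipping block pass verification, while edits to the signed Payment block, or to the Reference inside SignedInfo, fail. The verifier hands back the element it actually checked rather than a bare yes/no so that the application consumes the verified subtree; re-locating the element by Id after verification is the mistake that XML signature-wrapping attacks rely on, and it applies equally to the real XML Signature processing this sketch imitates.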
Making things even more problematic is that the SOAP specification itself defines no security mechanism. In the SOAP standard from the W3C at http://www.w3c.org/TR/SOAP/, the only mention of security comes under the "Security Considerations" heading, and consists of two sentences: "Not described in this document are methods for integrity and privacy protection. Such issues will be addressed more fully in a future version(s) of this document."
In other words, you're on your own.
Do-it-yourself security
As I'll detail later in this column, there are some standards and techniques on the horizon for securing Web services. But for now, when it comes to security, Web service pioneers are rolling their own solutions. For example, when i-Deal, a New York-based company, created a Web-service-based platform for the securities industry, security concerns were paramount. Because there weren't any widely accepted security standards when the service was being built, the company came up with its own security measures, using SSL, PKI and a token-based scheme carried in SOAP messages.
Similarly, the Dollar Thrifty Automotive Group's Dollar Rent-A-Car Systems Inc. subsidiary in Tulsa, Oklahoma, built a Web service that links its reservation system to an airline partner's reservation system. Again, there were no widely accepted security standards to fall back on, so the company built its own internal solution, establishing a direct connection between the two systems, without going out over the Internet. That way, the security issues raised by building a Web service over the Internet were circumvented.
But officials in charge of both projects believe they've built only temporary solutions and that ultimately, standards such as XML Signature will need to be used.
What the standards are
The good news is that there are a number of standards in various stages of development that can ultimately help solve the security problem. In future columns, I'll take a closer look at them. Here, though, are capsule descriptions of some of the important ones:
These standards aren't quite "cooked" yet and are in various stages of being approved. But together, they'll most likely determine the future of Web services security. In my next column, I'll take a look at security standards in more detail.
About the Author
Preston Gralla, a well-known technology expert, is the author of more than 20 books, including "How the Internet Works," which has been translated into 14 languages and sold several hundred thousand copies worldwide. He is an expert on Web services and the author of a major research report and white paper for the Software and Information Industry Association on the topic. Gralla was the founding managing editor of PC Week, a founding editor and then editor and editorial director of PC/Computing, and an executive editor for ZDNet and CNet. He has written about technology for more than 15 years for many major magazines and newspapers, including PC Magazine, Computerworld, CIO Magazine, eWeek and its forerunner PC Week, PC/Computing, the Los Angeles Times, USA Today, and the Dallas Morning News among others. As a well-known technology guru, he appears frequently on TV and radio shows and networks, including CNN, MSNBC, ABC World News Now, the CBS Early Show, NPR's All Things Considered and others. He has won a number of awards for his writing, including from the Computer Press Association for the Best Feature in a Computer Publication. He can be reached at preston@gralla.com.