Fears about Web services security shouldn't dissuade organizations from implementing the technology, experts say.
Yet security should be a consideration right from the beginning of any Web services project, said Jason Bloomberg, a senior analyst with ZapThink, a Waltham, Mass.-based analyst firm that specializes in Web services and XML.
"You can't be a little bit secure. It's like you have 10 doors and you only lock eight of them," Bloomberg said.
Although still in their infancy, Web services are expected to explode in the next few years. The technology allows companies to link different systems together without the pain that often accompanies traditional integration projects.
Web services send and receive data in the form of Extensible Markup Language (XML) messages, which travel via Simple Object Access Protocol (SOAP). In essence, Web services are like written correspondences; XML serves as the common language in each message and SOAP is the envelope.
Despite the technology's growing popularity, security concerns have hobbled some Web services projects. A number of companies have limited their Web services experiments to those within the firewall because of security fears.
Pete Lindstrom, director of security strategies at the Hurwitz Group, Framingham, Mass., said that secure Web services -- even outside the firewall -- are possible today if companies understand the risks and take appropriate steps to address them. There
First, the XML message can be tampered with en route. Data within the transaction can be changed. (Attaching a signature would address this problem). Data can also be "sniffed" from transactions, which means data is pulled out, but encrypting transactions would address that issue, Lindstrom said.
Transactions could be "spoofed" or made to appear from legitimate sources, a threat that could be addressed by validating transactions. People lodging attacks could also "replay" transactions so the same data is submitted over and over again. Validation and auditing would catch such attacks.
Second, each data source that a Web service pulls data from should be examined to make sure it is secure. This is important, as the application will only be as secure as each individual component. The real power of Web services is the ability for systems to pull information from each other without user intervention, Lindstrom said.
At this point, companies would need to evaluate the safety of their own internal systems and also external systems, if data will be coming from them, Lindstrom said. For example, a company may set up a travel expense report application that can send and receive information from Web services set up by airlines, car rental companies and restaurants.
When evaluating the security of systems, companies will need to assess their own risk comfort level for information paths, Lindstrom said. For example, an e-commerce site that allows resellers to use Web services would be very concerned about security. Security may not be as important for an internal application.
Another consideration for Web services is getting a firewall that can scan XML traffic. "Most traditional firewalls would be inadequate for this purpose," Bloomberg said.
Yet Web services can be used to improve an organization's security. For instance, a company can use them to give end users permission to access certain systems. When an employee quits the company, then all their permissions can be revoked with a simple command, Bloomberg said.
A powerful use of Web services is the ability to pull data from a variety of systems, including legacy systems, without having to integrate them transitionally.
For example, a company could use Web services to grant users access to payroll information stored on a mainframe. "Web services are a secure way to access the data without having to do a lot of programming on the mainframe," Bloomberg said.
Now, the theory behind Web services is nothing new. Technologies that offer applications via networks such as CORBA have been around for a while. "Web services are not revolutionary, they are more evolutionary," Bloomberg said.
MORE INFORMATION ON THIS TOPIC:
Check out SearchWebServices.com's Best Web Links on security.
Read the featured column, "What you need to know about Web services security" on Click here for more information.
This was first published in September 2002