The Web Services Advisor
What you need to know about Web services security
In a word, security. Without adequate ways to protect privacy, verify identity, secure data and stop Web services from being used as a hacker platform, Web services will end up as nothing more than a technology footnote, along with other much-hyped but forgotten phenomena.
Security is particularly important when Web services are used outside a company firewall, for business-to-business or business-to-consumer transactions. Without basic assurances about the identity of the people and systems involved in a transaction, about whether messages are delivered and business processes completed, and without guarantees that personal and financial information won't be stolen, Web services simply won't be used.
So it's no surprise that a survey of 400 enterprise development managers by the Evans Data Corporation found that the biggest obstacle to Web services, from the managers' point of view, was security. Over 45 percent said that security was their top concern - more than double the second-most cited worry.
Where the problems lie
The very thing that makes Web services so attractive is what makes them so vulnerable. XML is simple and portable - its strength - which also means it exposes data easily, and it includes no built-in security mechanisms. And because a Web service transaction routes documents through intermediaries that inspect and alter them en route, security needs to be built in at every point of the process, not just on the wire. The heart of the problem is that securing data only while it travels across the Internet (which is what SSL does, hop by hop) is not good enough. A complete end-to-end solution must also protect the data after it has been stored on a network or server. And since the data will be examined, altered and used by many parties en route, the solution must allow some parts of an XML document to be encrypted and signed - but not others - and must specify who has access to which parts of the document and who doesn't.
Making things even more problematic is that the SOAP specification itself defines no security. In the SOAP 1.1 document published by the W3C at http://www.w3c.org/TR/SOAP/, the only mention of security comes under the "Security Considerations" heading, and consists of two simple sentences: "Not described in this document are methods for integrity and privacy protection. Such issues will be addressed more fully in a future version(s) of this document."
In other words, you're on your own.
As I'll detail later in this column, there are some standards and techniques on the horizon for securing Web services. But for now, when it comes to security, Web service pioneers are rolling their own solutions. For example, when i-Deal, a New York-based company, created a Web-service-based platform for the securities industry, security concerns were paramount. Because there weren't any widely accepted security standards when the service was being built, the company came up with its own security measures: SSL for the transport, PKI for identity, and a token-based scheme carried in the SOAP messages.
Similarly, the Dollar Thrifty Automotive Group's Dollar Rent-A-Car Systems Inc. subsidiary in Tulsa, Oklahoma, built a Web service that links its reservation system to an airline partner's reservation system. Again, there were no widely accepted security standards to fall back on, so the company built its own internal solution, establishing a direct connection between the two systems, without going out over the Internet. That way, the security issues raised by building a Web service over the Internet were circumvented.
But officials in charge of both projects believe they've built only temporary solutions and that ultimately, standards such as XML Signature will need to be used.
What the standards are
The good news is that there are a number of standards in various stages of development that can ultimately help solve the security problem. In future columns, I'll take a closer look at them. Here, though, are capsule descriptions of some of the important ones:
- XML Signature This allows XML documents to be digitally signed. Key to the standard is that it can sign an entire document or only selected portions of it, an absolute necessity since intermediaries alter XML documents during Web service transactions: a signature over the whole message would be invalidated by every legitimate change to a routing header.
- XML Encryption This is a companion to XML Signature. It can encrypt and decrypt entire XML documents or individual sections of them, so that only the sensitive parts (a card number, say) need be hidden from the intermediaries that handle the rest of the message.
- XKMS (XML Key Management Specification) This defines Web service interfaces for the public-key operations behind XML Signature and XML Encryption, so that a client can look up and validate a public key, or register one, without implementing PKI itself. It's designed to solve the problem of managing keys when the parties in a transaction don't know one another. It is made up of two specifications: the XML Key Information Service Specification (X-KISS), for locating and validating keys, and the XML Key Registration Service Specification (X-KRSS), for registering them.
- SAML (Security Assertion Markup Language) This is an XML-based standard for exchanging authentication and authorization assertions between security domains. It will provide "single sign-on", so that a person is authenticated once and can then access multiple Web services.
These standards aren't quite "cooked" yet and are in various stages of being approved. But together, they'll most likely determine the future of Web services security. In my next column, I'll take a look at security standards in more detail.
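The point made above, under "Where the problems lie" and in the XML Signature capsule, is that only part of a message can be signed so that intermediaries remain free to change the rest. The following Python is an added example, not code from the column, from i-Deal or Dollar, or from any XML Signature implementation: it mimics the shape of an XML Signature (a Reference to an element by its Id attribute, a DigestValue over that element's canonical form, and a SignatureValue over the SignedInfo) using only the standard library. The sample envelope, the key, and the names sign, verify, edit and demo are constructed for the example; an HMAC shared secret stands in for the private key that real XML Signature would use, and the stdlib's C14N 2.0 stands in for the canonicalization the standard specifies.

```python
import base64
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed sample message (not from the column): a SOAP-style envelope whose
# Header carries routing data that intermediaries rewrite, and whose Body carries
# the Order that must reach the final recipient unmodified.
ENVELOPE = """<Envelope>
  <Header>
    <Route hop="gateway"/>
  </Header>
  <Body>
    <Order Id="order-1"><Item>widget</Item><Amount>100</Amount></Order>
  </Body>
</Envelope>"""

# Demo key (assumption). Real XML Signature uses a private key (RSA/DSA); an
# HMAC shared secret stands in for it so the example runs with the stdlib only.
KEY = b"demo-shared-secret"


def _canonical_bytes(elem):
    """Canonical form of one element (stdlib C14N 2.0), ignoring tail text."""
    elem = copy.deepcopy(elem)
    elem.tail = None  # ET.tostring would otherwise serialize trailing whitespace
    return ET.canonicalize(ET.tostring(elem, encoding="unicode")).encode("utf-8")


def _digest(elem):
    return base64.b64encode(hashlib.sha256(_canonical_bytes(elem)).digest()).decode("ascii")


def _find_by_id(root, elem_id):
    """Resolve a URI="#id" reference the way XML Signature does: via an Id attribute."""
    return next((e for e in root.iter() if e.get("Id") == elem_id), None)


def sign(xml_text, elem_id, key):
    """Sign only the element carrying Id=elem_id and place a Signature in the Header."""
    root = ET.fromstring(xml_text)
    target = _find_by_id(root, elem_id)
    if target is None:
        raise ValueError(f"no element with Id={elem_id!r}")
    sig = ET.Element("Signature")
    signed_info = ET.SubElement(sig, "SignedInfo")
    ref = ET.SubElement(signed_info, "Reference", URI="#" + elem_id)
    ET.SubElement(ref, "DigestValue").text = _digest(target)
    # The signature covers SignedInfo (and thus the digest), not the raw document.
    mac = hmac.new(key, _canonical_bytes(signed_info), hashlib.sha256).digest()
    ET.SubElement(sig, "SignatureValue").text = base64.b64encode(mac).decode("ascii")
    root.find("Header").append(sig)
    return ET.tostring(root, encoding="unicode")


def verify(xml_text, key):
    """True only if SignatureValue matches SignedInfo and every referenced element's digest still matches."""
    root = ET.fromstring(xml_text)
    sig = root.find(".//Signature")
    signed_info = sig.find("SignedInfo") if sig is not None else None
    if signed_info is None:
        return False
    mac = hmac.new(key, _canonical_bytes(signed_info), hashlib.sha256).digest()
    expected = base64.b64encode(mac).decode("ascii")
    if not hmac.compare_digest(expected, sig.findtext("SignatureValue", "")):
        return False
    refs = signed_info.findall("Reference")
    if not refs:
        return False
    for ref in refs:
        uri = ref.get("URI", "")
        target = _find_by_id(root, uri[1:]) if uri.startswith("#") else None
        if target is None or not hmac.compare_digest(_digest(target), ref.findtext("DigestValue", "")):
            return False
    return True


def edit(xml_text, path, text=None, **attrs):
    """Simulate an intermediary changing one element, located by ElementPath."""
    root = ET.fromstring(xml_text)
    elem = root.find(path)
    if text is not None:
        elem.text = text
    elem.attrib.update(attrs)
    return ET.tostring(root, encoding="unicode")


def demo():
    signed = sign(ENVELOPE, "order-1", KEY)
    return {
        "as_signed": verify(signed, KEY),
        # A routing hop rewrites the Header: outside the signed element, so still valid.
        "header_rewritten": verify(edit(signed, ".//Route", hop="billing"), KEY),
        # Someone changes the amount inside the signed Order: digest no longer matches.
        "order_tampered": verify(edit(signed, ".//Amount", text="1"), KEY),
    }


if __name__ == "__main__":
    print(demo())  # {'as_signed': True, 'header_rewritten': True, 'order_tampered': False}
```

The header rewrite passes because nothing outside the referenced Order was signed; the amount change fails because the Order's digest no longer matches. One caveat worth carrying into real code: because references are resolved by Id, the application should act on the element that verify actually checked rather than re-locating "the Order" elsewhere in the message, otherwise a valid signature over one element says nothing about the element the application ends up reading.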
About the Author
Preston Gralla, a well-known technology expert, is the author of more than 20 books, including "How the Internet Works," which has been translated into 14 languages and sold several hundred thousand copies worldwide. He is an expert on Web services and the author of a major research and white paper for the Software and Information Industry Association on the topic. Gralla was the founding managing editor of PC Week, a founding editor and then editor and editorial director of PC/Computing, and an executive editor for ZDNet and CNet. He has written about technology for more than 15 years for many major magazines and newspapers, including PC Magazine, Computerworld, CIO Magazine, eWeek and its forerunner PC Week, PC/Computing, the Los Angeles Times, USA Today, and the Dallas Morning News among others. As a well-known technology guru, he appears frequently on TV and radio shows and networks, including CNN, MSNBC, ABC World News Now, the CBS Early Show, PBS's All Things Considered and others. He has won a number of awards for his writing, including from the Computer Press Association for the Best Feature in a Computer Publication. He can be reached at email@example.com.
This was first published in April 2002