When it comes to Web services security, I've heard this analogy: Right now, it's like having to get 50 separate drivers' licenses to drive across all fifty states in the United States. But, nobody's at the point yet where he or she is doing a lot of driving outside of their own jurisdiction.
But we're ready to cross boundaries into other servers and systems to access or provide services. It's not just a business-to-business matter, either, Eugene Kuznetsov, Chairman and CTO of DataPower, observes in this recent overview on ZDNet. "From e-business transactions over the Internet to logins for the employee HR portal, uniform access control and robust management tools are required to securely enable connectivity for customers, partners and employees. ... of the issues around federated identity."
Single sign-on capabilities across multiple sites and servers, enabled with Security Assertion Markup Language, or SAML, may resolve some of these issues. As Kuznetsov puts it, "Federated identity management applies the concept of a federal system to the ever-present problem of access control, and by using Web services standards makes secure connectivity universal. In turn, Web services use federated identity management technology to secure business transactions."
In a project for WebServices.Org, Colin Adam and I recently had the opportunity to chat with Kuznetsov, and a transcript of our conversation is posted here. Kuznetsov, whose company, DataPower, provides hardware that processes and secures Web services messages, warns of "bad" XML that may compromise transactions.
Bad XML is "XML without service attack protection and schema validation," he explains. "Good" XML, on the other hand, is built on "fine-grain authorization, in terms of who can call which SOAP method call." Expect to see incidents involving unsecured XML over the next few years, he warns. "When it does, it will be very ugly and very public because, unlike the days of Web sites where some credit cards were stolen, the compromise of back-end systems could shut down assembly lines or initiate multi-billion-dollar fund transfers."
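The two halves of Kuznetsov's "good XML" (refusing hostile message structure before it is parsed in full, then fine-grain authorization on which SOAP operation a caller may invoke) as an added Python example that is not from the post or from DataPower. The service namespace, the role policy and the size and depth limits are assumptions, and the namespace check stands in for full schema validation.

```python
import io
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SVC_NS = "urn:example:orders"            # hypothetical service namespace
MAX_BYTES, MAX_DEPTH = 64 * 1024, 32     # coarse resource limits (assumed values)

# Role -> SOAP operations that role may invoke (hypothetical policy).
POLICY = {
    "customer": {"getOrderStatus"},
    "partner":  {"getOrderStatus", "placeOrder"},
    "finance":  {"getOrderStatus", "placeOrder", "transferFunds"},
}

def authorize(doc: bytes, role: str) -> tuple:
    """Return (allowed, operation name or rejection reason) for one SOAP request."""
    if len(doc) > MAX_BYTES:
        return False, "message exceeds size limit"
    # Entity declarations are the vehicle for entity-expansion attacks; refuse them outright.
    if b"<!DOCTYPE" in doc or b"<!ENTITY" in doc:
        return False, "DTD/entity declarations not allowed"
    stack, ops = [], []
    try:
        for event, el in ET.iterparse(io.BytesIO(doc), events=("start", "end")):
            if event == "start":
                stack.append(el.tag)
                if len(stack) > MAX_DEPTH:
                    return False, "nesting too deep"
                # Direct children of soap:Body are the operations being invoked.
                if len(stack) == 3 and stack[:2] == [f"{{{SOAP_NS}}}Envelope", f"{{{SOAP_NS}}}Body"]:
                    ops.append(el.tag)
            else:
                stack.pop()
    except ET.ParseError as exc:
        return False, f"malformed XML: {exc}"
    if len(ops) != 1:
        return False, "Body must contain exactly one operation"
    ns, _, name = ops[0].rpartition("}")
    if ns != "{" + SVC_NS:               # stand-in for full schema validation
        return False, f"operation {name!r} not in service schema"
    if name not in POLICY.get(role, set()):
        return False, f"role {role!r} may not call {name}"
    return True, name

def soap(op_xml: str) -> bytes:
    """Wrap an operation element in a SOAP 1.1 envelope (constructed sample input)."""
    return (f'<soap:Envelope xmlns:soap="{SOAP_NS}" xmlns:o="{SVC_NS}">'
            f'<soap:Body>{op_xml}</soap:Body></soap:Envelope>').encode()

STATUS_REQ = soap('<o:getOrderStatus><o:orderId>42</o:orderId></o:getOrderStatus>')
TRANSFER_REQ = soap('<o:transferFunds><o:amount>1000000</o:amount></o:transferFunds>')
DTD_REQ = b'<!DOCTYPE x [<!ENTITY e "x">]>' + soap('<o:getOrderStatus/>')
DEEP_REQ = soap('<o:getOrderStatus>' + '<a>' * 40 + '</a>' * 40 + '</o:getOrderStatus>')
```

A gateway would run `authorize` with the role taken from the caller's validated SAML assertion, so the same policy applies whether the request came from a customer, a partner or an employee portal.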