Web services changes the security game

Peter Judge: People don't want to wait for Web services - so the security industry is going to have to shift a generation pretty quickly.

No one is quite sure how quickly Web services are taking off, but three things are very clear. Firstly, security is the biggest obstacle to people adopting Web services. Secondly, they are right to be nervous -- because the work is not yet done. But thirdly, the industry -- users and vendors -- will not let this stop the spread of Web services.

So we are going to see some very fast work in security over the next year or so.

"The main barrier to the wholesale adoption of Web services is security and trust," said David Sprott, chief executive and principal analyst at CBDi, a Web services consultancy.

This shows up in how people are using them. "Web services are mostly taking off internally," said Mark Greatorex, director of .Net for Microsoft UK. "People want to get it right internally, before they expose their Web services externally."

Not everyone agrees though. "People are immediately doing Web services outside the company," said Andrew Nash, director of technology and standards at RSA Security. "People are doing way more than I would have expected."

People who talk to the director of technology at trust specialist RSA will be very leading edge users. But the rate of adoption has taken Nash by surprise. As far as he was concerned, Web services were still climbing up the early slope of the Gartner hype curve -- somewhat earlier in its life than Gartner itself seems to think.

Nash thinks Web services are in their infancy, because he is familiar with how good security is in IT generally, and how good it will have to be for sensible companies to trust Web services on interactions between companies. "I expected to see IT guys kicking the tyres, and not much more," he said.

But people want to do more, and are asking the IT guys to deliver, because they see what Web services can offer. He talks of a big financial information provider that wants to rush ahead with external Web services: "XML is wonderful for them," he said. They have high value information, and XML gives it its own intelligence, allowing them to deliver it in more ways to customers.

Security and trust has painstakingly built up for IT services where humans interact with applications. But Web services involves applications, or components, interacting directly with each other. And this requires a whole new level of trust.

A person can spot that levels of raw materials are low in the warehouse stock system, and order more from an ordering application, maybe using passwords nd encryption. But for the stock system to order directly, when it sees the level has fallen (a typical in-house Web services application) would require something more. The components at each end of the Web services link are dumb, and need to be protected from making dumb mistakes (the spin off is that doing this may make the Web safer for dumb people too). This requires transactional security, said Nash.

In fact, Greatorex's "internal services only" customers should not feel too safe, because the difference between internal and external is irrelevant. Unlike previous attempts at automating business transactions, such as EDI and CORBA, Web services will be very easy to set up and consume. And they are happening at a time when the boundaries of the company have become porous.

If someone makes a Web service in the company -- say an order tracking application -- what's to stop another employee deciding it is just the ticket to help out one of his clients, and make it available to them, through port 80? Encrypted Web services can tunnel in and out of the corporation -- exposing them to hackers.

So it is not surprising to see the Web services world working hard on security. XML is being given the use of digital signatures, and a key management system. Microsoft and IBM have produced WS Security, a standard format for passing credentials.

There are toolkits for security and -- surprisingly enough -- there is some evidence that they work together. CBDI has carried out a test building a Web service from components based on Microsoft's WSE security and IBM's WSTK, and it worked. "It was dead easy," said Sprott. "Any problems are not with the toolkits, but with the utilities." So there will be a job for WS-I, the interoperability group, to make sure that the details of the implementations work together.

Applications are becoming aware of security -- not the infrastructure: "You don't ask the postman to sign your cheques," said Sprott.

The Web services security movement will have to build a consistent security layer across all platforms -- and also set up inspection points where all SOAP messages are checked. "This may take two or three years to develop completely," said Nash.

More enterprise IT news in ZDNet UK's Tech Update Channel.

For a weekly round-up of the enterprise IT news, sign up for the Tech Update newsletter.

Let the editors know what you think in the Mailroom.