|
Many analysts, as well as software and IT services companies, are touting the power and indomitable future of Web services. And with new Web services development tools on the market, it is becoming easier for companies that are willing to experiment to deploy inexpensive Web services. But in a report published this month, research company Forrester notes that "novices are easily building and deploying Web services interfaces to critical data and unknowingly exposing their firms to security risks."
Web services, as a concept, has gathered steam over the last year, promoted by companies including Irish firms Cape Clear, Vordel and Iona.
Essentially Web services is the name developers have given to a way of making all applications on a corporate network interoperable and available over the Internet. Web services provide a standard way to discretely package any piece of data, (such as information on a database, a specific query, business logic) and make that data accessible to anything else (such as another database, a mobile handset or an external partner's system).
Forrester said back in December 2001, in a report entitled "Start Using Web Services Now," that companies need to jump on the Web services bandwagon immediately, in part because the technology can cut down on costs, but also because rolling out the technology will be less expensive for early adopters.
But in its latest report "Securing Web Services," the research firm warns that without security, Web services will remain hidden in the back office. Forrester also points out that security is the top concern companies have when considering the deployment of Web services.
"The vast majority of our customers aren't that concerned about security because most of their Web services are deployed internally," explained PJ Murray, product manager with Cape Clear. "But as soon as the stuff goes out over the Internet, they suddenly become very concerned about security."
Traditional network applications may each have their own security mechanisms that companies can manage on an individual basis. But with Web services, maintaining a different security protocol for each module will make managing overall network security impossible, Forrester claims, because firms will have hundreds, or thousands, of Web services.
All of this leads to an impasse. Large firms are being urged to roll out Web services, but the security that comes with them is either feeble, or it will eventually be so complex it will be unmanageable. "In the short run, it's possible to build one-off security for each Web service -- in much the same way as firms do with any other application," explained Forrester. "But this approach won't work beyond the first few Web services -- soon enough, firms will need a better way."
The solution is to build a security abstraction layer, Forrester recommends. A security abstraction layer (SAL) sits over an entire array of Web services in a company's network and consists of a collection of users that are controlled by the same authentication policy. Using a SAL, system administrators can assign security permissions to each employee, controlling that person's ability to access data and administration functions from a central point.
The whole point of Web services is that they eliminate dependence on which underlying technologies firms choose to use and "the same holds true for Web services security," Forrester said in the report. "Firms can choose whichever security products meet their needs best...but must ensure that the products can speak the security standards highlighted here -- like WS-Security or SAML."
But Murray and Cape Clear are somewhat more pragmatic. He counters Forrester's argument by saying, "We really like SAML...but customers are just too nervous about ripping out all of their existing security infrastructure, only to replace with untested technology." He added, "When it comes to Web services we are really cutting edge, but when it comes to security we are quite conservative because that's what they (the customers) demand."
|
