Developer Advice as Unity over Security Emerges

As Sun, Microsoft and IBM unify on web service security, a just-released ZapThink study suggests some helpful ways for developers to separate hype from reality.

Tags: Web Services, Security, Web Services Projects, XML, Bloomberg, Standards, Firewall,

Developers trying to find the best way to implement security for their XML-based web services projects will have an easier time defining projects and choosing products if they keep the overall landscape in mind -- and know how to navigate it.

That's one of the key conclusions from a study from ZapThink on web services security just released entitled XML and Web Services Security. Just as the study is made public, the titans of web services -- Sun, Microsoft and IBM -- appear to be poised to reach an agreement on some levels of security for emerging Web Services.

The study's author, Jason Bloomberg, notes that web services projects offer a mixed picture for developers: some parts of the work can "open up new problems and security risks," while for other elements XML-based web services may actually make pieces of a deployment easier.

Despite such signs of progress, Bloomberg says that for projects that require communicating outside the firewall -- such as B2B, B2C or even remote access over wireless -- developers' lives are, for the time being, more complicated. The lack of a cohesive B2B security standard is one big reason, Bloomberg said, why external web services projects have been slow to catch on.

"With web services, the challenge is that applications might need to go through [firewall] ports other than [Ports] 80 and 443 [Secure Sockets Layer]. So, we feel that we'll need smarter firewalls that can look at the content of traffic and do content level filtering." However, there are places where B2B web services are being undertaken today -- even without standards.

"Where the company has very defined relationships with partners, and they know each other's system requirements and business rules, we see quite a lot of web services activity taking place," he said. "The key is that the company has some control over both ends of the transaction."

The Good News
On the other hand, Bloomberg said, his work suggests that XML-based web services will actually make it easier for developers to set up "Identity" and/or token-based authentication servers.

"In the world of PKI, there is a lot of custom coding and professional services integration needed to get all the applications talking securely to all the clients through public key/private key encryption and token assignments, etc." In contrast, Bloomberg said that emerging XML web services standards are aimed at allowing the browser "to issue keys, certificates and such, behind the scenes," which will take the complexity away from developers. "In the future, PKI-like security for web services will be much easier than it is today."

Other key findings from ZapThink's XML and Web Services Security include:

  • Securing all of a company's Web Services by themselves, without securing the surrounding network and applications, can only provide a false sense of security.
  • Despite the "on demand" target for web services, enterprises must institute policies that apply to their entire enterprise network (including participants invited from outside), and administer that security in a hierarchical fashion.
  • Near-term, the efforts to create multi-vendor standards and agreements on XML and Web Services security solutions will be characterized by a period of turbulence, as companies struggle to clarify their messages and shake the kinks out of their product offerings.
  • The best positioned companies to be profitable in the XML and Web Services security space are those companies that already have deep technical knowledge of application level security technologies, coupled with a solid customer base.
  • Next-generation firewalls must be capable of looking at the content of XML streams, and the security mechanisms for such data must be part of that content.
  • The combination of adequate funding, solid business models, seasoned management teams, and high quality engineering staff leads some startups to offer surprisingly robust XML and Web Services security solutions.
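Bloomberg's point about ports 80 and 443, and the finding above that next-generation firewalls must look inside XML streams, both come down to the same thing: a port-based firewall admits anything that looks like HTTP, so a web-services gateway has to read the message itself. The following is an added example of such a content-level check, written for this page and not taken from the ZapThink study or any vendor product. It assumes SOAP 1.1 envelopes, a made-up per-partner allowlist of operation names (`PARTNER_POLICY`), and an assumed 64 KB size limit; the sample messages are constructed, not captured traffic.

```python
"""Content-level inspection of SOAP requests that arrive on ordinary web ports.

Added example, not code from the article or the ZapThink study. The filter
checks size, rejects DOCTYPE declarations (the entity-expansion and XXE
vector), requires a SOAP 1.1 envelope, and allows only the operations a
given partner is permitted to call. Partner and operation names are
hypothetical values chosen for illustration.
"""
import re
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
MAX_BODY_BYTES = 64 * 1024  # assumed limit; tune per deployment

# Hypothetical per-partner allowlist: which operations each partner may invoke.
PARTNER_POLICY = {
    "acme": {"GetQuote", "PlaceOrder"},
    "globex": {"GetQuote"},
}

_DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)


def _local_name(tag: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def inspect_soap_request(partner: str, body: bytes) -> tuple[bool, str]:
    """Return (allowed, reason) for one HTTP request body sent by `partner`."""
    if partner not in PARTNER_POLICY:
        return False, "unknown partner"
    if len(body) > MAX_BODY_BYTES:
        return False, "body exceeds size limit"
    # Refuse any DTD before parsing: internal entities are how 'billion
    # laughs' payloads and external-entity references reach the parser.
    if _DOCTYPE_RE.search(body):
        return False, "DOCTYPE not permitted"
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        return False, f"malformed XML: {exc}"
    if root.tag != f"{{{SOAP_ENV}}}Envelope":
        return False, "not a SOAP 1.1 envelope"
    soap_body = root.find(f"{{{SOAP_ENV}}}Body")
    if soap_body is None:
        return False, "missing SOAP Body"
    # The first (and only) child of Body names the operation being invoked.
    ops = [_local_name(child.tag) for child in soap_body]
    if len(ops) != 1:
        return False, "expected exactly one operation element"
    op = ops[0]
    if op not in PARTNER_POLICY[partner]:
        return False, f"operation {op} not allowed for {partner}"
    return True, f"allowed {op} for {partner}"


# Constructed sample messages (not captured traffic).
GOOD_REQUEST = b"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetQuote xmlns="urn:example:orders"><symbol>ZAP</symbol></GetQuote>
  </soap:Body>
</soap:Envelope>"""

FORBIDDEN_OP = GOOD_REQUEST.replace(b"GetQuote", b"DeleteAccount")

ENTITY_BOMB = b"""<?xml version="1.0"?>
<!DOCTYPE lolz [<!ENTITY a "aaaaaaaaaa"><!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">]>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body><GetQuote>&b;</GetQuote></soap:Body>
</soap:Envelope>"""

if __name__ == "__main__":
    for name, msg in [("good", GOOD_REQUEST), ("forbidden", FORBIDDEN_OP), ("bomb", ENTITY_BOMB)]:
        print(name, inspect_soap_request("acme", msg))
```

All three sample messages would pass a firewall that only checks the destination port; only the first survives the content check. In a real gateway the partner identity would come from the TLS client certificate or an authenticated HTTP session rather than a parameter, and the DOCTYPE rejection is deliberately coarse: if a deployment must accept DTDs, swap in a parser with entity expansion disabled instead of relaxing the check.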