Kelly Adams doesn't need to be told that Web services need protection. As the former manager of the prime services group at Deutsche Bank, he oversaw a Web services architecture that integrated information from several back-office applications into a common portal interface.
Because keeping the bank's financial information secure was a top priority, Adams quickly found that drawing information from complex applications, like securities lending systems, and then keeping that data safe was easier said than done.
"The openness of Web services is such that you can't really deploy them, especially going out of the intranet cloud, without some security mechanism in place," Adams said.
Perhaps the biggest misconception about Web services security is in understanding the nature of the problem. It's not a matter of preventing outsiders from sneaking in the IT department's back door; it's a matter of preventing the key from falling into the wrong hands after you've given keys to all of your friends.
When people think of Web services security issues, they tend to think of hacking or other forms of traffic snooping, said Ron Schmelzer, founder and senior analyst of Waltham, Mass.-based consulting firm ZapThink LLC. But those problems are solved easily, he said, using SSL at the protocol layer, and encrypting SOAP messages.
Schmelzer said the most significant external Web services security problems lie in the realm of authentication and identity management, because Web services transactions are conducted between two computers.
For instance, Schmelzer said, many companies, like Deutsche Bank, are building portals that call on Web services to gather data from back-end applications. The problem is that those applications don't know where the request is coming from.
As a Web services provider, Schmelzer said, "you're not providing access to a human; it's another system. If we expose an interface to our SAP system, how do we know whoever is making that Web service request is authorized to make it?"
So how can a requester's identity be verified? It's tricky, Schmelzer said, because there's a lack of context in public, machine-to-machine communication, making it difficult to track what company or system is initiating a Web service call. "Plus, the request may not be made directly," he said. "It may be made through a portal or other composite application. It gets complicated very quickly."
While there's no easy answer, standards groups are working to mitigate the issues. This summer, both the Liberty Alliance Project and the Web Services Interoperability Organization (WS-I) introduced specifications to enable federated identity beyond the walls of a company's own data center, effectively setting the ground rules for how Web services present themselves to one another.
However, Schmelzer said, even the best standards are ineffective unless vendors latch onto them and build useful products. "Creating specs is one thing, but how do you get digital certificates and identity management to work? You can't build an identity management system on your own," he said.
Adams, who is now a director with New Delhi-based financial services consultancy Indus Valley Partners, said Deutsche Bank's answer was to implement third-party authorization software from Westbridge Technology Inc. of Mountain View, Calif.
The Westbridge software imposed rules on authorization, giving Adams the option to verify only certain types of Web service requests. It also provided a transaction audit trail, making it easier to identify where requests originated.
Without the third-party application, Adams said, he would have probably been forced into hard-coding rules for many different types of requests, which would have been "cumbersome work."
"With a tool like Westbridge's, it's just a matter of setting up your rules. That way, Application A can be pre-approved to talk to Application B, instead of having to figure out what Application B wants and then granting the request," Adams said.
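As an added illustration of the pre-approved "Application A may talk to Application B" rules and the audit trail Adams describes, the following Python is not Westbridge's product or the bank's code; it assumes the transport layer has already authenticated the calling system, and all application and operation names are hypothetical. It also covers the relayed-through-a-portal case Schmelzer raises, by requiring the original requester to be pre-approved as well.

```python
"""Rule-based authorization for machine-to-machine Web service calls.
Added example; assumes the caller was authenticated by the transport
layer (client certificate or WS-Security token) before reaching here."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Pre-approved (caller, target) -> operations: "Application A may talk to
# Application B". Constructed sample policy; all names are hypothetical.
POLICY = {
    ("portal", "securities-lending"): {"GetPositions"},
    ("trader-desk", "securities-lending"): {"GetPositions"},
    ("risk-engine", "securities-lending"): {"GetPositions", "GetRates"},
}

@dataclass
class Request:
    caller: str          # authenticated identity of the calling system
    target: str          # back-end service being invoked
    operation: str
    on_behalf_of: Optional[str] = None  # original requester if relayed via a portal

@dataclass
class AuditEntry:
    when: str
    caller: str
    on_behalf_of: Optional[str]
    target: str
    operation: str
    allowed: bool

AUDIT_LOG: list[AuditEntry] = []   # transaction audit trail

def _permitted(principal: str, target: str, operation: str) -> bool:
    return operation in POLICY.get((principal, target), set())

def authorize(req: Request) -> bool:
    """Decide the request against the policy table and record an audit entry."""
    allowed = _permitted(req.caller, req.target, req.operation)
    # A relayed request needs both the relaying system and the original
    # requester to be pre-approved, so a portal cannot widen access.
    if allowed and req.on_behalf_of is not None:
        allowed = _permitted(req.on_behalf_of, req.target, req.operation)
    AUDIT_LOG.append(AuditEntry(datetime.now(timezone.utc).isoformat(),
                                req.caller, req.on_behalf_of,
                                req.target, req.operation, allowed))
    return allowed
```

Every decision, allowed or denied, lands in AUDIT_LOG with the immediate caller and the original requester, which is what makes it possible to trace where a request originated.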
Schmelzer said there are a host of other vendors, including Netegrity Inc., VeriSign Inc., RSA Security Inc., and Oblix Inc., offering identity management products for use with Web services.
Looking at the big picture, Schmelzer said, Web services aren't going away, and companies need to develop comprehensive identity management strategies to deal with the security implications of Web services.
"We've done a lot of research, and we've found you can't implement Web services in any widespread way without identity management," Schmelzer said. "Things break very quickly when you have no idea who is accessing your applications."