Standardization key to Web services security
- By Rich Seeley
- September 25, 2002
It is time to move beyond the pre-Web services model for security systems,
contends Kerry Champion, president of Westbridge Technology Inc., a Mountain
View, Calif.-based start-up builder of XML firewalls.
The old model calls for separate security for networks and applications,
including different password setups for different applications. That model
cannot work in a Web services environment, said Champion in an interview with
'XML Report.' Because Web services are vastly more complicated with a variety of
systems and end users interacting, he said, firewall standardization is
required.
'We believe that providing a shared, standardized application-level security
infrastructure is a very significant need that people are starting to wake up
to,' he said.
For example, in a recent Forrester Research report, analyst Laura Koetzle
wrote that 'inventing security for every SOAP interface from scratch is a
nonstarter. Instead, firms need a logical place to set security policies and
create security services for their Web services to consume -- a security
abstraction layer that provides multiple levels of authentication,
authorization, and encryption.'
Westbridge Technology's Champion noted that security systems are coming on
the market with vendors giving them a variety of labels, including XML
Application Firewalls, SOAP Security Gateways, Services Firewalls and XML
Firewalls. But whatever the category is eventually called, he believes that Web
services security will have to provide the functionality outlined by the
Forrester analyst.
'She [Koetzle] argues that you need a security abstraction layer,' Champion
said. 'You need to abstract out from the individual Web services this common
kind of security mechanism -- authentication, authorization and encryption. We
think that's right on the mark.' He argues that the old paradigm for firewalls
is not workable in the Web services world.
'If you have to reinvent your security for every SOAP interface,' he said,
'it's not going to work. The whole point of Web services is to reduce the
friction involved in integrating software components. If you have to revisit
security policies and security implementation mechanisms for each individual
component that you're trying to make take part in this XML data network, it's
just too much overhead, too repetitive and too hard to manage.'
Developers should not be reinventing the wheel by trying to set up 'a
separate security model, separate account provisioning, separate audit trails
and separate malicious attack protections for each app that goes up,' Champion
said. 'Each individual system may be dealing with many more apps than it did
before [in the implementation of Web services], and each app will be supporting
many more service requestors. Having them all be different is much less
sustainable.'
In Champion's view, security standardization will allow organizations to
determine the levels of authentication, authorization and encryption for various
types of Web services. Those involving financial transactions would require
developers to employ the highest-level standard firewall, while a Web service
providing sports scores to WAP devices might need more modest protection.
As he envisions the XML firewall, the Web services developer would simply
apply the standard rules and policies to the application based on criteria set
by his organization. New Web services would inherit pre-determined security
standards.
Offering an example of how this would work, Champion said: 'If there's a
security committee that's decided that all top security data always needs to go
encrypted, have very strong passwords and always have all transactions recorded
in an audit trail, they can define that. Then when I go and publish a new Web
service, I don't have to redefine and I don't have to remake those decisions, I
just have to go: 'These operations fit that description, go in that category'
and they'll inherit those rules.'
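The category-inheritance idea Champion describes, as a small added example (not code from the article or from Westbridge's product): operations are labelled only with a category, each category carries the committee's encryption, authentication and audit decisions, and a gateway checks every SOAP request against the policy the operation inherits. The category names, operation names, authentication-level scale and the SOAP sample are all constructed assumptions.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"

@dataclass(frozen=True)
class Policy:
    require_encryption: bool
    min_auth: int   # 0 = anonymous, 1 = password, 2 = strong credential (assumed scale)
    audit: bool

# Decisions the security committee makes once; every service inherits them by category.
POLICIES = {
    "top-secret": Policy(require_encryption=True, min_auth=2, audit=True),
    "internal": Policy(require_encryption=True, min_auth=1, audit=False),
    "public": Policy(require_encryption=False, min_auth=0, audit=False),
}
# Publishing a new operation means only assigning it a category (constructed names).
OPERATIONS = {"TransferFunds": "top-secret", "GetBalance": "internal", "GetScores": "public"}

@dataclass
class RequestContext:
    body_xml: str
    transport_encrypted: bool   # e.g. the request arrived over TLS
    auth_level: int             # level established by the gateway's authentication step
    audit_log: list = field(default_factory=list)

def envelope(operation):   # constructed SOAP 1.1 request used as sample input
    return (f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body>'
            f'<{operation} xmlns="urn:example:svc"/></soap:Body></soap:Envelope>')

def operation_name(body_xml):
    """Name of the first Body child, i.e. the operation being invoked."""
    body = ET.fromstring(body_xml).find(f"{{{SOAP_NS}}}Body")
    if body is None or len(body) == 0:
        raise ValueError("no SOAP Body element")
    return body[0].tag.split("}")[-1]   # drop the '{namespace}' prefix

def enforce(ctx):
    """Apply the inherited policy; returns (allowed, reasons). Unknown operations are denied."""
    op = operation_name(ctx.body_xml)
    category = OPERATIONS.get(op)
    if category is None:
        return False, [f"operation {op!r} is not published"]
    policy, reasons = POLICIES[category], []
    if policy.require_encryption and not ctx.transport_encrypted:
        reasons.append("encryption required")
    if ctx.auth_level < policy.min_auth:
        reasons.append(f"auth level {ctx.auth_level} below required {policy.min_auth}")
    if policy.audit:   # record both accepted and rejected calls
        ctx.audit_log.append(f"{op} category={category} allowed={not reasons}")
    return not reasons, reasons
```

Adding a new financial operation is then a one-entry change to `OPERATIONS`; the encryption, authentication and audit rules come from the category rather than being re-decided per service.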
Champion said this philosophy guided the year-and-a-half development effort
for XML Application Firewall technology in his company's first product, the
Westbridge XML Message Server (XMS), released this week.
For more information, click on http://www.westbridgetech.com.
About the Author
Rich Seeley is Web Editor for Campus Technology.