In-Depth

Where management and security collide

Web services security is being built into everything from major Web app development platforms to integration and other software. Some Web services management vendors, including Westbridge Technology, make security a priority; others do not.

For its part, management software maker AmberPoint Inc. provides some native security features, such as letting customers implement fine-grained policies -- say, to inspect certain types of incoming SOAP requests or outgoing responses. But most customers “want us to interface with existing security systems from Oblix, Netegrity or VeriSign, or they want us to work with LDAP or Active Directory,” said Ed Horst, vice president of marketing at the Oakland, Calif.-based firm.

Most customers are using their overall security software to help protect Web services too, all within the context of their larger security policy and infrastructure.

From a security perspective, Web services are not like other systems because of the nature of federated requests. Web services combine in unforeseen ways with other services and go into numerous -- and sometimes unknown -- databases and other types of systems to be able to answer queries. As Tom Welsh, senior consultant in the enterprise architecture practice at Cutter Consortium, Arlington, Mass., points out, “the great thing about Web services is that they can get your applications to operate freely with those of anyone. But just who is that anyone, and what do they want? Who owns the machines that your application hops across, and who operates those machines? Who has access? You’re talking with programs of people you don’t know.”

To help solve those problems, many of the dedicated Web services security systems employ XML-aware firewalls. These sit behind conventional firewalls and check incoming SOAP packages. These special types of firewalls or gateways hail from the likes of Vordel, Quadrasis, Forum Systems, Layer 7 Technologies, Reactivity, Sarvega and others. Entrust competes with market leader Netegrity to sell a single sign-on solution for Web services.

But be aware: These systems are typically more expensive than traditional firewalls because they include sophisticated algorithms. And they are pretty resource-intensive, too, Welsh said.
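To make the XML-firewall idea concrete, here is an added example (not code from the article or from any vendor it names) of the kind of policy such a gateway applies to an inbound SOAP 1.1 message before it reaches the service: cap the message size, refuse DTD and entity declarations outright (the classic XML parser abuse), require a WS-Security header carrying a Timestamp and some credential, and allow only an explicit list of operations. The sample messages, the size limit and the `GetQuote` allowlist are constructed for illustration; the namespace URIs are the published SOAP 1.1, OASIS WSS 1.0 and XML Signature ones. The check stops at structural policy and does not verify signatures or timestamp freshness, which a real gateway must also do.

```python
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"

MAX_BYTES = 64 * 1024                 # constructed limit for this example
ALLOWED_OPERATIONS = {"GetQuote"}     # hypothetical allowlist of Body elements


def _q(ns, local):
    """Clark-notation tag name understood by ElementTree."""
    return "{%s}%s" % (ns, local)


def inspect_soap(raw: bytes):
    """Gateway policy check. Returns (accepted: bool, reason: str).

    Order matters: cheap byte-level checks run before the XML parser is
    ever invoked, so a hostile document cannot exhaust the parser first.
    """
    if len(raw) > MAX_BYTES:
        return False, "message exceeds size limit"
    lowered = raw.lower()
    # Reject any DTD: blocks external entities and entity-expansion bombs
    # without relying on parser configuration.
    if b"<!doctype" in lowered or b"<!entity" in lowered:
        return False, "DTD or entity declarations are not allowed"
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        return False, "malformed XML: %s" % exc
    if root.tag != _q(SOAP_NS, "Envelope"):
        return False, "not a SOAP 1.1 envelope"
    header = root.find(_q(SOAP_NS, "Header"))
    body = root.find(_q(SOAP_NS, "Body"))
    if body is None:
        return False, "missing soap:Body"
    if header is None:
        return False, "missing soap:Header (WS-Security required)"
    security = header.find(_q(WSSE_NS, "Security"))
    if security is None:
        return False, "missing wsse:Security header"
    if security.find(_q(WSU_NS, "Timestamp")) is None:
        return False, "missing wsu:Timestamp (replay window)"
    has_cred = (security.find(_q(WSSE_NS, "UsernameToken")) is not None
                or security.find(_q(DSIG_NS, "Signature")) is not None)
    if not has_cred:
        return False, "no UsernameToken or Signature in wsse:Security"
    operations = list(body)
    if len(operations) != 1:
        return False, "Body must contain exactly one operation element"
    op_name = operations[0].tag.rsplit("}", 1)[-1]
    if op_name not in ALLOWED_OPERATIONS:
        return False, "operation %s is not permitted" % op_name
    return True, "accepted %s" % op_name


# Constructed sample messages for demonstration.
GOOD_MSG = b"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="%s" xmlns:wsse="%s" xmlns:wsu="%s">
  <soap:Header>
    <wsse:Security>
      <wsu:Timestamp><wsu:Created>2004-06-01T12:00:00Z</wsu:Created></wsu:Timestamp>
      <wsse:UsernameToken><wsse:Username>alice</wsse:Username></wsse:UsernameToken>
    </wsse:Security>
  </soap:Header>
  <soap:Body><GetQuote xmlns="urn:example:quotes"><symbol>XYZ</symbol></GetQuote></soap:Body>
</soap:Envelope>""" % (SOAP_NS.encode(), WSSE_NS.encode(), WSU_NS.encode())

NO_SECURITY_MSG = b"""<soap:Envelope xmlns:soap="%s">
  <soap:Body><GetQuote xmlns="urn:example:quotes"/></soap:Body>
</soap:Envelope>""" % SOAP_NS.encode()

DTD_MSG = b"""<?xml version="1.0"?>
<!DOCTYPE x [<!ENTITY a "aaaaaaaaaa">]>
<soap:Envelope xmlns:soap="%s"><soap:Body>&a;</soap:Body></soap:Envelope>""" % SOAP_NS.encode()

if __name__ == "__main__":
    for label, msg in (("good", GOOD_MSG), ("no-security", NO_SECURITY_MSG), ("dtd", DTD_MSG)):
        print(label, inspect_soap(msg))
```

The byte-level DTD check runs before parsing on purpose: an XML-aware firewall's value is that it refuses to spend parser resources on a document that has already failed policy, which is also why such gateways are resource-intensive when they do parse.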

Another issue is that the most important security standard -- Web Services Security (also called WS-Security) -- was ratified by OASIS in April and is only now making its way into products in its final form. Stamford, Conn.-based research firm Gartner suggests that customers require all Web services products to implement this standard because it will allow them to more “easily modify the security profile of deployed Web services in the future.” But Gartner also notes that Web services deployments will continue to be at risk if old code bases — those that do not support WS-Security and Security Assertion Markup Language (SAML) at the very least — are connected to Web services interfaces.

Another important thing to remember is that “standards are important, but they won’t do everything,” said Frank Kenney, research analyst at Gartner. “It gives you a common way of looking at things, but a lot of this is being driven by the vendors. The jury, to me, is still out.”

Please see the following related stories:

“Is now the time to manage Web Services?” by Johanna Ambrosio

“A tale of two surveys” by Johanna Ambrosio

About the Author

Johanna Ambrosio is a freelance writer based in Marlborough, Mass., specializing in technology and business. Contact her at [email protected].