Standardization key to Web services security
It is time to move beyond the pre-Web services model for security systems,
contends Kerry Champion, president of Westbridge Technology Inc., a Mountain
View, Calif.-based start-up builder of XML firewalls.
The old model calls for separate security for networks and applications,
including different password setups for different applications. That model
cannot work in a Web services environment, said Champion in an interview with
'XML Report.' Because Web services are vastly more complicated with a variety of
systems and end users interacting, he said, firewall standardization is
'We believe that providing a shared, standardized application-level security
infrastructure is a very significant need that people are starting to wake up
to,' he said.
For example, in a recent Forrester Research report, analyst Laura Koetzle
wrote that 'inventing security for every SOAP interface from scratch is a
nonstarter. Instead, firms need a logical place to set security policies and
create security services for their Web services to consume -- a security
abstraction layer that provides multiple levels of authentication,
authorization, and encryption.'
Westbridge Technology's Champion noted that security systems are coming on
the market with vendors giving them a variety of labels, including XML
Application Firewalls, SOAP Security Gateways, Services Firewalls and XML
Firewalls. But whatever the category is eventually called, he believes that Web
services security will have to provide the functionality outlined by the
'She [Koetzle] argues that you need a security abstraction layer,' Champion
said. 'You need to abstract out from the individual Web services this common
kind of security mechanism -- authentication, authorization and encryption. We
think that's right on the mark.' He argues that the old paradigm for firewalls
is not workable in the Web services world.
'If you have to reinvent your security for every SOAP interface,' he said,
'it's not going to work. The whole point of Web services is to reduce the
friction involved in integrating software components. If you have to revisit
security policies and security implementation mechanisms for each individual
component that you're trying to make take part in this XML data network, it's
just too much overhead, too repetitive and too hard to manage.'
Developers should not be reinventing the wheel by trying to set up 'a
separate security model, separate account provisioning, separate audit trails
and separate malicious attack protections for each app that goes up,' Champion
said. 'Each individual system may be dealing with many more apps than it did
before [in the implementation of Web services], and each app will be supporting
many more service requestors. Having them all be different is much less
In Champion's view, security standardization will allow organizations to
determine the levels of authentication, authorization and encryption for various
types of Web services. Those involving financial transactions would require
developers to employ the highest-level standard firewall, while a Web service
providing sports scores to WAP devices might need more modest protection.
As he envisions the XML firewall, the Web services developer would simply
apply the standard rules and policies to the application based on criteria set
by his organization. New Web services would inherit pre-determined security
Offering an example of how this would work, Champion said: 'If there's a
security committee that's decided that all top security data always needs to go
encrypted, have very strong passwords and always have all transactions recorded
in an audit trail, they can define that. Then when I go and publish a new Web
service, I don't have to redefine and I don't have to remake those decisions, I
just have to go: 'These operations fit that description, go in that category'
and they'll inherit those rules.'
Champion said this philosophy guided the year-and-a-half development effort
for XML Application Firewall technology in his company's first product, the
Westbridge XML Message Server (XMS), released this week.
For more information, click on http://www.westbridgetech.com.
Rich Seeley is Web Editor for Campus Technology.