Bug watch: Web services

by Peter Doyle, Baltimore Technologies

01 Aug 2002

Each week vnunet.com asks a different expert from the antivirus world to give their views on recent virus and security issues, with advice, warnings and information on the latest threats. This week's expert is Peter Doyle, vice president of Baltimore Technologies, who believes that web services may actually alleviate security concerns.

Web services is in essence a framework for designing, developing and building a new generation of applications around web standards and protocols. It promises to make it far easier to integrate applications across disparate hardware and software platforms - a constant gripe with existing technology.

Backed by all of the major IT vendors - Microsoft, IBM, Sun, Oracle, etc. - web services certainly will not suffer from a lack of effort or exposure, but will it take off, and what are the issues?

The web services framework, by its very nature, increases the ability of software to be exposed to the web. As confidential information, such as credit card details, is passed around more widely between different systems and applications, it will be more important than ever to implement a sound security platform for online business.

The good news is that the authentication and authorisation mechanisms being put forward by vendors, such as Microsoft's Passport and Sun's Liberty systems, build upon existing proven technologies such as public key digital signatures and certificates, Kerberos and web access control. In other words, it is evolution rather than revolution.

The area to watch out for is the degree of standardisation of new web services security specifications. Most organisations will be forced to operate multiple authentication and authorisation mechanisms to satisfy the full range of their business risks, but all will want to keep the number of different mechanisms to a minimum. It makes absolute sense, therefore, to deploy those mechanisms that have the broadest appeal through open standards.

The next 18 months will see major progress on firming-up of standards such as XKMS, which will cover the registration and distribution of XML-based public keys, and the associated XBulk standard for bulk key registration (which is of particular importance in areas such as smartcards and mobile devices).

Other emerging web services standards include the XML Encryption standard, the XML Digital Signature Standard (XML-DSig) and the Security Assertions Markup Language (SAML), which allows users to maintain their authentication and entitlement credentials over multiple websites.

Concerns over security issues with Simple Object Access Protocol (Soap - the web services transport layer) are also being addressed through an initiative called WS-Security, which has been jointly developed by Microsoft, IBM and Verisign. You should insist on strong support for web services security standards from your vendors in their forthcoming product releases.

Further good news lies in the fact that the web services framework helps to alleviate some of the challenges that have dogged the implementation of security over the last few years. Securing the internet is not a trivial task and has necessitated the introduction of many complex processes into applications and systems in order to provision, manage and enforce security credentials.

Building these capabilities into applications can greatly increase the cost and time of security deployments and has led to criticism of technologies such as Public Key Infrastructure (PKI) in the past. Web services means that new applications will be able to offload all the complexity and 'heavy lifting' of the security processes to backend servers which will deliver the required security services.

A server-centric model for your security infrastructure brings many benefits. Developers do not have to deal with programming complex security processes into their applications and can simply put 'pointers' to the appropriate sources of the required security functionality.

In addition, security officers can more easily manage and enforce security policies across multiple applications through a single server. IT managers can also significantly reduce the cost and administrative burden of supporting lots of functionality on each desktop and end-users get a more transparent experience.

You may not subscribe to the hype around what web services can do. But the capability is going to be built into the coming versions of standard platforms from Microsoft, IBM, Oracle, Sun and others, whether you want it or not.

So at a pragmatic level, why not take advantage of the many benefits of web services in improving the efficiency and effectiveness of how you deploy your online business systems - just remember to tackle the security issues seriously before you turn it on.

Do you agree?

 
