With thousands of disparate IT systems permeating the federal government and the financial services market, it's hardly a surprise that Web services are quickly becoming a preferred integration option for those organizations.
"It's the latest option. In fact, they're not talking about other options," said Gartner Inc. research director Ray Wagner. "Most of the deployments I see are EDI replacements, or doing something with the supply chain or partners. And there's reason to believe it's going to pick up where companies and government agencies are doing signed transactions."
Vendors are quickly discovering, however, that stringent government security requirements such as Common Criteria evaluation and Federal Information Processing Standards (FIPS) validation (FIPS 140 in the case of cryptographic modules) are being extended to software and appliances built specifically for Web services security.
DataPower Technology Inc., of Cambridge, Mass., is trying to beat the rush from other Web services vendors to Common Criteria. It has submitted its XS40 XML Security Gateway network device for evaluation, and expects certification to be complete by year's end.
DataPower vice president of worldwide sales Mark Taber said many of the vendor's government and financial services customers handle sensitive information on a daily basis. Eventually, Common Criteria certification will be a differentiator for DataPower and other vendors, he said.
"These organizations want to establish a Web service with an outside partner, and their security groups won't let them do so unless it's secure," Taber said. "Most will do their own penetration testing, but as a way of providing additional levels of comfort, Common Criteria is universally recognized."
Common Criteria (ISO/IEC 15408) is an international standard for specifying and evaluating the security properties of IT products. Certification is a seal of approval that is recognized by government agencies and enterprise IT professionals, and certificates are mutually recognized under the Common Criteria Recognition Arrangement. Countries that recognize Common Criteria include the U.S., Canada, the United Kingdom, Australia, New Zealand, Germany, France and Japan.
DataPower is pursuing Evaluation Assurance Level 4 (EAL4) certification, the highest level commonly sought for commercial products and, at the time, the ceiling for mutual recognition among the countries party to the arrangement. EAL7 is the highest level defined, but few if any products have earned it. The logical partitioning (PR/SM) firmware on IBM zSeries mainframes, for example, is certified at EAL5. Note that an EAL measures how rigorously a product was evaluated against the claims in its own Security Target, not how strong those claims are; an EAL5 product is not automatically "more secure" than an EAL4 one.
DataPower is working with a laboratory accredited by the National Institute of Standards and Technology to prepare for certification, which begins as a paper review of the product, Taber said. Actual live testing is a relatively short two-week process, he added.
While DataPower may be the first Web services security vendor to pursue Common Criteria certification, Taber said it won't be the last.
"NCES [the Defense Department's Net-Centric Enterprise Services program] and the NSA are adopting Web services in a rapid fashion. If anyone is serious about working with the DOD [Department of Defense] or large financial institutions, they are going to end up doing it," Taber said. "We're ahead of the game, but others are going to have to do it."
Common Criteria certification will eventually open more doors for DataPower in government, and perhaps some day in financial services, should that market ever require certification of the security products it uses.
Web services, meanwhile, are gaining favor as the government and financial services markets attempt to preserve data investments by integrating disparate legacy systems.
"They are trying to connect systems that were not connected before," Taber said. "Web services are an open, easy way to do that. This is one of the most compelling places for Web services you could find -- and until now, security has been stopping adoption from happening faster."
Wagner said security is less of an inhibitor than it was because established standards and mature tools enable enterprises and government agencies to build relatively secure Web services infrastructures.
"What is holding it back is not having a complete understanding of the standards involved," Wagner said. "Web services are not interoperable yet, though that's the selling point. You just can't drop in Web services and have interoperability. It takes a lot of work, like any integration project. That's what's holding adoption back, more so than security."