Navigating through the maze of security protocols, standards and products can be a daunting task for organizations trying to secure their Web services. But while there's no silver bullet, security experts are offering plenty of sound advice on the best approach.
The extent to which an organization exposes its applications as services and the sophistication of its partner interactions are usually good measures of what security standards and technologies it should adopt.
"Most Web services communication is behind the firewall and is point-to-point," said Ray Wagner, an analyst at Gartner Inc., in a presentation at the recent Gartner Application Integration and Web Services Summit.
Security experts say that for simple, point-to-point Web services interactions, transport layer security such as Secure Sockets Layer (SSL) is usually "good enough." SSL protects only the connection between two endpoints, however; once a message passes through an intermediary or is stored and forwarded, it travels in the clear. For high-value transactions, organizations therefore usually need additional protections at the application and messaging layers.
Aiming to provide some of this firepower, the OASIS WS-Security standard defines how to apply XML Encryption and XML Signature to SOAP messages, and provides a framework for carrying security tokens such as Security Assertion Markup Language (SAML) assertions, X.509 certificates and Kerberos tickets inside SOAP headers, each governed by its own token profile.
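To make concrete what "inside SOAP headers" means, here is an added example (not code from the article, from OASIS or from any vendor named on this page) that builds and verifies the simplest WS-Security token, a UsernameToken in PasswordDigest form, using only the Python standard library. The namespace URIs are the published WS-Security 1.0 ones; the user name, password and message body are constructed sample data. The UsernameToken profile is not among the token types listed above (SAML, X.509, Kerberos), but it is part of the same WS-Security 1.0 release and can be shown without an XML Signature library. The verifier side illustrates the checks an intermediary would enforce: digest type, timestamp freshness and nonce replay.

```python
"""Build and verify a WS-Security UsernameToken SOAP header (PasswordDigest form).

Added example, not code from the article or from OASIS. The digest rule is the
one in the WSS UsernameToken Profile 1.0:
    PasswordDigest = Base64( SHA-1( nonce + created + password ) )
with nonce as the raw (Base64-decoded) bytes and created as the UTF-8 string.
Namespace URIs are the published WS-Security 1.0 ones; users, passwords and
the body payload are constructed sample data.
"""
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")
DIGEST_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
               "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
B64_ENCODING = ("http://docs.oasis-open.org/wss/2004/01/"
                "oasis-200401-wss-soap-message-security-1.0#Base64Binary")
for _prefix, _uri in (("soapenv", SOAP), ("wsse", WSSE), ("wsu", WSU)):
    ET.register_namespace(_prefix, _uri)


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Base64(SHA-1(nonce + created + password)), per the UsernameToken profile."""
    h = hashlib.sha1(nonce + created.encode("utf-8") + password.encode("utf-8"))
    return base64.b64encode(h.digest()).decode("ascii")


def parse_created(value: str) -> datetime:
    """Parse a wsu:Created timestamp (UTC, with or without fractional seconds)."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    raise ValueError(f"unparseable wsu:Created: {value!r}")


def build_envelope(username, password, body_xml, created=None, nonce=None) -> bytes:
    """Client side: wrap body_xml in a SOAP 1.1 envelope carrying a UsernameToken."""
    created = created or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    nonce = nonce if nonce is not None else os.urandom(16)
    env = ET.Element(f"{{{SOAP}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP}}}Header")
    # mustUnderstand="1": a receiver that cannot process wsse:Security must fault.
    sec = ET.SubElement(header, f"{{{WSSE}}}Security", {f"{{{SOAP}}}mustUnderstand": "1"})
    tok = ET.SubElement(sec, f"{{{WSSE}}}UsernameToken")
    ET.SubElement(tok, f"{{{WSSE}}}Username").text = username
    ET.SubElement(tok, f"{{{WSSE}}}Password", {"Type": DIGEST_TYPE}).text = \
        password_digest(nonce, created, password)
    ET.SubElement(tok, f"{{{WSSE}}}Nonce", {"EncodingType": B64_ENCODING}).text = \
        base64.b64encode(nonce).decode("ascii")
    ET.SubElement(tok, f"{{{WSU}}}Created").text = created
    ET.SubElement(env, f"{{{SOAP}}}Body").append(ET.fromstring(body_xml))
    return ET.tostring(env)


class UsernameTokenVerifier:
    """Service side, or an intermediary such as an XML gateway, checking the token."""

    def __init__(self, credentials, freshness=timedelta(minutes=5), clock=None):
        self.credentials = credentials  # username -> shared secret (constructed)
        self.freshness = freshness
        self.clock = clock or (lambda: datetime.now(timezone.utc))
        self.seen_nonces = set()        # replay cache; bound and expire it in production

    def verify(self, envelope: bytes) -> str:
        """Return the authenticated username, or raise ValueError."""
        root = ET.fromstring(envelope)
        tok = root.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security/{{{WSSE}}}UsernameToken")
        if tok is None:
            raise ValueError("no wsse:UsernameToken in header")
        username = tok.findtext(f"{{{WSSE}}}Username")
        pw = tok.find(f"{{{WSSE}}}Password")
        nonce_b64 = tok.findtext(f"{{{WSSE}}}Nonce")
        created = tok.findtext(f"{{{WSU}}}Created")
        if not (username and nonce_b64 and created and pw is not None):
            raise ValueError("incomplete UsernameToken")
        if pw.get("Type") != DIGEST_TYPE:
            raise ValueError("only PasswordDigest is accepted; PasswordText refused")
        if abs(self.clock() - parse_created(created)) > self.freshness:
            raise ValueError("Created timestamp outside freshness window")
        if nonce_b64 in self.seen_nonces:
            raise ValueError("nonce already used: replay")
        secret = self.credentials.get(username)
        if secret is None:
            raise ValueError("unknown user")
        expected = password_digest(base64.b64decode(nonce_b64), created, secret)
        if not hmac.compare_digest(expected, pw.text or ""):
            raise ValueError("password digest mismatch")
        self.seen_nonces.add(nonce_b64)
        return username


if __name__ == "__main__":
    CREDS = {"alice": "correct horse battery staple"}  # constructed sample
    body = '<bank:getBalance xmlns:bank="urn:example:bank"><account>1234</account></bank:getBalance>'
    msg = build_envelope("alice", CREDS["alice"], body)
    print(msg.decode())
    v = UsernameTokenVerifier(CREDS)
    print("first delivery:", v.verify(msg))
    try:
        v.verify(msg)
    except ValueError as e:
        print("replay rejected:", e)
```

Note what the token does and does not provide. The digest keeps the password off the wire, and the nonce plus Created timestamp bound replay, but nothing binds the token to the Body: an attacker who can alter the message in transit can change the payload and keep the header. Protecting the payload itself is what the XML Signature and XML Encryption parts of WS-Security are for, which is why the interoperability showcase below exercised X.509-based signing rather than passwords.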
Members of the WS-Security technical committee marked the first anniversary of the standard last month with an interoperability showcase in which 14 vendors demonstrated the exchange of messages protected by WS-Security using X.509 certificates.
"WS-Security is a foundational standard for many other standards, but it doesn't quite do everything," Wagner said. To establish trust in terms of hand-shaking between organizations, "we still need lawyers and CEOs playing golf," he said.
Although WS-Security doesn't itself provide automated policy agreement, arbitration or policy representation, standards still in progress, such as WS-Federation, WS-SecurityPolicy and WS-Trust, are aimed at these needs.
"The standards are a little ahead of the game," said Paul Lipton, senior architect at Computer Associates International Inc. "When you get into [WS-] Federation, it gets a little esoteric."
People are waiting for some of the parallel security standards to coalesce, and tools just aren't there yet in terms of security standards support, Lipton said.
Security and management coalesce
Gartner predicts that by year-end, vendors will offer a single, policy-based Web services product encompassing security and management functionalities.
"I advocate the use of a security layer separate from the application," Wagner said. "A management layer that sits between [IT] and the business unit solves the problem of having security policies for every department, development team and environment."
Last fall, the industry saw rapid consolidation in the management and security spaces as Digital Evolution Inc. (now known as SOA Software Inc.) acquired Flamenco Networks Inc., Computer Associates International Inc. purchased Netegrity Inc. and Actional Corp. merged with Westbridge Technology.
Additionally, whereas traditional offerings put as many protections as possible into a single proxy or Web services firewall device, vendors are now starting to provide more specialized products that focus on different security problems, according to Gartner.
"Security is not about buying a big box," Wagner said. "You can look to Indigo and Java to provide security policy management. [Additionally], we're starting to see a product divide."
DataPower Technology Inc., Reactivity Inc., Sarvega Inc. and SOA Software are a few of the startups in the Web services security market, Wagner said. "Some are focused on generic attack problems such as XML DoS [denial of service] attacks and poisoned XML schemas."
Organizations are increasingly looking to XML firewall and proxy vendors to abstract security concerns out of their applications into more manageable Web services appliances.
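The "generic attack problems" Wagner mentions are largely structural: a message that is far too large, that carries a DTD with self-referencing entities (the "billion laughs" expansion), or that nests elements deeply enough to exhaust a DOM parser. As an added example, and not the code of any vendor named above, the following Python gate applies the checks an XML firewall or proxy would run before the message reaches an application. It uses only the standard library's expat parser; the limits and the sample messages are constructed for the example.

```python
"""Structural pre-checks for inbound SOAP/XML, of the kind an XML firewall or
proxy performs before a message reaches the application.

Added example; not code from any vendor named in the article. It uses only the
expat parser in the Python standard library and rejects:
  - oversized messages,
  - any Document Type Declaration or entity declaration (SOAP 1.1 forbids a DTD
    in a SOAP message, and internal entities are how 'billion laughs' expansion
    and external-entity fetches are staged),
  - nesting deeper or element counts larger than configured limits, which
    exhaust recursive or DOM-building parsers downstream.
Limits and sample messages are constructed for the example.
"""
import xml.parsers.expat as expat


class RejectedMessage(ValueError):
    """Raised when a message fails a gate check; the body is never handed on."""


def gate(xml_bytes, max_bytes=1_000_000, max_depth=64, max_elements=10_000):
    """Return {'elements': n, 'max_depth': d} for an acceptable message, else raise."""
    if len(xml_bytes) > max_bytes:
        raise RejectedMessage(f"message is {len(xml_bytes)} bytes; limit {max_bytes}")
    state = {"depth": 0, "max_depth": 0, "elements": 0}
    parser = expat.ParserCreate()

    def reject_dtd(*_):
        # Fires on <!DOCTYPE ...> and on any <!ENTITY ...>, before expansion occurs.
        raise RejectedMessage("DTD or entity declaration not allowed in a SOAP message")

    def start(name, attrs):
        state["depth"] += 1
        state["elements"] += 1
        if state["depth"] > max_depth:
            raise RejectedMessage(f"nesting deeper than {max_depth} at <{name}>")
        if state["elements"] > max_elements:
            raise RejectedMessage(f"more than {max_elements} elements")
        state["max_depth"] = max(state["max_depth"], state["depth"])

    def end(name):
        state["depth"] -= 1

    parser.StartDoctypeDeclHandler = reject_dtd
    parser.EntityDeclHandler = reject_dtd
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    try:
        # Exceptions raised inside handlers propagate out of Parse().
        parser.Parse(xml_bytes, True)
    except expat.ExpatError as exc:
        raise RejectedMessage(f"malformed XML: {exc}") from None
    return {"elements": state["elements"], "max_depth": state["max_depth"]}


# Constructed sample messages -------------------------------------------------
CLEAN_SOAP = (
    b'<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
    b'<soapenv:Body><getBalance xmlns="urn:example:bank"><account>1234</account>'
    b'</getBalance></soapenv:Body></soapenv:Envelope>'
)
# A three-level 'billion laughs' style entity bomb, kept tiny on purpose.
ENTITY_BOMB = (
    b'<?xml version="1.0"?><!DOCTYPE lolz [<!ENTITY lol "lol">'
    b'<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">'
    b'<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">]>'
    b'<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
    b'<soapenv:Body>&lol2;</soapenv:Body></soapenv:Envelope>'
)
DEEP_NESTING = b"<a>" * 200 + b"</a>" * 200

if __name__ == "__main__":
    for label, msg in (("clean", CLEAN_SOAP), ("entity bomb", ENTITY_BOMB),
                       ("deep nesting", DEEP_NESTING)):
        try:
            print(label, "accepted:", gate(msg))
        except RejectedMessage as e:
            print(label, "rejected:", e)
```

Because the DOCTYPE handler rejects the message at the declaration itself, the entities are never expanded, so the check costs nothing even against a bomb whose expansion would be gigabytes. Schema validation against the service's WSDL types, which the commercial products also perform, belongs after this gate rather than before it: a validating parser is exactly the component an oversized or deeply nested document is designed to exhaust.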
Speaking at the OASIS WS-Security interoperability demonstration, a representative working in the retail architecture and integration group at Wachovia Bank said that the bank's developers knew nothing about security and didn't want to have to deal with security concerns.
One of the bank's systems had a mutual authentication requirement for its Web services communications with one of its partners. The two applications involved, one on .NET and one on WebSphere, did not support the same parts of the WS-Security specification. To bridge the gap, Wachovia inserted a DataPower intermediary to handle the security processing on the application's behalf.
Although mismatched standards support does hurt interoperability, experts advise that organizations should closely follow standards like WS-Security, SAML and the Liberty Alliance's Web services framework, as these are the most important and still the most widely supported.
Later this year, OASIS plans to release WS-Security 1.1, which will focus on encrypting SOAP headers. Meanwhile, the Web Services Interoperability (WS-I) Organization, which met earlier this spring to discuss features in the upcoming WS-I Basic Security Profile, continues its work on bringing together Web services security standards.