The road to Web services nirvana is littered with some sticky security issues, which a panel of vendors explored here on Friday at the InfoWorld Next-Generation Web Services II: The Applications conference.
Because Web services introduce enterprises to a new level of interoperability and openness, new security challenges are arising.
Security is driven not so much by new implementations, such as Web services, as by a company's existing architecture and business model, according to Gilbert Pilz, chief security architect at E2Open LLC. This means that implementing Web services does not necessarily pose a radical shift to existing security models, he said.
"If you are using Web services to replace what you have but not changing how you do business, those existing [security] solutions can be extended to Web services," he said.
However, because Web services can bring a new level of openness to an enterprise, the issue of security is exacerbated, according to another panelist.
"Web services are a standardized way to open up your enterprise," said Max Levchin, CTO of PayPal Inc. "With Web services people are rushing to open up their enterprises but at the same time opening security holes. The problems are not that different but the results are just more drastic."
In addition, certain vertical industries, such as financial services and business-to-business trading, face intensified needs around Web services security, said Pilz.
Furthermore, because Web services involve passing information among multiple vendors, they pose particular challenges to security, identity management, authorization, and authentication, the panelists agreed.
In the coming age of Web services, there is a newfound need for technology that can glue multiple incompatible security point products together, said Bret Hartman, CTO of Hitachi. "It is a combo of existing infrastructure plus new technology to connect them together and deal with interoperability," he said.
"The promise of Web services is all about heterogeneous [environments]: different platforms, different vendors, and that means different security platforms have to be heterogeneous and interoperable," Hartman said. "The interoperability of security has been a problem forever."
The issues of authentication and identity management are particularly thorny with Web services because applications are connecting to multiple other applications across corporate boundaries, Hartman said.
"A human being can authenticate nicely to the first server on the hop, [but] the problem is the technology switch as you go from company to company. How do you represent that person as they travel from company to company?" he said.
Also, because Web services transactions typically span multiple applications and organizations, it is a difficult job to trace and respond to an attack across different Web servers, applications, and lines of business, Hartman said.
"To recognize an attack is very tricky in Web services, and there is no uniform response you can rely on," he said.
Suggestions for improvement include better development tools that can take out some of the heavy lifting and leave developers to focus on business process, according to Brooks.
"From a development perspective the tools could be better. If there were better tools, we could just focus on the business process. But it is not preventing us from doing anything today," he said.
Brooks expressed hope that standards efforts such as WS-I (Web Services Interoperability) and WS-Security will ease the pain by "factoring out" authentication and authorization issues.
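The "factoring out" of authentication that Brooks hopes WS-Security will deliver is, at its simplest, a UsernameToken carried in a SOAP header instead of in each application's own login scheme. The block below is an added example written for this page, not code from the panelists, InfoWorld, or any WS-Security implementation. It builds a UsernameToken using the PasswordDigest rule from the OASIS UsernameToken Profile 1.0 (a specification that postdates this conference), renders the wsse:Security header, and verifies the token on the receiving side with the freshness and nonce-replay checks the profile recommends. The user "alice", the password table, and the in-memory nonce set are constructed for the example; a real deployment would back the nonce cache with shared storage.

```python
import base64
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone
from xml.sax.saxutils import escape

# Added example (not from the page): WS-Security UsernameToken with PasswordDigest.
# The UsernameToken Profile 1.0 defines
#     PasswordDigest = Base64( SHA-1( nonce + created + password ) )
# where nonce is the raw (Base64-decoded) bytes and created is the timestamp text.
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
NONCE_ENC = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
CREATED_FMT = "%Y-%m-%dT%H:%M:%SZ"   # whole-second UTC timestamps, for simplicity


def parse_created(text: str) -> datetime:
    """Parse a wsu:Created value into an aware UTC datetime."""
    return datetime.strptime(text, CREATED_FMT).replace(tzinfo=timezone.utc)


def password_digest(nonce_b64: str, created: str, password: str) -> str:
    """Base64(SHA-1(nonce || created || password)), with the nonce as raw bytes."""
    nonce = base64.b64decode(nonce_b64)
    digest = hashlib.sha1(nonce + created.encode("utf-8") + password.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def make_token(username: str, password: str, created=None) -> dict:
    """Client side: fresh random nonce plus timestamp; the password itself never goes on the wire."""
    if created is None:
        created = datetime.now(timezone.utc).strftime(CREATED_FMT)
    nonce_b64 = base64.b64encode(secrets.token_bytes(16)).decode("ascii")
    return {
        "Username": username,
        "Nonce": nonce_b64,
        "Created": created,
        "PasswordDigest": password_digest(nonce_b64, created, password),
    }


def render_header(token: dict) -> str:
    """The wsse:Security SOAP header block the token travels in."""
    return (
        f'<wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">'
        f'<wsse:UsernameToken>'
        f'<wsse:Username>{escape(token["Username"])}</wsse:Username>'
        f'<wsse:Password Type="{DIGEST_TYPE}">{token["PasswordDigest"]}</wsse:Password>'
        f'<wsse:Nonce EncodingType="{NONCE_ENC}">{token["Nonce"]}</wsse:Nonce>'
        f'<wsu:Created>{token["Created"]}</wsu:Created>'
        f'</wsse:UsernameToken>'
        f'</wsse:Security>'
    )


class TokenVerifier:
    """Server side: accept a token only if the user is known, the timestamp is fresh,
    the nonce has not been seen before, and the digest matches the stored password."""

    def __init__(self, passwords: dict, freshness: timedelta = timedelta(minutes=5)):
        self._passwords = passwords        # constructed credential store for the example
        self._freshness = freshness        # clock-skew / replay window
        self._seen_nonces = set()          # stand-in for a shared cache; keep entries >= freshness

    def verify(self, token: dict, now=None) -> bool:
        now = now or datetime.now(timezone.utc)
        password = self._passwords.get(token.get("Username"))
        if password is None:
            return False                   # unknown user
        try:
            created = parse_created(token["Created"])
        except (KeyError, ValueError):
            return False                   # missing or malformed timestamp
        if abs(now - created) > self._freshness:
            return False                   # stale or far-future token
        nonce = token.get("Nonce")
        if not nonce or nonce in self._seen_nonces:
            return False                   # missing nonce, or a replayed one
        try:
            expected = password_digest(nonce, token["Created"], password)
        except ValueError:
            return False                   # nonce is not valid Base64
        if not hmac.compare_digest(expected, token.get("PasswordDigest", "")):
            return False                   # wrong password or tampered header
        self._seen_nonces.add(nonce)
        return True


if __name__ == "__main__":
    token = make_token("alice", "s3cret")
    print(render_header(token))
    verifier = TokenVerifier({"alice": "s3cret"})
    print("first presentation accepted:", verifier.verify(token))
    print("replay accepted:", verifier.verify(token))
```

Two caveats a practitioner would want. First, the digest only keeps the cleartext password off the wire on that one hop; it does not bind the token to the SOAP body, so transport protection such as TLS is still required. Second, this authenticates a caller to "the first server on the hop," in Hartman's phrase. Carrying that identity on to the next company requires a token the next party can validate on its own, which is the signed-security-token side of WS-Security and is not shown here.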