Security rears its ugly head

For all the pro-Web services enthusiasm here at Forrester Research Inc.'s conference, serious security- and trust-related concerns emerged as a common theme.

Citing worries about investing trust in third-party identity providers such as RSA Security Inc. and VeriSign Inc., conference attendees and speakers at the conference on Monday and Tuesday focused on security standards and issues, with PKI (public key infrastructure) surfacing as one of the most significant hurdles to enterprise Web services adoption.

"The trouble with PKI is it slows down [transaction] performance," noted an executive from a large financial services provider, who asked not to be named. Directing her comments at an executive from VeriSign during informal discussions, the executive said third-party identity providers can slow down Web transactions to the point where service providers risk losing online customers.

Greg Papadopoulos, chief technology officer at Sun Microsystems Inc. in Santa Clara, California, addressed the issues of user identity, context, privacy, and trust during his keynote, commenting that the industry needs to agree on fundamental standards governing their use. "The biggest issue in my mind is how to manage authenticity," he said.

According to Papadopoulos, the process of building a reliable PKI infrastructure needs to be "as easy as http."

"Fundamentally, we need to go way beyond the Passport model," said Richard Taggart, director of enterprise technology architecture integration and standards at General Motors Corp.

Taggart's concerns revolve around the problems inherent in the existing Internet infrastructure he described as offering "lousy security," inadequate privacy, anonymity, and borderlessness: "It's actually too open."

Boasting an annual IT budget of US$5 billion, Taggart admitted GM has significant influence over IT vendors. "We beat them mercilessly," he said. In that context he commented that he was "delighted" to hear Microsoft recently renewed its focus on security with the appointment of Scott Charney as the company's chief security strategist.

"[Security] has been a big issue that has cost them enterprise leverage," he said.

As such, he's working closely with Sun as part of GM's participation in the Liberty Alliance, and to some degree Microsoft.

"We are trying to experiment with Web services in virtually every area of our business," he commented, noting that GM is moving toward a position of looking at vehicles "as a bunch of IP addresses."

John Leggate, BP's group vice president of digital business, also expressed concern over security, noting that the company is currently "nailing down" its security standards and is moving closer to selecting a set of partnerships with companies including Vitrea and Tibco.

IBM and Microsoft also weighed into the debate.

Rod Smith, vice president of emerging technologies at IBM's software group, said during a Q&A after his keynote that he expects to see wider adoption of industry standards in 2002. "We need to make sure everyone agrees to a security standard," he said of the vendor community.

Microsoft's representative at the conference, .Net architect John Shuchuk, reiterated the company's recent proactive stance on security. Citing reliable messaging as a significant concern, he said instead of promoting existing "channel-level" encryption techniques, Microsoft is developing technology to leverage XML signatures and XML encryption.

A signed SOAP (Simple Object Access Protocol) packet would be more secure as it avoided exposure at intermediary technology, he argued.

Forrester's group director of research, John McCarthy, said the long-term vision for security is to bake it into the Web services standards.

Where privacy is concerned, McCarthy believes the problem is as much a business issue as it is technical.

"The biggest issue with privacy is working out your [company's] escalation procedure for a privacy brouhaha," he said.

For one conference attendee, it was all good news because demand for security solutions spells sales opportunities.

"I look at this conference for what is the hottest technology I can sell," mused Leo McDermott, a senior sales representative at startup integration vendor CrossWeave in Scottsdale, Arizona.

McDermott's take-away from the conference reflected the sentiment of many speakers who pushed the message that despite challenges like security, now is the time to start implementing Web services.

"I can now go start selling Web services products; it's no different from anything else I've done," he said with regard to distributed applications.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

More about Forrester ResearchHolden- General MotorsIBM AustraliaLiberty AllianceMicrosoftRSA, The Security Division of EMCTibco

Show Comments