Despite the nascent promise of XML and Web services, one issue continues to hinder widespread adoption of the technology, according to both market observers and vendors: security.
"Clearly, security is a roadblock. Nobody in their right mind is going to create a Web service without security," said Ron Schmelzer, senior analyst at XML and Web services research firm ZapThink, located in Waltham, Mass.
A handful of companies are attempting to bridge this gap with software, but on Wednesday a new company added its name to the list of hopefuls when Forum Systems Inc. announced its Sentry hardware security appliance.
The Sentry is a device built around an Intel processor and stocked with both nCipher Corp. Ltd. and Broadcom Corp. encryption processing chips, said Wes Swenson, president of Forum Systems, based in Salt Lake City. The box sits in a network, with traffic flowing through it, and only applies security measures to that traffic based on user-defined policies, Swenson said.
The device supports SSL (Secure Sockets Layer) as well as digital certificates, XML encryption for both privacy and authentication, and XML processing for data validation, transformation, and archiving, Swenson said.
Though the Sentry applies standards-compliant XML security when traffic moves through it, a second appliance is not required to decrypt the secured traffic, he said. Instead, as long as the receiving system complies with XML security standards, the data can be decrypted, he said.
The encryption, digital signature, and other security measures added to XML documents by the Sentry can be applied both to the data included in the document and to the XML tags that describe it, Swenson said. XML documents, like HTML documents, contain both the data to be transmitted or displayed and tags, which carry information on how to display the data. The security travels with the documents over their lifetime, he said.
The device can handle up to 670 digital signatures per second and can be configured to block incoming documents that don't meet security criteria, to quarantine those documents, to perform packet-level inspection and more, Swenson said.
The Sentry is targeted at financial services firms, health-care companies, government agencies, and insurance companies, Swenson said. The device will be available worldwide on July 22 at a cost of US$34,995 per appliance.
Though there have been some attempts by more established players to offer XML security toolkits, Swenson dismissed those as too hard to use. But the lack of security isn't stopping everyone, he said.
"[Due] to the benefits gained from XML, most people are going to move forward with XML and Web services no matter what," he said. "They'd feel a lot better about it if they had a better security solution."
Since standards for secure Web services have yet to emerge, many application developers are considering building their own secure Web services environments from scratch. This would be an ill-advised move, say security analysts.
"The number of developers who think they need to develop their own security into Web services is frightening. What they need to do is use toolkits, software solutions, and appliances to incorporate security rather than try to build it themselves," said Pete Lindstrom, security strategies analyst for the Hurwitz Group Inc., based in Framingham, Mass.
In an effort to expedite that "learning curve" process, Forum Systems competitor Vordel this week launched an Early Access Program. The outreach research and development initiative allows qualifying organizations to test and bring in-house Vordel's forthcoming VordelSecure 1.1 XML security product free of charge for 30 days, said Mark O'Neil, CTO of Ireland-based Vordel.
"People are looking at Web services in the lab or behind the firewall, but they're not exposing the interfaces yet to partners because they realize they'll need security when they do that," O'Neil said. "It's interesting for people to see in front of them some SOAP [secure object access protocol] messages going through and some SOAP messages getting blocked."
As part of the program, Vordel offers organizations an install of its product using a Microsoft SOAP toolkit which exposes sample Web services through Microsoft IIS server. Various security policies are then incorporated into the testing environment for different types of Web services desired by developers or security staff.
O'Neil said financial services, insurance, and manufacturing clients -- many of whom want to link in with resellers and stand-alone kiosks via Web services -- have agreed to test VordelSecure 1.1. Case studies regarding those installations will become available shortly after the expiration date passes, he said.
VordelSecure 1.1 is a software product that acts as a filter on a Web server in front of a Web service and applies security rules to incoming Web services messages. The messages are checked against schema, path, and integrity requirements by verifying the accompanying XML signature. The product also provides access control by examining digital signatures presented by incoming SOAP requests and LDAP directory references.
However, Lindstrom notes that the appliance approach Forum uses performs faster than software by supporting a number of different network resources and tasks.
"Forum just makes everything easy. If you're playing with different Web services, you plug in a Forum box and you can see what this stuff looks like from an outside world," Lindstrom said. "Forum allows you to look at data and decide what you're going to do and [what to] encrypt."
ZapThink's Schmelzer agrees, saying that Forum is in a position to capitalize on the lack of Web services security, but also that it's still too early to say whether it will.
"Today, they're at Step 1 of 10. [Companies in this space] all are," he said. "This is like 1995 for Check Point [the dominant firewall company founded in 1993]."
And just as Check Point has been met with competitors in its markets, Schmelzer expects that more competition will arise in the hardware XML security area.
"It would be safe to assume that some time in the not-too-distant future that the big guys [in hardware network security] are going to come in," he said. "We believe a whole class of vendors are going to be created by Web services."
Forum needs to move fast and keep up with XML developments as they come, he said.
"They're early, so I hope they have enough money to last," he said.