Getting serious about Web security

Usually we juxtapose the terms Web and security only to get a laugh, seeing as one seemingly can't go for more than a few days without reading about yet another Web security fiasco. But the sorry state of Web security hasn't stopped companies from rushing to make goods and services available via the Web, and many of these efforts are thriving despite the general implosion of the dot-bomb sector. The next few years are going to see dramatic changes in the way businesses use Web technologies, and security standards are already evolving to meet the new requirements.

It's none too soon, considering that our readers have identified unresolved security issues as an important factor inhibiting the adoption of Web services. Exactly 71 percent of respondents to our InfoWorld Web Services Survey cite security problems as an obstacle, edging out concerns over incomplete standards and integration issues, which were shared by 68.2 percent and 57 percent, respectively.

By and large our respondents don't hope for improved security by way of implementing Web services. Of our 10 named benefits -- integration, efficiency, and code recycling were the top three -- security finished last, with only 31.8 percent reporting that they expect Web services to increase security.

Those are hardly encouraging statistics, and the immaturity of Web security technology is the root of the problem. To date, much of Web security is built around encryption through SSL (Secure Sockets Layer). Although that's adequate for hiding a credit card number while the transaction is being processed, it's not enough to protect supply-chain operations and other b-to-b transactions. To play in the big leagues, businesses need better tools than the ones that currently exist for Web security.

XML the key

As do other pieces of the Web services puzzle, security stands to gain from XML. Recent efforts by OASIS (Organization for the Advancement of Structured Information Standards), the W3C (World Wide Web Consortium), and others are leading to enhancements in XML's capability of powering secure Web services.

One security technology that has so far failed to meet its potential may get a new lease on life thanks to XML. PKI (public key infrastructure) tools have been notoriously difficult to implement and use, but that situation may improve if the W3C adopts something similar to the XKMS (XML Key Management Specification), a proposed standard supported jointly by Microsoft Corp., VeriSign Inc., and webMethods Inc.

There's a lot of momentum behind this proposal: VeriSign and Entrust Technologies Inc. are already offering XKMS-enabled services, XKMS has already been published by the W3C as a technical note, and VeriSign offers a developer's kit for free download. Although ratification before 2003 is doubtful, the proposed XKMS standard does provide developers a way to use XML-based transactions as a medium for exchanging public keys, which are used in digital signature and encryption applications.

Another proposed standard complements the key-management functions of XKMS by offering XML schema extensions controlling authentication and authorization functions. SAML (Security Assertion Markup Language) combines two earlier efforts, AuthXML and S2ML (Security Services Markup Language), both of which were early tries at stretching XML's capabilities into the security space. By providing businesses with easier, Web-based PKI and authorization schemes, SAML and XKMS go beyond merely encrypting a customer order, for example, and provide a nonrepudiable record of the transaction.

Fortunately the foundations for these technologies already exist. XML is no longer the new kid on the block, while the schema extensions to XML that enable digital signature technology, known as XML Signature, are already a Candidate Recommendation, the second phase of the W3C standards adoption process. Entrust, IBM Corp., NEC Corp., and VeriSign all have XML Signature tools available today. Central to the XML Signature standard is support for specialized functions such as coping with transformed data within a signed document, recognizing multiple signatures per document, and supporting the signing of partial documents.

Back to basics

It's clear from the events of recent months that many of the security problems companies face through the Internet could be solved by remembering the basics such as making sure all the servers are patched, training remote users on the danger of bypassing corporate security policies, and so on. It's obvious that when your Web servers aren't secure, your Web services aren't going to be secure either.

But realizing value from Web services is going to require more than just maintenance work. It will take time for XML-based security standards such as SAML and XKMS to evolve and be tested in real applications. But the pace of development is such that we expect to see these proposed standards take the form of real products within the next year so that businesses can put them to work.


Web services security

Executive Summary: Internet security issues and immature security standards are among the important factors retarding the adoption of Web services. Proposed XML security extensions hold the hope of bridging both gaps, adding authentication and authorization to encryption in the protection of Web services.

Test Center Perspective: XKMS and SAML complement each other in support of XML-based authentication, authorization, and PKI. These XML-based security standards should find their way into products by the end of 2002.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

More about EntrustEntrust TechnologiesEvolveIBM AustraliaMicrosoftNECOrganization for the Advancement of Structured Information StandardsVeriSign AustraliaW3CWebMethods AustraliaWeb SecurityWorld Wide Web Consortium

Show Comments