Overcoming web services insecurities

British Columbia's Ministry of Attorney General has a database with secret witness information. DaimlerChrysler Services North America runs business applications with sensitive dealer and partner data in them. Lydian Trust holds private financial information about its wealthy clients in its data files.

All these organizations have something in common: They expose those systems to the wild and often dangerously insecure World Wide Web. And they confidently secure any access to or transactions on those systems through Web services.

But none of them stepped blithely into Web services development. That's because the state of Web services security standards remains in flux. Only one of the proposed standards, Web Services Security, has been completed, and it hasn't been officially adopted by a standards body. The other initiatives are still in development by various vendors, prompting concern that competing approaches will emerge.

Third-party products are filling the standards gap for now. Most suppliers claim that they will adopt the standards that do emerge. But any IT shop that's attracted to the power and flexibility of Web services must do its homework.

No room for compromise

"We spent several months trying to solve the problem of giving real-time access to our database without compromising the security of the information," says Robert McDonald, director of application management services at the Victoria-based Ministry of Attorney General.

Tony Lyons, a senior IT manager at DaimlerChrysler in the US, echoes the concern for caution, saying he was "absolutely" nervous about Web services security at first. Lyons recalls that throughout his company's 10-month project, which concluded in late summer, security was "paramount because people outside the network were getting access." Developers had to submit their designs and code to multiple, rigorous security reviews by corporate standards committees.

These weren't rubber-stamp exercises. His team was more comfortable building security into client/server software, where they had loads of experience with middleware tools that used Common Object Request Broker Architecture, Component Object Model (COM) and other methods. Now they had to defend their use of XML, SOAP and other Web services standards. It was "a challenge," Lyons acknowledges.

John Studdard, chief technology officer at VirtualBank, a division of Lydian Trust, also dismisses using technology "from the old days," despite the comfort level developers have with it. "DCOM, COM and such are complex to maintain and complex to secure," he says.

Luckily, the multitier model of Web services has matured fast enough to make it possible to implement secure software for a broad base of online users. "Web services works well, especially when we work with our outside constituents," says McDonald.

The ministry assigned him the task of building an application that gave online access to court proceedings in the province. Until the application rollout, if anyone wanted to find out, say, a given trial date or the judge assigned to a particular case, they had to visit a courthouse. The access problem was compounded by the fact that all information related to provincial cases resided in a centralized Oracle database that included information about witnesses and other restricted data. And the data changed often, adding to the difficulty of the project.

"The information was sensitive and dynamic, with lots of last-minute changes," McDonald says. That meant he couldn't simply create a subset of the database and expose it to the Web.

Security through separation

McDonald hails the architecture of Web services as secure because he can "separate the client from the database and both from the security model."

In the ministry's Justice Information Systems project, called JUSTIN Public Inquiry, users sign on via a browser, and a Java-based Web services program sends the log-in information in XML-encrypted format to a gateway from Layer 7 Technologies. The SecureSpan gateway authenticates the user and reveals only authorized services to whoever logs on. For example, a lawyer in a financial corruption trial might have access to different services than a citizen checking on traffic-court dates would.

The system encrypts each message sent using 128-bit algorithms and can authenticate it to ensure that no one has hijacked a session. And the services that are exposed to users are written as Java stored procedures, so no other action can be taken except for the function of the procedures.

McDonald praises the tools Oracle has put into its Oracle9i database. He says the Web services tools greatly eased the creation of Java stored procedures, which enhance the application's security.

At VirtualBank, where Studdard oversees Web services development for all the divisions of Lydian Trust, credit and fraud checking is done using external credit bureaus over the Web. Because the data transferred between services is sensitive, such as Social Security numbers and account information, the messages follow the Web services security model for encrypting messages between sites.

Studdard also uses Directory Smart from OpenNetwork Technologies, which works with his Windows 2000 Active Directory Service to authenticate external users to access internal Web services and authorize their levels of access.

Two key benefits of the security model in Web services are that it can scale and that, because the security process exists outside the applications that use it, the technology supporting the process can change as needed without affecting the application, Studdard argues. Likewise, while OpenNetwork strives to work within the working specification being developed by Microsoft, IBM and other vendors for the Web Services Policy Framework, Web Services Trust Language and other emerging standards, Studdard says he's confident that if his vendors fall out of compliance, he can simply swap out the security services.

"We have a layer written to change out our security depending on where the standards evolve," he says.

Getting up to speed on the architecture, methodology and tools for writing Web services applications and then securing them remains the most common problem today, users say. Success, however, has spurred wider adoption, putting a greater emphasis on security.

Of the 26 projects on McDonald's to-do list for the next 12 months, "six or seven have an e-service component to them," he says. "And all here agree that Web services will be the architecture."

Join the newsletter!

Error: Please check your email address.

More about DaimlerChryslerEvolveGatewayIBM AustraliaMcDonald'sMicrosoftOpenNetworkOpenNetwork TechnologiesOracleVirtualBank

Show Comments