As more businesses deploy Web services, applications that dynamically interact with other applications and data sources, the issue of how to secure them from hackers and other threats becomes more important. Security also becomes more difficult as Web services expand from being internal applications to ones that interact with outside systems, applications, and data under the control of suppliers, partners, and customers.
Those factors help to explain why Web services are viewed as less secure or more vulnerable to attack than other types of IT services and systems. The lack of a standard approach to Web-services security doesn't help with that perception. There are dozens of industry efforts under way to develop Web-services security standards and technologies, but none have taken hold as the preferred method.
Only 5% of businesses completed Web-services projects in 2002, research firm IDC says. But the majority will have deployed Web services over the next several years, and the overall market should be worth $21 billion by 2007, IDC says.
Standards are emerging, and they're starting to pay dividends. The growing use of standards such as WS-Security, the Security Assertion Markup Language (SAML), and WS-Trust can help companies confirm the identity of the organizations and applications requesting access (by monitoring and managing the exchange of tokens and credentials), ensure that data is encrypted, and require that information be exchanged in a standard format.
There are two key concerns when it comes to Web services, encryption and authentication, says Christopher Crowhurst, VP and principal architect at Thomson Learning. Data that moves via Web services between applications must be encrypted to reduce the chance that unauthorized people intercept, read, or manipulate it, he notes. And strong authentication is necessary, especially in E-commerce applications, to ensure that the person placing an order or the app seeking data really is who or what it claims to be.
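The authentication half of that concern is what the WS-Security standard named above addresses at the message level. The following is an added example, not code from the article, Thomson Learning, or Reactivity: a receiver that validates a WS-Security UsernameToken carrying a PasswordDigest (Base64 of SHA-1 over nonce + Created + password, per the OASIS UsernameToken Profile 1.0) and rejects cleartext passwords, stale timestamps, and replayed nonces. The calling application name, its shared secret, the five-minute clock-skew window, and the in-memory nonce cache are all assumptions made for the example; a production receiver would back the nonce cache with a shared store.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Namespace URIs from the OASIS WS-Security 1.0 specifications.
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
               "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """UsernameToken Profile 1.0: PasswordDigest = Base64(SHA-1(nonce + created + password))."""
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def build_envelope(username: str, password: str, nonce: bytes, created: str) -> str:
    """Constructed sample request as a calling application would send it (example only)."""
    return f"""<soap:Envelope xmlns:soap="{SOAP}">
  <soap:Header>
    <wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">
      <wsse:UsernameToken>
        <wsse:Username>{username}</wsse:Username>
        <wsse:Password Type="{DIGEST_TYPE}">{password_digest(nonce, created, password)}</wsse:Password>
        <wsse:Nonce>{base64.b64encode(nonce).decode("ascii")}</wsse:Nonce>
        <wsu:Created>{created}</wsu:Created>
      </wsse:UsernameToken>
    </wsse:Security>
  </soap:Header>
  <soap:Body><GetOrder xmlns="urn:example:orders"/></soap:Body>
</soap:Envelope>"""


def verify_username_token(envelope_xml, lookup_password, seen_nonces, now,
                          max_skew=timedelta(minutes=5)):
    """Validate the UsernameToken; returns (True, username) or (False, reason)."""
    root = ET.fromstring(envelope_xml)
    token = root.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security/{{{WSSE}}}UsernameToken")
    if token is None:
        return False, "no UsernameToken"
    username = token.findtext(f"{{{WSSE}}}Username")
    pw = token.find(f"{{{WSSE}}}Password")
    nonce_b64 = token.findtext(f"{{{WSSE}}}Nonce")
    created = token.findtext(f"{{{WSU}}}Created")
    if username is None or pw is None or nonce_b64 is None or created is None:
        return False, "incomplete token"
    # Only the digest form is accepted; a cleartext password over the wire is rejected outright.
    if pw.get("Type") != DIGEST_TYPE:
        return False, "cleartext password not accepted"
    try:
        created_dt = datetime.strptime(created, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return False, "bad Created timestamp"
    # Freshness window bounds how long a captured message stays usable.
    if abs(now - created_dt) > max_skew:
        return False, "stale timestamp"
    # A nonce seen inside the window is a replay, even if the digest is valid.
    if nonce_b64 in seen_nonces:
        return False, "replayed nonce"
    secret = lookup_password(username)
    if secret is None:
        return False, "unknown user"
    expected = password_digest(base64.b64decode(nonce_b64), created, secret)
    if not hmac.compare_digest(expected, pw.text or ""):
        return False, "digest mismatch"
    seen_nonces.add(nonce_b64)  # record only after a successful check
    return True, username


def run_demo():
    """Constructed scenario: a valid request, its replay, a stale token, and a wrong password."""
    users = {"orders-app": "correct horse battery staple"}  # assumed shared secret
    now = datetime(2003, 6, 1, 12, 0, 0, tzinfo=timezone.utc)
    seen = set()
    good = build_envelope("orders-app", users["orders-app"], bytes(range(16)), "2003-06-01T11:59:30Z")
    first = verify_username_token(good, users.get, seen, now)
    replay = verify_username_token(good, users.get, seen, now)
    stale = verify_username_token(
        build_envelope("orders-app", users["orders-app"], b"\xaa" * 16, "2003-06-01T11:00:00Z"),
        users.get, seen, now)
    wrong = verify_username_token(
        build_envelope("orders-app", "guessed", b"\xbb" * 16, "2003-06-01T12:00:10Z"),
        users.get, seen, now)
    return first, replay, stale, wrong


if __name__ == "__main__":
    for outcome in run_demo():
        print(outcome)
```

The digest protects the shared secret in transit, but it does nothing for the message body, which is why the article pairs authentication with encryption: this token should travel over TLS or inside an XML-Encryption-protected envelope, and the nonce cache must be shared across every receiver that accepts the same credentials.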
Thomson Learning has deployed an appliance from Reactivity Inc. that handles authentication and encryption using standard protocols for all messages involved in Web services. "With our business-to-business integration, the appliance helps us cut down the project time from months to days," Crowhurst says.
Security needs have changed as more businesses expand their use of Web services from internal applications to business-to-business applications, says Andrew Nash, chief technology officer at Reactivity. "As soon as companies get success from Web services, they rapidly move into a much more sophisticated network and take on multiple partners," he says. "Every one has slightly different ways to manage Web services."
Web-services interoperability can be an ongoing challenge, even within a company. James McKenney, information security officer at Security Bank of Kansas City, owned by holding company Valley View Bancshares Inc., confronts that problem every day, which makes it difficult to provide a standard form of security for all six banks in the company. And banks are required to provide proof that their systems are secure to comply with federal regulations.
"We try to have a single policy," McKenney says. "But each entity customizes for its own operation." Security Bank uses many standard security practices. "We use PIN numbers, watch amounts [being withdrawn], and know our customers' behavior," he says. "If we see a $25,000 check and a strange location, we're investigating that."
But the community bank, which has more than 134,000 customers, also is expanding its Internet banking options, which rely on Web services. While security is a concern, competition is forcing it to move fast to offer more automated Internet banking services--perhaps too quickly for the bank's operations and security personnel. "We found we were jumping in really quick with systems, and departments like fraud were really behind," McKenney says. "We were struggling to audit these systems, looking for something to maximize time and improve efficiency."
Security Bank deployed security management, auditing, and compliance software from OpenService Inc. to support the online banking effort. "We can go in and see when systems have completed audits," he says. "And this should dramatically improve time for our audit staff."
Banks aren't the only ones that must comply with a variety of regulations governing personal data. The University of Missouri, like many schools, must protect data on student identities, student loans, and other information.