Safer than you think?

Security is the No. 1 factor keeping many IT managers from deploying Web services. But don’t tell that to Matt Hird, director of IT at Superior Information Services LLC.

Hird relies on well-known, proven security protocols, such as virtual private networks (VPN) and Secure Sockets Layer (SSL), to protect bankruptcy, real estate and other public information Superior provides to its customers using Web services. Hird says the Trenton, N.J.-based information broker considered more elaborate security safeguards but decided “the business risk isn’t there to justify the investment.”

Many IT managers afraid to expose their Web services to the outside world until new security standards are firmly in place are deploying Web services only within their firewalls. But some IT managers are moving Web services beyond the firewall, especially to handle relatively low-risk transactions with trusted business partners. Other Web services pioneers are very large companies that need to provide secure access to critical systems and can afford the specialized tools and skills required to secure Web services before standards-based Web security tools emerge sometime next year.

Web services refers to the use of Web-based standards such as XML; Universal Description, Discovery and Integration; and Simple Object Access Protocol to link applications running on different platforms.

Unlike previous approaches that required custom coding or expensive middleware to link individual applications, Web services aim to expose key functionality within applications (such as the ability to see the balance in your checking account or to place an order from a factory) to other applications as required when business needs change.

But this ease of integration also brings risks. When a Web service connects you to a business partner, you rely on that business partner to properly authenticate, or vouch for the identity of, users at their end of the transaction. That means an intruder who has gained access at a supplier, for example, could use that improper authentication to invade systems of the supplier’s customers.

To prevent such break-ins, Web services architects must look beyond application-level security measures and create access control, authentication and encryption capabilities, which can follow queries and responses as they cross system and corporate boundaries.

Web services security standards aim to do that by building security into key Web services protocols such as XML. The XML Key Management Specification will define how to register and distribute XML-based public keys to encrypt and decrypt documents, even if the sender and recipient have never done business with each other before.

The Security Assertion Markup Language will use XML to exchange information about which users have been authenticated and what data they are authorized to see.

Risks vs. Benefits

John Pescatore, an analyst at Stamford, Conn.-based Gartner Inc., argues that such standards, along with development tools and applications, “will be immature from a security perspective” until the second half of next year. For that reason, he recommends that all but the most aggressive firms run Web services only within the firewall until then.

Others take a more flexible view. Rather than use the inside-the-firewall rule, Pete Lindstrom, an analyst at Hurwitz Group Inc. in Framingham, Mass., recommends that companies deploy Web services wherever they or trusted business partners have provided enough security to the required networks, applications and databases that the business benefits outweigh the risks.

Consider Networkcar Inc., which uses a wireless transmitter in cars and trucks to send real-time location and performance information to customers such as fleet managers, dealerships and auto clubs. The San Diego-based company uses Web services based on San Jose-based BEA Systems Inc.’s WebLogic Server to share data with its customers.

It relies on the well-known SSL and the HTTP over SSL encryption protocols to protect content in transit, as well as a firewall around its database to handle authentication and authorization, says Wade Williams, a senior developer at Networkcar.

This is about the same level of security as on many conventional Web applications, which is fine, says Williams, because the data he’s providing over Web services is the same the company used to provide over its intranet.

But if Networkcar were to share more sensitive data, such as customers’ credit card numbers, it would have to revisit whether Web services are secure enough and what other security mechanisms, such as public- and private-key encryption, to add to the mix, he says.

Superior went through a similar process in deciding that SSL and VPNs were good enough to secure the Web services it’s providing using BEA’s WebLogic. While a central authentication server would do a better job of keeping out unauthorized users, “the worst that can be done is that someone else could imitate” one of Superior’s customers, Hird says. Superior would learn of the fraud when it billed the actual customer for the transaction and the customer refused to pay.

Even then, according to Hird, Superior would have lost only potential revenue rather than actual cash. “It’s an acceptable risk because of what we’re doing,” he says. “If we were the CIA, that probably wouldn’t be acceptable.”

Hird also weighed the risks against the benefits. By using Web services, he says, Superior can develop new applications 100 percent faster and expand into new business areas, such as syndicating its data to business partners.

E2open LLC, a global collaboration network formed by global electronics giants such as IBM, Matsushita Electric Corporation of America, Lucent Technologies Inc. and Nortel Networks Ltd., is one of the advanced companies that both needs and can afford secure Web services today.

E2open handles and even stores trade secrets such as new product designs for its customers, so “security is No. 1,” says Greg Clark, chief technology officer at the Belmont, Calif.-based organization. But without Web services, he says, the cost to integrate applications for its founders “was way too high.”

To keep those Web services secure, the consortium is using Austin, Texas-based Tivoli Systems Inc.’s Access Manager (formerly Tivoli Policy Director) to store the access control rules for users, Clark says. Access Manager also provides a single sign-on capability, which allows an E2open user to sign on once and access the appropriate information through different applications at multiple E2open companies.

Using the Right Tools

Clark acknowledges that a tool such as Tivoli Policy Director is appropriate today only for organizations where the need to integrate business partners justifies the current cost of securing Web services. Other leading players in the Web services security market include Netegrity Inc. in Waltham, Mass., Novell Inc., Entrust Inc. in Dallas, and Oblix Inc. in Cupertino, Calif.

Major vendors promoting Web services are also banding together to form Web services security standards. Last month, Microsoft Corp., IBM and Mountain View, Calif.-based VeriSign Inc. announced that they will create a new standard for Web services security called WS-Security. But a Microsoft spokesman says it will take 12 to 18 months to complete all the specifications called for by the standard.

Until more standards-based security tools hit the market, IT managers should weigh the risks of deploying Web services against the benefits. “To the extent you have a controlled environment across the firewall, then go for it,” says Lindstrom, “as long as you’re constantly evaluating and re-evaluating the risks.”

Securing Web Services

Until more tools and standards are available for Web services security, IT managers should: