Secure Web services a moving target

If attendees at the panel discussion on securing Web services came to be reassured that their networks and data will be safe, they left the session, held at the InfoWorld (U.S.) Next-Generation Web Services conference Thursday, wiser and perhaps more troubled than ever.

Users must face the reality that Web services introduce three or four more layers that need to be secured, which makes the problem more complex, said Eduardo Fernandez, professor of Computer Science at Florida Atlantic University, in Boca Raton, Fla., and a former security expert for IBM Corp., summarizing the problem for all the panellists.

“Now a hacker has more layers to attack, more choices, and we have more to defend,” Fernandez said.

Ted Shelton, chief strategy officer at Scotts Valley, Calif.-based Borland Software Corp., supported Fernandez’s contention and added that Web services are too simple to design without considering security. “Web services need to have basic principles of security built in, and that will cost,” Shelton said.

Although some panellists talked of the future and what needs to be done, Doug Cavit, CIO at Sunnyvale, Calif.-based McAfee, said the problem is that “the train has already left the station.”

Even within an enterprise, individuals can create Web services for their colleagues because it has been made so easy to do. “It is going to be a major operation to try and contain these, and that is where policy comes in. A good security policy is as important as the right technology,” Cavit said.

Borland’s Shelton went even further and said that misuse of Web services is an “enormous threat.”

“As a CIO, I don’t want users to decide to upgrade their own software on their own. This creates a hole in the dyke,” Shelton said.

Threats increase once a company goes beyond using Web services internally and begins to deploy services to extranets or to the public Internet, all agreed.

They also did not see any immediate solutions. Most, in fact, agreed that widespread adoption of Web services will be slowed, if not put off, until security issues are resolved.

A poll of the audience indicated as much. The majority of the several hundred attendees said that their company’s first adoption of any Web service would be only for internal use.

But the panellists did make some predictions as to the technologies that will be used to make Web services more secure.

Marc Beadles, chief architect at SmartPipes, said SSL (Secure Sockets Layer) is still necessary but not enough. “If you didn’t encrypt your channel, you open yourself, but that is not sufficient,” Beadles said.

Beadles said SOAP (Simple Object Access Protocol) is a good start because it allows access in an “API-like fashion.” He also told the audience that UDDI (Universal Description, Discovery, and Integration) has promise as a way for an application to describe itself and help ensure reliability, but he warned, “but remember, a description can also lie.”

Chad Dickerson, InfoWorld (U.S.) CTO and panel moderator, added, “Yes, and then it becomes like a Trojan horse.”

Kerberos, the panel agreed, will become a critical component for authentication and authorization. “Kerberos will be the lingua franca for authorization management,” said Cavit from McAfee.

But Cavit also believes that in order for companies to protect themselves, so-called “overlay networks” will spring up that separate business-to-business transactions from the public Internet.

Fernandez said that he has looked at some of the working security specifications coming out of Web services standards bodies. In some cases, he said, the specifications appear to be unaware of previous security issues that have been resolved but are not addressed in the new Web services specifications.

“I can’t criticize the specs because they are still not finished,” he said. “But from what I have seen, the standards themselves might end up as the problem.”

The discussion ended by holding up the dream of Web services next to the reality.

All agreed that although Web services used internally will be the first stage, their real benefits come from their ability to create an extended enterprise. For that to become a reality, a single authentication scheme must become a key component. The question is how to make each layer of an application that has dozens of distributed components secure.

“This is the difference between a grand vision and the reality that security has to be built into every layer of the infrastructure before you get more distributed applications,” Shelton said. “At the moment, security, at least on the public Internet, is the wild, wild West.”