Companies should rely on suppliers' proprietary technology until web security standards reach maturity. That could take three years, says Raymond Wagner.
As web services become more complex and involve interaction between multiple parties, users will require more versatile security.
Simple, point-to-point web services can be secured in much the same way as interactive web sessions are secured today, by using Secure Sockets Layer. However, for situations in which security must be preserved throughout a series of cascading web services - operations such as supply chain, transaction brokering, and multi-party fulfilment processes - the key security specification is WS-Security.
WS-Security defines the core facilities for protecting the integrity and confidentiality of a message, as well as mechanisms for associating security-related claims with the message. It establishes a security model that brings together formerly incompatible security technologies, such as public key infrastructure, Kerberos, XML Digital Signature and XML Encryption.
Although WS-Security is the security cornerstone, it is only the beginning and must be extended with additional specifications that deal with policy, trust and privacy issues.
Unfortunately, the progress towards establishing a set of standards that work together is being slowed by political battles between suppliers.
In the area of web service security, IBM and Microsoft are usually aligned, but Sun proposes specifications independently. IBM and Microsoft work with specialists (such as VeriSign for WS Federation) and other large suppliers (for example, BEA Systems), but Sun works through consortia, such as the Liberty Alliance.
Companies that are ahead of the curve may have started to investigate the use of the WS specifications but they should only do so if they:
- Need to expose functionality to a large number of business partners as web services
- Are implementing complex, multiparty web services
- Have programmers capable of implementing the appropriate security
- Work with trading partners that are capable of using the same security technologies.
The WS standards will not be used widely for at least the next three years. Until they are, the vast majority of companies should rely on suppliers' proprietary technology, which may not comply with standards to provide security for web services transactions.
Most WS Security products provide some level of standards compliance, and suppliers will continue to work on stronger compliance. For organisations committed to web services, tools like these are a better fit than trying to code strong security into the services themselves.
What do you think?
Are you ready to consider WS Security? Tell us in an e-mail >> ComputerWeekly.com reserves the right to edit and publish answers on the website. Please state if your answer is not for publication.
Raymond Wagner is research director, information security strategies at Gartner