The good news is that the authentication and authorisation mechanisms being put forward by suppliers such as Microsoft (Passport) and Sun (Liberty) are building upon proven technologies such as public key digital signatures and certificates, Kerberos and Web access control. This is evolution rather than revolution.
The area to watch out for is the degree of standardisation of new Web services security specifications. Most organisations will be forced to operate multiple authentication and authorisation mechanisms to satisfy the range of their business risks, but all will want to keep the number to a minimum. It makes sense, therefore, to deploy those mechanisms that have the broadest appeal through open standards.
The next 18 months will see major progress on firming up standards such as XKMS (the XML Key Management Specification), which covers the registration, location and validation of public keys expressed in XML, and the associated X-BULK specification for bulk key registration (of particular importance for smartcards and mobile devices, where keys are issued in large batches).
Other emerging Web services standards include XML Encryption, XML Signature (XML-DSig) and the Security Assertion Markup Language (SAML), which lets one site's assertions about a user's authentication and entitlements be accepted by other Web sites, so the user does not have to re-authenticate at each one. Concerns about the lack of message-level security in SOAP (the XML messaging protocol that Web services run over, which by itself relies entirely on the transport, usually HTTP, for protection) are being addressed through an initiative called WS-Security, jointly developed by Microsoft, IBM and VeriSign, which defines how XML-DSig signatures, XML Encryption and security tokens are carried in SOAP headers. You should insist on strong support for these Web services security standards from your suppliers in any new product releases.
Further good news lies in the fact that the Web services framework helps to alleviate some of the challenges that have dogged the implementation of security over the past few years. Securing the Internet is not a trivial task and has required many complex processes to be built into applications and systems in order to provision, manage and enforce security credentials. Building these capabilities into each application greatly increases the cost and time of security deployments and has led to criticism of technologies such as PKI in the past. With Web services, new applications will be able to offload much of the complexity and "heavy lifting" of the security processes to back-end servers that deliver the security services over standard interfaces.
A server-centric model for your security infrastructure brings many benefits. Developers do not have to program complex security processes into their applications and can simply put "pointers" to the appropriate sources of the required security functionality. In addition, security officers can more easily manage and enforce policies across multiple applications through a single server. IT managers can also significantly reduce the cost and administrative burden of supporting lots of security functionality on each desktop, and end-users get a more transparent experience. The caveat is that such a server becomes the single point at which every application's security is decided, so it must be hardened, kept available, and reached only over authenticated channels: an application that trusts an answer from an unauthenticated "security service" has merely moved its weakest point rather than removed it.
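The following is an added example, not code from the article or from any Baltimore Technologies product, of the message-level signing that XML-DSig and WS-Security standardise and of why it fits the server-centric model: the signature travels inside the SOAP message, so any back-end server holding the sender's public key can verify it, whereas transport security is only checked at the connection endpoint. It is deliberately simplified and makes two labelled assumptions: the SOAP Body is digested as an opaque byte string, and the `<ds:SignedInfo>` element is stood in for by a fixed line-based serialisation, so there is no XML canonicalisation here (a conformant XML-DSig implementation must apply Exclusive C14N before digesting and signing). The field names, the example Body and the five-minute validity window are illustrative.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
	"time"
)

// SignedMessage models the parts of a WS-Security header that matter for
// this example: the digest of the SOAP Body (a ds:Reference), a
// wsu:Timestamp (Created/Expires) and an RSA signature over both.
// Assumption: the Body is hashed as raw bytes, not canonicalised XML.
type SignedMessage struct {
	Body       string
	BodyDigest string // base64(SHA-256(Body))
	Created    time.Time
	Expires    time.Time
	Signature  string // base64 RSA-PKCS1v15-SHA256 over signedInfo()
}

// signedInfo is the stand-in for the canonicalised <ds:SignedInfo>.
// Assumption: this fixed serialisation is unambiguous, which is the
// property Exclusive C14N provides for real XML.
func signedInfo(bodyDigest string, created, expires time.Time) []byte {
	return []byte(strings.Join([]string{
		"digest=" + bodyDigest,
		"created=" + created.UTC().Format(time.RFC3339),
		"expires=" + expires.UTC().Format(time.RFC3339),
	}, "\n"))
}

// Sign digests the Body, binds it to a validity window and signs the result.
func Sign(key *rsa.PrivateKey, body string, now time.Time, ttl time.Duration) (SignedMessage, error) {
	d := sha256.Sum256([]byte(body))
	created := now.UTC().Truncate(time.Second)
	msg := SignedMessage{
		Body:       body,
		BodyDigest: base64.StdEncoding.EncodeToString(d[:]),
		Created:    created,
		Expires:    created.Add(ttl),
	}
	h := sha256.Sum256(signedInfo(msg.BodyDigest, msg.Created, msg.Expires))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	if err != nil {
		return SignedMessage{}, err
	}
	msg.Signature = base64.StdEncoding.EncodeToString(sig)
	return msg, nil
}

// Verify is what a back-end security server runs: it needs only the
// sender's public key and the message, not the transport session.
func Verify(pub *rsa.PublicKey, msg SignedMessage, now time.Time) error {
	// 1. Check the signature before trusting any field it covers.
	sig, err := base64.StdEncoding.DecodeString(msg.Signature)
	if err != nil {
		return err
	}
	h := sha256.Sum256(signedInfo(msg.BodyDigest, msg.Created, msg.Expires))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig); err != nil {
		return errors.New("signature invalid")
	}
	// 2. Freshness: the timestamp is under the signature, so a replayed
	//    message cannot be given a new window without breaking step 1.
	if now.Before(msg.Created) || !now.Before(msg.Expires) {
		return errors.New("timestamp outside validity window")
	}
	// 3. The Body actually present must match the digest that was signed;
	//    otherwise a valid signature would be accepted over altered content.
	d := sha256.Sum256([]byte(msg.Body))
	if base64.StdEncoding.EncodeToString(d[:]) != msg.BodyDigest {
		return errors.New("body digest mismatch: body altered after signing")
	}
	return nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	now := time.Now()
	// Constructed sample Body; the element names are illustrative.
	msg, _ := Sign(key, `<soap:Body><Transfer amount="100"/></soap:Body>`, now, 5*time.Minute)
	fmt.Println("fresh:   ", Verify(&key.PublicKey, msg, now.Add(time.Minute)))
	tampered := msg
	tampered.Body = `<soap:Body><Transfer amount="1000"/></soap:Body>`
	fmt.Println("tampered:", Verify(&key.PublicKey, tampered, now.Add(time.Minute)))
	fmt.Println("stale:   ", Verify(&key.PublicKey, msg, now.Add(time.Hour)))
}
```

The three checks in `Verify` are the ones a practitioner should demand of any WS-Security implementation they deploy: the signature is verified before any signed field is trusted, the timestamp is bound under the signature rather than read from an unsigned header, and the element the application acts on is confirmed to be the element the signature's reference covers. Because nothing here depends on the TLS session, the same verification can run on a policy server several hops away from the HTTP endpoint, which is exactly what lets applications hold "pointers" to a shared security service instead of implementing this logic themselves.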
You may not subscribe to the hype about what Web services can do, but the capability is going to be built into the coming versions of standard platforms from Microsoft, IBM, Oracle, Sun and others, whether you want it or not. So at a pragmatic level, why not take advantage of the many benefits in improving the efficiency and effectiveness of how you deploy your online business systems - just remember to tackle the security issues before you turn it on.
Peter Doyle is vice-president at Baltimore Technologies