Thought for the day: Protect and survive Web services

Iain Franklin gives his personal take on the hot issue of the day. Believe it or not, we have been talking about Web services since 2000. Now that it has become the hot topic again, excitement is in the air and everyone is talking about it. But are your butterflies caused by a fear of the security issues you face in implementing the technology in your organisation?

Your worries are probably justified but not for the obvious reason. On a technical level, Web services pose no greater threat of a security breach than any other Web-based technology. Let me explain.

Eventually Web services will permit the free flow of traffic across an unbounded network, although initial deployments are likely to be internal rather than external.

Your company will be able to offer packaged applications across the Internet, effectively outsourcing different parts of the application to specialists in each field. An application looking to perform a specific function would access an Internet-based registry to find organisations that provide the functionality as a Web service.

However, the more complex the application becomes, the harder it is to track how the services are being sourced and by whom.

This raises questions. How do you know which machine your system is communicating with at any one time? How do you know that all parties in the chain have adequate security?

As with any outsourced function, a clear understanding of where the responsibilities lie has to be agreed in a service-level agreement between the customer and supplier. In a similar way to the application service provider (ASP) model, the supplier has control over the company's data and the process under which it is accessed and, therefore, carries the responsibility.

The main danger with Web services lies in the multiplication of risk by combining Web applications along with what is, effectively, an outsourced model, while at the same time using public-facing servers.

This will, no doubt, strike fear into the hearts of IT managers, and rightly so as the odds of being hacked are greatly increased over an in-house application. So what can you do that will give you the benefits of Web services without making your security look like Swiss cheese?

Protecting your public-facing servers and applications must start at the source: your data. Maximum intrusion prevention will need to be deployed on those servers. Messages passed between co-operating processes are also at risk of attack and must be protected.

Accepted practice will be to safeguard messages written in XML by sending them over secure HTTP. However, this does not get around the issue of protecting the application itself and the data. Any hacker worth his salt attacks at the core, often hiding hostile code within secure HTTP traffic, where encryption shields it from inspection on the network.

The importance of comprehensive server protection cannot be overstated, especially during a time when Web services are in their infancy.


Iain Franklin is European vice-president of Entercept Security Technologies