
Addressing critics who cite Web services security concerns, part two

How do you respond to critics who say that Web services security hasn't yet reached the point where it's safe for organizations to implement Web services? I've been hearing that a lot lately.

An example of an extranet scenario would be a major company interacting with its suppliers using Web services. In the extranet situation, the overall risk generally increases since there are one or more disparate companies involved, even though the business relationship is firmly established. In this situation, digital signature and possibly encryption might also be a required component of the Web services security. These are also available today in the aforementioned WS-Security SDKs. Therefore, extranet transactions can usually be carried out securely using today's implementations of Web services security and traditional security.

In the internet scenario, the ability to establish and maintain security policy agreements and security data, such as user credentials, with potentially unknown customers is not firmly established. Consequently, I would say that, except for low value transactions, the infrastructure is not yet in place for secure, general internet transactions. I believe that we first need to get experience with secure intranet and extranet Web services transactions before we move to secure internet transactions. Note that I am not saying that the basic security tools and algorithms are not available - they are. What is not established is the higher-level constructs and experience with these constructs, although there is significant work being done in this sphere.

In summary, as you move from intranet, to extranet, to internet Web services, the capability of securing these transactions progresses from straightforward to difficult using today's security products and procedures. Rephrasing the thrust of the original question as, "*can* we safely implement Web services", the answer is yes, we know how. However, the final determination depends on a well-thought-out risk analysis and a tradeoff with the cost/effort that is required to implement the solution. This has been and will always be true since security, at its core, is risk management. My answer was predicated on the use of available middleware to make the problem relatively straightforward to implement for user companies. Please note that space precluded me from going into many of the nuances of the various situations and mention of additional security products that are available. (After all, my co-authors and I took over 400 pages to describe Web services security in our book :-). On the positive side, note that some eleven plus vendors of Web services security will be participating in a Web Services Interoperability test on June 9 & 10, 2003.) We will dig into many of the detailed nuances of Web services security in future answers to the great questions that I expect from all of you.
