The Web Services Advisor
Continued from Part One
The latest solution to the never-ending problem of Web services security is hardware-based devices that specifically target Web services. They offer protection against attacks, establish secure identities and accelerate security techniques such as encryption.
The market is a nascent one and the devices have yet to be widely deployed. In this second part of a two-part column, we'll look at the companies that make the devices and the market for them, and see whether the hardware is a long-term or short-term solution to the problem.
No clear leaders
The market for hardware-based Web services security is still new and in the words of Randy Heffner, vice president of Forrester Research, "There is no real clear leader yet." Several months ago Heffner authored an extensive report about XML-specific security devices, titled "Forrester Wave™: XML Security Gateways," and in it, he notes that "the market for XML security gateways is only now starting to build momentum."
The report concludes that there are no "big players" in the market yet; all the vendors are startups and most have only a handful of actual paying customers. Additionally, the market segment itself is not yet well-established.
That being said, some vendors are further along than others and many have staked out claims to different parts of the new market. Heffner's report cites DataPower for its strength in integrating with both security and management. The firm's SX40 XML Security Gateway can delegate part of its tasks to other products, making it particularly effective in an enterprise-wide environment. It can, for example, delegate authentication and authorization to other identity management products, including Netegrity SiteMinder, Tivoli Access Manager and Sun Identity Server. In addition, it has APIs for custom integration, as well as a standards-based SNMP implementation. The report notes, "It also integrated with upstream devices, such as load balancers, to block malicious traffic before it even gets to the gateway. All of this adds up to the strongest overall current feature set."
DataPower isn't alone in the market, though. It has plenty of competitors. Forum Systems sells a variety of hardware-based Web services security products, including one with an interesting twist -- one of its products is, in essence, a Web services firewall-on-a-card. It's a PCI card that can be piggybacked onto an existing piece of hardware, instead of being a standalone device.
Westbridge Technology's XML Message Server offers Web services management capabilities as well as security. Vordel's VordelSecure includes an API that is particularly well-suited for integrating with Web services endpoints. Sarvega is further along than other vendors in adhering to the alphabet soup of Web services security standards, such as WS-Addressing, WS-Routing, XKMS, WS-Policy, the Liberty Web Services Framework and many others. Reactivity focuses more than others on attack protection and so has multiple ways of detecting denial of service attacks. And Layer 7 Technologies, the newest of this group to the market, does a good job of security in end-to-end integration.
How to choose among them
So if you're interested in hardware-based Web services security, how can you choose among what's out there? Because the market is so new, with no clear leader, it can be tough to decide.
First, make sure that the vendor you choose specializes in the technology that you need. As outlined earlier in the column, the devices are different enough that you should target your choice toward the hardware most suited to the problems you face. So if you're using encryption, for example, make sure that the device you choose includes encryption acceleration.
Secondly, find out which Web services and security standards each of the vendors adheres to and make sure they match the ones you're using today, and the ones you plan to use tomorrow. Standards are a moving target, of course, so don't buy based on what the vendor tells you they'll support in the future. Buy based on what they support today.
Finally, try to get a sense of the financial health of the vendor. Find out how many customers they have, and get basic information about funding. None have significant track records as of yet, and many are venture-funded. That means that not all of them are likely to be around for the long term. So do your best due diligence before buying.
What the future holds
The question remains whether these devices will be around for the long haul, or whether their features will ultimately be built into all-purpose firewalls, so that you can just buy one firewall for all your security needs, rather than having one for Web services, one for general security, and so on.
DataPower founder and Chief Technology Officer Eugene Kuznetsov argues that only hardware with its own embedded software for the specific task is good enough for the job -- and he also says that the hardware can do double-duty, for tasks such as XML acceleration. So he believes that XML hardware is here to stay.
It's hard to know whether that will, in fact, be the case. And in any event, there will most likely be a consolidation of Web services hardware vendors, with not all surviving. So your best bet is to buy what makes sense today, but not assume the vendor will be around well beyond the next four years.
About the Author
Preston Gralla, a well-known technology expert, is the author of more than 20 books, including "How the Internet Works," which has been translated into 14 languages and sold several hundred thousand copies worldwide. He is an expert on Web services and the author of a major research and white paper for the Software and Information Industry Association on the topic. Gralla was the founding managing editor of PC Week, a founding editor and then editor and editorial director of PC/Computing, and an executive editor for ZDNet and CNet. He has written about technology for more than 15 years for many major magazines and newspapers, including PC Magazine, Computerworld, CIO Magazine, eWeek and its forerunner PC Week, PC/Computing, the Los Angeles Times, USA Today, and the Dallas Morning News among others. He can be reached at firstname.lastname@example.org.