The Web Services Advisor
It's long been known that security is the Achilles' heel of Web services. Unless some way can be found to increase security and guarantee authentication and identity management, it will remain a useful, if minor, technology footnote.
So how best to provide the right protection? The newest twist in armoring yourself is to use hardware-based protection, hardware firewalls and other devices that are targeted specifically at providing Web services security.
In this first part of a two-part column, we'll take a look at what those devices are and how they provide protection. In the next column, we'll more closely examine the companies that make them and see whether the hardware is a long-term or short-term solution to the problem.
What is hardware-based protection?
The idea of using hardware-based protection for Web services is certainly not a new idea; networks have been protected by hardware solutions such as firewalls and proxy servers for quite some time. The difference here, though, is that these new hardware devices for Web services are special-purpose devices. They're designed specifically for Web services, not general network protection.
The devices are so new that there's no general agreement about how they should work, or even what kind of services they should provide. But Randy Heffner, vice president of Forrester Research, several months ago finished an extensive report about XML-specific security devices, titled "Forrester Wave: XML Security Gateways." He notes that generally, the devices provide some combination of these three types of security services:
- Attack protection: The hardware can be targeted at XML attacks. Heffner notes that it's entirely possible for valid XML to be an attack, so an application that only checks whether the XML is valid has no way of knowing it is under attack; if the XML is valid, it runs, even if it's malicious. However, he says, hardware devices can be built that identify Web services attacks at the application level.
- Trust enablement: Key to Web services is being able to work with trusted partners and to securely establish identities. Think of trust enablement as the opposite of attack protection. Attack protection keeps out hackers and other "bad guys." Trust enablement lets in the people you want inside the system, by authenticating identities and authorizing requests, and by providing administration, audit/logging and security integration.
- Acceleration: Encryption is commonly used for Web services security, but it slows down applications, so hardware can be used to accelerate encryption and decryption, as well as XML processing itself.
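Heffner's point that valid XML can itself be the attack is what a gateway's application-level inspection addresses. The following Python script is added here as an illustration; it is not code from any vendor named in this column. It enforces constructed structural limits (message size, nesting depth, element count, no DOCTYPE) on an inbound SOAP message before it would be handed to the application, and rejects a well-formed message that breaks them:

```python
import xml.parsers.expat

# Illustrative policy limits, of the kind an XML security gateway enforces
# before a message reaches the application (constructed values).
POLICY = {"max_bytes": 4096, "max_depth": 16, "max_elements": 500}


class PolicyViolation(Exception):
    """Raised from a parser callback to stop parsing at the first violation."""


class _Inspector:
    def __init__(self, policy):
        self.policy, self.depth, self.elements = policy, 0, 0

    def start(self, name, attrs):
        self.depth += 1
        self.elements += 1
        if self.depth > self.policy["max_depth"]:
            raise PolicyViolation("nesting depth exceeds %d" % self.policy["max_depth"])
        if self.elements > self.policy["max_elements"]:
            raise PolicyViolation("element count exceeds %d" % self.policy["max_elements"])

    def end(self, name):
        self.depth -= 1

    def doctype(self, name, sysid, pubid, has_internal_subset):
        # Refusing any DTD rules out entity expansion and external references.
        raise PolicyViolation("DOCTYPE declaration not allowed")


def inspect_message(xml_bytes, policy=POLICY):
    """Return (accepted, reason). Well-formed XML can still be rejected."""
    if len(xml_bytes) > policy["max_bytes"]:
        return False, "message exceeds %d bytes" % policy["max_bytes"]
    insp = _Inspector(policy)
    parser = xml.parsers.expat.ParserCreate()
    parser.StartElementHandler = insp.start
    parser.EndElementHandler = insp.end
    parser.StartDoctypeDeclHandler = insp.doctype
    try:
        parser.Parse(xml_bytes, True)
    except PolicyViolation as exc:
        return False, str(exc)
    except xml.parsers.expat.ExpatError as exc:
        return False, "not well-formed: %s" % exc
    return True, ""


# Constructed sample traffic: an ordinary SOAP request, and a well-formed
# request whose 40 nested elements violate the depth limit.
ENVELOPE = b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>%s</soap:Body></soap:Envelope>'
BENIGN = ENVELOPE % b"<GetQuote><symbol>ACME</symbol></GetQuote>"
DEEP = ENVELOPE % (b"<a>" * 40 + b"x" + b"</a>" * 40)

if __name__ == "__main__":
    for label, msg in (("benign", BENIGN), ("deep", DEEP)):
        print(label, inspect_message(msg))
```

Both sample messages parse without error in any XML library; only the policy check tells them apart.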
Why use hardware?
Much of this work, such as attack protection, can be done via software. So the question remains, why buy a hardware-based solution, when software sitting on top of a server might do the job?
Eugene Kuznetsov, founder and Chief Technology Officer of DataPower, which makes hardware-based Web services security devices, says there are several reasons. First is that hardware simply does a better job, he claims. A hardware device includes its own operating system and has embedded technology specifically designed for special-purpose processing, such as cryptography. That means it's faster and more effective than software, he says. And because the hardware is built from the ground up to handle Web services security, it won't be prone to the attacks that can foil software, such as buffer overruns.
Additionally, hardware-based devices can do double-duty. So a device that does cryptography acceleration can also accelerate XML processing.
He also raises an overriding concern: "companies have a bad history of implementing security inside applications," he contends. "Each application might protect against only from one to twenty threats and each application was built for a specific purpose." So if security is handled inside applications, that will necessarily lead to security loopholes.
"You need to handle security outside of applications," he contends. "You need corporate-wide policies and can't do it on a per-application basis. And you need a scalable model as well, as companies get more serious about Web services and increase the number that they use. You also have to give the security control to a central security department, not to the application builders, if you want to be as safe as possible."
And the best way to do that, he says, is to use hardware-based Web services security.
He notes that years ago, enterprises used software-based firewalls to protect their intranets, but recognized over time that a more heavy-duty hardware-based solution was required. In the same way, he says, Web services security will move to hardware-based solutions as well.
It's still early
The market for hardware devices for Web services security has not really developed yet; it's still a nascent one. Heffner notes in his Forrester report that there are no big players yet, and the market segment isn't yet well-established. At the moment, according to Heffner's report, the two leading vendors are DataPower and Forum Systems, but there are others as well, including Westbridge Technology, Vordel, Sarvega, Reactivity, and Layer 7 Technologies. Next column, we'll take a closer look at them and at the future of their hardware.
About the Author
Preston Gralla, a well-known technology expert, is the author of more than 20 books, including "How the Internet Works," which has been translated into 14 languages and sold several hundred thousand copies worldwide. He is an expert on Web services and the author of a major research and white paper for the Software and Information Industry Association on the topic. Gralla was the founding managing editor of PC Week, a founding editor and then editor and editorial director of PC/Computing, and an executive editor for ZDNet and CNet. He has written about technology for more than 15 years for many major magazines and newspapers, including PC Magazine, Computerworld, CIO Magazine, eWeek and its forerunner PC Week, PC/Computing, the Los Angeles Times, USA Today, and the Dallas Morning News among others. He can be reached at firstname.lastname@example.org.