
The coming invasion: Will XML overtake the enterprise network?

With the rise of Ajax, an invasion of user-generated XML is upon us. In this tip, Andrew Nash outlines the necessary steps to ensure that enterprises will survive and thrive amid the influx of XML.

Maintaining control is critical in the management of security, be it electronic or physical security. In large organizations choosing to deploy XML, Web services and service-oriented architecture technology, there is an inherent transformation of the ability to control the information passing through an enterprise network.

While the integration of these technologies initially involved considerable thought and planning, an invasion of user-generated XML is upon us. The user-oriented source getting the most attention recently is Ajax. Suddenly the power of asynchronous user interface handling is becoming evident, and it is generating a lot of XML traffic. It is already coming across your enterprise boundaries. Each of your users accessing Google Maps, Gmail or the new Yahoo mail client, or using the upcoming Microsoft Web Mail Browser (Kahuna), is already driving XML across your firewall. The next major driver for user-generated XML will be the introduction of Microsoft's Vista with XML document formats and Web services-based integration functionality.

Immediately, security control becomes much more elusive.

As hundreds or even thousands of additional XML messages quickly proliferate throughout the network, the traffic and latency problems will increase. Lots of XML traffic is going to be coming from lots of perfectly valid sources in your intranet, your extranet and directly from the Internet. A way to differentiate the good traffic from the bad traffic is critical to the integrity of the network.

Fortunately, there are standards and solutions that address the fundamental issues of XML and Web services security now. However, composite and workflow applications are going to have a hard time both separating good and bad XML traffic and controlling trusted access to Web services. Message-based attacks -- replay attacks, out-of-order message attacks and just plain fraudulent message insertions -- are going to be easier to perpetrate in the blizzard of XML traffic that will be flowing through your network firewalls and around your internal networks.

Ajax, for example, introduces a host of new threats and security issues that Web application developers may not recognize. Effective use of Ajax requires the efficient processing of XML and verification of identity and access rights. Security functions including signing, encryption and identity verification (not to mention threat mitigation such as schema validation, content inspection and denial-of-service detection) are really expensive -- expensive enough to bring your average server platform to its knees: around 300-400 transactions per second for simple processing drops to just tens of transactions per second once security functions are added.

Message-level security features have to be utilized. The flow of traffic in our new loosely-coupled, reusable-business-service world cannot be secured effectively using simple session-based solutions like SSL. Technology to off-load this XML related pressure is needed to create secure, trusted processing throughout the networks.
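To make the message-level idea concrete, here is an added example (not from the original article or any vendor's product) of a gateway check that catches the replayed, out-of-order and fraudulent messages described above. The envelope element names, the shared key and the HMAC are assumptions for illustration; the HMAC stands in for a WS-Security XML Signature.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

KEY = b"constructed-demo-key"  # constructed shared secret, for illustration only
MAX_BYTES, WINDOW = 4096, 300  # assumed size cap (bytes) and freshness window (seconds)

def mac(key, *fields):
    # Length-prefix each field so values cannot be shifted across field boundaries.
    data = "".join(f"{len(str(f))}:{f}" for f in fields).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def make_message(sender, seq, nonce, created, body, key=KEY):
    # Hypothetical envelope layout: Header carries identity, ordering and the MAC.
    env = ET.Element("Envelope")
    hdr = ET.SubElement(env, "Header")
    fields = (("Sender", sender), ("Seq", seq), ("Nonce", nonce), ("Created", created))
    for tag, value in fields:
        ET.SubElement(hdr, tag).text = str(value)
    ET.SubElement(hdr, "Mac").text = mac(key, sender, seq, nonce, created, body)
    ET.SubElement(env, "Body").text = body
    return ET.tostring(env)

class Gateway:
    def __init__(self, key=KEY):
        self.key, self.seen, self.last_seq = key, set(), {}

    def check(self, raw, now):
        # Cheap content inspection before parsing: size cap, no DTDs.
        if len(raw) > MAX_BYTES or b"<!DOCTYPE" in raw:
            return "reject: content"
        try:
            root = ET.fromstring(raw)
            h = {e.tag: e.text or "" for e in root.find("Header")}
            sender, nonce, tag = h["Sender"], h["Nonce"], h["Mac"]
            seq, created = int(h["Seq"]), int(h["Created"])
            body = root.findtext("Body") or ""
        except (ET.ParseError, KeyError, ValueError, TypeError):
            return "reject: malformed"
        expected = mac(self.key, sender, seq, nonce, created, body)
        if not hmac.compare_digest(expected.encode(), tag.encode()):
            return "reject: forged"      # fraudulent insertion or tampering
        if abs(now - created) > WINDOW:
            return "reject: stale"
        if (sender, nonce) in self.seen:
            return "reject: replay"      # same signed message seen before
        if seq <= self.last_seq.get(sender, 0):
            return "reject: out-of-order"
        self.seen.add((sender, nonce))   # production code would expire old nonces
        self.last_seq[sender] = seq
        return "accept"
```

None of these checks depend on the transport session, which is why they still hold when a message crosses several hops or intermediaries.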

These processing changes can help add enforcement, policy control, logging and further audit capabilities to the network. The ability to implement a distributed mechanism for dealing with this traffic is critical to turning the invaded network into an XML-enabled network.

Ajax is here. Every application development environment and packaged application is generating XML and Web services interfaces. Microsoft Office embeds it. User-generated XML will dramatically affect our IT and network infrastructure. The XML processing load, and more importantly the security of XML content, has to be addressed. Enterprise-quality XML-enabled networks must route, filter, transform, monitor, audit and protect the privacy of XML messages based not only on URLs, but also on identities and content.

We are about to be deluged by XML in all of our organizations, ready or not. Taking steps to ensure that the influx of XML can be controlled will help enterprises to not only survive but also thrive in the new network environment.

About the Author
Andrew Nash is CTO of Reactivity and formerly the Director of Technologies at RSA Security in the Office of the CTO. Andrew is a known leader in PKI and Web-Services security markets and the co-author of numerous Web Services specifications including Web Services Security, WS-Trust, WS-Federation, WS-SecureConversation and WS-SecurityPolicy.
