Web services face new risks
By Earl Perkins
August 12, 2002
Provided by META Group


META Trend: Convergence and security concerns will drive enterprise directory services adoption (2002+), reinforcing the need for identity management (2002-04). NOS upgrades, strong authentication, and higher demands for identity management will drive increasingly complex integration of multi-vendor/platform directory instances (2003+), resulting in more use of EAI-like integration "toolkits."

Full leverage of secure enterprise infrastructure integration will lag until 2004+, due to application platform and network complexities as well as standards adoption rates (for example, security APIs). Identity authentication will remain the primary use of directories through 2006. Greater directory integration and management demands will drive eventual convergence with database platforms and services (2006+).

Security a key concern

Web services are not a new idea, but interest and initial use of such services are rising sharply. The idea of having a loosely coupled, language-neutral, platform-independent way of linking applications within organizations, across enterprises, and across the Internet is compelling.

However, security is a key concern as Web services move from early adoption to mainstream acceptance, particularly outside the safety of a secured enterprise network. What has become increasingly apparent is that the traditional network-based security mechanisms that protect Web application traffic (such as Secure Sockets Layer [SSL], IP security [IPSec]) are insufficient for a fully evolved Web services environment. Although such mechanisms may be sufficient within an enterprise network for simple Web services, a robust implementation introduces new configuration layers and interfaces to multiple networks of consumers and service providers, necessitating an application-level approach to security.

During 2002/03, organizations will adopt Web services execution platforms and toolsets from incumbent technology providers and expose existing component application programming interfaces (APIs) using Web services technology. Security for those services will remain transport- or network-centric (in other words, not integrated with Web services architecture). Security standards efforts to provide multivendor Web services security will peak in early 2004, resulting in simple, network-intensive solutions, but most production implementations will continue to exploit single-vendor security solutions. Serious attempts to compromise Web services security (for example, denial of service, validation "spoofing") will become more widespread during 2004/05, resulting in additional product and service delays. Robust Web services security for widespread, multivendor use will not be widely available before 2006 due to complexity issues and vendor posturing.

The problem

Web applications are typically based on an n-tier application pattern, consisting of, at a minimum, a presentation, business, and data logic layer. Security for Web applications is delivered via the presentation layer through interaction with an identity and permissions infrastructure, providing basic authentication and authorization services. Web services architecture does not dictate a presentation layer, requiring delivery of basic access security to an integration/interface layer instead.

Extensible Markup Language (XML) documents are used as data definition and request and response mechanisms among this integration layer, the communications service layer, and the service delivery layer. This architecture exposes XML documents to networks and enables Web services "consumers" to execute logic programmatically. As a result, traditional approaches to securing Web application sessions will not ensure the integrity of XML documents end to end, particularly in networks where there are intermediate consumers between the user and the data source. A method of delivering the security for a selected document with the document is required, as well as an infrastructure to sign, encrypt, decrypt, and validate that document.
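
The requirement in the paragraph above, security that travels with the document rather than with the connection, shown as an added example that is not part of the original article. It is a simplified stand-in for XML Signature/WS-Security: the envelope is namespace-free, an HMAC with a shared key replaces a public-key signature, and the key, element names and relay functions are all constructed for illustration.

```python
import base64, hashlib, hmac
import xml.etree.ElementTree as ET

# Constructed sample: a namespace-free stand-in for a SOAP envelope.
ORDER = ("<Envelope><Header/><Body><Transfer><To>ACME</To>"
         "<Amount>100</Amount></Transfer></Body></Envelope>")
KEY = b"constructed-demo-key"  # assumption: known only to sender and final receiver

def _body_mac(body, key):
    # Canonicalize (C14N 2.0) first, so harmless re-serialization by an
    # intermediary does not invalidate the signature.
    raw = ET.tostring(body, encoding="unicode").strip()
    canon = ET.canonicalize(raw, strip_text=True)
    mac = hmac.new(key, canon.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac)

def sign(envelope_xml, key=KEY):
    """Sender: attach a MAC over the Body inside the document's own Header."""
    env = ET.fromstring(envelope_xml)
    sig = ET.SubElement(env.find("Header"), "Signature")
    sig.text = _body_mac(env.find("Body"), key).decode("ascii")
    return ET.tostring(env, encoding="unicode")

def verify(envelope_xml, key=KEY):
    """Final receiver: recompute the MAC; a missing or wrong signature fails."""
    env = ET.fromstring(envelope_xml)
    sig, body = env.find("Header/Signature"), env.find("Body")
    if sig is None or body is None or not sig.text:
        return False
    return hmac.compare_digest(sig.text.strip().encode("utf-8"), _body_mac(body, key))

def honest_relay(envelope_xml):
    """Intermediary that adds a routing header and re-indents the document."""
    env = ET.fromstring(envelope_xml)
    ET.SubElement(env.find("Header"), "Via").text = "broker-1"
    ET.indent(env)
    return ET.tostring(env, encoding="unicode")

def tampering_relay(envelope_xml):
    """Intermediary that alters the payload after its inbound SSL hop has ended."""
    env = ET.fromstring(envelope_xml)
    env.find("Body/Transfer/Amount").text = "100000"
    return ET.tostring(env, encoding="unicode")

if __name__ == "__main__":
    signed = sign(ORDER)
    print(verify(honest_relay(signed)), verify(tampering_relay(signed)))
```

Only the Body is covered by the MAC here, so the relay can still add routing headers; a header the receiver relies on would need to be included in the signed content as well.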

Copyright © 2002 CNET Networks, Inc. All rights reserved. ZDNet is a registered service mark of CNET Networks, Inc. ZDNet Logo is service mark of CNET Networks, Inc.