In this age of data thievery, most security experts will tell you strong authentication is a must -- especially when the company offers Web-based services. But if a recent survey is any indication, developers are struggling to adopt methods that are consistent across the enterprise.
A lack of IT staff and support from the business side of the operation is one reason, said Joe McKendrick, an analyst with Santa Cruz, Calif.-based research firm Evans Data Corp. Mergers and acquisitions are another factor. As companies merge, a lot of legacy systems come along for the ride, making it harder to develop consistent authentication procedures.
"A majority of companies are
McKendrick and a team of Evans Data analysts surveyed more than 400 Web service developers in June and found they are more likely to rely on their own custom-developed authentication methods than on industry standards such as the Secure Sockets Layer [SSL], which protects the transport channel, or the Simple Object Access Protocol [SOAP] with its WS-Security extensions for message-level authentication.
Almost one in four developers [23%] said they devised their own security mechanisms to protect online transactions, compared to 22% who use SSL and 9% who use SOAP. That pattern worries security engineers, because a home-grown scheme has rarely been tested against the attacks a published standard was designed to resist. A quarter of respondents acknowledged authentication remains the thorniest aspect of their Web services security plans. Eight of 10 respondents [79%] said they encounter organizational resistance when they try to move their efforts forward. One out of five respondents [19%] said they can't find enough IT talent versed in Web services development to get the job done. Meanwhile:
- 55% of respondents said their Web services are shared with at most one other business unit within the company, and in some cases are not shared at all. Only 6.5% said they are sharing Web services across more than 20 business units.
- 68% of developers have either adopted service-oriented architecture [SOA] or are in the process of doing so, but they acknowledged that actual implementations are still few and far between.
'All this stuff lying around'
When you consider all the mergers and acquisitions of recent years, McKendrick said the findings aren't all that surprising. When one company acquires another, it absorbs an array of technology, including authentication devices.
"In a typical situation the IT staff is pretty heterogeneous, using a mixture of platforms, systems and architecture under a single roof," he said. "A larger company may have several types of systems for the production, the supply chain, the financial division or the inventory division. You may have different companies with separate IT staffs who have worked on separate [authentication] systems for their own areas. So with mergers and acquisitions you get all this stuff lying around."
For companies looking to adopt more consistent authentication methods, McKendrick said involvement from the business side of the enterprise is a must. "Web services and SOA touch so many parts of the organization today that it's not just a matter for IT anymore," he said. "It's about rebuilding the business process. So you need people from the business side involved."
Making it work for now
The hodgepodge approach may not be all bad, McKendrick said. With the advancement of single sign-on techniques like federated identity management, in which each system accepts a token issued by a trusted identity provider instead of running its own logon, it's possible for companies to make do with diverse systems.
"If you look at what the Web services standards committees are saying, there's a push for things like federated identity management, where with one token you can end the need to be re-authenticated every time you have to pull data from a new system," he said.
"A token is like a driver's license," he added. "If you have a driver's license from Massachusetts and you're driving to Florida, police in every state you pass through aren't going to stop you and force you to get a new license for their state. With one license you're able to drive through other states."
It's similar with a token, he said, adding, "The federated identity management approach might be one way to make companies function with different authentication systems."
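To make the driver's-license analogy concrete, here is an added example (not code from the article, from Evans Data or from any standards committee) of the flow McKendrick describes: an identity provider authenticates a user once and issues a signed token, and two independent back-end systems accept that token instead of re-authenticating. The token format is a deliberately simple HMAC-signed JSON document with a shared key, an assumption made so the example runs offline; real federations use SAML or OIDC/JWT and verify against the provider's public key. The issuer URL, key and service names are constructed for the example.

```python
"""Federated-style single sign-on with one signed token accepted by several systems.

Illustrative example only.  The IdP signs a claims document once; each relying
service verifies the signature, issuer, audience and expiry itself.  Rejecting a
token that fails any of those checks is what keeps "one license for every state"
from becoming "any license for any state".
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, List, Optional

# Constructed sample key shared by the IdP and the relying services.  In a real
# federation each relying party trusts the IdP's public key instead.
IDP_KEY = b"example-idp-signing-key-not-for-production"
IDP_ISSUER = "https://idp.example.com"  # hypothetical issuer name


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_claims(claims: dict) -> str:
    return _b64(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())


def issue_token(subject: str, audiences: List[str], ttl: int = 300,
                now: Optional[float] = None) -> str:
    """IdP side: sign the claims after the user has authenticated once."""
    now = time.time() if now is None else now
    claims = {"iss": IDP_ISSUER, "sub": subject, "aud": audiences,
              "iat": int(now), "exp": int(now) + ttl}
    body = _encode_claims(claims)
    sig = hmac.new(IDP_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def verify_token(token: str, service: str,
                 now: Optional[float] = None) -> Optional[dict]:
    """Relying-party side: return the claims only if every check passes, else None."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
        expected = hmac.new(IDP_KEY, body.encode(), hashlib.sha256).digest()
        # Constant-time comparison so a forger learns nothing from timing.
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        claims = json.loads(_unb64(body))
    except ValueError:            # malformed base64, JSON or token shape
        return None
    if claims.get("iss") != IDP_ISSUER:
        return None               # issued by someone we do not trust
    if service not in claims.get("aud", []):
        return None               # valid token, but not meant for this system
    if now >= claims.get("exp", 0):
        return None               # the "license" has lapsed
    return claims


def demo(now: float = 1_700_000_000.0) -> Dict[str, bool]:
    """Walk one user through two systems on a single token, then show the
    checks that reject an out-of-scope, an expired and a tampered token."""
    token = issue_token("alice", ["inventory", "finance"], ttl=300, now=now)
    inventory_ok = verify_token(token, "inventory", now=now) is not None
    finance_ok = verify_token(token, "finance", now=now + 60) is not None
    wrong_audience = verify_token(token, "supply-chain", now=now) is None
    expired = verify_token(token, "finance", now=now + 301) is None
    # An attacker re-uses the genuine signature over altered claims.
    body, sig = token.split(".")
    claims = json.loads(_unb64(body))
    claims["sub"] = "mallory"
    tampered = f"{_encode_claims(claims)}.{sig}"
    tampered_rejected = verify_token(tampered, "finance", now=now) is None
    return {"inventory_ok": inventory_ok, "finance_ok": finance_ok,
            "wrong_audience_rejected": wrong_audience,
            "expired_rejected": expired,
            "tampered_rejected": tampered_rejected}


if __name__ == "__main__":
    for check, passed in demo().items():
        print(f"{check}: {passed}")
```

The audience check is the part most often skipped in practice, and it is what stops a token minted for the inventory system from being replayed against finance; the expiry check is what keeps a token that leaks from working indefinitely.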