A year after I first looked at Web services security, security concerns are still one of the main reasons customers
are holding back on Web services deployments. With Web services security standards still in development, the comparatively few customers who are adopting Web services are relying on a new version of a tried-and-true security toll: the firewall.
When used on a network, firewalls examine data packets to see, for example, if the packet comes from an acceptable IP address or Web domain. When used in a Web services environment, firewalls examine requests for a Web service written in Extensible Markup Language (XML) or being transported via Simple Object Access Protocol (SOAP).
Called application firewalls, XML firewalls or XML communications gateways, they are sold as either software that can run on a server or often as a dedicated, rack-mounted appliance. Many combine the ability to inspect Web services messages with other capabilities, such as specialized chips to speed the processing of the XML messages (which are much larger than the data packets scanned by network firewalls) or the capability to perform identity management.
While functions such as identity management will become increasingly important, "If somebody can just look at the content of a SOAP message and pick out your credit card number, it doesn't help much," says Jason Bloomberg, a senior analyst at ZapThink LLC, a Web services research firm in Waltham, Mass.
Among the leading vendors who can prevent such snooping, says Bloomberg, are Forum Systems Inc., Westbridge Technology Inc., Reactivity Inc., Vordel Ltd., Sarvega Inc. and DataPower Technology Inc. Each boasts a different mix of security, acceleration and policy management capabilities. For example, DataPower's XS40 XML Security Gateway appliance combines security features such as an XML/SOAP firewall with encryption/decryption and acceleration of Secure Socket Layer (SSL) traffic.
KaVaDo Inc. combines its InterDo application firewall with its ScanDo Web services security scanner that analyzes applications deployed on Web servers and builds a profile of acceptable behavior or user requests, says co-founder and Chief Technology Officer Yuval Ben-Itzhak. By allowing only what is specifically allowed, he says, InterDo reduces the false alarms that can otherwise overwhelm security administrators. Using ScanDo speeds the process of creating a tailored security policy for not only each Web service, but also specific operations (such as "check inventory level") within that Web service, he says. MagniFire WebSystems Inc. takes a similar approach with its TrafficShield appliance, which uses "intelligent, crawler-based technology" to map the application and automatically create a policy to protect it.
Westbridge sells an "XML communications gateway" that stores specialized security policies for, say, different levels of customers or suppliers without having to hard-code it into the Web service, says President Kerry Champion. This makes it far easier and less expensive to audit, enforce and change those policies as needed, he says.
Several vendors also said they're negotiating to combine their application firewalls with existing network firewalls to provide a single point of control over both data packets and XML documents. "Customers are asking for more integration" between application firewalls and network firewalls, authentication and load-balancing products, says Ben-Itzhak.
But Champion says few of his customers want such a shared appliance because they're nervous about routing Web services traffic close to the edge of their networks where they might be more vulnerable to external attack.
Another big challenge coming down the pike, says Bloomberg, is enterprise identity management – the ability to track which users have access to which resources in the organization and to know when a specific user is requesting access to an application, database or other resource. This is particularly important in a Web services environment, he says, a request for service might not be traceable to a specific user, but only to a server or an application.
To ensure a query is coming from a legitimate user, he says, the user has to be authenticated when they enter the network, after which there "has to be a token assigned to follow that query on its path" among the various systems which generate or receive requests for Web services. If companies are sharing Web services, "it's even more of a challenge because the two companies have independent identity infrastructures," he says.
Two organizations are developing standards for such federated identity management. This month BEA Systems Inc., IBM, Microsoft, RSA Security Inc. and VeriSign Inc. published the WS-Federation specification, designed to allow the authentication and access control systems used by applications at different organizations to work together. The second is the Liberty Alliance Project, backed by Sun Microsystems Inc. and more than 170 companies, non-profit and government organizations. Right now, "It's not really clear if we need more than one federated identity standard, or exactly how they will work together," says Bloomberg.
Until then, vendors such as Netegrity Inc., RSA, Oblix Inc., Novell and Sun are bringing their own identity management tools to market. Netegrity, which Bloomberg called one of the leaders in the identity management space, hopes to leverage the success of its SiteMinder authentication and authorization tool with TransactionMinder for Web services security. TransactionMinder deploys agents that scan and analyze the content of the XML documents used to invoke a Web service, using data from the Netegrity Policy Server to authenticate identities and determine who is authorized to access specific Web services.
By separating the policy server from the access enforcement point (the agent), Netegrity architecture is easier than its competitors to scale to multiple points within an organization – a distributed security model which many analysts say is better than centralizing control at only points within the network.
In another sign that various Web services security capabilities are being combined into single products, Oblix and Westbridge recently announced the integration of their identity management and application firewall tools.
While vendors work to bundle more features into their products and standards organizations labor to complete their specifications, Bloomberg says customers who need Web services should begin using them and rely on the existing security tools. "If Web services and a services-oriented architecture are meeting your needs today, don't wait just because the standards aren't mature," he advises.
About the author
Robert L. Scheier writes regularly about security from Boylston, Mass. He can be reached at firstname.lastname@example.org.
For more information, visit these resources:
- SolutionCenter: Web services security solutions
- Scheier's Security Product Round Up: Web services require new approach to security
- Executive Security Briefing: Watch out for overkill on Web services security