Web Services' Security Factor

Allen Brokken, principal systems security analyst at the university's Columbia campus, is trying to standardize operations and security across multiple departments that support 26,000 students and 12,000 employees. The conflict, he says, is between protecting data and limiting access to it, while also making it available to the people who need it every day to do their jobs.

"Access has to be controlled, but Web services exist to make information available," he says. "Information passes from one server to another and another in a hidden way, and it's revealed to people who don't have security training."

Part of Brokken's job is to audit the security of the university's systems and applications. He uses Web Inspect, an auditing tool from S.P.I. Dynamics Inc. that he says cuts the amount of time to audit a system. "An audit usually takes me between eight and 32 hours," he says. "Web Inspect ran for about two hours and found more than I would have."

Are security concerns about Web services overblown? Some analysts say they are, arguing that basic IT-security best practices will keep Web services secure. What's more important is to make sure that the underlying applications are developed in a secure manner. Firewalls and software that scans the XML messages used to communicate among Web services can easily counter most common threats, says Chris Haddad, an analyst at the Burton Group.

Security is "a perception issue rather than a technology issue," he says. "The main vulnerability is in the app itself and validating requests to it."

Some businesses are turning to third-party service providers to help them secure their Web services. The IT staff at Exchange Bank, a financial institution with a billion dollars in assets in Northern California, wasn't convinced that products currently on the market would provide enough protection to its online banking operation. The staff kept creating threatening scenarios, including some that involved phishing and pharming, that commercial products couldn't prevent.

"Any servers accessible over the Web by nonemployees must be hardened against people trying to break the integrity," says Bob Gligorea, the bank's information security officer.

The bank hired security-service-provider Internet Security Systems to provide round-the-clock support. It uses a variety of authentication options and helps the bank balance security needs with the desire to make Web services easy to use for customers.

If businesses employ good IT-security procedures throughout the company, then Web services won't cause many new problems, says Andy Jaquith, a Yankee Group analyst. "Web-service vulnerabilities get more hype than they deserve," he says. "It's not about vulnerabilities; it's stupidity on the part of some users."

Web services are no more insecure than any other part of the IT infrastructure, says Jason James, VP of IT at Happy State Bank. With $200 million in assets, the Amarillo, Texas, bank has been dealing with security issues for years without much problem. "We've been dealing with network-security issues since modems and dial-in," James says.

To ensure his systems can fend off a hacker attack, Happy State Bank employs security service provider Core Security Technologies Inc. to conduct penetration tests. "Without Core, it would take two of our security experts a week each per month for the penetrations," James says.

Businesses deploying Web services should do three basic things to enhance security, James says. Encrypt the information being used by the Web services, deploy identification and authentication technology to ensure you know who is seeking access to applications and information, and install a Web-services firewall that can monitor and inspect high volumes of XML messaging traffic.

If those steps can effectively secure Web services, then a wave of automated services could take hold and become a mainstream way of providing service to customers. If not, then Web services will join the long list of technologies that never lived up to their potential.