by Ray Wagner

Web Services Security in 2003

Dec 12, 2002

Best practices indicate that enterprises should take a cautious approach to Web services deployment across the enterprise perimeter in 2003. Enterprises should continue internal education and development efforts to increase their expertise and familiarity with Web services standards and technologies before moving into high-value deployments that extend beyond the perimeter. This approach will allow the market for Web services security and management platforms to mature as standards stabilize.

Web services are widely viewed as the next level of application integration and a gateway to new business models and unprecedented interconnectedness for enterprises. However, security concerns and the complexity of Web services security mechanisms will cause most Web services deployments to be simple and conservative in the near future. In 2003, most enterprises will defer Web services initiatives or gain experience with the technology through internal application integration. These enterprises will wait to deploy Web services until 2004 or later, when standards and products have matured and enterprises are more comfortable with the technology. Additionally, although the major market players are making good progress with Web services security standards initiatives, broader trust-related questions remain unanswered and largely unaddressed. This also will slow adoption.

Prediction: Web services standards battles will be more contentious; however, basic security standards building blocks will be in place.

To date, the major players and competitors in the Web services market have shown a willingness to cooperate in developing security standards because they recognize that Web services will not gain broad acceptance without adequate mechanisms to protect the privacy, confidentiality and integrity of transactions. However, we expect that the standards battles will get significantly more contentious as the industry’s attention turns to federated identity (such as the Liberty Alliance and Microsoft Passport) and more-complex extensions to the Web Services Security specification.

Nonetheless, the basic building blocks for secure Web services will be available, including:

  • Web Services Description Language for integrity
  • Security Assertion Markup Language for authentication and authorization
  • Secure Sockets Layer (SSL) for channel confidentiality
  • XML-Encryption for granular confidentiality
  • XML-Digital Signature for granular nonrepudiation

Several other key standards likely will reach release status in the near future, including:

  • Web Services Security (encompassing XML-Encryption and XML-Digital Signature)
  • XML Key Management Specification for key management
  • Extensible Access Control Markup Language for authorization

However, complex, high-value Web services deployments will be rare. The high-level trust issues that have plagued the public-key infrastructure (PKI) industry also obscure the path to full realization of Web services benefits. Enterprises that could not justify the expense of deploying PKI in 1999 likely will not be able to justify similar expenditures for security for complex Web services deployments in 2003, especially in current market conditions. Enterprises will consider only internal or low-value, external Web services deployments (the Web services equivalent of early-stage, “brochureware” Web sites) in the near term. Higher-value transactions based on connections with known business partners are unlikely for most enterprises in 2003.

By 2004, Web Services Security and XML Key Management Specification will provide a relatively complete standards foundation for security; however, trust issues and the cost and complexity of the supporting infrastructure will constrain most Web services deployments to early adopters and low-value transactions (0.8 probability).

Impact on 2003: The dominant Web services security concern will shift from a focus on the lack of standards and mechanisms for securing Web services deployments to monitoring and control issues. With a nearly complete set of basic security standards in place, Web services perimeter products will begin to mature. Larger vendors will enter the marketplace or acquire smaller startups. Enterprises that are preparing to deploy Web services across the perimeter will be able to choose from a selection of comparatively mature security products by 2004.

Reacting in 2003: Enterprises will be able to securely deploy carefully planned and architected Web services with perimeter mechanisms (rather than built-in mechanisms) by year-end 2003. Enterprises and internal organizations that make a strong business case for Web services architectures will be well-positioned to begin laying the groundwork for architecture and development in 2003.

Prediction: Internal developers will recognize the value of Web services.

Web services technology is extremely appealing to developers who are trying to solve application integration and communication issues. Web services also represent powerful tools for the development of new business models that leverage intra-enterprise coordination. As with any powerful and versatile tool (for example, the Web or PCs), developers will recognize the technology’s possibilities and rush to use Web services to solve tactical problems and implement strategic plans, often without giving adequate consideration to security or efficiency concerns. Given this tendency, as well as the likelihood that most new enterprise software will include Web services interfaces, line-of-business and IT managers and policymakers will find themselves trying to “catch up” with Web services use within their organizations.

By the second half of 2004, 40 percent of Global 2000 enterprises will have unauthorized, undocumented and unmonitored Web services connections that extend beyond their perimeters (0.8 probability).

Impact on 2003: Enterprises that are trying to understand Web services and approach their deployment conservatively likely will discover that Web services have been deployed by internal organizations and departments that want expedient solutions to specific operational business problems. Many of these “quick and dirty” deployments will have significant security flaws or will ignore security concerns altogether.

Reacting in 2003: We believe that Web services will be a de facto standard for application integration and new application deployments in the near future. The earlier that enterprises move to understand this technology, and establish monitoring and control policies for its use within and across their perimeters, the better off and less vulnerable they will be.

Prediction: Recognizing the scope of the enterprise security problem will suggest the obvious, yet complex, solution.

As enterprises confront a world in which Web services become increasingly ubiquitous, they will recognize that transmissions using Hypertext Transfer Protocol (HTTP) or Secure Hypertext Transfer Protocol (S-HTTP) to cross the enterprise perimeter may be suspect. For example, Gartner forecasts that Web services will reopen 70 percent of the attack paths that were closed by firewalls in the past decade because Web services can bypass traditional perimeter protections, carry any type of payload and interact with almost every enterprise resource. There will have to be some degree of application-level inspection of transmissions to keep enterprises secure.

By 2005, best practices will require that nonregistered HTTP and S-HTTP traffic be inspected at the enterprise perimeter; this will require application-level inspection capabilities, specifically for Extensible Markup Language (XML), Simple Object Access Protocol (SOAP) and Web services, in perimeter security technologies (0.9 probability).

Impact on 2003: Enterprises will experience larger-than-average increases in HTTP and S-HTTP traffic when more applications use XML and SOAP for communication. The release of Microsoft’s .NET server and later versions of the Windows operating system and Office suite, which leverage the power of Web services, will contribute to this increase. Reported flaws in Web services protocols and products will generate interest in management and control systems, including security systems.

Reacting in 2003: Enterprises should begin strategic planning for future Web services architectures, which will touch every area of the enterprise infrastructure. Most Web services security mechanisms can be perimeter-based. Therefore, enterprises should investigate tools such as security gateways, SSL concentrators and accelerators, and wire-speed SOAP/XML inspection hardware. Strategic planning will enable enterprises to determine the Web services architecture classes that are most appropriate for their needs.
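The application-level inspection this section calls for, and the “unauthorized, undocumented and unmonitored” connections the previous prediction warns about, can both be addressed by a perimeter gateway that parses each inbound SOAP request and admits only registered operations. The following is an added example, not code from the article or from any Gartner or vendor product; the SOAP namespaces are the real SOAP 1.1 and 1.2 envelope namespaces, while the `urn:example:orders` service, its operation names, the size limit and the sample messages are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET
from typing import NamedTuple, Optional, Set, Tuple

# Real SOAP envelope namespaces; a request whose root is not one of these is not SOAP.
SOAP11_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
SOAP12_ENV = "http://www.w3.org/2003/05/soap-envelope"

# Gateway policy (constructed for this example): only these (namespace, operation)
# pairs are registered with the perimeter; anything else is refused and logged.
REGISTERED_OPERATIONS: Set[Tuple[str, str]] = {
    ("urn:example:orders", "GetOrderStatus"),
    ("urn:example:orders", "ListOrders"),
}
MAX_REQUEST_BYTES = 64 * 1024  # constructed limit; tune to the service's real payloads


class InspectionResult(NamedTuple):
    allowed: bool
    reason: str
    operation: Optional[Tuple[str, str]]


def split_qname(tag: str) -> Tuple[str, str]:
    """ElementTree renders namespaced tags as '{ns}local'; split into (ns, local)."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag


def inspect_soap_request(raw: bytes,
                         registry: Set[Tuple[str, str]] = REGISTERED_OPERATIONS,
                         max_bytes: int = MAX_REQUEST_BYTES) -> InspectionResult:
    """Decide whether an inbound SOAP request may pass the perimeter gateway."""
    # 1. Cheap size bound before any parsing work is spent on the request.
    if len(raw) > max_bytes:
        return InspectionResult(False, "request exceeds size limit", None)
    # 2. Refuse documents carrying a DTD so the parser never processes one
    #    (conservative: any match in the leading bytes rejects the request).
    if re.search(rb"<!DOCTYPE", raw[:4096], re.IGNORECASE):
        return InspectionResult(False, "DOCTYPE declaration not permitted", None)
    # 3. The request must be well-formed XML.
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        return InspectionResult(False, f"malformed XML: {exc}", None)
    # 4. The root must be a SOAP 1.1 or SOAP 1.2 Envelope.
    env_ns, root_name = split_qname(root.tag)
    if root_name != "Envelope" or env_ns not in (SOAP11_ENV, SOAP12_ENV):
        return InspectionResult(False, "not a SOAP envelope", None)
    # 5. Exactly one operation element is expected inside Body.
    body = root.find(f"{{{env_ns}}}Body")
    if body is None:
        return InspectionResult(False, "missing SOAP Body", None)
    calls = list(body)
    if len(calls) != 1:
        return InspectionResult(False, f"expected one Body child, found {len(calls)}", None)
    operation = split_qname(calls[0].tag)
    # 6. The operation must be registered; unknown ones are reported by name so
    #    the gateway log shows which undocumented service someone tried to reach.
    if operation not in registry:
        return InspectionResult(False, "operation not registered", operation)
    return InspectionResult(True, "ok", operation)


# Constructed sample traffic for the gateway to judge.
ORDER_STATUS_REQUEST = b"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <o:GetOrderStatus xmlns:o="urn:example:orders"><o:OrderId>1001</o:OrderId></o:GetOrderStatus>
  </soap:Body>
</soap:Envelope>"""

UNREGISTERED_REQUEST = b"""<?xml version="1.0"?>
<env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope">
  <env:Body>
    <o:ExportOrders xmlns:o="urn:example:orders"/>
  </env:Body>
</env:Envelope>"""

DTD_REQUEST = b"""<?xml version="1.0"?>
<!DOCTYPE Envelope [<!ENTITY e "x">]>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body><o:ListOrders xmlns:o="urn:example:orders"/></soap:Body>
</soap:Envelope>"""

PLAIN_XML = b"<root><child/></root>"

if __name__ == "__main__":
    for name, msg in [("order status", ORDER_STATUS_REQUEST),
                      ("unregistered", UNREGISTERED_REQUEST),
                      ("dtd", DTD_REQUEST), ("plain xml", PLAIN_XML)]:
        print(f"{name:14s} -> {inspect_soap_request(msg)}")
```

The registry is the piece that makes the gateway useful as a control: every operation crossing the perimeter has to be declared to it first, which turns the undocumented deployments described above into visible rejections in the gateway log rather than silent traffic. A production gateway would additionally validate the operation's payload against its schema and enforce the authentication the service requires.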

Prediction: “Keep it simple” will be the dominant Web services strategy.

Web services technologies and the mechanisms to secure them are still in their infancy. The business case for Web services is a compelling one, but most enterprises will approach them conservatively by maintaining independence from these technologies in mission-critical applications until the technologies generally are perceived as reliable. Furthermore, complex, multiparticipant Web services (as currently proposed) will require large-scale commitments of resources to security mechanisms, including PKI. Most enterprises will consider simple, low-value Web services first. They will seek simpler, less-costly security mechanisms in the short term.

Through 2005, cost, complexity and a lack of experience with required security mechanisms will drive 80 percent of across-the-firewall Web services deployments toward simple point-to-point architectures secured only by SSL server certificates (0.8 probability).

Impact on 2003: Few enterprises will try to implement complex Web services deployments because of uncertainty about the technology and the probability that the community of interest to which the service is targeted won’t be able to use it. Most Web services offerings, even those that are considered simple, will require that the service provider also provide connection provisioning support to end users.

Reacting in 2003: Enterprises that have not yet adopted PKI should not do so in the near future unless they have compelling applications that require key management. Enterprises that are buying Web services security platforms should insist that they be able to fully leverage the power of standard SSL server certificates, not only for channel encryption but also for two-way authentication and digital signing of transactions. Enterprises that are considering heavy use of Web services technologies should prepare to invest in SSL acceleration/concentration mechanisms. Overall, enterprises should proceed carefully and deliberately in deploying Web services technology.
