Double down all you who uttered "security is an enabler" with a straight face, it's time to see if you were bluffing. Do it now, for we are the lucky ones - we win with Web services not once but twice. Not only can we make use of a Web services infrastructure to further security, but we are the critical piece of that Web services infrastructure. Say it with me, "There is no way Web services can deploy successfully without enhanced security."
The need for security in this new world of Web services is obvious. Information and applications can come from multiple sources and be served to multiple destinations. Data can be repackaged on the fly. Never before has information been so ephemeral. It's enough to make "old school" security pros shudder.
Whereas this environment may seem full of complexity, security has never been simpler. No longer saddled with the burden of native operating systems, databases, and even applications, security can finally take on its own "infrastructure" that provides a common service of authentication in multiple forms, confidentiality and integrity of information, and verification or proof of receipt.https://o1.qnsr.com/log/p.gif?;n=203;c=204660766;s=9477;x=7936;f=201812281312070;u=j;z=TIMESTAMP;a=20392931;e=iAnd what shall we make of Web services for ourselves? We already have a head start in the OASIS Security Assertions Markup Language (SAML) initiative begun by Securant, Netegrity, and others to share user account and profile information across sites, platforms, and companies. Verisign leads the way with its XML standards for key management (XKMS) and business partner trust assertions (XTASS).
The Hurwitz take
You may have guessed by now that the big winners in all this will be the never-say-dead Public Key Infrastructure vendors and their supporting cast with digital signatures and encryption at the heart of our "new world order." Finally, the promise of PKI will be realized.
Even more exciting are the opportunities for other security vendors to step on each other's toes and jockey for position in the Web services world. Consider some of the possibilities:
- Authentication requirements go through the roof with the need to authenticate sources in the form of people and devices.
- Firewalls become fluent in the language of XML and encryption as they migrate toward user-aware access control gateways for legacy systems. Or will some other gateway device step in?
- Intrusion detection sensors become Online Certificate Status Protocol (OCSP) responders to signal "intrusions" in the form of unauthorized certificates. Somewhere buried under the covers is also a better way to update signature databases.
- Transaction security devices join the fray to specialize in Web services and compete against the spaces above. With no legacy limitations, they can push far ahead technologically.
So while the paranoid pundits tremble and the left-behind Luddites say Web services is just too insecure, we at Hurwitz say to all security professionals: Step up or be gone forever. Take this opportunity to demonstrate the true value of security. Be the first to dive in and express your support for the radical new business model that is Web services. Design and define your security architecture in a way that anticipates and leverages the uses of Web services.
It can't happen without us.