Web services changes the security game

Peter Judge ZDNet.co.uk

Published: 13 Feb 2003 10:36 GMT

No one is quite sure how quickly Web services are taking off, but three things are very clear. Firstly, security is the biggest obstacle to people adopting Web services. Secondly, they are right to be nervous -- because the work is not yet done. But thirdly, the industry -- users and vendors -- will not let this stop the spread of Web services.

So we are going to see some very fast work in security over the next year or so.

"The main barrier to the wholesale adoption of Web services is security and trust," said David Sprott, chief executive and principal analyst at CBDi, a Web services consultancy.

This shows up in how people are using them. "Web services are mostly taking off internally," said Mark Greatorex, director of .Net for Microsoft UK. "People want to get it right internally, before they expose their Web services externally."

Not everyone agrees though. "People are immediately doing Web services outside the company," said Andrew Nash, director of technology and standards at RSA Security. "People are doing way more than I would have expected."

People who talk to the director of technology at trust specialist RSA will be very leading edge users. But the rate of adoption has taken Nash by surprise. As far as he was concerned, Web services were still climbing up the early slope of the Gartner hype curve -- somewhat earlier in its life than Gartner itself seems to think.

Nash thinks Web services are in their infancy, because he is familiar with how good security is in IT generally, and how good it will have to be for sensible companies to trust Web services on interactions between companies. "I expected to see IT guys kicking the tyres, and not much more," he said.

But people want to do more, and are asking the IT guys to deliver, because they see what Web services can offer. He talks of a big financial information provider that wants to rush ahead with external Web services: "XML is wonderful for them," he said. They have high value information, and XML gives it its own intelligence, allowing them to deliver it in more ways to customers.

Security and trust has painstakingly built up for IT services where humans interact with applications. But Web services involves applications, or components, interacting directly with each other. And this requires a whole new level of trust.