"(With Web services) your biggest exposure is security."
(Forrester Research, 2001)
Security concerns are threatening to dampen the widespread usage and adoption of Web services-related technologyin the enterprise scale. Conflicting sets of standards, technologies, and specifications have emergedwith no clear-cut direction or leadership.
It is also a place wherein there is no shortage of dirty corporate politics across several industry bigwigs and bodies, which only worsens the situation further.
Beginning this week (and continuing for the next six weeks), I'll be exploring the realm of Web services security in a series of seven articles. My primary focus will be on some of the major technologies, trends, specifications, and toolkits that have come out so far. I'll also be providing some peeks into and perspectives on the future of Web services security-related areas as we go along.
I'd like to emphasize that Web service security, as a whole, is an emerging field of technology in which several industry players, consortia, and standard bodies are involved. As yet, we can look at only some of the major developments that have emerged successfully and are likely to stay for the days to come; many others are still emerging, and are in the process of proving themselves.
In the present article, I set the stage by discussing the background of Web service concepts, what security means for the enterprises, and what makes implementing Web services security difficult.
Web Services Trends
Of late, there has been lot of excitement and enthusiasm around Web service-related technologies. Setting aside all the big hype created by the vendors in the industry, everyone agrees that Web services are here to stay.
There are many who believe that Web services are but a natural evolution of computing methodologies to succeed object-oriented programming, components-based design, and distributed application development.
In simple terms, Web services are technologies that enable wrapping up your business functionalities (such as stock trading or insurance policy processing) into what are called "services," and make them available for invocation by other programs across intranets and the Internet. Vendor-neutral technologies and specifications lie at the root of Web services: These include SOAP (Simple Object Access Protocol), WSDL (Web Services Description Language), and UDDI (Universal Description Discovery and Integration).
At least at a conceptual level, Web services give rise to several interesting possibilitiessuch as disparate system communications across the Web, effortless and adapter-independent back-end integration, aggregated enterprise-wide service pools, distributed service federations, dynamically linked Web applications, and so on.
From a monetary perspective, Web services is believed to result in reduced "total cost of ownership" of all applications across the enterprise because every system can then be viewed as a collection of several services put together.