Advertisement
Promo

Server platforms Toolkit

Key factors for secure Web services

Ray Geroski

Published: 19 Nov 2002 10:49 GMT

  • Email
  • Trackback
  • Clip Link
  • Print friendly
  • Post Comment

To help you evaluate your current needs before moving forward with Web services, Don Awalt, founder and CEO of RDA, a software engineering firm whose solutions help companies offer services over the Internet, provides some insight on these critical elements of Web services.

Security
Security is the most important aspect of Web services. To successfully provide services and access to data and applications over the Web, organisations must determine how they can secure communications and transactions.

Basically, Web services work to expose the inner workings of your company to the Internet, Awalt said. Public users of your Web services will have a window into your data and how you do business. This has both security and customer service implications, according to Awalt. Not only do you have to secure that access to the data, but you also have to account for customer issues that may arise from doing business in this manner.

According to Awalt, the most important issues to consider with regard to security are:

  • Authentication
  • Authorisation
  • Auditing
  • Validation

Every company needs to determine how it will handle these issues, said Awalt. For example, if an organisation makes data available to users via a Web services interface, it has to decide whether it is going to develop and manage the authentication method itself or whether it will rely on a third-party system. Organisations also have to ask themselves if they have the infrastructure to support authenticating the number of users that they expect to access the system.

Instead of any one authentication method moving to the forefront, Awalt said the current trend is for the adoption of Web services protocols that would support the infrastructures and protocols of existing systems.

"Web services," said Awalt, "is basically an integration architecture. One organisation may be using X.509 and another may be using Kerberos, so we have to make this stuff work with architectures people already have in place."

Awalt believes that security is the biggest obstacle organisations face in implementing Web services because many are naïve about security and do not consider all facets of security issues. For example, Awalt once dealt with a company that featured a financial system that enabled consumers to conduct transactions over the Internet. The system supported authentication of users to the system but not authentication of the system to users. This oversight, Awalt said, could have resulted in theft of customer data. Someone intent on stealing financial data could have set up a system pretending to be the customer's financial services system, and the customer might have transmitted sensitive data to it and never known the difference.

"It's hard," said Awalt, "to find good blueprint architectures that consider all of the things you have to worry about so they can be properly covered in the applications you design."

Another security consideration critical to Web services is auditing. Organisations will have to provide a means of recording transactions and being able to display that data securely to customers so they can verify what they've done. It's also an issue of being able to prove that a customer completed transactions.

Awalt said that a scenario to consider is when customers claim that they did not perform transactions that have been recorded in the system. Two important questions to ask are: What kind of proof will you have that transactions have taken place, and who performed them?

"All you can really prove, potentially," said Awalt, "is that somebody used some information of the customer's to perform a transaction."

Reliability and architecture
Another important issue to consider when implementing Web services, said Awalt, is the reliability of the system. The architecture must be able to handle errors and be able to account for issues such as messages arriving in the wrong order or failing to arrive altogether.

"About the only way you send messages over the Internet reliably," said Awalt, "is to send them multiple times."

Because measures like this must be taken to ensure reliable communication over the Internet, Awalt said the way transactions are handled may have to be changed. For example, if you withdraw money from an account over the Internet, the system must be able to account for the possibility that requests may be sent multiple times for a single transaction. The logic of the system must be designed so that multiple communications like this are interpreted as the correct number of actual transactions instead of separate items.

Next

Previous

1 2


  • Email
  • Trackback
  • Clip Link
  • Print friendlyPrint with EPSON

Did you find this article useful?
84 out of 171 people found this useful


In association with HP

Talkback

Post a comment


Full Talkback thread

0 comments

Related Links

More In Server platforms


Company/Topic Alerts

Create a new alert from the list below:












Video icon

Video

Microsoft Futures

Windows 7: Mixed reviews from PDC attendees

As developers received their copies of Windows 7 on Tuesday, they offered varied reactions to the Microsoft operating system update More

Microsoft floats clouds on Windows Azure

At the Professional Developers Conference, Microsoft announced the Azure Services Platform, the company's cloud-computing platform More

Ozzie: Success of Azure comes down to trust

In an interview, Ray Ozzie says businesses will be taking a risk by placing core operations in Microsoft's datacentre, but that the software giant has more to lose if things go bad More


Skip Sub Navigation Links to CNET Brand Links

Help

Become part of the ZDNet community.

ALL TOOLKITS

Blogs

Newsletters