'Web services' is the latest buzz phrase to hit the IT headlines.
If security professionals believe the hype, web services will enable companies to solve their interoperability problems and provide considerable efficiencies. However, as Iain Franklin suggests in an alternative view to those of Atri Chatterjee, such services may yet be facing many hurdles before their adoption becomes widespread.
Fear about security has always been a barrier to the adoption of new technologies, and web services is really no different.

In technical terms, at least, web services presents no greater security threat than any other web-based application. Eventually, it will permit the free flow of data traffic across an unbounded network, but initial deployments will be internal rather than external.

Over time, companies will be able to offer packaged applications across the Internet, effectively outsourcing different parts of an application to specialists in each field.

An application looking to perform a specific function would access an Internet-based registry to find organisations that provide the functionality as a web service. That said, the more complex the application becomes, the harder it is to track how those services are being sourced – and by whom.

This raises several questions. How do you know which machine your system is communicating with at any one time? How do you know that all parties in the chain boast adequate security?

As with any outsourced function, a clear understanding of where the responsibilities lie has to be laid down in a Service Level Agreement between customer and supplier. In a similar way to the ASP model, the supplier has control over the company's data and the process under which it is accessed (and, therefore, the responsibility).

The main danger with web services lies in the multiplication of risk by combining web applications alongside what is effectively an outsourced model – while at the same time using public-facing servers. The odds of a hacking incident occurring are considerably increased over an in-house application.

In terms of protecting these public-facing servers and applications, the very best efforts must be made to safeguard data at source. Maximum intrusion prevention will need to be deployed. Messages passed between co-operating processes are also at risk of attack and must be protected.

Accepted practice will be to safeguard messages written in XML by sending them over secure HTTP. However, this doesn't circumvent the issue of protecting the application itself, as well as the data. Any hacker worth his or her salt attacks at the core, often hiding code within secure HTTP.