
Functionality versus safety...
Published: 8 May 2002 12:00 BST
As any number of marketing directors will tell you, the future is web services, right? And given the money being ploughed into this area it's hard to disagree. Yet one of the few things that could harm or even kill web services at birth is IT security. Joey Gardiner assesses the risks...
Web services are actually starting to take shape. With the likes of Microsoft and Sun trumpeting their first simple customer case studies, some of the initial mist over what on earth web services means seems to be clearing.
While practically complex, the vision of an intelligently interlinked internet where joined up services are offered to users automatically, according to their preferences, is irresistible.
Microsoft's example of a US airline already using .Net technologies to give customers a discounted rental car from a third party when they book a flight starts to indicate the potential applications.
On the supply chain side web services can start delivering some of the real benefits promised by e-marketplaces, which ended up being stalled by a lack of interoperability.
Sounds encouraging, doesn't it?
Here's the bad news. Web services still have a number of huge hurdles to cross before they become useful. The issue most likely to upset the apple cart is IT security.
Security issues around web services are complex and thorny but go to the heart of how successful they will end up being. This is principally because the level of security will determine the amount of functionality that can be delivered - the better the security, the lower the functionality.
The trick is to make functionality high enough to attract users to the service, while keeping security good enough to make users feel safe. It's a difficult circle to square.
The potential problems were expressed perfectly last autumn by the customer reaction to online bank Egg's adoption of Microsoft's .Net technologies. Egg users emailed silicon.com in droves saying they were transferring their accounts - because they just didn't trust Microsoft with their data.
Stuart Okin, Microsoft UK's chief security officer, reckons the issue of trust is key. "The first and largest hurdle is getting businesses and consumers to trust an infrastructure that goes across the internet using multiple partners," he said.
"It'll be tough for many companies to accept that even though there will be parts of the services outside of their control web services can be secure."
Microsoft has more problems than most in this respect. Despite being widely acknowledged as the leader in web services, Microsoft has a bad reputation on security. If security issues are damaging to web services as a whole, they are particularly acute for Microsoft, which stands to lose contracts if businesses think its software isn't up to the job.
Additionally the security problems are tougher than with standard ecommerce because of the aggregation of services implied by web services.
Key to the web services vision is the idea of single sign-on, whereby users can be authenticated once and then benefit from a whole host of services, all of which are capable of recognising identity and reacting accordingly. Theoretically, users will be able to shop online in a variety of different places without the rigmarole of entering credit card or address details again and again.
Added convenience indeed. But also added risk? The world of single sign-on means if a hacker breaks in at one point, theoretically he has access to all services used. So now the hacker has not just credit card details but addresses and maybe bank details too.
In other words, total online identity security has been compromised.
As Sinead Hanley, senior consultant at services giant Andersen, knows, this makes people a bigger target for hackers: "If you manage to get in to systems, the rewards are potentially so much bigger. Therefore the hacker has more motivation to try."
And as most security experts admit - including Microsoft's Okin - no systems are un-hackable. What matters most is how much the hacker wants to get in.
However, single sign-on systems do have security benefits, the greatest being that they spare users from needing multiple passwords for all their different online services. Currently people tend either to use the same password for all their services, which is dangerous if the password for even the most harmless of services is compromised, or to write their passwords down in a list which can be lost, stolen or copied.
Many security experts accept that for the increased risk associated with single sign-on architectures, a stronger way of authenticating users is needed than the ubiquitous but untrustworthy password.
Herein lies the crux of the problem, because the usability of web services suffers severely if users have to use digital certificates or some form of hardware, such as a smartcard, to verify who they are.
Retailers have been unwilling to force this extra hassle on customers, and seem unlikely to, especially as the tangible benefits of web services still remain for the most part in the future.
Andersen's Hanley said in the consumer market, at least, forms of strong authentication might never take off. "There are stacks of different types of authentication but they tend to make things more fiddly - people always revert to passwords," she said.
This leaves the web services vendor in a fix, with no obvious happy medium to be found between security and functionality. Some say single sign-on - supposedly the big benefit of web services - can never happen, for these reasons.
Don Massaro, president and CEO of web traffic management firm Array Networks, said: "Single sign-on - it's a fairy-tale - there's no single sign-on. The challenge is not authentication but authorisation - what are you allowed to see once you're in?"
And with the PKI market still awaiting its long-heralded take-off - essential for many high-value B2B web services - this is not the only area where such difficulties are found.
There are some bright spots on the horizon though. Initiatives like the recently announced Web Services Security standard (WS-Security) led by IBM, Microsoft and Verisign will start to ensure interoperability of security protocols. And the Liberty Alliance group formed by Sun and others is trying to find a way to manage widespread strong authentication for end users.
The situation is undoubtedly complex. If, as Gartner Group predicts, disillusionment with web services starts to creep in over the next couple of years, it may be in no small part due to difficulties with IT security.
Beyond getting customers to understand what web services are, the single largest stumbling block remains how to manage the security of web services.
Web services can only be a success if the elusive balance is found between functionality and security. As Array Networks' Don Massaro added: "The biggest issue in web services right now is how do you secure your transactions without destroying usability for the end user."
This is exactly what businesses will have to know the answer to before many even consider rolling out web services.
Copyright ©1995-2008 CNET Networks, Inc. All rights reserved.