With Web services security, there's nothing to fear but fear itself
By Staff -- MSI, 10/1/2004
Security concerns often are cited as one reason why the use of Web services has yet to fully take off. But many of those fears may be irrational.
"Existing standards are robust enough to protect against possible network intrusions or any other issues," says Eric Marks, CEO of AgilePath Corp., a Newburyport, Mass.-based consulting firm that specializes in Web services projects. "If you use good common sense and apply security measures in an appropriate and repeatable fashion, you should have no problems with the use of Web services."
The standards Marks refers to deal with, for one thing, how the person creating a service embeds the information that lets other programs know the service has a legitimate purpose for wanting to communicate with them. But there were ways to weed out potentially mischievous or malicious Web services even before the standards were in place.
Jeff Tonkel, CEO of Infravio, a software company that has developed applications for managing Web services, argues that developing security for Web services is no different than it is for any other Web-based application.
"Essentially you need the same security measures—a firewall, virus scanning software, encryption technology, and authentication and authorization programs," he says. "The only difference is, with Web services, these programs have to work with Web services protocols instead of the HTTP protocol that is typical of other Web-based programs."
Tonkel also notes that Infravio has a program called X-broker that can act as an intermediary between Web services. When placed on a network, X-broker will pick up Web services messages from a sending program and then run a series of checks to verify the identity of the service and its purpose for wanting to talk with another program. Tonkel likens this to having the user name and password verified when a person wants to log on to a secure Web site.
Once X-broker clears a service, it passes the service's credentials to an identity management program, which determines what programs the service will have access to and what functions it can perform with those programs. Tonkel says X-broker is compatible with identity management programs, including Microsoft's Active Directory, IdentityMinder from Netegrity, and various open-source applications.
Marks says some companies—including Digital Evolution, AmberPoint, Reactivity, and Vordel—also offer varied approaches to ensuring the security of Web services, which, he adds, is all the more reason that "fears about security definitely should not be a reason for delaying the deployment of Web services to solve specific business problems."

















