Roughly thirty years ago, the personal computer ushered in a revolution in
computing that enabled anyone to own a computer and use productivity-enhancing
software. About eighteen years later, the birth of the World Wide Web enabled
anyone to publish information about themselves or their company. Over the last
few years, the next revolution in IT has been brewing: Web Services allow
anybody to create electronic services that can be used by anyone else, thus
enabling electronic anybody-to-anybody communications, coordination, and
interaction.
If you have not heard about Web Services from your customers, partners, and
suppliers as yet, you certainly will very soon. A poll of global CEOs, CIOs, and
CTOs by an industry analyst firm found that almost 80% of companies have
already rolled out Web Services or plan to do so within the next year. The
reason? Almost 70% reported that they expect topline revenue growth from
adopting Web Service technologies, while just shy of 60% expect both topline
revenue growth and bottomline efficiencies.
However, simply jumping on the Web Services bandwagon will not lead to
revenue growth, operational efficiencies or overall corporate success. As with
any other technology, enterprises must formulate a coherent strategy to use Web
Services to achieve their organizational and financial goals. In order to do so,
companies must understand Web Services, their value proposition, and how to use
them properly.
Why Web Services are Important
Web Services are indeed a technology for distributed computing. One critical
distinction between Web Services and the distributed computing technologies
that came before is that whoever implements a Web Service can be reasonably
confident that any other party will be able to communicate with and use the
service.
Because they are based on industry standards such as XML and HTTP, and
interoperate almost anywhere, Web Services place few restrictions on which
other applications your applications can interact with.
This anybody-to-anybody characteristic of Web Services enables new business
opportunities as well as more efficient and fluid business relationships.
Who Is Using Web Services?
Companies of all sizes and in all industries are rallying around Web
Services. Not only are high-tech, telecommunications, and financial services
companies using and deploying Web Services; "low-tech" industries such as sugar
manufacturing are adopting them as well and reaping enormous benefits.
For example, a major sugar manufacturer has exposed its inventory and
ordering systems as Web Services. This allows its customers — soft drink
bottlers, chocolate and candy manufacturers, and sugar retailers — to order
sugar accurately and easily. More importantly, each customer can immediately
integrate its ERP and SCM systems with the sugar manufacturer's Web Services.
Similarly, on the back-end the sugar manufacturer is exposing its procurement
systems as Web Services. This allows the sugar manufacturer to electronically
and automatically connect with sugar cane growers and retailers, and purchase
the right type and amount of sugar cane at the right time (based on its
manufacturing process and ERP systems) and at the most competitive prices so as
to best meet the needs of its customers.
Securing Web Services
Perhaps the most often cited reason given by enterprises for not deploying
externally-facing Web Services is the lack of understanding of the security
risks involved as well as the best practices for addressing those risks.
Development and IT managers want to know whether the security risks and the
types of attack common for Web sites will be the same for Web Services. Will
existing enterprise security infrastructure already in place, such as firewalls
and well-understood technologies like Secure Sockets Layer (SSL), be sufficient
to protect their companies from Web Service security attacks?
Since Web Services leverage much of the infrastructure developed for Web
sites, it is reasonable to expect that the types of security breach common to
Web sites will also be common to Web Services. However, a Web Service goes
further: it provides an application programming interface (API) for external
agents to interact with it, and it publishes a description of that API (in the
form of WSDL files). A Web Service environment therefore makes attacks easier
to mount, and in fact attracts them, because the attacker is handed a precise
list of operations and message formats that a Web site would have forced it to
discover for itself.
WS-Security
WS-Security is quickly emerging as the de facto standard for addressing
security within a Web Service environment. Essentially, WS-Security brings
together the industry standards for XML Encryption and XML Signature and
positions them within the context of Web Services and SOAP messages. Since
SOAP messages are platform- and transport-independent, placing security
information within the messages themselves lets multiple systems interoperate
securely no matter what their underlying platform or transport mechanism, and
keeps that protection attached to the message all the way to the final
recipient rather than ending at the next hop.
WS-Security originated with Microsoft, IBM, and VeriSign, who submitted a
group of security specifications to the Organization for the Advancement of
Structured Information Standards (OASIS). Sun Microsystems later joined the
effort to develop the specifications further.
Data Protection
Data protection refers to handling transmitted messages so that the contents
of each message arrive at their destination intact and unaltered (integrity)
and are not viewed by anyone along the way (confidentiality). Data protection
is critical within a Web Services environment, as personal information, such
as credit card numbers, and competitively sensitive organizational
information, such as customer contacts and employee names, will be exchanged
between Web Services.
Data protection is implemented with encryption. The most commonly used
mechanism is the Secure Sockets Layer (SSL) protocol, which creates an
encrypted tunnel between the originating and destination computers:
public-key cryptography authenticates the server (and optionally the client)
and establishes a session key, and symmetric encryption under that key
protects the traffic.
However, SSL provides only point-to-point data protection. In many instances
the Web Service provider itself forwards the request to be handled by another
computer (or Web Service) or even a person. The message leaves the SSL tunnel
at that first hop, and each intermediary sees it in the clear and can alter it
before passing it on; only message-level protection, such as the XML
Encryption and XML Signature mechanisms that WS-Security applies to SOAP
messages, stays with the content from the original sender to the final
recipient.
Authentication
Authentication refers to verifying that the identity of an entity is in fact
that which it claims to be. In a Web Service environment, a Web Service provider
may need to be authenticated by the Web Service requester before the service is
invoked and personal information is sent. The requester may also need to be
authenticated by the provider before the service is rendered and critical
information is sent back in the reply.
In many simple service invocations that do not involve the exchange of
personal or corporate information or where there is no charge for the service
invocation, authentication may be unnecessary. For example, a client application
that queries a free weather report Web Service may not need to authenticate the
provider nor does the provider need to authenticate the requester.
Authorization
After a principal's identity has been authenticated, authorization
mechanisms are used to determine what the user (or application) will be allowed
to access. Information about the user, such as subscription level, is used to
grant the appropriate level of access.
Authorization is increasingly important within Web Service environments. Web
Services expose data as well as processes and operations to programmatic
access. Before, access to this kind of information was for the most part
channeled through human beings, who acted as checkpoints that safeguarded the
information from unauthorized access. With Web Services providing programmatic
access, authorization schemes must now act as the checkpoints.
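One shape such a programmatic checkpoint can take, as an added example that is not the article's or Cyndeo's code: the requested operation is taken from the parsed SOAP Body (never from a URL or a header the caller controls), the caller's identity and subscription level are whatever authentication has already established, and every operation not explicitly listed in the policy is denied. The subscription tiers, the operation names, the partner identifier bottler-42 and the urn:example:sugar namespace are assumptions made for the example; the SOAP 1.1 envelope namespace is the real one.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"strings"
)

const soapEnvNS = "http://schemas.xmlsoap.org/soap/envelope/" // SOAP 1.1 envelope namespace

// Level is a subscription tier of the kind the article mentions; higher includes lower.
type Level int

const (
	Anonymous Level = iota // assumed tiers for the example
	Customer
	Contract
)

// Principal is what authentication has already established about the caller,
// for example the signer identifier of a verified WS-Security signature.
type Principal struct {
	ID    string
	Level Level
}

// policy is the checkpoint: every exposed operation and the minimum level it
// needs. Anything not listed is denied, so a new operation stays closed until
// someone decides who may call it. Operation names are assumed for the example.
var policy = map[string]Level{
	"GetCatalog":         Anonymous,
	"CheckInventory":     Customer,
	"PlaceOrder":         Customer,
	"GetContractPricing": Contract,
}

// operationName returns the local name of the first element inside soap:Body,
// which in document-style SOAP names the requested operation.
func operationName(envelope string) (string, error) {
	dec := xml.NewDecoder(strings.NewReader(envelope))
	inBody := false
	for {
		tok, err := dec.Token()
		if err != nil { // io.EOF or malformed XML: no operation found
			return "", fmt.Errorf("no operation element in soap:Body: %w", err)
		}
		se, ok := tok.(xml.StartElement)
		if !ok {
			continue
		}
		if inBody {
			return se.Name.Local, nil
		}
		inBody = se.Name.Space == soapEnvNS && se.Name.Local == "Body"
	}
}

// authorize decides: deny unless the operation is known and the caller's level reaches the requirement.
func authorize(p Principal, op string) (bool, string) {
	need, known := policy[op]
	switch {
	case !known:
		return false, fmt.Sprintf("%s: unknown operation %q denied", p.ID, op)
	case p.Level < need:
		return false, fmt.Sprintf("%s: %s needs level %d, caller has level %d", p.ID, op, need, p.Level)
	}
	return true, fmt.Sprintf("%s: %s allowed", p.ID, op)
}

// dispatch is where a request enters the service after authentication.
func dispatch(p Principal, envelope string) (bool, string) {
	op, err := operationName(envelope)
	if err != nil {
		return false, p.ID + ": " + err.Error()
	}
	return authorize(p, op)
}

// request builds a constructed document-style SOAP request for op.
func request(op string) string {
	return fmt.Sprintf(`<soap:Envelope xmlns:soap="%s"><soap:Body><%s xmlns="urn:example:sugar"/></soap:Body></soap:Envelope>`, soapEnvNS, op)
}

func main() {
	guest, bottler := Principal{"anonymous", Anonymous}, Principal{"bottler-42", Customer}
	cases := []struct {
		p  Principal
		op string
	}{
		{guest, "GetCatalog"}, {guest, "PlaceOrder"}, {bottler, "PlaceOrder"},
		{bottler, "GetContractPricing"}, {bottler, "DeleteAllOrders"},
	}
	for _, c := range cases {
		_, why := dispatch(c.p, request(c.op))
		fmt.Println(why)
	}
}
```

The deny-by-default table is the point: an operation that appears in the WSDL but not in the policy, such as the DeleteAllOrders request in the sample run, is refused without anyone having to remember to block it.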
Non-repudiation
Non-repudiation provides a means to prove that a sender sent a particular
message, so that the sender cannot later disavow having sent it. Standard
security mechanisms such as SSL and passwords do not provide it: a password or
an SSL session key is known to the receiver as well, so the receiver could have
produced any evidence that rests on it. Non-repudiation is instead addressed
by digital signatures.
Digital signatures play the role of handwritten signatures. They allow the
receiver of a document to verify that it was signed by the holder of a
particular private key and that its contents have not changed since it was
signed. Because only that key holder could have produced the signature, it
also supports accountability: the application (and the company) that signed
the document can be identified and held to its contents.
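The WS-Security, data protection and non-repudiation points above in working code: a signature carried inside the SOAP message survives the hops that an SSL tunnel does not cover, and only the holder of the private key could have produced it. This is an added example written in Go against the standard library; it is not code from the article or from Cyndeo. The partner identifier bottler-42, the urn:example:sugar purchase order and the three scenarios are constructed for the example, and the signature covers the raw Body bytes rather than the canonicalized SignedInfo structure a conformant XML Signature would use. The namespace URIs are the real SOAP 1.1, OASIS WS-Security 1.0 and XML Signature ones.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Namespace URIs of SOAP 1.1, OASIS WS-Security 1.0 and XML Signature.
const (
	soapNS = "http://schemas.xmlsoap.org/soap/envelope/"
	wsseNS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
	dsNS   = "http://www.w3.org/2000/09/xmldsig#"
)

// field returns the text between the first <tag> and the next </tag>, or "".
// It stands in for an XML parser in this example.
func field(s, tag string) string {
	i := strings.Index(s, "<"+tag+">")
	if i < 0 {
		return ""
	}
	rest := s[i+len(tag)+2:]
	j := strings.Index(rest, "</"+tag+">")
	if j < 0 {
		return ""
	}
	return rest[:j]
}

// signEnvelope wraps payload in <soap:Body>, signs those exact bytes with the sender's
// private key (RSA PKCS#1 v1.5, SHA-256) and puts signature and signer identifier in the
// wsse:Security header, where WS-Security carries its tokens. Simplification: a conformant
// XML Signature canonicalizes the Body first, so re-serialization by a hop does not break it.
func signEnvelope(key *rsa.PrivateKey, keyID, payload string) string {
	digest := sha256.Sum256([]byte("<soap:Body>" + payload + "</soap:Body>"))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		panic(err) // only a broken CSPRNG can get here with a valid key
	}
	return fmt.Sprintf(`<soap:Envelope xmlns:soap="%s"><soap:Header><wsse:Security xmlns:wsse="%s">
<ds:Signature xmlns:ds="%s"><ds:KeyInfo><wsse:KeyIdentifier>%s</wsse:KeyIdentifier></ds:KeyInfo>
<ds:SignatureValue>%s</ds:SignatureValue></ds:Signature></wsse:Security></soap:Header>
<soap:Body>%s</soap:Body></soap:Envelope>`,
		soapNS, wsseNS, dsNS, keyID, base64.StdEncoding.EncodeToString(sig), payload)
}

// verifyEnvelope runs at the final recipient, however many hops away. It holds only
// public keys and so could not have produced the signature itself; that is what makes
// the signature evidence against the sender, which a shared password or SSL key cannot be.
func verifyEnvelope(trusted map[string]*rsa.PublicKey, envelope string) error {
	pub, ok := trusted[field(envelope, "wsse:KeyIdentifier")]
	if !ok {
		return errors.New("signer is not a trusted partner")
	}
	sig, err := base64.StdEncoding.DecodeString(field(envelope, "ds:SignatureValue"))
	if err != nil || len(sig) == 0 {
		return errors.New("missing or malformed ds:SignatureValue")
	}
	digest := sha256.Sum256([]byte("<soap:Body>" + field(envelope, "soap:Body") + "</soap:Body>"))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return errors.New("Body does not match signature: altered in transit or not from the claimed signer")
	}
	return nil
}

// newKey makes a party's key pair; generation from the OS CSPRNG does not fail in practice.
func newKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

type Outcome struct{ Genuine, Tampered, Impersonated error } // verdicts; nil means accepted

// runScenarios replays the article's sugar-ordering case with a constructed order:
// a bottler signs it, the manufacturer's front end forwards it, the order system verifies it.
func runScenarios() Outcome {
	bottler, stranger := newKey(), newKey()
	trusted := map[string]*rsa.PublicKey{"bottler-42": &bottler.PublicKey}
	genuine := signEnvelope(bottler, "bottler-42", `<PlaceOrder xmlns="urn:example:sugar"><Tonnes>20</Tonnes></PlaceOrder>`)
	// A hop on the way edits the quantity; it has no key with which to re-sign.
	tampered := strings.Replace(genuine, "<Tonnes>20<", "<Tonnes>200<", 1)
	// An outsider signs the same order with its own key but claims to be the bottler.
	forged := signEnvelope(stranger, "bottler-42", field(genuine, "soap:Body"))
	return Outcome{verifyEnvelope(trusted, genuine), verifyEnvelope(trusted, tampered), verifyEnvelope(trusted, forged)}
}
func main() {
	out := runScenarios()
	fmt.Printf("genuine: %v\ntampered: %v\nimpersonated: %v\n", out.Genuine, out.Tampered, out.Impersonated)
}
```

The example covers integrity and origin only; the intermediary in the tampered scenario still reads the order in the clear. Confidentiality across hops is the other half of WS-Security, XML Encryption of the Body, which keeps the same message-level rather than hop-level scope.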
Web Services can be Secure
There has been a frenzy in the media that Web Services are insecure.
Certainly, Web Services can be insecure, but the technologies and standards are
in place to address security for Web Services. Developers and architects must
use these technologies properly to create secure systems, and then institute
processes that complement the technology and deliver end-to-end security.
Processes are important because technology can only do so much. For example, a
well-architected credit card processing solution may be very secure, but if the
credit card user leaves her card out for public view or improperly disposes of
her receipts, the resulting security lapse cannot be attributed to the
technology.
Web Services and Mobility
Web Services and mobility go hand-in-hand. As companies use Web Services to
tie their business processes together across the supply chain and create
"extended enterprises", more issues will require the immediate
attention of decision-makers. This requirement for 24x7 access to enterprise
data and processes will pave the way for mobile devices to become first class
citizens within the device landscape of corporations.
As mobile applications become more important, Web Services
offer a powerful architecture for developing these applications.
The use of Web Services by mobile applications allows some,
if not most, of the application’s business logic to run on remote servers,
which are independent of the mobile device’s computational resource
limitations. Since the use of Web Services separates out some of the business
logic and does not require that the entire application be run on the mobile
device itself, the time to download (over a wireless network) an application in
order to run it can be greatly reduced.
When developing mobile Web Services-based applications, a
variety of different architectures are possible. A mobile systems architecture
that is commonly used is a proxy-based one in which the mobile application
communicates only with a proxy server. The proxy server in turn communicates
with and manages the back-end resources, such as Web Services.
Within a typical enterprise environment, Web Services-based
applications utilize multiple Web Services instead of just one. In this case, a
proxy server-based invocation model effectively creates a single, coarse-grained
interface to the multiple, underlying Web Services. This eliminates the need for
multiple individual Web Service calls. Eliminating these calls in favor of an
effective coarse-grained interface to multiple Web Services has numerous
benefits for mobile applications as well as for their users. These benefits
include:
- Usage costs: By reducing the number of individual Web Service invocations
and using a higher-level, more coarse-grained interface to multiple Web
Services, a proxy server-based Web Service model reduces wireless network
usage, and thus airtime costs.
- Latency: Proxy server-based Web Service invocations also potentially lower
application latency by reducing the number of messages that must traverse
slower wireless networks. Additionally, when there are lengthy delays between
one Web Service call and the next, each call may have to repeat the
connect/disconnect cycle required to access the wireless network, which adds
further latency.
- Energy conservation: Since transmitting or receiving every bit of data over
a wireless network consumes a fixed amount of energy, reducing wireless
network usage brings a corresponding reduction in energy consumption.
Conserving the energy consumed by mobile applications increases the device's
battery life.
The number and variety of mobile devices used by enterprises are steadily
increasing as Web Services enable multiple organizations to tie their business
processes together across supply chains and create "extended enterprises". The
use of Web Services is encouraging this trend towards mobility, and, at the
same time, Web Services provide a compelling architecture with which to build
such mobile applications.
Web Services and Web Portals
Web portals are important tools for enterprises. A portal is a user-facing
aggregation point where multiple, potentially unrelated functionalities and
services are housed. Usually, portals serve as a gateway to consumer
offerings, such as news, electronic mail, and stock prices, or to corporate
employee offerings, such as retirement planning and account information, time
cards and payroll, and employment agreements and other legal documents.
Portals provide a single location that users can turn to when
they are looking for information and services. Instead of spending a lot of time
searching through multiple locations, portals aggregate the relevant information
at a single, easy-to-remember location.
Another type of Web portal that is commonly used by
manufacturing companies is the manufacturing components retail portal. This type
of portal provides a single online location where complex machinery and
components from a large number of manufacturers can be purchased.
Web Services offer a unique means by which to build such
user-friendly and cost-effective Web portals. Since Web Services are
remotely-hosted and remotely-managed by their owners, Web portals simply have to
either allow or disallow access to each Web Service. Additionally, since Web
Services use industry-standard technologies and can be accessed from any
computer, they ensure interoperability with the portal as well as with the
portal’s users.
Sandeep Chatterjee
The author is CEO of Cyndeo