WS-Security represents an important step for Web services security and acceptance of the technology.

To exploit the advantages that Web services offer means opening up corporate applications at the API level to the broader Internet. CTOs worried about hackers taking over their Web sites are faced with the prospect of having their mission-critical applications and data programmatically exposed, quite literally, to the entire world. Fortunately, there are ways to exploit the value of Web services without endangering your systems.

First, it’s important to note that Web services work just fine as purely inside-the-firewall integration mechanisms. Like their predecessors CORBA, DCOM (Distributed Component Object Model), and RMI (Remote Method Invocation), Web services are designed to link multiple applications on different platforms together. And because Web services technologies are entirely based on XML, and because vendors and end-users are pushing to adopt industry standards, Web services represent the first truly cross-platform integration tool.

But the practical problems brought by using Web services are considerable. There are multiple competing security frameworks. Your XML packet may traverse any number of intermediate routers, firewalls, load balancers, and so on, any one of which may “peek” at your packet — rendering the information insecure. Or your business rules may require you to enforce access rights (for example, only certified travel agents can run an airline reservation system).

Solutions in the works

Fortunately, help is on the way — although it’s not here yet. IBM, Microsoft, and VeriSign have collaborated to begin standardizing the technologies and processes behind WS-Security (Web Services Security). The first version of the spec arrived on April 5, 2002 and is available on the Web sites of the three author companies.
WS-Security details the mechanisms by which a SOAP (Simple Object Access Protocol) message can describe not only its contents but also its credentials, and the algorithms by which your XML packet’s privacy and nonrepudiability (digital signature) were generated. This embraces the all-important notion of multiple security domains and architectures. It represents an important first step in the creation of a comprehensive Web services security framework. Yet, as its authors are quick to point out, WS-Security does not even begin to address what might be called the “higher-order” problems. Areas yet to be defined include how precisely different trust domains and security architectures can reliably interoperate, how privacy preferences can be expressed, how authorization and access policies can be incorporated, and so on. For the time being, CTOs will have to decide if existing security infrastructures and architectures meet their Web services needs. However, given the tremendous advantages Web services technologies offer, be assured that work will continue at a feverish pace.
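To make concrete what “a SOAP message that describes its own credentials” looks like, here is an added Python example (not code from the article, nor from IBM, Microsoft or VeriSign). It builds a SOAP envelope whose header carries a wsse:Security block with a UsernameToken, and implements the receiving side that checks the token. The namespace URIs and the password-digest formula are those of the later OASIS WS-Security 1.0 UsernameToken Profile, which is an assumption on my part (the April 2002 draft used different URIs); the user names, passwords, nonce, timestamps and flight payload are constructed sample values. The receiver rejects replayed nonces and stale timestamps, which is the defender’s reason for those two fields existing at all.

```python
import base64
import datetime as dt
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Assumption: URIs and digest formula from the OASIS WS-Security 1.0 UsernameToken Profile.
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-secext-1.0.xsd")
WSU_NS = ("http://docs.oasis-open.org/wss/2004/01/"
          "oasis-200401-wss-wssecurity-utility-1.0.xsd")
DIGEST_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
               "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
CLOCK_SKEW = dt.timedelta(minutes=5)   # freshness window chosen for this example

def password_digest(nonce: bytes, created: str, password: str) -> str:
    """PasswordDigest = Base64(SHA-1(nonce + created + password))."""
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")

def build_envelope(username, password, body_xml, nonce=None, created=None):
    """Sender side: SOAP envelope whose header carries a wsse:Security block
    with a digest-type UsernameToken; the cleartext password is never sent."""
    nonce = nonce or os.urandom(16)
    created = created or dt.datetime.now(dt.timezone.utc).strftime(TIME_FMT)
    return f"""<soap:Envelope xmlns:soap="{SOAP_NS}">
  <soap:Header>
    <wsse:Security xmlns:wsse="{WSSE_NS}" xmlns:wsu="{WSU_NS}">
      <wsse:UsernameToken>
        <wsse:Username>{escape(username)}</wsse:Username>
        <wsse:Password Type="{DIGEST_TYPE}">{password_digest(nonce, created, password)}</wsse:Password>
        <wsse:Nonce>{base64.b64encode(nonce).decode("ascii")}</wsse:Nonce>
        <wsu:Created>{created}</wsu:Created>
      </wsse:UsernameToken>
    </wsse:Security>
  </soap:Header>
  <soap:Body>{body_xml}</soap:Body>
</soap:Envelope>"""

class Verifier:
    """Receiver side: checks the token against a {username: password} store
    (constructed here) and rejects stale timestamps and replayed nonces."""

    def __init__(self, credentials):
        self.credentials = credentials
        self.seen_nonces = set()   # need only cover the CLOCK_SKEW window

    def verify(self, envelope_xml, now=None):
        now_str = now or dt.datetime.now(dt.timezone.utc).strftime(TIME_FMT)
        now_dt = dt.datetime.strptime(now_str, TIME_FMT)
        # Untrusted SOAP belongs in a hardened parser (e.g. defusedxml); stdlib used for brevity.
        root = ET.fromstring(envelope_xml)
        token = root.find(f"{{{SOAP_NS}}}Header/{{{WSSE_NS}}}Security/"
                          f"{{{WSSE_NS}}}UsernameToken")
        if token is None:
            raise ValueError("no UsernameToken in wsse:Security header")
        username = token.findtext(f"{{{WSSE_NS}}}Username") or ""
        pw_el = token.find(f"{{{WSSE_NS}}}Password")
        if pw_el is None or pw_el.get("Type") != DIGEST_TYPE:
            raise ValueError("only digest-type passwords are accepted")
        nonce = base64.b64decode(token.findtext(f"{{{WSSE_NS}}}Nonce") or "")
        created = token.findtext(f"{{{WSU_NS}}}Created") or ""
        created_dt = dt.datetime.strptime(created, TIME_FMT)   # malformed -> ValueError
        if abs(now_dt - created_dt) > CLOCK_SKEW:
            raise ValueError("Created timestamp outside the freshness window")
        if nonce in self.seen_nonces:
            raise ValueError("nonce already used: replayed token")
        password = self.credentials.get(username)
        if password is None or not hmac.compare_digest(
                password_digest(nonce, created, password), pw_el.text or ""):
            raise ValueError("invalid credentials")
        self.seen_nonces.add(nonce)   # record only after a successful check
        return username

def demo():
    """Accept a fresh token, then reject a replay, a stale token and a bad password."""
    body = "<ReserveSeat flight='IW42'/>"   # constructed payload
    verifier = Verifier({"agent42": "correct horse"})   # constructed credential store
    good = build_envelope("agent42", "correct horse", body,
                          nonce=b"0123456789abcdef", created="2002-04-05T12:00:00Z")
    stale = build_envelope("agent42", "correct horse", body, created="2002-04-05T12:00:00Z")
    bad = build_envelope("agent42", "wrong", body, created="2002-04-05T12:00:00Z")
    results = {"fresh": verifier.verify(good, now="2002-04-05T12:01:00Z")}
    for label, env, now in [("replay", good, "2002-04-05T12:01:30Z"),
                            ("stale", stale, "2002-04-05T13:00:00Z"),
                            ("bad_password", bad, "2002-04-05T12:01:00Z")]:
        try:
            results[label] = verifier.verify(env, now=now)
        except ValueError as exc:
            results[label] = str(exc)
    return results

if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the first token accepted as `agent42` and the three others refused with the reason. Note what this does and does not buy you: the UsernameToken authenticates the sender to the receiver, but it says nothing about the body, so an intermediary that “peeks” at the packet still sees the reservation in clear and could alter it; protecting that requires the XML Signature and XML Encryption parts of the framework, which this example deliberately leaves out.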