OASIS Security Standards Bolster Web Services
OASIS Web services security standards may bolster adoption of technology outside of corporate middleware.
A pair of recently ratified OASIS security standards should help developers push Web services out from behind the enterprise firewall, but widespread adoption of the new protocols will likely take years, experts say.
Web services have been around for some years now but have seen limited use outside corporate middleware, analysts say, due to concerns over performance and security.
The latest Web services standards include WS-Trust 1.3, which helps ensure that security credentials exchanged over the Internet are legitimate, and WS-SecureConversation 1.3, which makes it possible to trade messages back and forth in a secure session without having to take the performance-slowing step of authenticating each one individually.
"I do think the standards will help further adoption of Web services, because they allow a greater degree of flexibility in how you can secure your Web services," says Microsoft Technical Diplomat Marc Goodner, who represents Redmond on standards bodies.
Gartner Inc. analysts Earl Perkins and Ray Wagner voiced an even more optimistic outlook in late March, a few days after the OASIS ratifications, concluding in a research bulletin that "the availability of these new standards means that Web services security has finally reached an acceptable maturity level."
But Forrester Research Inc. analyst Randy Heffner cautions that, while the standards represent "important progress," the broad adoption and accumulation of accepted best practices necessary for true standardization will take years to achieve. Forrester's latest surveys show roughly a third of vendors reported they plan to support WS-SecureConversation in some form, while about half said they plan to support WS-Trust.
Microsoft, which worked on the specifications along with IBM Corp. and Sun Microsystems Inc., shipped an early implementation of the standards in the Visual Studio "Orcas" community technology preview for March, Goodner says.
Burton Group analyst Anne Thomas Manes says she knows of only one outside implementation of the two new standards so far: a Case Western Reserve University hospital app that aggregates federally protected medical data from operating room equipment over a network. Most current Web services and service-oriented architecture (SOA) implementations are secured, if at all, via HTTP and SSL, Manes says.
"That's fine as long as you're doing point-to-point connections. Most people are not doing particularly complex interactions at this point," Manes says. "When they start doing true service orientation in which you've got a service used in many different systems, not just point to point, I think you'll find [the new standards] being used."
She also expects Web services standards adoption to be driven in part by Windows Communication Foundation, the new cross-network communications subsystem set out in .NET Framework 3.0. "Windows Communication Foundation actually uses SecureConversation by default," Manes notes.