Web Services: Security The Main Obstacle To Widespread Adoption

The term "Web service" was coined only three years ago, according to Celent Communications Inc. And, already, U.S. insurers are spending roughly $78 million, or 5% of their integration dollars, on Web services-related initiatives (see "Web Services Spending By Insurers," page 14). What's more, by 2006, more than 40% of insurers' new systems integration spending will involve Web services, the Boston-based research and advisory firm predicts.

Indeed, Web services promise to greatly simplify application integration, and thereby significantly reduce costs associated with integration. But the main obstacle to companies fully embracing the technology has been security.

Based on open, standard protocols, primarily XML, Web services expose an application or data on one computer to requests from other applications on other computers, without using proprietary interface languages.

That's good for insurers wishing to efficiently enable employees, agents, customers and business partners to access their applications or data. But it also exposes those companies to new security risks.

Each Web service application interface may have hundreds of operations that can be accessed, providing hackers with new and harder-to-detect ways of compromising systems, according to Layer 7, a Vancouver-based Web services security firm.

"All the tools are out there today to develop and deploy Web services," says Toufic Boubez, chief technology officer at Layer 7. "The promise has been fulfilled from that point of view."

But the tools available don't provide an easy way to secure Web services, he says. "Rather, it involves programmers building a lot of security into the service itself."

An abstraction layer

Recently, however, vendors have begun to emerge with products specifically designed to secure Web services. And, many of those vendors are providing solutions that enable IT developers to separate Web services security from the Web services themselves.

"To try to 'bake' security into your Web services application creates a lot of overhead: in doing it, testing it, changing it, and managing it," according to Joelle Kaufman, director of marketing at Reactivity Inc., a Belmont, Calif.-based Web services security firm.

"That's really not acceptable for any large corporation," she says.

Companies need a logical place to establish security policies: a security abstraction layer that provides multiple levels of authentication, authorization and encryption, according to Forrester Research Inc., a Cambridge, Mass.-based research and advisory firm.

"Any good IT architect will tell you, 'You want your business logic developed independently from any security or policy,'" says Layer 7's Boubez, formerly chief Web services architect at IBM Corp., Armonk, N.Y.

"You want to decouple the two because you want to make that (Web service) available to different groups under different (security) policies."

For example, he explains, if an insurer wants to make an internal application available to a group of brokers inside the organization, security may be less stringent because the brokers are inside the corporate firewall on the company's local area network.

But if the insurer wants to make that same service accessible to an outside business partner, security should be tighter, he says. "You may want to provide access over https or secure socket layer," he says. "And you may want those users to present credentials that are in a common LDAP (lightweight directory access protocol) directory."

Furthermore, he adds, if that same insurer wants to make that same application available to customers, who are accessing it from outside the firewall, yet another level of security may be required.
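The three-tier arrangement Boubez describes (internal brokers, outside partners over HTTPS with directory credentials, customers with a further level) can be expressed as a policy layer that sits in front of the business logic rather than inside it. The following is an added illustration, not code from the article or from any vendor's product; the audience names, policy fields, network prefix and sample requests are all constructed for the example.

```python
"""Policy gateway that keeps security policy out of the business logic.
Added illustration; audiences, fields and sample values are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    audience: str            # which policy applies: internal, partner, customer
    source_ip: str           # where the call came from
    transport: str           # "http" or "https"
    credential_type: str     # "none", "ldap" or "customer_account"
    credential_valid: bool   # outcome of credential verification (stubbed here)


@dataclass(frozen=True)
class Policy:
    require_tls: bool
    accepted_credentials: frozenset
    allowed_prefixes: tuple = ()   # empty tuple means any source network


# Policies are data an administrator edits; the service code never sees them.
# "10." stands in for the corporate LAN in this constructed example.
POLICIES = {
    "internal": Policy(False, frozenset({"none", "ldap"}), ("10.",)),
    "partner":  Policy(True,  frozenset({"ldap"})),
    "customer": Policy(True,  frozenset({"customer_account"})),
}


def evaluate(req: Request) -> tuple:
    """Return (allowed, reason) for a request under its audience's policy."""
    policy = POLICIES.get(req.audience)
    if policy is None:
        return False, "unknown audience"
    if policy.allowed_prefixes and not req.source_ip.startswith(policy.allowed_prefixes):
        return False, "source network not allowed for this audience"
    if policy.require_tls and req.transport != "https":
        return False, "TLS required"
    if req.credential_type not in policy.accepted_credentials:
        return False, "credential type not accepted"
    if req.credential_type != "none" and not req.credential_valid:
        return False, "credential rejected"
    return True, "ok"


def quote_service(policy_number: str) -> str:
    """Business logic: contains no security code at all."""
    return f"quote for {policy_number}: $1,200/yr"


def gateway(req: Request, policy_number: str) -> str:
    """Enforce policy first, then hand the call to the unchanged service."""
    allowed, reason = evaluate(req)
    return quote_service(policy_number) if allowed else f"DENIED: {reason}"
```

Exposing the same service to a new group then means adding a `POLICIES` entry, not touching `quote_service`.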

The early stages

Currently, Web services security falls into three layers of functionality, according to Netegrity Inc., a Waltham, Mass.-based security software solution provider.

In a white paper that describes a logical architecture model for Web services security, Netegrity identifies those layers as protection and threat prevention, identity and access management, and business policy enforcement.

"Vendors are beginning to offer products that fulfill the niche for Web services security, and they're all vying for competitive advantage right now," says Ronald Schmelzer, senior analyst at ZapThink, a Waltham, Mass.-based market intelligence firm specializing in Web services. "They're all in the very early stages. We'll learn a lot in the next two years about how to really do this right," he says.

Layer 7 recently introduced a security and policy coordination technology for Web services. According to Layer 7, its SecureSpan Solution enables organizations to manage and coordinate security and connection policies, without the need for programming, on both the Web services provider side and the user side.

"If you're rolling out a new application across organizational boundaries, across departmental boundaries, you don't want your developers spending time on security," says Layer 7's Boubez.

"If you can make that an administrative function, on both sides of the equation, you save a lot of time and you have greater confidence that your security is air-tight," he says.

Forum Systems Inc. also recently released a Web services security product, a PGP XML gateway called Presidio. Based on a technology called "open PGP," Presidio enables firms to consolidate their PGP licenses, says Wes Swenson, CEO of the Salt Lake City, Utah-based firm, which is working with Springfield, Mass.-based MassMutual.

PGP (Pretty Good Privacy) is a common encryption technique to protect messages on the Internet, and Presidio provides a migration path to XML Web services security, says Swenson.

"We've made more than 850 customer calls in the last two years," Swenson adds. "Every company is in some stage of XML adoption. Web services security is an oncoming problem."

Overall, the total U.S. Web services security market will reach $4.4 billion by 2006, according to ZapThink. "Analysts' predictions are probably a little aggressive," says Reactivity's Kaufman, whose firm offers an XML firewall. "But there's definitely a need. Quite simply, to do Web services without Web services security is almost irresponsible," she says.
