When IT decision makers are asked what is stopping them implementing web services, security concerns are usually near the top of the list. With no fewer than four vendors releasing web services security solutions last week, that worry may at last begin to fade.
The products released represent different facets of web services security that need addressing before enterprise adoption can begin in earnest. Web services management specialists Digital Evolution and Oblix have both upgraded their existing platforms to include identity management – the essential task of ensuring that people at the other end of a web services transaction are who they say they are, and that these people get the permissions and accesses they need.
Security specialists RSA, in contrast, has come from the other direction to include web services management in its identity management platform. A fourth supplier, Reactivity, a developer of XML security hardware, has produced a range of products for web services security and management under a "Secure Deployment System" banner.
Web services was initially mooted as a way of integrating processes across the Internet as well as internally. But many potential users were put off by the lack of security in the base standards.
Although some organisations chose to implement their own security methods to compensate for the shortfalls in the technology, many decided to hold off from external web services deployments until vendors developed a native web services security standard. Just such a standard emerged in April from industry body Oasis and vendors are rushing to integrate support for WS-Security into their products as quickly as they can.
So far, however, the vendors who have come to market first have been smaller players – including those who released products last week. The bigger companies, such as IBM or Microsoft, whose participation might reassure enterprises that the standard is strong enough for deployment, are still some way off adapting their products to include WS-Security.
More importantly for an integration technology, interoperability testing of different vendors' implementations is just as far away.
Nevertheless, Forrester research analyst Randy Heffner recommends examining the web services security solutions now available. "XML security gateway vendors are showing their creativity in the breadth of features and functions that they are integrating," says Heffner. "This gives the customer the opportunity to find a product that closely matches the specific requirements of the environment and applications."
Early adopters should keep one eye firmly on their exit strategy, though. Heffner recommends looking at products that will pay for themselves within a year, since the market will change significantly within the next two to three years as mainstream security vendors begin to integrate web services security into their platforms.
As these first standards-based products reach the market, the first signs of a future for web services beyond the firewall are beginning to appear. When the big players produce their own implementations, the real rush will begin.