Web services adoption forges ahead

Web services adoption forges ahead

Last year, major vendors started embracing Web services in a big way

Last year, major vendors started embracing Web services in a big way. Various experts also predicted major trends and developments for Web services. BEA Systems Inc., for example, expects an accelerated uptake of Web services this year. BEA foresees new and enlarged projects by early adopters who have had success with their initial internally focused projects and now want to extend the benefits to larger internal user pools and business partners, according to Hui Yoke Leng, regional marketing manager, BEA systems.

In addition, mainstream adoption will be driven by factors such as the increased awareness of the benefits, the distributed and rapidly changing demands of e-business, application integration efforts driven by the need for more streamlined business processes, and the increased collaboration both within and outside of the enterprise, said Hui.

But, due consideration will have to be applied to security. Ray Wagner, research director at Gartner Inc. predicted that the Web services standards battles would start to heat up.

Wagner said that, so far, the major players and competitors in the Web services market have shown a willingness to cooperate in developing security standards. This is because they recognize that Web services will not gain broad acceptance without adequate mechanisms to protect the privacy, confidentiality and integrity of transactions.

However, he expects that as the industry's attention turns to federated identity such as the Liberty Alliance and Microsoft Passport as well as emergence of more complex extensions to the Web Services Security (WS-Security) specification, the standards battles will get significantly more contentious.

As it is, cooperation in Web services standards among vendors are showing strains, especially with complex high value Web services deployment that involve security. There are concerns that there might be fragmentation in certain Web services standards such as through different implementations for Liberty Alliance and MS Passport supporters.

A number of developments address this issue, most notably the WS-Security specifications. WS-Security will evolve over time. IBM is taking steps to assure that security is not an impediment in the long-term adoption of Web services, said Justin Martin, sales leader, WebSphere Foundation and Tools, IBM Asia Pacific. WS-Security enjoys wide support throughout the industry, and was authored by IBM in conjunction with VeriSign and Microsoft.

Web services, by itself, is not a brand new concept that emerged recently. The concept of Web services is the logical evolution through the distillation of knowledge and experience gained from years of working with distributed technologies. Web services will allow organizations to share information stored in their computer applications with other applications in the company and with external organizations. Take CORBA (common object request broker) as an example. However, the lack of support from vendors relegated CORBA to the few that needed distributed computing. It is believed that standardization and support from vendors will save Web services technology from the fate of CORBA.

With plenty of basic Web services standards being ratified by various organizations such as the Organization for the Advancement of Structured Information Standards (OASIS), other standards are set to emerge in 2003. According to IBM's Martin, IBM's focus will be to try to incorporate these standards, including BPEL4WS, WS-Security, WSDL, SOAP and UDDI.

"The three standards bodies have been working together to create protocols and architecture guides for managing Web services," added Hui from BEA. "Work is under way to align the architecture work of the World Wide Web Consortium (W3C), OASIS and the Common Information Model developed by the Distributed Management Task Force (DMTF)."

OASIS hopes to have a concrete protocol on the table by mid-2003; the architecture guidelines from the W3C's Management Task Force are expected to be ready at about the same time. "But BEA's view is enterprises should not wait for the standards to be finalized before embarking on Web services projects," said Hui. "It's best to go in now."

"Late last year, BEA and five other industry players published a set of six advanced Web services specifications that make it easier to apply business policy and implement security for a wider range of applications," said Hui from BEA.

"Using accepted standards and specifications around SOAP, security, transactions and discovery," added Hui. "The new specifications cover trust relationships, exchange of multiple messages, security policies, communication of requirements and capabilities by senders and receivers of Web services, attachment of requirement and capability statements to Web services, and general policies affiliated with a service."

Together, the new specifications provide a framework that is not just extensible and flexible but maximizes existing Web services infrastructure investments as well. The specifications are now under public review and comment, after which they will be revised as appropriate and submitted to a standards body.

Wagner from Gartner believes that Web services technology will be extremely appealing to developers who are trying to solve application integration and communication issues. Web services also represents powerful tools for the development of new business models that leverage intra-enterprise coordination.

He believes that developers will recognize the technology's possibilities and rush to use Web services to solve tactical problems and implement strategic plans. Problem is that the developers will often implement without giving adequate consideration to security or efficiency concerns. Given this tendency, as well as the likelihood that most new enterprise software will include Web services interfaces, he believes that line-of-business and IT managers and policymakers will find themselves trying to "catch up" with Web services use within their organizations.

Furthermore, he believes that enterprises that are trying to understand Web services and approach their deployments conservatively will be likely to discover that Web services have been deployed by internal organizations and departments wanting expedient solutions to specific operational business problems. Wagner fears that many of these "quick and dirty" deployments will have significant security flaws or will ignore security concerns altogether.

Wagner predicted that by the second half of 2004, 40 percent of Global 2000 enterprises will have unauthorized, undocumented and unmonitored Web services connections that extend beyond their perimeters. He believes that the sooner enterprises move to understand Web services technology, and establish monitoring and control policies for its use within and across their perimeters, the better off and less vulnerable they will be.

Discussions with IT managers had already shown that Wagner's predictions are valid, as many internal staff and developers are keen to develop Web services in-house to solve complex problems. However, the rush to fulfill present needs could lead to a tangled unarchitected Web services in-house that could inevitably leak Web services connectors beyond the organization's perimeters causing security concerns.

Martin from IBM believes that the first challenge when developing Web services in-house is clearly skills. "Most companies are unlikely to have proven Web services technicians in their offices today," said Martin. "In this regard, IBM has a seasoned bunch of service practitioners who have worked with many companies."

"Second, if the company wishes to use Web services over the Internet to connect to partners and suppliers, they are challenged to find partners and suppliers who are also Web service-enabled," said Martin.

"Simply, it takes two to tango, and companies need to find their dance partners. In this regard, IBM is hosting a public UDDI (universal description discovery and integration) registry to make it easier to find people with Web service implementations."

However, with regards to the public UDDI registry, there are many discussions about its viability in its present form.

Virtually anyone can register their Web services on the registry without any proof or need to show that their Web services are actually running, much less functioning, as advertised.

Companies that wish to use any public Web services that are listed on the public UDDI registry will need to work closely with the other parties to come up with technical specifications as well as having air-tight legal binding documents before using any publicly listed Web services.

It is not plug-and-play by any stretch of imagination. During the recent XML conference in Baltimore, some participants suggested that 2003 would be the year that will make or break UDDI.

However, Martin from IBM disagrees. "UDDI is an evolving specification that continues to add function. Consequently, it is unlikely that 2003 will be the final determinant of UDDI's success," he said. "The vast majority of companies are still in the early stages of their Web services deployments, and as such, have yet to fully explore the benefits of UDDI. Ultimately, the benefits of UDDI will make it a very compelling technology for firms using Web services."

Wagner believes that the business case for Web services is compelling, but that most enterprises will be conservative and will maintain independence from these technologies in mission-critical applications until the technologies generally are perceived as reliable.

Furthermore, complex, multi-participant Web services will require large-scale commitments of resources to security mechanisms, including PKI (public key infrastructure). However, this does not translate into a huge acceptance and implementation of PKI.

Wagner's advice to enterprises that have not yet adopted PKI, is that they should not do so in the near future unless they have compelling applications that require key management. He believes that enterprises that could not justify the expense of deploying PKI in 1999 likely will not be able to justify similar expenditures for security for complex Web services deployments in 2003, especially in current market conditions.

As such, he believes that complex, high-value Web services deployments will be rare. The high-level trust issues that have plagued the PKI industry also obscure the path to full realization of Web services benefits. Enterprises will consider only internal or low-value external Web services deployments in the near term. He believes that most enterprises will consider simple, low-value Web services first.

They will seek simpler, less costly security mechanisms in the short term. Higher-value transactions based on connections with known business partners are unlikely for most enterprises this year.

For those enterprises that are buying Web services security platforms due to compelling needs, Wagner's advice is that they should insist that they be able to fully leverage the power of standard SSL (secure sockets layer) server certificates. Not only for channel encryption, but also for two-way authentication and digital signing of transactions. Enterprises that are considering heavy use of Web services technologies should prepare to invest in SSL acceleration or concentration mechanisms.

Overall, enterprises should proceed carefully and deliberately in deploying Web services technology. -- Computerworld Singapore

Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Show Comments