The Downside Of Web Services: Security Risks

By Maria Trombly | Securities Industry News | Dec. 23, 2002

As Web services proliferate across Wall Street, new security vulnerabilities will also appear, experts warn. The first and most obvious concern is the lack of common security and transaction standards. "Because of the stage of maturation of the security standards, you have to be very selective about how you use Web services outside of the enterprise," said Merrill Lynch CTO John McKinley. Merrill Lynch has been on the leading edge this past year in deploying Web services in the enterprise, and has joined the Web Services Interoperability Organization, an industry group, in order to bring a Wall Street user perspective to standards development.

But Web services also pose additional systemic risks in that they add to the number of protocols in use and promise to sharply increase the number of applications exposed to outside users. Both issues will probably add to the workloads of security managers, and, especially at the beginning, there are likely to be mistakes and wrong turns.

One thing that firms should watch out for, particularly in the financial services, is that XML is readable by humans.

Previous protocols were created to pass the most amount of information in the least amount of space, making them hard to decipher. But XML data streams are the next best thing to plain English when it comes to moving data around. That means that firms have to be extra careful with encrypting their Web services, even within the corporate firewall, because not everyone on a company's network can be trusted with sensitive data.

"You don't want to be passing around clear text with account numbers over Web services," said Nelson Carbonell, president and CEO at Reston, Va.-based Cysive, which uses a Web services platform to enable Wall Street clients to let end customers access their accounts over multiple channels.

But encrypting all XML data creates another problem-XML is already bulky and slow compared to previous data standards. Taking the time for encryption slows down traffic even further.

There are ways to optimize Web services performance and maintain security, however.

"I don't see the big players that we're dealing with committing this clear text problem," said Carbonell.

Web services are designed to expose applications to the outside world. That outside world can be as near as the next office over, or as far away as a business partner on the other side of the planet. This exposure by itself carries an additional security risk.

"The threat model is changing," said Kevin Soo Hoo, senior security architect at Cambridge, Mass.-based @stake, a security consulting firm. "If you trace enterprise applications form the beginning, they assume that security is taken care of by someone else, because they're deployed inside the enterprise. But the perimeter is dissolving, and, with it, some assumptions that were made about security are no longer valid."

In addition, he said, new third-party Web services applications, many recently written by start-ups, may not be as secure as promised, he said.

"Financial firms have to make sure they've checked the programs themselves as well as the processes involved in writing them," he said.

Another, more specific technology concern is that if Web services messages carried on top of regular Internet traffic are allowed to pass through the firewall, then malicious Web services instructions can pass through as well.

"If you just encapsulated Soap [Simple Object Access Protocol, a core Web services building block] inside HTTP and didn't update the firewalls and content filters, then its possible that people would pass bad stuff through," said Bob Blakley, chief scientist for security and privacy at IBM.

Similarly, the increase in the number of protocols that security managers have to keep track of will add headaches.

"Complexity is the enemy of security generally," he said. "If you run lots and lots of protocols on lots of different servers using lots of different operating systems, then it's going to be a complicated problem trying to figure out if it's all secure." But he added that there was no need to be alarmist when it comes to Wall Street firms and their security.

"The industry is not foolish," he said. "Whenever you implement a new protocol you have to make your security infrastructure aware of your new protocol."

Web services also pose another security risk in that they share with other kinds of application initiatives.

"Whenever you're doing application integration, there are always security issues," said Bill Stangel, enterprise architect at Fidelity Investments Systems Co. "Web services is basically a protocol or a technology to interface to applications [with] the same problems you have with any integration project."

A similar Web services security vulnerability parallels that posed by Wi-Fi wireless access points: they're quick, cheap and easy to set up and access but harder to manage.

"Web services and Wi-Fi are very similar in the ways that they're being adopted," said Sam Boonin, vice president of marketing at San Francisco-based Blue Titan Software, an enterprise Web services networking software provider. "They're bottom-up adoptions. Just like any guy can buy a wireless access point and hang it off a router, so you can get one of the 50 or 75 tools out there for creating Web services and expose functionality. It's very similar."

And both are difficult to root out, he added. Finally, even if a company does everything right, there is still a learning curve when it comes to deploying Web services security measures.

"The security models for the technology are somewhat new," said IBM's Blakley. "The security implementations are new and haven't had a chance to be examined by the usual market process, which weeds out bugs, and people are going to take awhile to get used to how to install these things, how to configure them, how to operate them. And while they're getting used to it, they're going to make normal human mistakes and they're going to cause some security vulnerabilities."

This isn't special to Web services, he added. "It happens with every new technology that gets introduced."

And there's no way to avoid this shakeout period, he said.

Firms can minimize their risks, however, by following established processes that include graduated rollouts with new risk assessments at each phase.

"This is not sexy stuff," he said. "People love to talk about quantum cryptography and neural networks. I'm talking about good boring operational discipline. But that's what good security is about."