Foreword


Many people have asked whether Web Services is an evolutionary or revolutionary technology. From my perspective, it is both. One of the core specifications used in creating Web Services is SOAP. The authors of Web Services Security describe both RPC-based (Remote Procedure Call) SOAP and Document-based (messaging) SOAP. Both of these techniques have been in use in the Information Technology industry for at least 25 years.

So SOAP-based Web Services can be considered an evolutionary technology. There is nothing new about programmers writing applications where one software module makes an RPC request to another module, either within the same system, over a Local Area Network (LAN), or even over a Wide Area Network (WAN). What enabled companies to deploy distributed data-exchange applications over the past 25 years was their ability to rely on a seamless security structure as long as they implemented their distributed applications using the same hardware and software architecture (e.g., IBM’s SNA or DEC’s DECnet). In a similar manner, companies have been exchanging document-based messages in application-to-application environments over WANs for more than 25 years. This has been done using Electronic Data Interchange (EDI) standards. While EDI did free the sending and receiving parties from having to use the same hardware/software architecture, they usually had to subscribe to the same Value Added Network (VAN) service provider, who provided the end-to-end security necessary to be sure that these transactional “documents” arrived securely. These VAN operators provided the “reliable messaging” infrastructure that enabled electronic commerce to take hold—at least between large enterprises.

The revolutionary nature of the Web Services technology is that companies can now create and deploy distributed applications without regard to the hardware platform, operating system, programming language, or network topology of either party wishing to communicate with the chosen Web Service application. What’s missing in the current core set of Web Services specifications is a unifying set of security standards. IT industry professionals have spent over 25 years developing methods for enabling secure communication between applications in a distributed WAN environment. Quite naturally, companies expect that their use of Web Services to deploy applications over the Internet will also have to provide a strong foundation for security.

Web Services Security does an excellent job of explaining the need for security in the emerging Web Services environment and clearly describes the various security standards that are being developed to meet the needs for deployment of “secure” Web Services. Many of the security standards that are needed for deployment of Web Services are being developed within the open environment provided by not-for-profit, global organizations such as the World Wide Web Consortium (W3C) and OASIS (Organization for the Advancement of Structured Information Standards).

The author points out, “At this stage, it should be obvious that the prospect of software from different companies communicating together, while powerful, is fraught with security concerns. In fact, without a convincing security model, the Web Services framework we’ve outlined would be next to useless.”

The authors provide clear analogies to help the reader understand the concepts needed to understand Web Services Security, like the type of security needed for information that is in transit—“However, when it is in transit, a more appropriate analogy may be that of an armed escort who accompanies the information to make certain that it arrives intact at its destination. The escort ensures not only that the data is protected, but that it travels intact from the sender to the recipient. This ensures that not only the data is secure, but the process is secure also.”

An understanding of Web Services Security cannot be achieved by looking at the latest security standards for Web Services alone. So here the reader is provided with a rich set of examples to demonstrate the inter-relationships between the new Web Services Security techniques and the foundational security standards that have existed for a number of years, such as Public Key Infrastructure (PKI), Digital Certificates, and Digital Signatures.

An important aspect of this book is the timeliness of the topic. It is very difficult for a book, which is a snapshot of information at a particular point in time, to be written about technology standards that are still under development. This author provides such sound and practical knowledge of these emerging standards that the information will remain relevant as the standards for Web Services Security emerge from the standards development organizations and begin the process of achieving widespread adoption. It is only through the author’s actual participation in the security standards process that he is able to bring to the reader a firm grasp of the fundamental aspects of these standards, aspects that are unlikely to change dramatically in the next few years. As new advances are made in the security arena, this book will serve for many years as an important foundational work describing these security standards for Web Services, upon which other standards will likely be based.

An added bonus for readers of this book is the work presented in Part IV. Here the author provides an effective view of how security principles in general, and Web Services Security in particular, can be used with other major standards that are considered an important part of enterprise Web Services. These include Liberty Alliance, UDDI, and ebXML. Here he provides an excellent explanation of the security principles and security standards described in detail in the earlier chapters and either incorporated within these other standards, or of how the implementation of these standards can be accomplished in conjunction with the Web Services Security specifications. For example, he begins his description of security with respect to ebXML thusly: “The good news from a security aspect is that ebXML was conceived and designed from the ground up with security in mind, in contrast to other protocols or standards where security was never considered at all at the design stage.”

Another added bonus is the author’s practical view towards the topic of security summed up in these questions, “We need to ask ourselves: ‘If security is the answer, then exactly what is the question?’ The question is unequivocal: What sort of security is needed to ensure that you can contract [do business] online?”

I highly recommend this book on Web Services Security that covers the broad background necessary for this topic, delves into sufficient detail to provide an education just short of reading the specifications themselves, and then rounds it out by providing practical examples of the environment wherein these specifications and standards are expected to be deployed.

Patrick J. Gannon
President & CEO
OASIS Open
<Patrick.gannon@oasis-open.org>

Web Services Security
ISBN: 0072224711
Year: 2003
Pages: 105
Author: Mark O'Neill