IFSEC Insider, formerly IFSEC Global, is the leading online community and news platform for security and fire safety professionals.
August 31, 2002

Is security the real issue?

Fear about security has always been a barrier to the adoption of new technologies, and web services is really no different.
In technical terms, at least, web services presents no greater security threat than any other web-based application. Eventually, it will permit the free flow of data traffic across an unbounded network, but initial deployments will be internal rather than external.
Over time, companies will be able to offer packaged applications across the Internet, effectively outsourcing different parts of an application to specialists in each field.
An application looking to perform a specific function would access an Internet-based registry to find organisations that provide the functionality as a web service. That said, the more complex the application becomes, the harder it is to track how those services are being sourced – and by whom.
This raises several questions. How do you know which machine your system is communicating with at any one time? How do you know that all parties in the chain boast adequate security?

As with any outsourced function, a clear understanding of where the responsibilities lie has to be laid down in a Service Level Agreement between customer and supplier. In a similar way to the ASP model, the supplier has control over the company’s data and the process under which it is accessed, and therefore carries the responsibility.
The main danger with web services lies in the multiplication of risk by combining web applications alongside what is effectively an outsourced model – while at the same time using public-facing servers. The odds of a hacking incident occurring are considerably increased over an in-house application.
In terms of protecting these public-facing servers and applications, the very best efforts must be made to safeguard data at source. Maximum intrusion prevention will need to be deployed. Messages passed between co-operating processes are also at risk of attack and must be protected.
Accepted practice will be to safeguard messages written in XML by sending them over secure HTTP. However, this does not resolve the issue of protecting the application itself, as well as the data. Any hacker worth his or her salt attacks at the core, often hiding code within secure HTTP.
The importance of comprehensive server protection cannot be overstated – in particular during a time when web services is in its infancy. Let’s not forget that, as far as web services is concerned, a recent survey by Compuware highlighted that three-quarters of IT and security managers cite security as the biggest barrier to its adoption.
