Reaching out online
Fed move to Web services creates efficiencies, vulnerabilities
- By Joab Jackson
- Oct 30, 2002
Jeremy Epstein, director of product security for WebMethods Inc., said one of the things the company learned is to build Web services on a secure platform, such as Java.
Last month, the White House officially put government agencies on the path to using Web services, a collection of emerging Web-based open standards for sharing computer programs online. During an interagency conference, e-gov czar Mark Forman told federal information technology leaders that he views Web services as a crucial component for extending government systems to citizens, businesses and agencies, particularly with the 24 e-gov initiatives the Office of Management and Budget identified last year to improve government services.

Web services are "the revolution in the IT industry [in which] we need to be in the forefront," said Forman, OMB's associate director for IT and e-government.

Although federal agencies have long been speaking about putting services online, only recently have tools come into use that allow them to go online cheaply and on a widespread scale. Proprietary software exists for putting applications on a network, but it tends to be expensive and written for only a limited range of programs. However, over the past few years, members of industry, government and academia have been drafting what they hope will be a universal set of standards for placing most software services online. Collected under the title "Web services," protocols such as the Simple Object Access Protocol, or SOAP, and extensible markup language, XML, allow computer programs to be accessed by people or other programs over the Internet as easily as Web pages of text are today. For agencies looking to share services and offer them to people and businesses nationwide, Web services hold a lot of promise, said Forman, who is leading OMB's effort to get more government services online.

But just as the collection of Web services standards will open the door for agencies to conduct transactions with citizens, businesses and each other, that proverbial door is also wide open for hackers, according to industry officials and security experts.
Web services will "open up a whole new avenue for security vulnerabilities," said encryption expert Bruce Schneier, founder and chief technology officer of Counterpane Internet Security Inc., Cupertino, Calif. Government integrators embarking on Web service projects now may face considerable obstacles in security. While some security solutions are offered by vendors, gaping holes remain, and Web service standards are still being hammered out. "The same security issues that happened in the early days of the Internet, we are seeing in the Web services world as well," said Yuval Ben-Itzhak, chief technology officer for the Web application security provider KaVaDo Inc., New York. In October, KaVaDo released a module for its security package that covers messages sent by SOAP. "Typical administrators are not aware of the power of Web services, so they keep them on the server. And this is the dream of the hackers who will use them to take control of the applications," Ben-Itzhak said.
Ben-Itzhak explained how this can happen. The chief advantage of using SOAP is that the administrator doesn't have to open new ports in the firewall in order to send commands between systems on different networks. SOAP eliminates the need to open new ports by sending its commands through the port already opened for Web traffic -- a port open on almost every enterprisewide firewall, Ben-Itzhak said. But the open port also allows a clear path for hackers to send malicious SOAP orders behind a firewall.

Although there are standards committees hammering out rules to address Web services security, they are not finalized, industry officials said. However, they may be arriving quickly. Work is under way on standards for XML Signature, XML Encryption and Web Services Security, and they may take less time than usual to be ratified, said Eve Maler, senior extensible markup language standards architect for Sun Microsystems Inc., Palo Alto, Calif. She also is a former chair of the security assertion markup language specification of the Organization for the Advancement of Structured Information Standards.

Still, as of late 2002, most basic standards are not yet finalized.

"We're probably not going to see new standards until the middle of next year," said Don LeClair, vice president in the office of the chief technical officer for Computer Associates International Inc., Islandia, N.Y. His company just released software that allows developers to make Web services from mainframe applications. It also is working on a Web services module for its eTrust intrusion detection software. Even when the basic standards are in place, those for more sophisticated transactions, such as user authentication, still need to be drafted.

Security solutions provider Entrust Inc., Addison, Texas, has been working on standards that allow developers to specify the encryption levels needed to pass messages between systems as well as to record the time transactions take place.
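The exposure Ben-Itzhak describes is that every SOAP call rides the Web port, so the ordinary firewall passes it and the only place left to decide which calls are acceptable is an XML-aware checkpoint in front of the application server. The following is an added example written for this page, not code from KaVaDo, Entrust or any other vendor quoted in the article. The SOAP 1.1 envelope namespace is the real published value; the operation allowlist, the `urn:example:records` namespace, the `inspect_soap_request` function and the three sample requests are constructed for illustration.

```python
import re
from typing import Dict, Optional, Tuple
import xml.etree.ElementTree as ET

# SOAP 1.1 envelope namespace (a real, published value).
SOAP_ENV_NS = "http://schemas.xmlsoap.org/soap/envelope/"
MAX_BODY_BYTES = 64 * 1024

# Constructed allowlist: the only operations this gateway publishes to outside
# callers, keyed by (namespace, element name) and mapped to the SOAPAction value
# callers must send. Anything else deployed on the server stays unreachable
# through the Web port, which is the "keep them on the server" problem Ben-Itzhak
# describes.
ALLOWED_OPERATIONS: Dict[Tuple[str, str], str] = {
    ("urn:example:records", "LookupRecord"): "urn:example:records#LookupRecord",
}

# Coarse pre-parse check: a SOAP request never needs a DTD, and DTDs are the
# vehicle for entity-expansion and external-entity abuse of XML parsers.
_DTD_RE = re.compile(rb"<!DOCTYPE|<!ENTITY", re.IGNORECASE)
_QNAME_RE = re.compile(r"\{(.*)\}(.*)")


def inspect_soap_request(raw: bytes, soap_action: Optional[str] = None) -> Tuple[bool, str]:
    """Return (forward?, reason) for one HTTP POST body arriving on the Web port."""
    if len(raw) > MAX_BODY_BYTES:
        return False, "body exceeds size limit"
    if _DTD_RE.search(raw):
        return False, "DTD or entity declaration not accepted"
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        return False, f"malformed XML: {exc}"
    if root.tag != f"{{{SOAP_ENV_NS}}}Envelope":
        return False, "root element is not a SOAP 1.1 Envelope"
    body = root.find(f"{{{SOAP_ENV_NS}}}Body")
    if body is None:
        return False, "Envelope has no Body"
    operations = list(body)
    if len(operations) != 1:
        return False, "expected exactly one operation element in Body"
    match = _QNAME_RE.fullmatch(operations[0].tag)
    if match is None:
        return False, "operation element is not namespace-qualified"
    key = (match.group(1), match.group(2))
    if key not in ALLOWED_OPERATIONS:
        return False, f"operation {key[1]} is not published through this gateway"
    if soap_action is not None and soap_action.strip().strip('"') != ALLOWED_OPERATIONS[key]:
        return False, "SOAPAction header does not match the operation in Body"
    return True, f"forward {key[1]} to the application server"


# Constructed sample requests.
GOOD_REQUEST = b"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <rec:LookupRecord xmlns:rec="urn:example:records">
      <rec:caseId>SAMPLE-0001</rec:caseId>
    </rec:LookupRecord>
  </soap:Body>
</soap:Envelope>"""

# A call to an operation that exists on the server but was never published.
UNPUBLISHED_REQUEST = b"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <rec:PurgeRecords xmlns:rec="urn:example:records"/>
  </soap:Body>
</soap:Envelope>"""

# A request carrying a DTD, which a SOAP endpoint never needs.
DTD_REQUEST = b"""<?xml version="1.0"?>
<!DOCTYPE Envelope [<!ENTITY a "aaaa">]>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body><rec:LookupRecord xmlns:rec="urn:example:records">&a;</rec:LookupRecord></soap:Body>
</soap:Envelope>"""


if __name__ == "__main__":
    for label, req, action in [
        ("published operation", GOOD_REQUEST, "urn:example:records#LookupRecord"),
        ("unpublished operation", UNPUBLISHED_REQUEST, None),
        ("request with DTD", DTD_REQUEST, None),
        ("mismatched SOAPAction", GOOD_REQUEST, '"urn:example:records#PurgeRecords"'),
    ]:
        forward, reason = inspect_soap_request(req, action)
        print(f"{label:24s} -> {'FORWARD' if forward else 'DROP':7s} {reason}")
```

The check sits between the Web port and the application server and answers the question the ordinary packet firewall cannot: not "is this port 80?" but "is this one of the operations we meant to publish, in the namespace we published it under, with a SOAPAction that agrees with the body?" Every drop returns a reason so the gateway can log it. The DTD test is a byte-level pre-check rather than parser configuration; a production deployment would also use a hardened parser such as defusedxml and validate the body against the service's schema.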
"We're seeing suppliers and vendors asking for strong authorization and authentication," said Leah MacMillan, director of solutions marketing for Entrust.

In October, Entrust released a solution for secure transactions for Web services, known as the Entrust Secure Transaction Platform. Such a system can use digital certificates and passwords to verify which users can use which services. However, the solution doesn't solve the problem of wanton requests sent elsewhere in the system, MacMillan said. She said what is still needed are firewalls that specifically filter XML requests.

Which isn't to say an integrator can't address Web services security. Jeremy Epstein, director of product security for WebMethods Inc., Fairfax, Va., a pioneer in the Web services space, said one thing the company learned is to build Web services on a secure platform, such as Java, the programming language developed by Sun. Java limits the ill-intentioned actions its programs can take, because they are confined within a defined space in the computer's memory, called a Java Virtual Machine.

Another thing integrators can do is form strong partnerships with established vendors, Epstein said. When a security standard or other specification changes, a company that partners with a vendor specializing in those specifications will have an update much more quickly.

Even if the Web security standards are not finalized, the working drafts are available and can be useful, LeClair said. He has seen some vendors implement the draft specifications in their products and revise them later when the final draft is set.

Integrators also should keep in mind that projects limited to internal networks are easier to implement, because all the action happens behind the organization's firewalls, industry officials said. "In the most simple inter-enterprise cases, the requirements can be minimal," Maler said. Existing browsers, which use Secure Sockets Layer encryption, will work fine for these services.
Because users behind the firewall are trusted users, in most cases, the chance for damaging activity is minimized.

Federal IT leaders recognize these pitfalls in the fledgling state of Web security and expect agencies to adjust accordingly. "There are some Web services we may choose not to deploy because of the security risks, and that's fine," Forman said.

Staff Writer Joab Jackson can be reached at email@example.com.

Success story: Criminal Justice Data Center

For John Agsalud, president of Honolulu-based integrator ISDI Technologies Inc., the benefits of using a Web services approach are clear: It permitted an easy way to give a vast number of desktop computers access to a new state criminal records system.

As part of a $3 million contract awarded in 1999, ISDI built the Offender Based Transaction Statistics and Computerized Criminal History system for Hawaii's Attorney General. The system needed to aggregate information from other systems run by police departments, prosecutors, courts and federal agencies. The information on these systems would be available to more than 1,000 appropriate users through a wide variety of desktop computers.

With such a diverse set of systems to tie together, ISDI decided to go with Web services tools, a collection of emerging Web-based open standards for sharing computer programs online. Since most of the users would only be browsing data, a simple Web browser running on any computer would suffice. "You don't have to worry about placing software on the client desktop," Agsalud said. Such simplification drastically reduces the need for tech support to help individuals download and maintain client software.

To deliver the data to users, ISDI employs a number of EAServers, a server product made by Sybase Inc., Dublin, Calif., configured to handle complex Web-based transactions. ISDI also used Sybase's PowerBuilder software to quickly write the Web service interfaces that tap the back-end data. The system is scheduled to go live Nov. 4.
Joab Jackson is the senior technology editor for Government Computer News.