Web Services Running Wild

With Web services gaining wider acceptance and use, the issue of rogue, or unknown, Web services bouncing around corporate networks could become a problem as potentially damaging to data security as viruses or Trojan horses.

“It’s still off the radar of IT managers,” said Jason Bloomberg, senior analyst at ZapThink, a Web services (WS) consultancy. “There are many companies that are still basically unaware of the use of WS within their organization. And that’s only going to get worse as more and more software supports WS out of the box” like Microsoft’s Office 2003.

A rogue Web service is basically a WS legitimately written to perform a specific function for a specific group within the company. This is being done everyday. Occasionally, though, a WS is of such value to others within the organization, its location (often a simple URL) spreads by word of mouth and email. By the time the network managers get wind of it, the WS is in widespread use across the organization.

This behind the firewall scenario is fairly a benign, organic spread and use of WS; much like the way early Web sites were developed in the mid-1990s, said John Lilley, CTO of Reactivity, an XML firewall company.

Unauthorized Access

But what can happen is a WS that delves say, into financial or salary information within the ERP system, can get outside the firewall. Since a WS generally travels the same route in and out of the firewall taken by ordinary Web traffic via port 80 or port 443, network administrators would have no idea financial or other critical data was being exposed. To them it would look like ordinary Web page traffic, said Ray Wagner, research director, Information Security Strategy, at Gartner.

“For a simple point-to-point connection behind the firewall this is not a big deal, except that an organization might want to know they have a couple of development groups hooking up a couple of their back end applications,” he said. “The fact of the matter is … eventually people are going to start hooking up WS across the firewall to the public internet.”

What about authentication and other security measures? They work, of course, but if a developer decides to short-cut authentication procedures when composing a WS and hard codes his or her ERP system password into the WS, then the ERP system is simply doing what it is told by responding to the authorized request for information. It doesn’t care, or know for that matter, where the WS originated, said ZapThink’s Bloomberg.

“It has the password, right? And anybody who hits that WS there’s no way for the ERP system to have any idea who those people are,” he said. “As far as it’s concerned it’s just a WS coming with the authentication that was built-in when that developer made that serious error of hard-coding it.”

Existing Security

While there are security tools available too tackle this problem head on, as with most things, there is a compromise to be made. You can control traffic to the n-th degree and end up with a network that runs at a snail’s pace. Or, you can use SSL and security tokens to secure WS traffic between federated partners, customers, suppliers and vendors. But this approach requires pre-determined agreements between the parties and negates the value WS bring to the organizations ability to respond automatically, say, to customers inquires over the internet.

There is also WS Security (WSS), the WS security standard currently in the final stages of approval by the OASIS, but WSS deals more with the at-will sharing of security tokens between business partners over heterogeneous networks. It does little to combat the misuse of WS within the firewall or about WS escaping to the outside world.

An authentication server that looks for WS traffic could also be employed at Port 80 or 443, but, again, you run the risk of slowing down traffic to a crawl. Or, you could assign a whole new port to handle just WS traffic, but then you run into the same problem as using SSL, said Wagner, and everyone would have to know which port to use. Security managers would also have to worry about unauthorized use of that port as well. So, it really doesn’t help much.

Best Defense = Good Offense

The best defense may also be the hardest to employ since it involves the human factor. Like the control companies finally took over the proliferation of Web site development by centralizing development and standardizing policies and procedures, the same approach could be employed to govern the proliferation of WS, said Lilley.

By implementing strong governance over the creation and use of WS, CIOs and their managers can better control how, where and when a WS is deployed for what purpose and for whom. Security tokens and other digital measures can, of course, be part of this process but without oversight, WS can easily get out of control and expose valuable and potentially damaging information beyond the firewall, said Bloomberg.

“One, you need to have the rules and, two, you need to have a way of enforcing the rules,” he said. “The real challenge for organizations is realizing there is a potential problem and dealing with them on the governance level.”