“You have to master message-based security,” Forrester’s Schadler says. “You have to learn the principles, which of course include encryption and having a way to authenticate without opening up the entire message.” Fortunately, plain old SSL can handle the point-to-point encryption, while the draft WS-Security standard, coupled with SAML (Security Assertion Markup Language), provides a viable way to secure most types of Web services documents (see “Security: A Work in Progress,” page 42). In conjunction with the Sun Identity Management Server, Subramaniam used a combination of WS-Security and SAML in developing RouteOne’s consumer loan management system.
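As an added illustration of the message-level principle Schadler describes (this is example code, not the article's or RouteOne's), the snippet below signs only the SOAP Body so that intermediaries can add routing headers without breaking the signature, while any change to the Body is detected. It is a simplification: a shared-key HMAC stands in for WS-Security's XML Signature with X.509 or SAML tokens, and the envelope, key and header names are constructed.

```python
# Added example: simplified WS-Security-style partial signing of a SOAP message.
# Assumption: an HMAC with a shared key stands in for XML Signature and tokens.
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
ET.register_namespace("soap", SOAP)
ET.register_namespace("wsse", WSSE)

KEY = b"demo-shared-key"  # constructed sample key, not a real credential


def body_digest(envelope):
    """SHA-256 over the serialized Body (stands in for XML-DSig canonicalization)."""
    body = envelope.find(f"{{{SOAP}}}Body")
    return hashlib.sha256(ET.tostring(body, encoding="utf-8")).hexdigest()


def sign(envelope, key=KEY):
    """Attach a Security header whose MAC covers only the Body digest."""
    header = envelope.find(f"{{{SOAP}}}Header")
    if header is None:
        header = ET.Element(f"{{{SOAP}}}Header")
        envelope.insert(0, header)
    sec = ET.SubElement(header, f"{{{WSSE}}}Security")
    digest = body_digest(envelope)
    ET.SubElement(sec, "DigestValue").text = digest
    ET.SubElement(sec, "SignatureValue").text = hmac.new(key, digest.encode(), "sha256").hexdigest()
    return envelope


def verify(envelope, key=KEY):
    """Recompute the Body digest and check the MAC; other headers are not covered."""
    sec = envelope.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security")
    if sec is None:
        return False
    digest = body_digest(envelope)
    if not hmac.compare_digest(digest, sec.findtext("DigestValue") or ""):
        return False
    expected = hmac.new(key, digest.encode(), "sha256").hexdigest()
    return hmac.compare_digest(expected, sec.findtext("SignatureValue") or "")


def demo():
    """Constructed loan request: original, after a routing hop, and after body tampering."""
    env = ET.fromstring(f'<soap:Envelope xmlns:soap="{SOAP}"><soap:Body>'
                        '<LoanRequest><Amount>25000</Amount></LoanRequest></soap:Body></soap:Envelope>')
    sign(env)
    original_ok = verify(env)
    ET.SubElement(env.find(f"{{{SOAP}}}Header"), "Route").text = "lender-42"  # added by an intermediary
    routed_ok = verify(env)
    env.find(".//Amount").text = "250000"  # altered in transit
    tampered_ok = verify(env)
    return original_ok, routed_ok, tampered_ok
```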
To secure beyond the capabilities of these two basic standards, vendors must provide their own security schemes or implement draft protocols that aren’t as far along, such as WS-SecurityPolicy, which governs how organizations share security policies with one another. Startups Reactivity and DataPower sell XML firewall appliances that monitor SOAP packets for everything from XML Trojan horses to DoS (denial of service) attacks. Both also improve performance.
BEA’s Dietzen argues that the slowdown due to the size of Web services messages is overblown. “There are two sides to the complaints about XML,” he says. “One is the size complaint — and that one is really easy to defeat. Because if you take an XML document and you Zip it, you’ll end up with encoding that’s more compressed than almost any binary representation. Zip works really well, and it’s efficient. The CPU processing cost is more real. We’re probably at a factor of between 10 and 20 of a highly optimized binary protocol versus what you can do with XML.”
Enterprises with a need for speed may balk at that overhead. RouteOne, for example, uses Web services to communicate with partners — but inside, “it’s purely Java-based,” Subramaniam says. “We have a very service-oriented architecture, but not necessarily a Web services-based, service-oriented architecture. We leverage JRMP [Java Remote Method Protocol], Java serialization, and so on. For internal lines of communication, that’s a lot more efficient than using Web services.”
Managing and manipulating
RouteOne’s internal architecture makes sense for a small company that focuses on a single, processing-intensive line of business. But for larger enterprises, IBM’s Sutor — a key figure in the development of Web services standards — continues to believe that Web services and SOA will transform IT.
“You can have all sorts of gorpy technology under the covers, and on the very top, you can have all these beautiful business models and processes,” Sutor says. “Somewhere they have to meet. So the change that we’re talking about with SOA, with Web services, is that the configuration becomes much easier to map — almost on a one-to-one basis between individual parts of business processes and Web services.”
So how do we reach this nirvana, in which discrete chunks of business logic become reusable, interchangeable parts that can be strung together into business processes with almost no development cost? Should that ever happen, at least two pieces must be in place: new methods of modeling and building business processes, and technology to manage Web services across platforms and to ensure the stability necessary to maintain a mix-and-match environment.