Web services crossed key thresholds of enterprise acceptance during the last months of 2003, with corporate IT builders expressing dramatically greater interest in using the model for transactions up and down the supply chain as well as for in-house applications.
Last fall, Forrester Research Inc. found almost three-fifths of a sample of 75 large corporate sites planning customer service initiatives and more than two-fifths planning supply chain projects using Web services technologies. Crucially, the same study found comparable or greater percentages of these sites migrating customer and product/service data to XML-based formats, an important precursor to broader use of Web services models. Gartner Inc., of Stamford, Conn., went further, projecting that Web services would be the dominant model—used for at least two-thirds of all new development projects—by next year.
Conventional wisdom has been that outward-facing Web services would not gain momentum until key security issues were addressed directly by Web services standards.
This view failed to appreciate the strong value proposition of loosely coupled interactions among heterogeneous systems, according to John Lily, vice president and chief technology officer at Web services security company Reactivity Inc., in Belmont, Calif. "There's a whole set of businesses whose reason for being is connection with others," Lily said, citing the use of Web services by transportation companies with many local partners and by financial services companies providing 401(k) and other services that companies want to integrate into their employee Web portals.
As for security, said Lily, there's no longer a notable difference between internal and external standards. At one company, he said, the labels applied to internal and external users were formerly "trusted" and "untrusted." Now, Lily said, the labels are "untrusted" and "hostile"—a difference in degree rather than kind. Both inside and outside the firewall, he said, the default is moving from "grant unless forbidden" to "deny unless authorized."
In this environment, Web services are at no particular disadvantage, but their security improvement is the focus of considerable industry effort.