Market dynamics: Web services management and security.
RPC over HTTP via XML. It's five years since Dave Winer of UserLand first articulated the idea that was to grow into Web services. And it is three years since the World Wide Web Consortium (W3C) accepted the submission of Simple Object Access Protocol (SOAP) 1.1. Yet, although most organizations these days say they are committed to Web services, major production deployments remain relatively rare.
One of the most critical obstacles to more widespread adoption of this promising technology is the perceived dearth of tools for Web services management and security. Based on a survey carried out in May by the Palo Alto Research Group, Actional--one of the market leaders in that sector--announced that more than 84% of IT professionals at Fortune 2000 companies cited managing their production Web services environments as a key concern. Within that group, 68% described their concern as "significant to major". And HP's CEO Carly Fiorina, speaking at BEA's eWorld customer conference at Orlando in March, declared that "Web services management is the next barrier to mainstream Web services adoption".
As we shall see in what follows, that perception is not altogether accurate. A lot of creative work has recently been devoted to this field, and many new and powerful ideas have emerged in the last year or two. But a vicious circle is in operation. Without a substantial revenue stream, the companies that specialize in Web services management and security cannot afford to market their offerings intensively. And organizations planning to roll out Web services are reluctant to spend large sums of money with suppliers they may never have heard of.
That vicious circle will gradually unwind over the next one to three years, as more and more companies find that Web services offer an irresistible cost-benefit proposition. In order to contain the cost side of the equation, they will need to find management and security tools that work effectively in practice. In the words of Phillip Hallam-Baker, chief scientist at VeriSign, "When people start talking about security being the issue, that's when you can tell they're serious about deploying Web services. That's because security is always the last thing people think about".
Beyond a shadow of a doubt, new tools and techniques will be needed. Surveys reveal that the most attractive aspects of Web services are platform independence, flexibility, loose coupling and vendor neutrality. While conferring valuable business benefits, these characteristics also have the effect of increasing management complexity by at least an order of magnitude. Just look at the prospectus flaunted by advocates of the Web services model--complex distributed systems, controlled and operated by multiple enterprises, and continually changing to track the latest business requirements. That is a pretty good description of a system manager's nightmare. As for security, the less said the better...
Frank Moss, co-founder of Bowstreet, who ran Tivoli before it was acquired by IBM, is on record as saying that Web services management will be many times more complex than conventional systems management. According to the Stencil Group, a firm of analysts specializing in Web services, the following questions need to be addressed as soon as Web services spread throughout an organization:
* What services are running within the enterprise? Where are those services running? Which operations are those services supporting?
* Who has access rights? How will services be dynamically upgraded?
* How are services performing? How will I be alerted about service failures?
* How will I securely share services with trading partners?
Another important characteristic of Web services--at least when used between enterprises--is that the distinction between management and security becomes blurred. By integrating its IT applications with those of business partners over the Internet, a company opens up its business operations to the outside world. Even after the initial cost-benefit analysis, that will require a continuous risk management exercise to be carried out; and almost every administrative activity will have its own security dimension.
While the Web services model has stirred up great interest around the world, the intrinsically technical nature of the subject can be off-putting to non-programmers. In order to spread the message to business people (including senior management decision-makers), some vendors and analysts have started talking about Service Oriented Architecture (SOA) instead. Indeed, it has even been suggested that the well-known acronym SOAP should be redefined to stand for Service Oriented Architecture Protocol instead of the original--and rather misleading--Simple Object Access Protocol.
Although some would argue the point, an SOA can be viewed as a generalized (and less technically explicit) Web services architecture. Its key characteristics include the existence of distributed services that can be "looked up" through a broker or directory service, and then invoked remotely. So, for the purposes of market analysis, we will sometimes find that "SOA" and related terms are used as an alternative to any explicit mention of Web services.
Market Opportunity 1: Web Services Security
When the Web services model was first suggested, back in 1998, it was envisaged as a lightweight, quick-and-dirty way of letting applications, wherever they were located, talk to one another freely. That is still the case when it comes to demonstrations and prototypes--but things change when two or more organizations begin thinking about linking their core business systems, however loosely.
A flood of new security specifications has been announced in the past two years. But all the standards in the world will not stop a single hacker, unless they are consistently designed and robustly implemented. And the production of Web services security products is lagging far behind the work of the standards architects.
Given that the new dispensation hinges on the availability of effective security, it looks as if specialist vendors can expect a bonanza, with steadily increasing demand for years to come. That would explain the proliferation of companies focused on Web services security, of which there are literally scores. Alongside newcomers such as Flamenco, Vordel and Westbridge, established suppliers like Baltimore, Entrust and RSA Security are jostling for their share of the cake.
John Heasman of British IT security consultancy Defcom, who recently completed a dissertation on Intrusion Detection at Oxford University, says that Web services need three main layers of security:
1. Securing the transport of data--moving XML data over HTTP for example, using standard Secure Sockets Layer (SSL) encryption.
2. Securing the data itself--this involves encryption of the sender's and recipient's information and verification of their identity, typically through some sort of digital signature and asymmetric encryption.
3. Validation of the data being handled by applications--this layer is forgotten by many application developers in their haste to get Web services up and running.
The Web services security market is still extremely immature and fragmented. There has been so little practical experience, as yet, that vendors are still trying to understand exactly what the requirements are. Standards that are useful in practice will take even longer to evolve.
Yet there is a pressing need for effective security products. Precisely because they are so inexpensive, flexible and easy to create, Web services are springing up all around--not always with the knowledge of CIOs and security managers.
To take the classic case in point, one argument that is often cited in favor of Web services is their "firewall friendliness"--from the developer's point of view, that is. Whereas conventional middleware such as COM, CORBA, FTP and RPC--not to mention proprietary messaging systems like WebSphere MQ or Microsoft Message Queuing--is firmly blocked by existing corporate firewalls, Web services tunnel right through. This is because they use TCP port 80, the port assigned to the Web protocol HTTP (or 443 for HTTPS), which the firewall already opens for browsing; a packet-level firewall cannot tell a SOAP request from a browser fetching a page, because both are HTTP. In other words, while the firewall administrator thinks that everything is blocked except for Web browsing sessions and email, the exact opposite is the case--almost anything can be passing through in the guise of Web services.
Needless to say, once the firewall administrators find out what has been going on, they are not going to be very happy. Nor is the security manager, nor the CIO. If used naively, Web services can thoroughly subvert the entire corporate security policy. "Desktop Web services is to machines what instant messaging [IM] was to humans," says Jason Bloomberg, senior analyst at ZapThink. "If people can publish arbitrary Excel cells as Web services, you have to start worrying about security, confidentiality, privacy, and network traffic load, just as you did with IM".
The solution is to extend that security policy to accommodate Web services. That means a new firewall at the very least--and probably a whole new kind of firewall. But there is much more to Web services security than just firewalls.
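The check a packet filter cannot make but an application-level proxy can, as an added example (not code from this report or from any vendor named in it): it parses raw HTTP requests as a proxy sitting on port 80 would see them and flags those that are SOAP calls rather than browsing, using the request method, the Content-Type, the SOAPAction header and the start of the body. The sample requests are constructed; the host names, paths and the ordering service they refer to are assumptions.

```python
"""Spot SOAP calls riding over port 80 in captured HTTP requests.

A packet filter that permits TCP/80 sees only "web traffic"; the
features that distinguish a Web services call from a page request live
inside the HTTP request. This added example (not any vendor's code)
looks at those features the way an application-level proxy would.
"""
import re
from dataclasses import dataclass
from typing import Dict, Tuple

# Media types SOAP 1.1 (text/xml) and SOAP 1.2 (application/soap+xml) use.
SOAP_CONTENT_TYPES = ("text/xml", "application/soap+xml")
# A SOAP Envelope root element, with or without a namespace prefix.
ENVELOPE_RE = re.compile(rb"<(\w+:)?Envelope\b")


@dataclass
class Verdict:
    is_soap: bool
    reasons: Tuple[str, ...]


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into method, target, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, target, _version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return method.decode(), target.decode(), headers, body


def classify(raw: bytes) -> Verdict:
    """Decide whether a request is a SOAP call and record why."""
    method, _target, headers, body = parse_request(raw)
    reasons = []
    if method == "POST":
        ctype = headers.get("content-type", "").split(";")[0].strip().lower()
        if ctype in SOAP_CONTENT_TYPES:
            reasons.append(f"content-type {ctype}")
        if "soapaction" in headers:  # SOAP 1.1 carries the action here
            reasons.append("SOAPAction header present")
    # Look at the start of the body regardless of what the headers claim.
    if ENVELOPE_RE.search(body[:512]):
        reasons.append("SOAP Envelope at start of body")
    return Verdict(bool(reasons), tuple(reasons))


# Constructed sample requests; hosts, paths and the service are assumptions.
SAMPLES = {
    "browse": (b"GET /index.html HTTP/1.1\r\n"
               b"Host: www.example.com\r\n"
               b"Accept: text/html\r\n\r\n"),
    "form-login": (b"POST /login HTTP/1.1\r\n"
                   b"Host: www.example.com\r\n"
                   b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                   b"user=alice&pass=secret"),
    "soap11-order": (b"POST /services/OrderService HTTP/1.1\r\n"
                     b"Host: partner.example.com\r\n"
                     b"Content-Type: text/xml; charset=utf-8\r\n"
                     b"SOAPAction: \"urn:PlaceOrder\"\r\n\r\n"
                     b"<?xml version=\"1.0\"?>"
                     b"<soap:Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\">"
                     b"<soap:Body><PlaceOrder/></soap:Body></soap:Envelope>"),
    "soap12-call": (b"POST /ws HTTP/1.1\r\n"
                    b"Host: partner.example.com\r\n"
                    b"Content-Type: application/soap+xml; charset=utf-8\r\n\r\n"
                    b"<env:Envelope xmlns:env=\"http://www.w3.org/2003/05/soap-envelope\">"
                    b"<env:Body/></env:Envelope>"),
}


def audit(samples: Dict[str, bytes]) -> Dict[str, Tuple[str, ...]]:
    """Return, for every request that is really a SOAP call, the reasons."""
    return {name: classify(raw).reasons
            for name, raw in samples.items() if classify(raw).is_soap}


if __name__ == "__main__":
    for name, reasons in audit(SAMPLES).items():
        print(f"{name}: {', '.join(reasons)}")
```

Only the two SOAP requests are flagged; the page fetch and the form login pass. The body check is there because a client can omit SOAPAction (SOAP 1.2 does) or lie about Content-Type, which is exactly why a port number alone tells the firewall nothing.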
Established Market Vendors
In security, almost more than in any other domain, IT users are likely to turn to their established suppliers for advice. Hardware manufacturers, operating system vendors and security specialists fall into this general category. Although Web services security is not their core competence, it is something they will have to provide--directly or indirectly--if they are to go on serving their current installed bases.
Some of the best-known conventional security companies are turning, more or less gradually, in the direction of Web services. In the nature of things, they cannot react as quickly as the more nimble startups that have dedicated themselves to this market segment. Among the older companies in the security space are Baltimore, Check Point, Entrust, RSA Security and VeriSign--plus, of course, IBM and Microsoft.
Together with IBM, Microsoft has led the way in publishing specifications for Web services security. More than any other Web services offering, the .NET Framework is designed to be fully self-contained--even more so since the release of Web Services Enhancements (WSE) for Microsoft .NET in December 2002.
The .NET Framework has an elaborate security architecture of its own, which admittedly does not extend much beyond the Web services interface. WSE aims to fill that gap, providing support for digital signing and encryption through WS-Security, routing through WS-Routing, and non-XML attachments through WS-Attachments. Moreover, WSE is extensible, allowing developers to write their own "interceptors" to process incoming and outgoing messages.
Like IBM, Microsoft has announced integration with AmberPoint's products.
Startups and Specialists
A startup founded in May 2001, Boston-based Forum Systems aims to deliver end-to-end data integrity, data-level confidentiality, Web service auditing and XML data processing.
The Forum Sentry 1500 XML Security Appliance incorporates a data privacy server (XML encryption and decryption), a Digital Signature server, and an XML firewall (filtering, authentication, access control and schema validation). Designed to be non-intrusive, it can be installed as an in-process shared service, a proxy intermediary, or a transparent gateway.
Authentication can be done using HTTP(S), SAML, WS-Security or SSL. Authorization is driven by policies and access control lists. Forum has patents pending for its "dynamic content security processing capabilities".
Although perhaps less well known than competitors like Vordel and Westbridge, Quadrasis is a business unit of Hitachi Computer Products (America)'s Software Solutions Division. As such, it is a tiny part of Hitachi, Ltd., one of the biggest corporations engaged in the IT business, with total revenue of $67.9bn in 2001.
Quadrasis focuses on security products and services, against the background of its Enterprise Application Security Integration (EASI) framework. In August 2002 it announced availability of the Quadrasis/Xtradyne SOAP Content Inspector, an XML application firewall (developed in cooperation with Xtradyne Technologies) that checks SOAP messages for security.
The SOAP Content Inspector supports authentication, authorization, audit, alarm and policy, as well as WS-Security and Microsoft Passport. It also provides attribute mapping for cross-domain single sign-on (SSO) authorization, and can add SAML assertions to verified SOAP messages.
Like other XML application firewalls, the SOAP Content Inspector would normally be installed in the "demilitarized zone" (DMZ) between a corporation's outer and inner firewalls. At any rate, it would certainly be deployed inside at least one conventional packet-level firewall.
Set up in 1998 and based in Belmont (near San Francisco), Reactivity is venture funded by a group of investors including Mitch Kapor, founder of Lotus. The company's Service Firewall was launched in July 2002, but superseded in March by a new hardware appliance called the XML Firewall.
Like competitive products, the XML Firewall is an XML proxy that does authentication, authorization, XML validation, routing and auditing. It is also integrated with various certificate authorities, helping to automate the laborious and error-prone chore of keeping certificates up to date. It can even send an email to warn when a certificate is about to expire. A performance profiler and event viewer are also included in the package, which comes in a stackable "pizza box" form factor.
Content-based routing means that the XML Firewall can send SOAP messages on to different servers based on message content. For instance, orders valued above $10,000 could be checked with extra rigor, then dispatched to a special "high-value order server".
XML Signature, XML Encryption and many other security standards are supported, as well as LDAP and Microsoft Active Directory, but not yet SAML, XACML or XKMS.
This year Reactivity has submitted a proposal for a non-repudiation standard to the OASIS Web Services Security Technical Committee.
Exemplifying the youth and exuberance of the Web services security market, Vordel--a small privately-held company based in Dublin, Ireland--has become one of the world leaders in this highly sophisticated space. Software AG has entered into a distribution agreement to sell Vordel's software worldwide.
Described as "an enterprise-class XML security server", VordelSecure is essentially an application firewall that co-resides with an HTTP server and checks incoming and outgoing traffic on ports 80 (HTTP) and 443 (HTTPS) against predetermined policies. It uses the Apache Tomcat servlet engine, which works with either Apache or Microsoft IIS; alternatively, it can plug directly into the Sun ONE Web Server. Vordel has put a lot of work into optimizing performance, in cooperation with Intel: critical code is written in C or C++, and the company is exploring the possibilities of putting some of it into hardware.
Instead of trying to do everything--an impossible task--VordelSecure does one important thing very well. It inspects all incoming and outgoing XML messages, checks that they are authorized, and authenticates digital certificates against data from PKI directories and local or global trust services (including XKMS). It can also delegate authorization to existing access control software through SAML. VordelSecure then checks the integrity, structure and content of messages using XML Signature, XML Schema and XPath to filter out unwanted or malicious content.
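An added example of the kind of policy an XML firewall like those described in this section enforces. It covers the third of Heasman's layers (validation of the data the application will handle), the content-based routing of high-value orders described under Reactivity, and the structure and content checks just described for VordelSecure. It is not Vordel's, Reactivity's or any other vendor's code: it uses the Python standard library's ElementTree, whose find()/findall() paths are only a small subset of XPath, and the order namespace, operation names, field names, policy limits and sample messages are all assumptions.

```python
"""Policy an XML firewall applies to a SOAP request before the
application sees it: parsing guards, structural checks, content
filtering and content-based routing. Added example on the standard
library's ElementTree (find()/findall() are a subset of XPath);
not any vendor's code.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation
from typing import Optional

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
ORDER_NS = "urn:example:orders"          # assumed application namespace
ALLOWED_OPS = {f"{{{ORDER_NS}}}PlaceOrder", f"{{{ORDER_NS}}}GetOrderStatus"}
MAX_BYTES = 64 * 1024                    # assumed policy limits
MAX_DEPTH = 32
HIGH_VALUE_THRESHOLD = Decimal("10000")


@dataclass
class Decision:
    accepted: bool
    route: Optional[str]   # back-end the message is forwarded to, if accepted
    reason: str


def _depth(elem: ET.Element, level: int = 1) -> int:
    return max([level] + [_depth(child, level + 1) for child in elem])


def _text(elem: ET.Element, path: str) -> Optional[str]:
    node = elem.find(path)
    return node.text.strip() if node is not None and node.text else None


def inspect_message(raw: bytes) -> Decision:
    # 1. Guards applied before any XML is parsed: a size cap, and no DTD, so
    #    entity-expansion and external-entity tricks never reach the parser.
    if len(raw) > MAX_BYTES:
        return Decision(False, None, "message too large")
    if b"<!DOCTYPE" in raw or b"<!ENTITY" in raw:
        return Decision(False, None, "DTD and entity declarations not allowed")
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        return Decision(False, None, f"malformed XML: {exc}")
    if _depth(root) > MAX_DEPTH:
        return Decision(False, None, "nesting too deep")
    # 2. Structure: a SOAP 1.1 envelope whose Body carries one permitted operation.
    if root.tag != f"{{{SOAP_NS}}}Envelope":
        return Decision(False, None, "not a SOAP 1.1 envelope")
    body = root.find(f"{{{SOAP_NS}}}Body")
    if body is None or len(body) != 1:
        return Decision(False, None, "Body must carry exactly one operation")
    op = body[0]
    if op.tag not in ALLOWED_OPS:
        return Decision(False, None, f"operation not permitted: {op.tag}")
    if op.tag != f"{{{ORDER_NS}}}PlaceOrder":
        return Decision(True, "orders", "read-only operation")
    # 3. Content: the fields PlaceOrder must carry, with type and range checks.
    if not _text(op, f"{{{ORDER_NS}}}Customer"):
        return Decision(False, None, "Customer missing")
    items = op.findall(f".//{{{ORDER_NS}}}Item")
    if not items:
        return Decision(False, None, "order has no items")
    total = Decimal(0)
    for item in items:
        try:
            qty = int(_text(item, f"{{{ORDER_NS}}}Quantity") or "")
            price = Decimal(_text(item, f"{{{ORDER_NS}}}UnitPrice") or "")
        except (ValueError, InvalidOperation):
            return Decision(False, None, "Quantity/UnitPrice not numeric")
        if not 1 <= qty <= 1000 or not price.is_finite() or price <= 0:
            return Decision(False, None, "Quantity/UnitPrice out of range")
        total += qty * price
    # 4. Content-based routing: high-value orders go to a separate back-end.
    route = "high-value-orders" if total > HIGH_VALUE_THRESHOLD else "orders"
    return Decision(True, route, f"order total {total}")


def _envelope(body_xml: str) -> bytes:
    return (f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body>'
            f'{body_xml}</soap:Body></soap:Envelope>').encode()


def _order(qty: str, price: str) -> bytes:
    return _envelope(
        f'<o:PlaceOrder xmlns:o="{ORDER_NS}"><o:Customer>ACME Ltd</o:Customer>'
        f'<o:Items><o:Item><o:Quantity>{qty}</o:Quantity>'
        f'<o:UnitPrice>{price}</o:UnitPrice></o:Item></o:Items></o:PlaceOrder>')


# Constructed sample messages.
ORDER_NORMAL = _order("2", "4500.00")     # total 9000.00 -> "orders"
ORDER_HIGH = _order("3", "5000.00")       # total 15000.00 -> "high-value-orders"
ORDER_BAD_QTY = _order("-5", "10.00")     # fails the range check
FORBIDDEN_OP = _envelope(f'<o:DeleteAllOrders xmlns:o="{ORDER_NS}"/>')
XXE_ATTEMPT = (b'<?xml version="1.0"?>'
               b'<!DOCTYPE x [<!ENTITY e SYSTEM "file:///etc/passwd">]>'
               + _envelope(f'<o:GetOrderStatus xmlns:o="{ORDER_NS}">&e;</o:GetOrderStatus>'))

if __name__ == "__main__":
    for name in ("ORDER_NORMAL", "ORDER_HIGH", "ORDER_BAD_QTY", "FORBIDDEN_OP", "XXE_ATTEMPT"):
        print(name, inspect_message(globals()[name]))
```

The order of the checks matters: the size cap and the DTD rejection run on the raw bytes so that a hostile message is refused before the parser spends any work on it, the operation allow-list runs before any field is read, and only a message that has passed every check is routed. A real deployment would replace the hand-written field checks with an XML Schema and the allow-list with a policy store, but the shape of the decision stays the same.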
An audit trail is kept for all processed transactions, with support for non-repudiation and risk management.
Although a startup (founded in 2001), the Mountain View company Westbridge Technology boasts a strong management team drawn from Oracle, HP, DoubleClick, Tumbleweed, Broadvision, Booz-Allen & Hamilton, Silicon Graphics and Comergent.
Westbridge's XML Message Server (XMS) resembles VordelSecure in being an XML application firewall. However, it also performs a range of Web services management tasks and thus offers wider functionality than VordelSecure at a higher price point. XMS is very flexible: it can be installed in proxy mode, or at each Web Service (either in "Tight Proxy Mode" or within the container). It recently became available in hardware as the Westbridge XA2500 XML Firewall Appliance which, according to the company, "can be easily dropped into an XML network and requires just minutes to set up".
XMS caters for authentication, access control, encryption, decryption, signing, signature verification, content filtering, logging, and alerting. It supports all the relevant standards, including HTTP, HTTPS (SSL), XML Signature, XML Encryption, WS-Security, XKMS, X.509 certificates, LDAP, SNMP and SMTP.
Westbridge aims for "ease of application" and "range of application", meaning that its products can be quickly, easily and non-intrusively deployed without any programming, and that complex, heterogeneous networks can still be controlled from a single central console.
Market Opportunity 2: Web Services Management
Just as in the case of security, Web services also demand new management techniques. Existing system management, network management and application management tools operate at too coarse-grained a level to be entirely suitable. And component management products like those of Altaworks, Dirig or Wily Technologies are not sufficiently business-oriented. For one thing, organizations whose operations depend on Web services will insist on service-level agreements (SLAs) to assure continued reliable operation and quality of service (QoS).
A little thought makes it clear that, just as with Web services security, the vital ingredient is end-to-end coverage. Conventional system management tools focus on individual applications, computers or network segments. None of them can monitor and report on the health of a whole set of Web services, still less diagnose what is wrong with them.
Tomorrow's Web service management tools will have to be able to correlate the status of a whole variety of distributed components and their underlying infrastructures with the availability and performance of associated Web services. Going a step further, it will often be necessary to determine the impact on particular business processes, and warn the appropriate managers so that they can take steps to minimize losses.
Other possibilities suggest themselves. For instance, selected fields could be extracted from all incoming and outgoing SOAP messages for the purposes of real-time business activity monitoring (BAM).
The XML and Web services analysts ZapThink expect the market for service-oriented management (SOM) to grow from $30m in 2002 to $9.2bn in 2007, when it will account for no less than 75% of the total system management market. Although the large, established system management vendors like Computer Associates, HP and Tivoli have been slow to release Web service management products, ZapThink predicts that they will begin to dominate the SOM space starting in mid-2004, to the extent that SOM point solutions will peak in 2005.
In the Palo Alto Research Group survey mentioned earlier in this report, 53% of companies polled said they currently had or planned to install a Web services management solution. The most important selection criterion, according to the survey, was the assurance of Web services availability, followed closely by security and performance/scalability.
As in the case of security, IT users will often seek advice from their incumbent suppliers--and they, in turn, will no doubt be eager to grab as large a share as possible of the new market for Web services management.
While the standardization process is still at an early stage, network management vendors like CA, HP and IBM (Tivoli) have an obvious advantage in that they are already equipped to gather information from distributed systems--potentially even across corporate boundaries.
One of the giants of the system management world, BMC Software is typical of those large companies that have adopted a watching brief on Web services. BMC has joined the Web Services Interoperability Organization (WS-I), and talks up its support for application servers such as BEA WebLogic and IBM WebSphere, as well as for webMethods.
All of this is very well and good, but it contributes to managing the infrastructure underneath Web services--not Web services themselves.
One of the world leaders in system and network management, CA now claims that it "offers the industry's most comprehensive set of solutions to manage, secure and deliver Web Services". This, however, seems doubtful. CA's "Web Infrastructure Management" focuses on three main targets: Web (i.e. HTTP) servers, application servers, and "middleware"--meaning IBM WebSphere MQ.
Like BMC, CA seems to be focusing on the infrastructure that underlies Web services, and perhaps waiting for the market to grow to a worthwhile size.
HP's relationship with Web services--as, indeed, with middleware in general--has been checkered. With the backing of CEO Carly Fiorina, though, it has now set up a dedicated Web services management organization within its software business. This unit has created a "Web services management engine" as an optional add-on for OpenView, HP's popular network management package. The add-on, which is scheduled to ship by the middle of 2003, will allow business units to assign SLAs to Web services and ensure that these are delivered in the form of measurable QoS.
HP's professional services organization is also expected to ramp up the number of employees dedicated to Web services management. It has 500 at the moment, and plans to have 1,000 by the end of 2003.
Al Smith, CTO of HP's web services management organization, says he does not expect significant revenues from Web services management until late 2004 or even 2005. (Of course, HP's idea of "significant" is very different from that of a small company like Infravio or Swingtide).
It is an old story--at IBM the discrepancy between aspiration and delivery, even between research achievements and functioning products, can be quite wide. There are some magnificent schemes bubbling away in IBM's labs--autonomic (self-healing) computing, on-demand computing, grid computing, e-business and so forth--but it is quite difficult to get hold of any actual software just yet. Perhaps that is inevitable, in the nature of such grand architectural concepts. There will be jam tomorrow but only a scraping of margarine today.
Ask IBM for Web services management software right now, and you will be directed to the Tivoli division, whose network management products compete with those of CA and HP. Tivoli has a nice white paper about IBM's strategy for Web services management, but it leans heavily on "planned functions" and "expected future versions".
The "technology" codenamed Allegro, which has been trailed for well over a year now, is supposed to ship sometime in 2003. An optional add-on to WebSphere Application Server, Allegro will handle provisioning, monitoring, metering and billing of Web services, plus associated security tasks such as authentication and authorization.
In the meantime, early adopters can download the Emerging Technologies Toolkit from IBM Research's alphaWorks website. The Toolkit contains (among other things) Web Services Management Middleware for On Demand Services (WSMM) and Web Service Level Agreement for On Demand Services (WSLA). Catchy! Their features sound rather like those of Allegro, so maybe this is a pre-release version. Some degree of integration with Tivoli Enterprise Console is provided.
Interestingly enough, Tivoli and AmberPoint announced an integration between their products in December 2002. While good news for AmberPoint, this tends to confirm the belief that Tivoli still has some way to go in addressing Web services management.
Web Services Vendors
There are quite a number of "full-spectrum Web services" vendors, which devote varying amounts of attention to management and security. For some organizations' purposes, these vendors may offer enough--especially if the intended deployment is exclusively inside a corporate firewall.
Only three examples are given, for reasons of space.
As well as Cape Clear 4 Studio (for development) and Cape Clear 4 Server, the Dublin-based company provides Cape Clear 4 Manager--a set of security and management services specifically designed to support Cape Clear Server.
Cape Clear 4 Manager handles deployment, configuration and runtime administration, routing and protocol translation, and cluster management. Performance monitoring and diagnostics are part of the package.
Cape Clear 4 Manager also doubles up as a security manager, taking care of authentication (with support for Java Authentication and Authorization Service--JAAS), encryption, digital certificates and session management. Single sign-on is supported through SAML, and a firewall proxy is included.
Polarlake has introduced a unique new method of processing XML messages, which merits serious attention. Its products are mainly aimed at intranet use (within the firewall). Hence, there is little built-in security. However, adequate management capabilities are provided, and can be accessed either through Polarlake Management Console (PMC) or through an SNMP-compatible product such as HP OpenView or BMC Patrol.
As one of the leading Web services platforms--perhaps the very best--Systinet WASP is in the limelight, and its server comes with a strong set of management and security features. It offers dynamic hot deployment, remote administration, profiling and configuration of Web services, runtime monitoring, and auditing and logging of activity.
On the security side, WASP performs authentication through HTTP, SSL/TLS, SPKM and Kerberos; authorization and access control through JAAS and Java Security, and encryption and proof of identity through X.509 certificates.
Administrative functions are organized by domain, and most security functions are controlled declaratively for ease of use.
Startups and Specialists
Among the Web services management pure-plays, Actional is probably the longest established company, having been founded as long ago as 1985. Then known as Visual Edge Software, the Canadian firm specialized first in user interface development tools, and after 1995 increasingly moved into middleware "bridging" technology. In 2000 it changed its name to Actional and launched a new line of "control brokers" for EAI, followed early last year by SOAPswitch, its first Web services product.
Actional recently announced Looking Glass, a Web services management server and console. These components work closely with the SOAPstation service broker and Actional's active service agents, which continuously collect data and return it to the console for analysis and possible action.
SOAPstation is a Web services proxy that handles service provisioning, fine-grained access control, versioning and change management, logging and reporting over HTTP, HTTPS, SMTP or JMS. This architecture allows SOAPstation to intervene actively in the flow of messages if required--for instance, to impose access control or perform XSL transformations. Actional has patented some of its "active management" techniques.
Unlike most of its direct competitors, Actional is a full-spectrum Web services vendor. Moreover, SOAPswitch provides a rich set of adapters for everything from CICS, COM, CORBA and J2EE to JD Edwards, Oracle Applications, PeopleSoft, SAP and Siebel. Last but not least, Actional has an 18-year tradition of designing and marketing excellent software.
If you have only heard of one Web services management product, it is likely to be AmberPoint. Founded in 2001 as Edgility Software, it has a star-studded executive team drawn largely from Forte Software, and including as CTO Paul Butterworth, chief architect at Forte and, before that, at RDBMS specialist Ingres.
AmberPoint's aim is to make Web services based systems into production-ready assets that are easy to monitor, manage, secure and upgrade. Its software is provided as non-invasive modules that can easily be added to existing applications--a style very much in the spirit of Web services. The products can be installed either inside a Web services container, or as separate proxies, and run on both Microsoft .NET and J2EE. Support for JMS as a Web services protocol has recently been added.
AmberPoint Management Foundation, the company's core offering, monitors Web services status and business content; detects and corrects problems as they arise; supports live updates of production systems; and has no bottleneck or single point of failure. It operates at five levels: access control, business alerts, online upgrade and redirect, and auditing and logging.
AmberPoint Service Level Manager, announced in May, allows managers to ensure acceptable levels of service, prioritize usage, and differentiate service according to QoS metrics.
AmberPoint has already signed partnership agreements with IBM and Microsoft, the two industry giants that lead the Web services movement, as well as with Sun.
Formed in 2002 from the merger of ServiceMesh and VelociGen, the San Francisco firm Blue Titan has some very ambitious goals. Its Network Director is designed as a "unified control layer that brings security, reliability and manageability to Web services interactions". At a price of $150,000 it should be something special, but Goldman Sachs, Ford, PriceWaterhouseCoopers, Siemens, Sony, Toshiba and others have made that investment.
Network Director is a hub designed to sit alongside network routers and handle application-level Web services traffic. It includes a central policy-enforcement engine called Control Points, which runs on BEA's WebLogic application server, and handles Web server policies like access control, prioritization, failover and load balancing. Control functions such as setting an SLA, revoking access or monitoring an endpoint can be assigned to any Web service; and these functions can be chained together to create higher-level infrastructure policies. These are enforced throughout the whole Blue Titan network "fabric".
Network Director supports WS-Security, WS-Policy and WS-Reliable Messaging.
Flamenco Networks of Alpharetta, Georgia is a small company that began by marketing a managed administration and security service for corporate Web services. This year, it has diversified by offering its Web Services management (WSM) software for sale to organizations that prefer to bring those activities in-house. Flamenco maintains that it is the only vendor offering a choice between software product and managed service. This allows its customers to get started quickly using the managed service, and cut across to less expensive in-house operation as time permits.
Flamenco's patent-pending "heartbeat" architecture allows it to secure, monitor, provision and manage Web service transactions non-invasively, both behind and across firewalls. It uses federated lightweight proxies, which can be deployed either standalone or "in-server", and which communicate regularly with a central WSM controller. If desired, users can deploy proxies to partners outside their firewalls for more complete coverage. The product is said to be extremely scalable.
Flamenco WSM is very capable and flexible--it can undertake any or all of monitoring, metering, logging, alerting, routing, provisioning and security. It acts as an application firewall, handling authentication, authorization, encryption and digital signatures. WSM supports WS-Security, XML Encryption, XML Signature, SAML, XKMS, X.509 certificates and SNMP.
Talking Blocks has been included in this report for completeness' sake, but it differs from most of the other vendors mentioned in being both more ambitious and (at the moment) less commercially viable. Incorporated in 2000, the San Francisco company announced its Web Services Management Suite last year, but does not seem to have made many sales yet. This is hardly surprising, in view of the sweeping scope of its vision for Web services development, management and security.
Perhaps more than any other company, Talking Blocks has set out to make the Service Oriented Architecture (SOA) a reality. The idea is to set up an extra layer of abstraction over architectures like .NET and J2EE, mediated by Web services. Within this environment, TBMS provides a comprehensive security infrastructure, centralized visibility and active management of all Web services, logging, auditing and reporting, performance optimization, and "seamless and non-disruptive" change management. Space does not permit going into detail here, but anyone who takes SOA seriously might do well to look at Talking Blocks' website and perhaps speak to the company.
There are so many companies tackling Web services management that we couldn't cram them all in without reducing each entry to a couple of lines. For reference--because some of the following vendors may easily turn out to be important in the future--here is a brief list of other companies doing interesting and valuable work in this area.
* Adjoin http://www.adjoin.com/
* Confluent Software http://www.confluentsoftware.com/
* Digital Evolution http://www.digev.com/
* Path Communications http://www.contactpath.com/
* Infravio http://www.infravio.com/
* Primordial http://www.primordial.com/
* Santra Technology http://www.santra.com/
* Swingtide http://www.swingtide.com/
* WestGlobal http://www.westglobal.com/
Web services security specialists are pushing ahead with the features that customers demand (and need) the most, while planning to support OASIS and W3C standards as they are formally adopted. In line with the whole theme of Web services, non-invasive products are favored--the term "drop-in" appears in a lot of brochures. The leading security tools also require little or no programming, being transparent to the application developer. That does not mean that they are cheap, however--some products start at $50,000 or more.
Performance is already being identified as one of the biggest issues confronting users and vendors. What works well in a testbed environment does not always scale up adequately, and there is a lot of processing involved in encrypting, decrypting and verifying SOAP messages. This has led to a trend towards hardware appliances, which are already available from Forum Systems, Reactivity and Westbridge, while others are exploring the option.
The current confused and immature state of standards for Web services management is reflected in the confused and immature state of the market. Much the same could be said, to a lesser extent, of Web services security. The need to find solutions rapidly, combined with the potentially huge payoff for success, has spawned scores of ambitious startups.
As the standards take shape and begin to be implemented, there will be a market shakedown in which the pure-play startups will be severely culled. Many will go out of business, while some of the most successful ones will be snapped up by mainstream vendors, including industry giants like CA, HP and IBM.
There is a major "gotcha" looming up, however. The whole raison d'etre of Web services was originally to cut users free from the stifling bonds of proprietary systems and vendor lock-in. Whatever platforms and products you used, so the pitch went, you could always link them together with Web services. What was more, Web services themselves were industry standard software--the same everywhere.
That has been getting less and less true, as vendors add Web services capabilities to their existing product portfolios and get down to competing in this new arena. But with the advent of production-strength security and management tools, Web service users will run the risk of being well and truly locked in.
The most likely scenario is that an organization wishing to deploy Web services in support of its business will turn to a big supplier like BEA, CA, HP, IBM or Microsoft. Next thing, a team of "professional services" people will descend, armed with procedures and processes and architectural plans... all of which hinge on the systematic use of that supplier's products (or those that it resells). For instance, if you ask IBM to provide Web services management and security, the immediate implication will be that you commit yourself to use WebSphere for everything. Only then will you be eligible to participate in the benefits of autonomic computing, Allegro and all the rest.
There is always the alternative of "doing it yourself". That will appeal more to the technically savvy, and perhaps to those who are not betting their business on successful deployment of Web services. It is already a cliche among vendors that many customers buy, not what is necessary to provide adequate security, but enough to give them a plausible defense against lawsuits for negligence.
For the next two or three years, there may well be a technology gap between the most advanced pure-play startups and the big mainstream vendors. To take a specific example, IBM and Microsoft are pushing WS-Security (and the dozen or so other specifications layered on top of it) for all they are worth. Obviously, that is a good thing. But they do not have anything remotely like the specialized application firewalls that have been developed by newcomers like Vordel and Westbridge. In the long run, the standards and the practical, ad-hoc solutions are going to have to converge. Experience will show just what is essential, what is "nice to have" but not quite so vital, and what is just window-dressing.
The question is, who will volunteer to go out and get that experience?
Publication: MarketWatch: Application Development
Date: Jun 27, 2003