Andrew Nash
CTO, Reactivity
The next major driver for user-generated XML will be the introduction of Microsoft's Vista with XML document formats and Web services based integration functionality. Microsoft's Office 2007 also promises to add a considerable load to the XML stream within enterprises. Microsoft Office 2007, scheduled for release early next year, uses XML-based file formats. With Office 2007, virtually every organization,small, medium, and large, will have a significant increase of XML traffic within their networks.
As hundreds or even thousands of additional XML messages quickly proliferate throughout the network, the traffic and latency problems will increase. Most of XML traffic will be generated from perfectly valid sources in your intranet, your extranet and directly from the Internet. As a result, differentiating the good traffic from the bad traffic is critical to the integrity of the network. Without sophisticated solutions to accelerate and verify the messages, the basic security protections for this traffic would act like a chokepoint that actually limited XML deployments.
Immediately, security control becomes much more illusive.
However, today there are standards and solutions that address the fundamental issues of XML and Web Service security in real time. However, composite and work-flow applications are going to have a hard time both separating good and bad XML traffic and controlling trusted access to Web Services. This spells doom in the short and long run because message-based attacks--replay attacks, out of order message attacks and just plain fraudulent message insertions--are going to be easier to perpetrate in the blizzard of XML traffic that will be flowing through your network firewalls and around your internal networks.
AJAX, for example, introduces a host of new threats and security issues that Web application developers may not recognize.
Effective use of AJAX requires the efficient processing of XML and verification of identity and access rights. Security functions including signing, encryption, identity verification (not to mention threat mitigation such as schema validation, content inspection and denial-of-service detection) are cost prohibitive and can bring you average server platform to its knees--around 300-400 transactions per second for simple processing dropping to just tens of transactions for security functions.
As a result, message-level security features have to be utilized. The flow of traffic in our new loosely-coupled, re-usable-business-service world cannot be secured effectively using simple session-based solutions like SSL. Fortunately, network intermediaries such as XML security gateways can off-load XML, security and trust processing from the application platforms.
This architectural component of an XML Gateway offers the ability to create enforcement, policy control, logging and audit capabilities to the network. Also, the ability to implement a distributed mechanism for dealing with this traffic is critical to turning the invaded network into an XML enabled network. Due to extensive XML security issues, management issues, and acceleration requirements, XML traffic will suddenly become 100,000-times multiplied. I advocate reducing system overhead by offloading processing and caching messages, particular portions dealing with schema validation, content, security, and inspection.
AJAX is here for the long run. Every application development environment and packaged application is generating XML and Web services interfaces. Microsoft Office embeds it. User generated XML will dramatically affect our IT and network infrastructure. The XML processing load, and more importantly the security of XML content, has o be addressed. Enterprise quality XML-enabled networks must route, filter, transform, monitor, audit and protect the privacy of XML messages based not only on URL's, but also on identities and content.
This is not all bad news, however. The positive is that XML will become more ubiquitous and accessible to many parts of the enterprise. The rise of XML will create countless new opportunities for additional Web services, lots of potential technology openings, lots of back-end services, and lots of integration opportunities--especially when you throw in third-party environments, such as the new versions of SAP NetWeaver and other application suites that are coming out. By the end of this 2006, there's going to be a huge amount of XML beginning to flow around the networks.
Rather than just deal with point-to-point processing issues, organizations need to look at dealing with the optimization of the entire system. This process requires companies get really smart about tracking what messages are flowing through, what they look like, caching information about those messages, so you can reduce the overheads to deal with specific parts of the processing that you're seeing. For example, if you’re always seeing a particular Web service getting transactions that are order messages, then you can cache a lot of the information about those messages. Then you only have to deal with those components that are different. If you’re smart about the way you deal with caching of message content, you can actually dramatically reduce the processing time it takes to deal with similar messages.
We are about to be deluged by XML in all of our organizations, ready or not. Taking steps to ensure that the influx of XML can be controlled will help enterprises to not only survive but also thrive in the new network environment.
biography
Andrew Nash is CTO of Reactivity and formerly the Director of Technologies at RSA Security in the Office of the CTO. Andrew is a known leader in PKI and Web-Services security markets and the co-author of numerous Web Services specifications including Web Services Security, WS-Trust, WS-Federation, WS-SecureConversation and WS-SecurityPolicy.
Harnessing the power of waves
Planting solar gardens
Fill your car for $1.10 a gallon?
