My first reaction was, any IT department that doesn't know that people on the business side are deploying Web services has a bigger problem than potential security lapses. In a world where business and technology are inextricably interwoven, an IT department that doesn't know where Web-services initiatives are underway has a communications and collaboration problem that can be just as devastating as a security problem.
No argument there, says Kerry Champion, Westbridge's founder and president. "Technology will never solve your organizational problems," he says. But even if you have a good organizational structure in place now, new versions of popular products expected in the next six months may wreak havoc--from a security standpoint, anyway--in terms of what users can achieve with Web services.
Where the problem lies
"No matter what technology is providing, you still have to have a rational organization that is cooperative," Champion says. What the XML SOAP Monitor brings, he claims, is visibility into a system, while the company's XML Message Server product, which you do have to pay for, he likens to a Web-services firewall. (The Message Server handles the basic security chores at a cost of anywhere from $25,000 to $125,000, based on number of CPUs and modules purchased.)
You want to know what's traveling over your network, says Jason Bloomberg, senior analyst for research firm ZapThink. "Unauthorized traffic is just one step below malicious traffic," he adds. "If it's unauthorized, it could be accidental. But if you don't even know that there's a lot of SOAP traffic on your network, you won't even know there's a problem."
While you may be tempted to push this kind of thing onto the back burner, because Web services are still the domain of programmers and fall under IT's control, Bloomberg advises against such short-sighted apathy. In the next version of Microsoft Office, he says, anybody with an Excel spreadsheet can publish or consume a Web service; that is, they can make information in the spreadsheet available to anyone across the network who either updates a particular cell or requests an update from a particular cell.
"It's possible that spreadsheets will generate more XML message traffic than any other piece of software," suggests Champion. "That kind of use is going to generate a growing stream of bottom-up usage." It'll be a problem even before the next version of Office, he warns. "The companies that have created [Web-services development] tools have made them very easy to use. All you have to do is add one declarative statement to VisualBasic or Java and you get a Web services function."
Champion goes so far as to compare the current state of illicit Web services use to the early days of HTML, when people started to build their own Web pages, then intranets, without corporate standards or centralization, and companies realized there had to be policies for how they were built.
Of course, it's not hard to find an executive who believes that the particular technology he's selling is going to be the Next Big Thing. However, revolutionary programming tools tend to sift down as far as programmers and then stop. Everything from HyperCard to Java was supposed to enable the traditional user, but it hasn't happened yet.
The possible boom in rogue Web services and the security threat that it entails can also be compared to instant messaging. "Nobody expected the security issues that instant messaging (IM) caused. That caught everyone by surprise," Bloomberg says. "Desktop Web services is to machines what instant messaging was to humans. If people can publish arbitrary Excel cells as Web services, you have to start worrying about security, confidentiality, privacy, and network traffic load, just as you did with IM."
Too little, too early?
The next version of Office isn't due until the middle of next year. Hence, Westbridge is offering more of an inoculation than a cure. Granted, they want to sell more of their XML Message Server security software. And granted, the SOAP monitor only tackles one piece of the XML puzzle.
It's also possible that Office's Web services capabilities will simply become part of the 80 percent of the application that few of us ever use, the high-end equivalent of Clippy, may he rest in peace. But still--users have a remarkable way of surprising everyone.
And if XML takes off with the intensity that many expect, monitoring tools are going to be the first thing you'll want to add to your toolbox.
Are you worried about undetected Web services traffic? TalkBack below or e-mail Howard.









