Comments
By Roger Strukhoff
Richard Davies wrote: The UK has a good crop of technology pioneers in cloud computing - for example ElasticHosts, FlexiScale, Flexiant, OnApp - and also some strong government initiatives such as G-Cloud. We will have to see whether this kind of technical leadership converts into swift mass-market adoption or not.
Jan. 8, 2012 11:38 AM EST
Cloud Computing
Conference & Expo
November 2-4, 2009 NYC
Register Today and SAVE !..
Did you read today's front page stories & breaking news?
SYS-CON.TV: Eclipse Adds SOA, AJAX, and Flex Tools. Guests Mike Milinkovich and Mike Tylor

2008 West
DIAMOND SPONSOR:
Data Direct
SOA, WOA and Cloud Computing: The New Frontier for Data Services
PLATINUM SPONSORS:
Red Hat
The Opening of Virtualization
GOLD SPONSORS:
Appsense
User Environment Management – The Third Layer of the Desktop
Cordys
Cloud Computing for Business Agility
EMC
CMIS: A Multi-Vendor Proposal for a Service-Based Content Management Interoperability Standard
Freedom OSS
Practical SOA” Max Yankelevich
Intel
Architecting an Enterprise Service Router (ESR) – A Cost-Effective Way to Scale SOA Across the Enterprise
Sensedia
Return on Assests: Bringing Visibility to your SOA Strategy
Symantec
Managing Hybrid Endpoint Environments
VMWare
Game-Changing Technology for Enterprise Clouds and Applications
Click For 2008 West
Event Webcasts

2008 West
PLATINUM SPONSORS:
Appcelerator
Get ‘Rich’ Quick: Rapid Prototyping for RIA with ZERO Server Code
Keynote Systems
Designing for and Managing Performance in the New Frontier of Rich Internet Applications
GOLD SPONSORS:
ICEsoft
How Can AJAX Improve Homeland Security?
Isomorphic
Beyond Widgets: What a RIA Platform Should Offer
Oracle
REAs: Rich Enterprise Applications
Click For 2008 Event Webcasts
In many cases, the end of the year gives you time to step back and take stock of the last 12 months. This is when many of us take a hard look at what worked and what did not, complete performance reviews, and formulate plans for the coming year. For me, it is all of those things plus a time when I u...
MORE »
SYS-CON.TV
Security
Secure Web Services
Secure Web Services

By: Jeff Browning
Sep. 23, 2002 12:00 AM

Businesses need to provide their users with a method for securely connecting to their networks while minimizing the costs associated with providing this service - and also providing end users with as much convenience as possible.

As businesses embrace Web services as the method for delivering their applications, they are struggling with security issues. Network World recently reported that the top worry for IT executives deploying Web services is security. SSL (Secure Sockets Layer) can provide a viable alternative to Virtual Private Networking (VPN) companies for securing Web services.

Remote Access
Originally, remote end users connected to their corporate networks using dial-up modem services over POTS (plain old telephone service). This essentially provided businesses with a private connection to an end user, albeit temporary in nature. The primary security concern was one of authentication of the end user - guaranteeing that the business was letting the right people access the network through its modem pool.

As the Internet became ubiquitous, businesses longed for a way to eliminate the long-distance charges generated by their dial-up remote access services. End users were dialing into their ISPs locally to access the Internet with no long distance charges - why not just let them access the corporate network via the Internet? The simple answer was security. VPN companies came to the rescue.

VPNs
VPNs typically put specialized software on the client machines as well as a machine acting as the gateway to the corporate network. These pieces collaborate to encrypt traffic between the end points, guarantee the identity of the remote users accessing the corporate network, and guarantee that end users connect to the right place. Businesses can enjoy the savings of eliminating long-distance charges while maintaining the security of a private connection.

There is, however, a downside. The specialized software that has to go on the client machine costs both time and money. The client software itself must be purchased and installed on every client machine that will be enabled to access the corporate network. Anyone who's been involved in these rollouts knows that words like "incompatible," "conflicting programs," and "pilot error" make the cost of deploying this crucial service much higher than simply the price of the software at the end points - especially when dealing with thousands of remote users.

SSL
The Internet, of course, was (and is) growing by leaps and bounds. But consumers at large were wary of sending their credit card information over the Internet and being defrauded. SSL was popularized as a method to eliminate this concern. As long as the little lock or key icon popped up in the end user's browser, he or she felt more at ease and willing to conduct transactions over the Internet.

Originally, SSL delivered two basic functions:

  • It allowed the browser to be certain that the site being connected to was genuinely the one requested (by using a form of authentication).
  • It secured the data that was in transit between a browser and a Web server by using encryption.
SSL allows end users to guarantee the identity of the server to which they're connecting. Certificate authority (CA) companies such as VeriSign sell certificates that are installed on the SSL server. The CA acts as an objective third party that forces the business requesting the certificate to prove its identity prior to being granted a certificate. End users or browsers can verify that the SSL server to which they're connecting has a valid certificate issued by a CA and actually belongs to the business to which they're attempting to connect using SSL. Finally, certificates are the mechanism used to associate a unique key used for encryption with a particular SSL server.

The browser and server exchange keys in order to be able to negotiate an encrypted session. SSL then encrypts data while it's flowing between the end user and the SSL server to secure the traffic while it's in transit.

These functions have been crucial to the success of online business. Without them, end users wouldn't have the peace of mind needed to share information required for completing business transactions over the Internet.

So Why Not Just Use SSL Instead of VPNs?
Every system that's used to connect to the Internet has the client software installed, by default, as SSL into every browser. End users are familiar with it. SSL is a widely adopted standard. There's no cost for the client software. There are no integration issues on either the client or corporate network side. So what's missing?

The majority of the SSL benefits discussed have been end user-centric. In order for SSL to be successfully used as a viable alternative to VPNs, another element is necessary - essentially, a method to control which clients are allowed access to the corporate network. The SSL-based solution must be able to guarantee the identity of the end user attempting to access the corporate network and decide whether he or she is allowed access. This can be accomplished using client certificates. The company can simply act as its own CA and have end users download certificates. This allows coverage of the basic security tenets: "who you are" (typically a user ID), "what you have" (in this case a valid company-issued SSL certificate), and "what you know" (a password).

This method allows the company to guarantee that only end users with valid certificates are able to access the network. The authentication must occur at a gateway point prior to the remote user's actually gaining access to the network. The key is having a gateway solution that allows a business to enforce these policies easily. With that in place, we have the security issues addressed - encrypted traffic between the end points, guaranteed identity of the remote users accessing the corporate network, and a guarantee that end users are connecting to the right place - all without the cost or administration problems associated with VPN solutions.

Coexistence
While the SSL solution works perfectly to secure Web services or Web-enabled applications and address the concerns expressed by IT executives, VPN technologies provide a few things that SSL can't - dictating that the technologies coexist. VPNs provide a solution for applications that aren't Web enabled, such as client/server-based applications, print services, and general file sharing. While SSL can certainly address downloading files through a browser, there isn't a solid solution for the other two applications at this time.

Businesses now have the opportunity to supply an SSL-based solution to the 80% of their user population that likely uses only 20% of the applications available (VPN services will continue to be required for the other 20% of the population). This shift will result in tremendous savings for businesses in terms of both time and money through:

  • Elimination of costs associated with specialized client software
  • Reduced help desk calls
  • Lowered demands on IT
  • Increased ease of use for remote users
Conclusion
Not exactly "adios VPNs, hello SSL." But as businesses embrace Web services through such efforts as Microsoft's .NET strategy (and J2EE-based platforms for Web services) and the Web enabling of most major business applications available now or within the near future, IT executives will be able to say "adios" to VPNs for a greater percentage of their end users and enjoy the bottom-line benefits as a result.

Reference

  • Fontana, John. (2002). "Top Web services worry: Security." www.nwfusion.com/news/2002/0121webservices.html?docid=7747
    Published Sep. 23, 2002— Reads 14,046
    Copyright © 2002 SYS-CON Media, Inc. — All Rights Reserved.
    Syndicated stories and blog feeds, all rights reserved by the author.
    About Jeff Browning
    As Product Manager for F5 Networks, Jeff is responsible for driving the product and marketing strategy for F5's iControl API and Software Development Kit. With over 10 years of software industry experience, Jeff's extensive background in Web services, Enterprise Portals, and Software Development tools at leading companies like Microsoft and DataChannel helps bridge the gap between networking technologies and Web services applications for better performing, scalable, and secure enterprise solutions

    • In order to post a comment you need to be registered and logged in.

    Register | Sign-in

    Reader Feedback: Page 1 of 1

    SOA World Latest Stories
    By Maureen O'Gara
    Yahoo’s critical negotiations with Alibaba to sell part of its stake in Alibaba back to the Chinese company have collapsed according to All Things Digital, a report later confirmed by CNBC. Apparently the collapse includes Yahoo’s parallel and intertwined negotiations with Softbank t...
    By Elizabeth White
    Can you bring services from the cloud to your customers faster and have them adopt it with ease of use or bring the power of bundled services to the fingertips of your clients without creating new rigid ‘apps stove pipes'? Do you want to prevent your business running away to public and...
    By Maureen O'Gara
    The Internet highway may start looking like a proverbial New York traffic jam at rush hour soon. Feel free to substitute any town you like because Cisco says there’s going to be a faster-than-expected 18x surge in worldwide mobile data traffic between 2011 and 2016. That’s when mob...
    By Pat Romanski
    OCZ Technology Group, a provider of high-performance solid-state drives (SSDs) for computing devices and systems, on Tuesday announced the Z-Drive R4 CloudServ PCI Express (PCIe) flash storage solution, designed to accelerate cloud computing applications and reduce operating expenses i...
    By Liz McMillan
    Many organizations have embraced, or are considering, the benefits of cloud computing – speed, flexibility, increased expertise, shared workload, reduced costs, etc. The benefits are many – but so are the risks. What are the threats to cloud security? Which parties assume responsibilit...
    By Liz McMillan
    SoftLayer Technologies on Tuesday announced the immediate worldwide availability of SoftLayer Object Storage, a redundant and highly scalable cloud storage service that allows users to easily store, search and retrieve data across the Internet, with optional CDN connectivity, or across...
    MORE »
    Subscribe to the World's Most Powerful Newsletters
    Subscribe to Our Rss Feeds & Get Your SYS-CON News Live!
    Click to Add our RSS Feeds to the Service of Your Choice:
    Google Reader or Homepage Add to My Yahoo! Subscribe with Bloglines Subscribe in NewsGator Online
    myFeedster Add to My AOL Subscribe in Rojo Add 'Hugg' to Newsburst from CNET News.com Kinja Digest View Additional SYS-CON Feeds
    Publish Your Article! Please send it to editorial(at)sys-con.com!

    Advertise on this site! Contact advertising(at)sys-con.com! 201 802-3021

    SYS-CON Featured Whitepapers
    Most Read This Week
    By Jeremy Geelan
    By Bob Hockman
    By Brian McCallion
    By Steven Yaskin
    By Jeremy Geelan
    By Jeremy Geelan
    By Udayan Banerjee
    By Udayan Banerjee
    By Jeremy Hess
    By Maureen O'Gara
    By Liz McMillan
    By Maureen O'Gara
    ADS BY GOOGLE