Opinion: Web Services Security Hype
If we're going downhill, that means we're gaining momentum, right?
Related Links:
SYS-CON Media and Burton Group to Stage Application Server Shoot-Out at Web Services Edge Conference 2005
Application Servers to Vie for Top Position in Boston Shoot-Out
According to the latest Web services "hype cycle" from Gartner, both Web services security standards and the deployment of Web services with security are rushing headlong into the dreaded "Trough of Disillusionment." This means that the greatest levels of hype in these areas are supposedly behind us and the reality of just what can and cannot be done is collectively dawning on us.
Taken at face value, this news could be either good or bad. The good news could be that now that the hype is over and we have passed the lofty "Peak of Inflated Expectations," we can all get down to the serious work of putting together workable security solutions and solid security standards to help bring Web services to where they deserve to be. The bad news could be the security components of Web services getting mired in the "Trough of Disillusionment" for too long and losing their appeal for the enterprise.
Rightful Place?
One question we should ask ourselves is, do the Web services security categories belong where Gartner has placed them on the hype curve? There are a number of ways that we can look at it. One way is to examine the position of the security elements on the hype curve relative to their peers. The security pieces still have a long way to go to catch up with established components of Web services, such as SOAP and WSDL, which are already on the "Plateau of Productivity" and are on the verge of exiting the hype cycle as they approach full mainstream adoption.
Another way to look at it is to consider how these components are progressing over time. If you look at where they were placed on the curve at the same time last year, the security elements have been big movers - especially when compared to some other areas, like UDDI, which have been essentially frozen in place. In last year's hype cycle, Web services security standards had not even made it to the top of the "Peak of Inflated Expectations." In just a year's time, by Gartner's estimation, the security standards have made respectable advances toward broad acceptance and implementation; secure Web services made a roughly equal advance along the curve.
Unfortunately, the path to productivity must inevitably pass through disillusionment, which is where Gartner sees the current state of Web services security. To really make a judgment about whether Gartner has made the right call about where we are with security, and where we might be heading, it is useful to understand how we got here.
Keeping the Momentum
Gartner's hype cycle assumes that all new technologies will eventually hit some rough spots in their life cycle, especially if they fail to meet the lofty expectations that are so often set for them early on. This is certainly true of Web services security. As Web services took off, there seemed to be no shortage of efforts to answer the need for securing this new paradigm. Creativity, and even unprecedented cooperation, appeared to be the order of the day: rival authentication standards banding together to create SAML; Microsoft and IBM joining hands to chart out a whole family of standards; promises of quick action from standards bodies to "fast track" Web services security standards; dozens of companies responding to the call to create technologies for implementing the standards. Plus, the newly conceived security standards showed bright promise for applications far beyond the world of Web services. It all felt so good, we should have known it would have to end. Competition, old rivalries, "standards bloat," and many other factors have served to pull us collectively back to reality. For example, Microsoft and IBM started to see different directions for their WS-* roadmap. And, the notion that standards would make security products interoperable right out of the box remains a dream for most. So, perhaps the assessment that we are in a state of disillusionment around Web services security, if it is off the mark at all, is not off by much.
But that doesn't mean this is the end of the story. The descent into disillusionment could mean that real productivity and value from Web services security is just over the next rise. The danger is that if momentum is lost, these key components of the Web services world could suffer the same fate that intrusion detection technologies have suffered in the larger security space - a permanent place in the "trough." Losing momentum at this critical juncture could have dire consequences for security in Web services and the usefulness of Web services as a whole.
The Next Big Step
So, how can we ensure that security stays on track to help Web services deliver on their promises? I see three things that we can do for a start:
- Keep it real: If we can properly manage our expectations and not fall back on the overblown hype of the past, then our disillusionment will likely be short-lived;
- Close the gap: Right now, Gartner shows deployment of Web services with security as being a good deal further along in the cycle than the Web services security standards. This is a dangerous gap, since it could indicate that many Web services security deployments are not using standards. I hope it is actually more of a matter of definitions, since Gartner considers the use of Secure Sockets Layer (SSL) encryption to constitute a Web service deployed with security (most robust Web services applications require much more than SSL to be secure). Whether the gap is real or just a gap in understanding, we must work to close it;
- Maintain the focus: If those who are experimenting with or adopting Web services for use in their environments keep a strong focus on the importance of security to Web services, then the momentum should be able to carry these components over the hump.
It will be exciting to see if this next year turns out to be one in which the security pieces of the Web services puzzle at last snap firmly into place.
About Michael Mosher
Michael Mosher is the technology director of the CSC Consulting Business and Technology Risk Management practice. He specializes in security architecture and security strategy, and has designed security solutions for Fortune 500 clients in financial services, manufacturing, energy, and health care. Michael has a broad background in government and commercial security, including six years as a special agent with the U.S. government investigating computer and white-collar crimes.