Security key goal for Web services group

More known for political snits than tech leadership, the Web Services Interoperability group, backed by IBM and others, shoots for a turnaround. But the first step's a doozy.

Martin LaMonica Former Staff writer, CNET News
Martin LaMonica is a senior writer covering green tech and cutting-edge technologies. He joined CNET in 2002 to cover enterprise IT and Web development and was previously executive editor of IT publication InfoWorld.
A group working to ensure the compatibility of Web services software is preparing to tackle its biggest challenge yet: security.

The Web Services Interoperability organization (WS-I) was formed last year at the behest of companies including IBM and Microsoft to see to it that Web services products from different companies work together. The group now has approximately 160 members, including about 20 companies that are not information technology suppliers.

Although businesses are forging ahead with Web services applications as a way of bridging differences between disparate systems, minor incompatibilities are surfacing. The WS-I's stated goal is to make sure gear from various IT suppliers is compatible and to help customers iron out any Web services glitches. So far, the group has delivered a draft specification of basic Web services protocols, which is set to be finalized in the second quarter.

But to date, the WS-I has been better known for various political squabbles than for technical leadership. A high-profile spat between Sun Microsystems and the group's founding members has generated most of the attention for the group. After initially being shut out by founding companies including IBM, Microsoft and BEA Systems, Sun subsequently joined the organization.

Now the WS-I is intent on making its mark in a more meaningful way.

In March, the group will formally tackle the thorny issue of Web services security, which analysts say remains an imposing roadblock to the technology's adoption. The WS-I will create a number of technical working groups that will recommend how IT providers and businesses should choose from several Web services security methods to match different business scenarios.

"The industry is focused on what we're doing to a very great extent," said Tom Glover, chairman of the WS-I and a program manager for Web services standards at IBM. "Standards alone don't guarantee interoperability."

But despite its laudable intentions, the WS-I faces challenges--both technical and political--as it tries to establish itself as an influential Web services standards arbiter. Corporations like United Airlines, Merrill Lynch and DaimlerChrysler joined the organization last year because of the stated "vendor-neutral" stance of the WS-I. Businesses want to use Web services, but they don't want to have to debug incompatibilities between supposedly standardized products. If the WS-I mission misfires, Web services standards progress could stall and disillusion both IT providers and their customers, analysts warn.

"At any step along the way, if someone is not adhering to the specification, then the chain becomes only as good as its weakest link," said Stephen O'Grady, an analyst at RedMonk.

For example, when businesses rely on Web services to exchange data between business partners, they need to ensure that a transaction will not break down because of a software incompatibility, O'Grady said.

Getting down to business
The technical work at the WS-I until now has focused on its "basic profile," a series of guidelines, sample applications and tools to test product compatibility. The basic profile has been in draft form since last fall and is expected to be completed by the second quarter this year. It addresses the first Web services standards written, including XML document definitions, Simple Object Access Protocol (SOAP), Web Services Description Language (WSDL), and Universal Description, Discovery and Integration of Web services (UDDI).

In taking on the hot-button issue of security, the WS-I has its work cut out for it. Matching numerous overlapping proposals for security standards to a huge number of business usage scenarios makes for a complex undertaking.

For example, a Web service for accessing customer information internally may not have the same stringent security demands as a Web service that transmits sensitive data on customer accounts between financial institutions over the Internet. The WS-I intends to give corporations guidance on how to use security effectively with Web services in different business situations and clarify any ambiguities in the security specifications for IT providers.

The WS-I is not a typical standards organization because it doesn't design the base level specifications for Web services products. Still, as past experience shows, it's clearly not immune to the political wrangling present in most multicompany collaboration efforts. WS-I members are already campaigning for a seat on the WS-I's board of directors in an effort to exert more influence on the future direction of Web services.

Last week, Web services start-up Cape Clear Software said it would run for election to the WS-I board of directors in March in an effort to promote "transparency and accountability." Cape Clear noted that the great majority of the WS-I's 160 members are small to medium-sized Web services companies but that the smallest company on the board has an annual revenue approaching $1 billion.

Cape Clear said it is concerned that large companies in the WS-I will be tempted to steer Web services standards to favor their entrenched businesses and products.

"Smaller companies have much less of an agenda, and an ability to keep the others honest," said Cape Clear CEO Annrai O'Toole. "We'd like to prevent the (WS-I) from becoming a cartel moving the technology to suit a cozy few."

WebMethods, which is a medium-sized integration software maker, also plans to run for the board.

More than a rubber stamp
The WS-I's Glover contends that the group is not simply rubber-stamping the dictates of its largest members. Glover points to the fact that the largest vendors have had to rework and delay releases of their Web services wares to hew to the WS-I's basic profile.

Sun, for example, had to rework the crucial 1.4 update to its Java 2 Enterprise Edition (J2EE) to comply with the WS-I's basic profile. Sun was forced to release the Web services-ready Java specification in the second quarter of this year, a three-month delay.

Despite such inconvenience and potential lost revenue, the first "deliverables" from the WS-I have garnered the hoped-for industry support. However, the WS-I faces the vexing issue of enforcement, particularly as it steps up the pace of its recommendations this year. Being members of a voluntary organization, companies are not legally bound to follow the WS-I's lead.

"Frankly, that's a question that the board grapples with," admits the WS-I's Glover. "Right now we're expecting the community to pretty much police themselves."

The WS-I is toying with the idea of a logo program. The model would be self-certification: After IT companies follow the WS-I's implementation guidelines and run the appropriate tests, they could certify themselves, affix the WS-I logo to their products and make their claims publicly available.

The WS-I is also looking beyond security and discussing the creation of committees to consider Web services standards around reliability and business workflow. The trick, say industry observers, is making sure the WS-I addresses real-world implementation issues and doesn't overcomplicate Web services standards.

As the WS-I takes on more complex technology specifications, it will also need to confront the thorny issue of intellectual property. In particular, Microsoft has not stated whether its standard submission for automating business workflow, or "choreography," will be royalty-free.

For the WS-I to set itself apart from other standards groups, it needs to share intellectual property freely, said Rich Green, vice president of development tools and Java software at Sun.

"Everyone is on board with the WS-I, but my question is, if we're not going to share IP (intellectual property), then what is the WS-I?" said Green. "If you don't have really open IP (rules), then the system falters."

With future IT industry growth hinging in large part on interoperable and secure Web services, the WS-I faces a crucial proving period. The next year will show whether the WS-I will be remembered as a worthwhile experiment at standards consolidation or another standards initiative that falls short of expectations.

"Once the WS-I starts diving into the meat of things, like security, messaging, reliability and transactions, the question becomes whether it will get the support of vendors--and will they have the compliance schemes," said Ron Schmelzer, an analyst at ZapThink. "That remains to be seen. And in order for it to work, it can't be a political process."