Tuesday, November 22, 2011

The Future of Web Services

In the late 1990s and 2000s the Internet evolved from static-content web pages into dynamically generated websites with a database back-end. The era gave birth to technologies such as ASP and PHP, which dominate more than 52 percent of the market (BuiltWith Trends, 2011). Today, as grid computing, distributed computing and cloud computing are rapidly becoming the de facto choice for data storage and access (Divakarla, U, & Kumari, G 2010), web applications need to evolve and adopt the emerging data access technologies. In addition, many businesses rely on Business to Business (B2B) information that is exposed through web services technologies, which provide an additional layer of security (access authentication and authorization) as opposed to exposing a direct connection to the back-end database.
Information such as geographical location (MaxMind, Inc. 2011), credit rating (Experian Information Solutions, Inc. 2011), employment and income verification (Equifax, Inc. 2011), and address lookup and readdressing information (Canada Post, 2011) is available to merchants and service providers through standard (SOAP and RESTful) web services. As such, instead of maintaining its own database of GeoIP information or postal codes, a web application can simply invoke an exposed web service to get access to up-to-date data maintained by an “expert” service provider. Moreover, “Amazon S3 provides a simple web services interface that can be used to store and retrieve any amount of data” (Amazon Web Services LLC, 2011), which allows web software developers to create a database-driven application without a traditional database back-end, relying completely on standard web services protocols such as SOAP and REST.
The main obstacle to the adoption of distributed information storage such as Amazon Web Services is its security. While vendors state that the storage “is secure by default” (Amazon Web Services LLC, 2011), there are certain aspects of security, such as physical security, which cannot be controlled by the data originator. As such, merchants and service providers wishing to utilize a “cloud” storage option need to evaluate and implement compensating controls, such as adopting the HTTPS protocol to transfer the data and encrypting the data before it is stored in the “cloud”. Ideally, an organization wishing to join the "cloud" should assess the risks by conducting a Threat Risk Assessment (TRA) and make sure there are security controls in place to mitigate the identified risks.
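The "encrypt before it is stored" control above, sketched as an added example that is not part of the original post. It uses Node.js's built-in crypto module with AES-256-GCM; the in-memory `untrustedStore`, the function names and the sample record are assumptions standing in for a real storage API reached over HTTPS.

```javascript
// Added example: client-side encryption before data leaves the originator.
const nodeCrypto = require('crypto');

// Hypothetical stand-in for the remote object store; a real client would
// send the sealed blob to the provider's API over HTTPS instead.
const untrustedStore = new Map();

// Encrypt with AES-256-GCM. The object name is bound as associated data,
// so a blob copied to a different name fails authentication on read.
function sealObject(key, objectName, plaintext) {
  const iv = nodeCrypto.randomBytes(12); // fresh 96-bit nonce per object
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(objectName, 'utf8'));
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  // Stored layout: iv (12 bytes) || tag (16 bytes) || ciphertext
  return Buffer.concat([iv, cipher.getAuthTag(), body]);
}

function openObject(key, objectName, blob) {
  if (blob.length < 28) throw new Error('blob too short');
  const iv = blob.subarray(0, 12);
  const tag = blob.subarray(12, 28);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, iv);
  decipher.setAAD(Buffer.from(objectName, 'utf8'));
  decipher.setAuthTag(tag);
  // final() throws if the ciphertext, tag or object name was altered
  return Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]);
}

function putEncrypted(key, objectName, text) {
  const blob = sealObject(key, objectName, Buffer.from(text, 'utf8'));
  untrustedStore.set(objectName, blob);
}

function getDecrypted(key, objectName) {
  const blob = untrustedStore.get(objectName);
  if (!blob) throw new Error('no such object');
  return openObject(key, objectName, blob).toString('utf8');
}

// Constructed sample record; the key stays with the data originator.
const sampleKey = nodeCrypto.randomBytes(32);
putEncrypted(sampleKey, 'customers/1001.json', '{"postal":"K1A 0B1"}');
console.log(getDecrypted(sampleKey, 'customers/1001.json'));
```

Because the key is generated and held by the data originator, the storage provider only ever sees the sealed blob, and any modification made on the provider's side is detected when the object is read back.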


